CVE-2023-38403: Integer Overflow

Published Jul 11, 2023

iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.

Other sources

iperf3 uses the length to determine the size of a dynamically allocated memory buffer in which to store the incoming message. If the length equals 0xffffffff, an integer overflow can be triggered in the receiving iperf3 process (typically the server), which can in turn cause heap corruption and an abort/crash. While this is unlikely to happen during normal iperf3 operation, a suitably crafted client program could send a sequence of bytes on the iperf3 control channel to cause an iperf3 server to crash.
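The sizing problem described above, as an added C example that is not iperf3's own code. It assumes a 4-byte big-endian length prefix and a buffer sized as length plus one terminator byte; the function names and the `MAX_MSG_LEN` cap are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical upper bound for one control message; not a value from iperf3. */
#define MAX_MSG_LEN (8u * 1024u * 1024u)

/* Decode the (assumed) 4-byte big-endian length prefix sent by the peer. */
static uint32_t read_len_prefix(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Unchecked sizing: payload plus one terminator byte, computed in 32 bits.
 * For len == 0xffffffff the sum wraps to 0, so the buffer handed back by the
 * allocator is far smaller than the length the read loop later trusts. */
static uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + 1u;
}

/* Checked sizing: validate the peer-supplied length before any arithmetic.
 * Returns 0 and stores the size on success, -1 if the message must be dropped. */
static int alloc_size_checked(uint32_t len, size_t *out)
{
    if (len == 0 || len > MAX_MSG_LEN)
        return -1;
    *out = (size_t)len + 1u;
    return 0;
}

/* Constructed sample prefixes: the value named in the advisory, and 256. */
static const unsigned char crafted_hdr[4] = { 0xff, 0xff, 0xff, 0xff };
static const unsigned char normal_hdr[4]  = { 0x00, 0x00, 0x01, 0x00 };

int main(void)
{
    size_t n = 0;
    uint32_t len = read_len_prefix(crafted_hdr);
    printf("unchecked size for 0x%08x: %u\n", (unsigned)len,
           (unsigned)alloc_size_unchecked(len));
    printf("checked result for 0x%08x: %d\n", (unsigned)len,
           alloc_size_checked(len, &n));
    if (alloc_size_checked(read_len_prefix(normal_hdr), &n) == 0)
        printf("checked size for 256: %zu\n", n);
    return 0;
}
```

Any receiver that sizes a buffer from a peer-supplied length needs the bound check before the addition, not after the allocation.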

Reference:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040830
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
https://github.com/esnet/iperf/issues/1542
https://github.com/esnet/iperf/pull/1543
https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14)

Red Hat

iperf3. The issue was addressed with improved checks.

Apple

Credit

CVE-2023-38403

Affected Software

21 affected components. Fixes available.
ubuntu/iperf3 <3.1.3-1ubuntu0.1~ (fixed in 3.1.3-1ubuntu0.1~)
ubuntu/iperf3 <3.7-3ubuntu0.1~ (fixed in 3.7-3ubuntu0.1~)
ubuntu/iperf3 <3.9-1+ (fixed in 3.9-1+)
ubuntu/iperf3 <3.12-1+ (fixed in 3.12-1+)
ubuntu/iperf3 <3.0.11-1ubuntu0.1~ (fixed in 3.0.11-1ubuntu0.1~)
redhat/iperf <3.14 (fixed in 3.14)
debian/iperf3 <=3.9-1, <=3.13-2 (fixed in 3.9-1+deb11u1, 3.12-1+deb12u1, 3.14-1)
debian/iperf3 <=3.6-2 (fixed in 3.6-2+deb10u1, 3.9-1+deb11u1, 3.12-1+deb12u1, 3.16-1)
Apple macOS Sonoma <14.1 (fixed in 14.1)
Apple macOS Ventura <13.6.1 (fixed in 13.6.1)
All of the following
es iperf3<3.14
Linux Linux kernel
Debian Debian Linux=10.0
Fedoraproject Fedora=37
Fedoraproject Fedora=38
NetApp ONTAP Select Deploy administration utility
NetApp Clustered Data ONTAP=9.0
Apple macOS<13.6.1
Apple macOS=14.0
es iperf3<3.14
Linux Linux kernel

Event History

Jul 17, 2023
CVE Published (via MITRE, 12:00 AM)
Data Sourced: Description (via MITRE, 12:00 AM)
Data Sourced: Description (09:15 PM)
Jan 12, 2024
Data Sourced: Description (via Launchpad, 12:22 AM)


Frequently Asked Questions

1. What is the vulnerability ID?

The vulnerability ID is CVE-2023-38403.

2. What is the title of the vulnerability?

The title of the vulnerability is 'iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field.'

3. What software is affected by this vulnerability?

The affected software is iperf3.

4. How can this vulnerability be exploited?

This vulnerability can be exploited by peers through a crafted length field, leading to integer overflow and heap corruption.

5. What is the severity of CVE-2023-38403?

The severity of CVE-2023-38403 is high with a severity value of 5.5.

6. How can I fix this vulnerability?

To fix this vulnerability, update iperf3 to version 3.14 or apply the recommended patches.
