Total vulnerabilities in the database
The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.
While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with a SSID) a malicious beacon frame may overwrite kernel memory, leading to remote code execution.
| Software | From | Fixed in |
|---|---|---|
| freebsd / freebsd | 13.0-rc5 | 13.0-rc5.x |
| freebsd / freebsd | 13.0-rc1 | 13.0-rc1.x |
| freebsd / freebsd | 13.0-rc2 | 13.0-rc2.x |
| freebsd / freebsd | 13.0-rc4 | 13.0-rc4.x |
| freebsd / freebsd | 13.0-beta1 | 13.0-beta1.x |
| freebsd / freebsd | 13.0-beta2 | 13.0-beta2.x |
| freebsd / freebsd | 13.0-beta3 | 13.0-beta3.x |
| freebsd / freebsd | 13.0-beta3-p1 | 13.0-beta3-p1.x |
| freebsd / freebsd | 13.0-beta4 | 13.0-beta4.x |
| freebsd / freebsd | 13.0-p1 | 13.0-p1.x |
| freebsd / freebsd | 13.0-p2 | 13.0-p2.x |
| freebsd / freebsd | 13.0-p3 | 13.0-p3.x |
| freebsd / freebsd | 13.0-p4 | 13.0-p4.x |
| freebsd / freebsd | 13.0-p5 | 13.0-p5.x |
| freebsd / freebsd | 13.0-rc3 | 13.0-rc3.x |
| freebsd / freebsd | 13.0-rc5-p1 | 13.0-rc5-p1.x |
| freebsd / freebsd | 13.1-b1-p1 | 13.1-b1-p1.x |
| freebsd / freebsd | 13.1-b2-p2 | 13.1-b2-p2.x |
| freebsd / freebsd | 12.3-p1 | 12.3-p1.x |
| freebsd / freebsd | 12.3-p2 | 12.3-p2.x |
| freebsd / freebsd | 12.3-p3 | 12.3-p3.x |
| freebsd / freebsd | 12.3-p4 | 12.3-p4.x |
| freebsd / freebsd | 13.0-p10 | 13.0-p10.x |
| freebsd / freebsd | 13.0-p6 | 13.0-p6.x |
| freebsd / freebsd | 13.0-p7 | 13.0-p7.x |
| freebsd / freebsd | 13.0-p8 | 13.0-p8.x |
| freebsd / freebsd | 13.0-p9 | 13.0-p9.x |
| freebsd / freebsd | - | 12.3 |
| freebsd / freebsd | 12.4 | 13.0 |