{"uuid": "8c25ab78-0a8e-4282-ad66-07fbfff462e9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-26076", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/2794", "content": "\ud83d\udca5Shannon Baseband: Intra-object overflow in NrSmPcoCodec when decoding reserved options (CVE-2023-26076).\nThere is an intra-object overflow in Shannon Baseband, inside the 5G SM protocol implementation (NrSmMsgCodec as it\u2019s called in Shannon according to debug strings), when decoding the \u201cExtended protocol configuration options\u201d message (IEI = 0x7B).\n\nThe problem is that the size of the content isn\u2019t checked before copying it. As the length of the content can be up to 255 bytes, copying the content to one of the 6 reservedPco buffers can result in an OOB write.\nThe array that holds the \u201cReserved\u201d option data isn\u2019t in a standalone allocation; rather, this array is part of a larger structure. Thus, an OOB write as described above overwrites other data within the same structure. It is currently unclear what kind of data lies after the 6 reservedPco buffers within reach of the overwrite.\n\n\ud83d\udd16An \u201cExtended protocol configuration options\u201d message that triggers the overflow is provided in epco-reserved-poc.dat.", "creation_timestamp": "2023-03-20T14:22:52.000000Z"}