Get a Quote   (408) 943-4100               TrueNAS Discord      VendOp_Icon_15x15px   Commercial Support

Versions Affected : All versions prior to TrueNAS 12.0-U5


libradius did not perform sufficient validation of received messages.

rad_get_attr(3) did not verify that the attribute length is valid before subtracting the length of the Type and Length fields. As a result, it could return success while also providing a bogus length of SIZE_T_MAX - 2 for the Value field. When processing attributes to find an optional authenticator, is_valid_response() failed to verify that each attribute length is non-zero and could thus enter an infinite loop. A server may use libradius(3) to process messages from RADIUS clients. In this case, a malicious client could trigger a denial-of-service in the server. A client using libradius(3) to process messages from a server is susceptible to the same problem. The impact of the rad_get_attr(3) bug depends on how the returned length is validated and used by the consumer. It is possible that libradius(3) applications will crash or enter an infinite loop when calling rad_get_attr(3) on untrusted RADIUS messages.


No workaround is available. Systems not making use of libradius(3) are unaffected.


  • Upgrade to TrueNAS 12.0-U5 or later.


Further information