A malicious RADIUS client or home server can send a malformed abinary attribute, which can cause the server to crash.

All versions of FreeRADIUS from 0.0.1 to 3.0.25 are affected.

This crash is not exploitable by end users. Only systems that are in the RADIUS circle of trust can send these malformed attributes to a server. No actions other than a crash are possible.

As a result, the severity of this issue is low. A malicious RADIUS client or home server can do many worse things than crash the server. For example, it could cause all users to be authenticated, or cause all users to be rejected, or it could lie about all accounting data.

This issue was found during automated fuzzing of the source code.

The issue was fixed in commit 0ec2b39.