Out of bounds read for cookie path
37137
03 March 2026
03 March 2026
OPEN
LOW
7.5
CVE-2025-9086
| Brocade Security Advisory ID | BSA-2026-3167 |
| Component | curl |
Summary
A cookie is set using the secure keyword for https://target. curl is then redirected to, or otherwise made to speak with, http://target (same hostname, but using clear text HTTP) using the same cookie set. The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored. A bug in the path comparison logic makes curl read outside a heap buffer boundary.
The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.
The presumed and correct behavior would be to plainly ignore the second set of the cookie: it was already set as secure on a secure host, so overriding it on an insecure host should not be okay.
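The expected behavior described above, sketched as an added example with a length-checked path comparison. This is not curl's code or Brocade's: the struct, the function names and the use of RFC 6265 style path matching are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cookie record for this example (not curl's struct). */
struct cookie {
    const char *name, *host;  /* host assumed already lower-cased */
    const char *path;         /* NUL-terminated; may be just "/" */
    bool secure;
};

/* RFC 6265 style path-match: is new_path equal to or below old_path?
   Both lengths are measured first and every index is checked against
   them, so a one-byte path buffer is never read past its end. */
static bool path_matches(const char *new_path, const char *old_path)
{
    if (!*new_path) new_path = "/";   /* empty path treated as root */
    if (!*old_path) old_path = "/";
    size_t nlen = strlen(new_path), olen = strlen(old_path);

    if (olen > nlen || memcmp(new_path, old_path, olen) != 0)
        return false;                 /* old_path is not a prefix */
    if (nlen == olen)
        return true;                  /* identical paths */
    return old_path[olen - 1] == '/' || new_path[olen] == '/';
}

/* True when an incoming cookie from a clear-text origin must be dropped
   because it would override a cookie stored with the secure keyword. */
static bool must_ignore(const struct cookie *jar, size_t n,
                        const struct cookie *in, bool https_origin)
{
    if (https_origin)
        return false;                 /* rule only guards http:// sets */
    for (size_t i = 0; i < n; i++)
        if (jar[i].secure && strcmp(jar[i].name, in->name) == 0 &&
            strcmp(jar[i].host, in->host) == 0 &&
            path_matches(in->path, jar[i].path))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample: secure cookie from https://target, path "/". */
    struct cookie jar[] = { { "sid", "target", "/", true } };
    struct cookie in = { "sid", "target", "/", false }; /* via http://target */
    printf("ignore clear-text override: %d\n", must_ignore(jar, 1, &in, false));
    return 0;
}
```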
INFO
The attacker needs to be in control of the http:// site that uses the same name as the https:// version, or otherwise possess MITM capability, which probably makes this problem the lesser one.
The attacker has no way to control or guess what is in the heap memory following the path buffer that is being read out of bounds, making it a fragile operation.
Products Affected
- No Brocade products are affected
Products Not Affected
- Brocade Fabric OS
  [VEX Justification: Vulnerable_code_not_in_execute_path]
- Brocade SANnav
  [VEX Justification: Vulnerable_code_cannot_be_controlled_by_adversary]
- Brocade ASCG
  [VEX Justification: Vulnerable_code_not_in_execute_path]
Solution
- While not exploitable, a security update is provided in Brocade ASCG version 3.4.0
Revision History
| Version | Change | Date |
| 1.0 | Initial Publication | March 3, 2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.