CVE-2017-15671 — Missing Release of Resource after Effective Lifetime in Glibc

CWE-772 — Missing Release of Resource after Effective Lifetime CWE-400 — Uncontrolled Resource Consumption8 documents7 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 54.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc

Timeline

PublishedOct 20

Latest updateMay 13

Description

The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27, when invoked with GLOB_TILDE, could skip freeing allocated memory when processing the ~ operator with a long user name, potentially leading to a denial of service (memory leak).

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶Debiangnu/glibc< 2.25-3+3

▶NVDgnu/glibc2.26

Patches

Patch: sourceware.org ↗Patch: sourceware.org ↗

🔴Vulnerability Details

GHSA

GHSA-3gv3-62jc-35qm: The glob function in glob↗2022-05-13

▶

CVEList

CVE-2017-15671: The glob function in glob↗2017-10-20

▶

OSV

CVE-2017-15671: The glob function in glob↗2017-10-20

▶

📋Vendor Advisories

Red Hat

glibc: Memory leak in glob with GLOB_TILDE↗2017-10-20

▶

Debian

CVE-2017-15671: glibc - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.2...↗2017

▶

💬Community

Bugzilla

CVE-2017-15671 glibc: Memory leak in glob with GLOB_TILDE↗2017-10-20

▶

Bugzilla

CVE-2017-15670 CVE-2017-15671 glibc: various flaws [fedora-all]↗2017-10-20

▶