CVE-2017-17426 — Integer Overflow or Wraparound in Glibc

CWE-190 — Integer Overflow or Wraparound8 documents8 sources

Severity

8.1HIGHNVD

EPSS

0.4%

top 41.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc

Timeline

PublishedDec 5

Latest updateMay 17

Description

The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, potentially leading to a subsequent heap overflow. This occurs because the per-thread cache (aka tcache) feature enables a code path that lacks an integer overflow check.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages2 packages

▶Ubuntugnu/glibc< 2.27-3ubuntu1

▶NVDgnu/glibc2.26

🔴Vulnerability Details

GHSA

GHSA-5rxv-m65f-6q4g: The malloc function in the GNU C Library (aka glibc or libc6) 2↗2022-05-17

▶

CVEList

CVE-2017-17426: The malloc function in the GNU C Library (aka glibc or libc6) 2↗2017-12-05

▶

OSV

CVE-2017-17426: The malloc function in the GNU C Library (aka glibc or libc6) 2↗2017-12-05

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2018-01-17

▶

Red Hat

glibc: Integer overflow with enabled tcache↗2017-10-31

▶

Debian

CVE-2017-17426: glibc - The malloc function in the GNU C Library (aka glibc or libc6) 2.26 could return ...↗2017

▶

💬Community

Bugzilla

CVE-2017-17426 glibc: Integer overflow with enabled tcache↗2017-12-11

▶