CVE-2021-43396Improper Input Validation in Glibc

CWE-20Improper Input Validation7 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.6%
top 30.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
GNU GlibcOracle Communications Cloud Native Core Binding Support FunctionOracle Communications Cloud Native Core Network Function Cloud Native Environment+4 more
Timeline
PublishedNov 4
Latest updateMay 24

Description

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

Debiangnu/glibc< 2.31-13+deb11u3+3
NVDgnu/glibc2.34

Patches

Patch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

3
GHSA
GHSA-73g2-m4v3-6c2h: In iconvdata/iso-2022-jp-32022-05-24
OSV
CVE-2021-43396: In iconvdata/iso-2022-jp-32021-11-04
CVEList
CVE-2021-43396: In iconvdata/iso-2022-jp-32021-11-04

📋Vendor Advisories

3
Microsoft
In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34 remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an interna2021-11-09
Red Hat
glibc: conversion from ISO-2022-JP-3 with iconv may emit spurious NUL character on state reset2021-11-01
Debian
CVE-2021-43396: glibc - In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attac...2021
CVE-2021-43396 — Improper Input Validation in GNU Glibc | cvebase