CVE-2023-4039

CWE-693, CWE-788 | 10 documents | 8 sources

Severity: 4.8 MEDIUM
EPSS: 0.2% (top 56.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 13; Latest update Aug 19

Description

**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects a

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.2 | Impact: 2.5

Affected Packages (9 packages)

Source | Package | Fixed in version
NVD | gnu/gcc | < 2023-09-12
Alpine | gcc | < 13.2.1_git20231014-r0+4
Debian | gcc-12 | < 12.2.0-14+deb12u1+2
Debian | gcc-13 | < 13.2.0-4+1
Ubuntu | gcc-10 | < 10.5.0-1ubuntu1~22.04.2+1

Patches

🔴 Vulnerability Details (4)

OSV: gcc-10, gcc-11, gcc-12 vulnerability (2025-08-19)
CVEList: GCC's -fstack-protector fails to guard dynamically-sized local variables on AArch64 (2023-09-13)
OSV: CVE-2023-4039: **DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer ov (2023-09-13)
OSV: CVE-2023-4039: **DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer ov (2023-09-13)

📋 Vendor Advisories (5)

Ubuntu: GCC vulnerability (2025-08-19)
Oracle: Oracle Communications Risk Matrix: Install/Upgrade (GCC Arm Aarch64 binary), CVE-2023-4039 (2023-10-15)
Microsoft: GCC's -fstack-protector fails to guard dynamically-sized local variables on AArch64 (2023-09-12)
Red Hat: gcc: -fstack-protector fails to guard dynamic stack allocations on ARM64 (2023-09-12)
Debian: CVE-2023-4039: gcc-10 - **DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains ... (2023)

CVE-2023-4039 (MEDIUM CVSS 4.8) | **DISPUTED** A failure in the -fstac | cvebase.io