CVE-2023-4527 — Stack-based Buffer Overflow in Glibc

CWE-121 — Stack-based Buffer Overflow CWE-125 — Out-of-bounds Read9 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 71.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Fedoraproject Fedora Redhat Codeready Linux Builder EUS +19 more

Timeline

PublishedSep 18

Latest updateOct 3

Description

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 2.2 | Impact: 4.2

Affected Packages4 packages

▶NVDgnu/glibc2.36 — 2.36.113+2

▶Debiangnu/glibc< 2.36-9+deb12u3+2

▶NVDredhat/codeready_linux_builder9.2, 9.0+1

▶NVDredhat/codeready_linux_builder_eus9.0, 9.2+1

Also affects: Fedora 37, 38, 39, Enterprise Linux 8.0, 9.0, 8.8, 9.2

🔴Vulnerability Details

OSV

glibc vulnerabilities↗2023-10-03

▶

OSV

CVE-2023-4527: A flaw was found in glibc↗2023-09-18

▶

GHSA

GHSA-hmf7-f8gf-8f4p: A flaw was found in glibc↗2023-09-18

▶

CVEList

Glibc: stack read overflow in getaddrinfo in no-aaaa mode↗2023-09-18

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2023-10-03

▶

Microsoft

Glibc: stack read overflow in getaddrinfo in no-aaaa mode↗2023-09-12

▶

Red Hat

glibc: Stack read overflow in getaddrinfo in no-aaaa mode↗2023-09-12

▶

Debian

CVE-2023-4527: glibc - A flaw was found in glibc. When the getaddrinfo function is called with the AF_U...↗2023

▶