CVE-2023-4813 — Use After Free in Glibc

CWE-416 — Use After Free10 documents8 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 46.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Fedoraproject Fedora Redhat Enterprise Linux +7 more

Timeline

PublishedSep 12

Latest updateJan 10

Description

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDgnu/glibc< 2.36

▶Debiangnu/glibc< 2.36-3+2

▶Ubuntugnu/glibc< 2.31-0ubuntu9.14+3

Also affects: Fedora 38, Enterprise Linux 8.0, 9.0, 8.8, 9.2

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

glibc regression↗2024-01-10

▶

OSV

glibc vulnerabilities↗2023-12-07

▶

GHSA

GHSA-qx6j-g797-jg9r: A flaw was found in glibc↗2023-09-13

▶

CVEList

Glibc: potential use-after-free in gaih_inet()↗2023-09-12

▶

OSV

CVE-2023-4813: A flaw has been identified in glibc↗2023-09-12

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2023-12-07

▶

Microsoft

Glibc: potential use-after-free in gaih_inet()↗2023-09-12

▶

Debian

CVE-2023-4813: glibc - A flaw has been identified in glibc. In an uncommon situation, the gaih_inet fun...↗2023

▶

Red Hat

glibc: potential use-after-free in gaih_inet()↗2022-03-01

▶