Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2023-6246Heap-based Buffer Overflow in Glibc

CWE-122Heap-based Buffer OverflowCWE-787Out-of-bounds Write13 documents12 sources
Severity
7.8HIGHNVD
CNA8.4
EPSS
25.5%
top 3.77%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
GNU GlibcFedoraproject Fedora
Timeline
PublishedJan 31
Latest updateApr 15

Description

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDgnu/glibc2.362.39
Debiangnu/glibc< 2.36-9+deb12u4+2

Also affects: Fedora 38, 39

🔴Vulnerability Details

3
GHSA
GHSA-p6rw-gvvh-q8v4: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library2024-01-31
CVEList
Glibc: heap-based buffer overflow in __vsyslog_internal()2024-01-31
OSV
CVE-2023-6246: A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library2024-01-31

💥Exploits & PoCs

1
Nuclei
glibc's syslog - Local Privilege Escalation

📋Vendor Advisories

5
Oracle
Oracle Oracle Hyperion Risk Matrix: Installation and Configuration (glibc) — CVE-2023-62462024-04-15
Ubuntu
GNU C Library vulnerabilities2024-02-01
Red Hat
glibc: heap-based buffer overflow in __vsyslog_internal()2024-01-30
Microsoft
Glibc: heap-based buffer overflow in __vsyslog_internal()2024-01-09
Debian
CVE-2023-6246: glibc - A heap-based buffer overflow was found in the __vsyslog_internal function of the...2023

🕵️Threat Intelligence

2
Qualys
Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog() | Qualys2024-01-30
Qualys
Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog()2024-01-30
CVE-2023-6246 — Heap-based Buffer Overflow in GNU Glibc | cvebase