CVE-2024-30949: Integer Overflow or Wraparound in Newlib

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.7% (top 28.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 20

Description

An issue in newlib v.4.3.0 allows an attacker to execute arbitrary code via the time unit scaling in the _gettimeofday function.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

debian: debian/newlib < newlib 4.4.0.20231231-2 (forky)
Debian: newlib_project/newlib < 4.4.0.20231231-2+1

Patches

🔴 Vulnerability Details (2)

OSV: CVE-2024-30949: An issue in newlib v (2024-08-20)
GHSA: GHSA-qhpg-jf9r-mqxq: An issue in newlib v (2024-08-20)

📋 Vendor Advisories (2)

Red Hat: newlib: arbitrary code execution via the time unit scaling in the _gettimeofday function (2024-08-20)
Debian: CVE-2024-30949: newlib - An issue in newlib v.4.3.0 allows an attacker to execute arbitrary code via the ... (2024)