GNU C Library CVE-2023-4911

Severity: HIGH
Weakness: Heap-based Buffer Overflow (CWE-122)
Published: 2023-10-03, source: secalert@redhat.com
CVSS 3.1 base score: 7.8
CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Added to CISA KEV: May 12, 2026 - 11:31 (CISA)

Description (NVD)

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Analysis (AI)

Local privilege escalation in the GNU C Library (glibc) dynamic loader ld.so allows unprivileged local users on affected Linux distributions to gain root by abusing a heap buffer overflow when ld.so processes the GLIBC_TUNABLES environment variable during execution of SUID binaries. The flaw is confirmed actively exploited (CISA KEV) with publicly available exploit code, and the EPSS score of 71.53% (99th percentile) reflects very high exploitation likelihood across Linux estates.

Technical Context (AI)

The vulnerability resides in glibc's dynamic linker/loader (ld.so), which is invoked for nearly every dynamically linked binary on Linux and runs with the privileges of the calling binary. GLIBC_TUNABLES is an environment variable mechanism introduced to tweak runtime behavior of glibc; the parser that splits and copies tunable name=value pairs mishandles malformed input, producing a CWE-122 heap-based buffer overflow in ld.so's internal data structures. Because ld.so retains the caller's elevated privileges when launching SUID-root binaries, corrupting its memory enables hijacking control flow inside a process that has not yet dropped privileges. Affected CPE coverage includes upstream gnu:glibc, Red Hat Enterprise Linux (CodeReady Builder 8.6/9.x EUS streams), Fedora 37/38/39, and NetApp Bootstrap OS, indicating broad downstream exposure across enterprise and appliance Linux.

Remediation (AI)

Apply the vendor-released glibc patch for your distribution as the primary fix. Red Hat, Fedora, Debian, Ubuntu, SUSE, and NetApp have all shipped updated glibc packages (e.g., glibc-2.34-60.el9_2.7 on RHEL 9.2 and equivalents on other streams); consult your distribution's advisory for the exact patched NEVRA matching your release. Patching glibc typically requires a reboot, or at minimum a full service restart cycle, because ld.so is mapped into every running process.

As an interim compensating control where patching is delayed, administrators can use systemtap or an equivalent kernel hook to terminate any process whose environment contains a GLIBC_TUNABLES value that triggers the parser bug (Red Hat published a systemtap mitigation script in RHSB-2023-003). The trade-off is added kernel-side overhead and the risk of breaking legitimate tunables usage.

Reducing the SUID binary footprint (removing the SUID bit from non-essential binaries) limits the attack surface but can break expected user functionality such as ping, su, or mount; test this per environment before deployment.
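The following POSIX shell script is an added audit helper for the remediation steps above; it is not part of this page, of NVD, or of any vendor advisory. It checks whether the installed glibc version-release is at or above a fixed build and lists the SUID binaries a host carries, so the patch status and the SUID footprint can be reviewed together. The only fixed version it hard-codes is the RHEL 9.2 build quoted above (glibc-2.34-60.el9_2.7); for any other distribution or stream the fixed version must be taken from that distribution's advisory and passed in instead. The version comparison is an approximation of rpm's ordering written for same-stream strings and is labelled as such in the code.

```shell
#!/bin/sh
# Added audit helper for CVE-2023-4911 (not from the vuln.today page or any
# vendor). Answers two defender questions: is the installed glibc at or above
# the fixed build, and which SUID binaries exist on this host for review.

# Fixed glibc version-release the page quotes for RHEL 9.2. Other streams have
# their own fixed builds; substitute the value from your distribution advisory.
FIXED_GLIBC_EL9_2="2.34-60.el9_2.7"

# version_ge INSTALLED FIXED
# Exit 0 when INSTALLED is at or above FIXED. Each string is split into numeric
# fields on every non-digit run ("2.34-60.el9_2.7" becomes 2 34 60 9 2 7) and
# compared field by field, missing fields counting as 0. This approximates rpm's
# comparison for strings from one stream; it does not handle epochs or compare
# across streams (assumption: both arguments come from the same stream).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 1
            if (xi > yi) exit 0
        }
        exit 0
    }'
}

# installed_glibc_version
# Prints the installed glibc version-release via rpm or dpkg; prints nothing
# when neither package manager is present.
installed_glibc_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc 2>/dev/null | head -n 1
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' libc6 2>/dev/null | head -n 1
    fi
}

# glibc_status INSTALLED FIXED
# Prints "patched" or "vulnerable" for the given pair of version strings.
glibc_status() {
    if version_ge "$1" "$2"; then
        echo patched
    else
        echo vulnerable
    fi
}

# list_suid_binaries DIR...
# Prints every regular file under the given directories with the set-user-ID
# bit. Review before clearing any bit: the page notes ping, su and mount rely
# on SUID and break without it. Unreadable directories are skipped silently.
list_suid_binaries() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null || true
}

# main: print the patch status (meaningful only on RHEL 9.2 with the built-in
# fixed version) and the SUID inventory for /usr and /bin.
main() {
    installed=$(installed_glibc_version)
    if [ -z "$installed" ]; then
        echo "glibc version: unknown (no rpm/dpkg found); check 'ldd --version'"
    else
        status=$(glibc_status "$installed" "$FIXED_GLIBC_EL9_2")
        echo "glibc version: $installed -> $status against $FIXED_GLIBC_EL9_2 (RHEL 9.2 fixed build)"
    fi
    echo "SUID binaries under /usr and /bin:"
    list_suid_binaries /usr /bin
}

# Run the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    main
fi
```

Run it as `sh audit-cve-2023-4911.sh --report`; on a non-RHEL 9.2 host, call `glibc_status "$(installed_glibc_version)" "<fixed version from your advisory>"` directly instead of relying on the built-in constant.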

CVE-2023-4911 vulnerability details – vuln.today