Skip to main content

GNU glibc CVE-2023-6246

HIGH
Heap-based Buffer Overflow (CWE-122)
2024-01-31 secalert@redhat.com
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

DescriptionCVE.org

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.

AnalysisAI

Local privilege escalation in GNU glibc 2.36 and newer arises from a heap-based buffer overflow in __vsyslog_internal, reachable via the syslog/vsyslog interfaces when openlog was not called (or called with a NULL ident) and argv[0]'s basename exceeds 1024 bytes. Any setuid/setgid binary on affected Linux distributions (including Fedora 38 and 39) that invokes syslog can be leveraged by a local attacker to crash the process or escalate privileges to root. Publicly available exploit code exists and EPSS sits at the 96th percentile, signaling meaningful real-world risk despite the local attack vector.

Technical ContextAI

glibc is the GNU C Library, the standard C library underpinning virtually every userland process on mainstream Linux distributions. The flaw resides in __vsyslog_internal, the shared backend for the syslog(3) and vsyslog(3) APIs defined in syslog.h. When a process never calls openlog (or passes ident=NULL), the implementation derives the log identifier from the basename of argv[0]; the affected code path miscomputes the heap buffer size needed to hold this identifier, allowing an attacker-controlled program name longer than 1024 bytes to overflow an allocation on the heap. This is a classic CWE-122 heap-based buffer overflow, and because argv[0] is attacker-controlled across an execve boundary, any setuid/setgid binary that ultimately calls syslog without first calling openlog with a non-NULL ident is exploitable. CPE data confirms upstream gnu:glibc and Fedora 38/39 as in-scope, and the issue was introduced in glibc 2.36, so distributions shipping that or newer (e.g., Fedora 36+, Debian trixie, recent Ubuntu) inherit the vulnerable code path.

RemediationAI

Upgrade glibc to a distribution-provided patched build as the primary fix: track and apply the vendor errata for your platform (e.g., Fedora updates for F38/F39 referenced from the Red Hat advisory and Bodhi, and equivalent DSA/USN/RHSA advisories from Debian, Ubuntu, and Red Hat). Where immediate patching is not feasible, the most effective compensating control is to reduce the setuid/setgid attack surface - audit setuid binaries with find / -perm -4000 and remove the setuid bit from non-essential binaries (trade-off: some admin tooling may break for non-root users), and consider mounting /tmp, /home, and user-writable filesystems with nosuid to prevent attacker-controlled setuid binaries from being staged. Mandatory access control via SELinux in enforcing mode or AppArmor profiles can further constrain post-exploitation, though it does not block the overflow itself. Disabling syslog usage in vulnerable programs is not a practical workaround since the affected function is invoked internally by libc consumers; do not rely on argv[0] length filtering at the shell layer because the attack uses execve directly.

More in Glibc

View all
CVE-2015-0235 CRITICAL POC
10.0 Jan 28

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,

CVE-2015-7547 HIGH POC
8.1 Feb 18

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C

CVE-2014-5119 HIGH POC
7.5 Aug 29

Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-depe

CVE-2012-4412 HIGH POC
7.5 Oct 09

Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-depende

CVE-2018-1000001 HIGH POC
7.8 Jan 31

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before th

CVE-2023-25139 CRITICAL POC
9.8 Feb 03

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct

CVE-2021-33574 CRITICAL POC
9.8 May 25

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. Rated critical seve

CVE-2019-1010022 CRITICAL POC
9.8 Jul 15

GNU Libc current is affected by: Mitigation bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2019-9169 CRITICAL POC
9.8 Feb 26

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer ove

CVE-2017-1000366 HIGH POC
7.8 Jun 19

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causin

CVE-2014-9402 HIGH POC
7.8 Feb 24

The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Se

CVE-2026-0861 HIGH POC
8.4 Jan 14

Glibc versions 2.30 through 2.42 contain an integer overflow in the memalign function family that allows attackers with

Share

CVE-2023-6246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy