GNU glibc CVE-2023-6779
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
DescriptionCVE.org
An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
AnalysisAI
Heap-based off-by-one buffer overflow in glibc's __vsyslog_internal function affects versions 2.37 and newer, triggered when syslog() or vsyslog() are invoked with messages exceeding INT_MAX bytes. Remote attackers can cause application crashes (denial of service) and potentially impact integrity in applications that log attacker-controlled data via syslog. Publicly available exploit code exists, though EPSS exploitation probability remains moderate at 0.65% (71st percentile) and the issue is not listed in CISA KEV.
Technical ContextAI
The vulnerability resides in __vsyslog_internal, a core internal helper inside the GNU C Library that backs the POSIX syslog() and vsyslog() interfaces used by virtually every Linux userspace process for logging. The root cause is CWE-122 (heap-based buffer overflow), specifically an off-by-one error in size calculation: when a log message larger than INT_MAX bytes is passed in, integer arithmetic produces an incorrect buffer length, causing a one-byte heap overrun when the message is written. Affected CPEs explicitly include gnu:glibc (all matching versions 2.37+), and Fedora 38 and Fedora 39, both of which ship glibc 2.37/2.38 in their base distributions. Because glibc is foundational, the bug surfaces in any application that forwards externally influenced strings into syslog without length capping.
RemediationAI
Upgrade affected systems to a glibc version containing the upstream fix in __vsyslog_internal - Patch available per vendor advisory, with downstream packages distributed via Fedora's bodhi updates for Fedora 38 and 39 and Red Hat errata tracked under the secalert@redhat.com reporter channel; consult your distribution's security tracker for the exact patched glibc package version applicable to your release. As a compensating control where prompt patching is not possible, audit applications that pass untrusted input directly to syslog()/vsyslog() and enforce a strict message length cap well below INT_MAX (e.g., truncate to a few kilobytes before logging), which has the side effect of losing very long log lines but eliminates the trigger; additionally, restricting which network-exposed services can reach syslog with attacker-controlled data (via input validation at the application boundary or WAF rules) reduces exposure at the cost of additional rule maintenance.
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C
Local privilege escalation in GNU glibc 2.36 and newer arises from a heap-based buffer overflow in __vsyslog_internal, r
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-depe
Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-depende
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before th
sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct
The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. Rated critical seve
GNU Libc current is affected by: Mitigation bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely e
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer ove
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causin
The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Se
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Heap Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today