CVE-2021-43396

7.5HIGH

Key Information:

Vendor
Gnu
Status
Glibc
Vendor
CVE Published:
4 November 2021

Summary

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.

References

https://sourceware.org/bugzilla/show_bug.cgi?id=28524
x_refsource_MISC
https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff...
x_refsource_MISC
https://blog.tuxcare.com/vulnerability/vulnerability-in-i...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.