GNU C Library (glibc) Vulnerability in Iconv Functionality
CVE-2021-43396

7.5HIGH

Key Information:

Vendor
Gnu
Status
Glibc
Vendor
CVE Published:
4 November 2021

Summary

A flaw in the GNU C Library's iconv functionality allows remote attackers to exploit crafted ISO-2022-JP-3 data to produce a spurious '\0' character due to an internal state reset. This could compromise data integrity in specific iconv() applications; however, it is noted that successful exploitation requires invoking iconv() with a NULL input buffer, implying that a distinct application error is necessary for it to occur unintentionally.

References

https://sourceware.org/bugzilla/show_bug.cgi?id=28524
x_refsource_MISC
https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff...
x_refsource_MISC
https://blog.tuxcare.com/vulnerability/vulnerability-in-i...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.