Buffer Overflow in GNU C Library 2.37
CVE-2023-25139

9.8CRITICAL

Key Information:

Vendor: Gnu
Status: Glibc
Vendor: CVE Published:; 3 February 2023

Summary

A vulnerability exists in the GNU C Library (glibc) version 2.37, where the 'sprintf' function may cause a buffer overflow under certain conditions. This issue arises when attempting to write a number's string representation with thousands separators into a precisely sized buffer. If the buffer is allocated the exact length needed for the padded string, it risks overflowing by two bytes, potentially leading to unexpected behavior or exploitation. This could be particularly damaging if untrusted input is processed.

References

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

http://www.openwall.com/lists/oss-security/2023/02/10/1

mailing-list

https://security.netapp.com/advisory/ntap-20230302-0010/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Feb 3, 2023