Buffer Overflow in GNU C Library 2.37
CVE-2023-25139

9.8CRITICAL

Key Information:

Vendor: Gnu
Status: Glibc
Vendor: CVE Published:; 3 February 2023

What is CVE-2023-25139?

A vulnerability exists in the GNU C Library (glibc) version 2.37, where the 'sprintf' function may cause a buffer overflow under certain conditions. This issue arises when attempting to write a number's string representation with thousands separators into a precisely sized buffer. If the buffer is allocated the exact length needed for the padded string, it risks overflowing by two bytes, potentially leading to unexpected behavior or exploitation. This could be particularly damaging if untrusted input is processed.

References

https://sourceware.org/bugzilla/show_bug.cgi?id=30068

http://www.openwall.com/lists/oss-security/2023/02/10/1

mailing-list

https://security.netapp.com/advisory/ntap-20230302-0010/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 3, 2023
Vulnerability Reserved
Feb 3, 2023

Gnu

What is CVE-2023-25139?

References

CVSS V3.1

Timeline