libc stdio buffer overflow
CVE-2023-5941

9.8CRITICAL

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 8 November 2023

What is CVE-2023-5941?

In FreeBSD versions 12.4-RELEASE prior to 12.4-RELEASE-p7 and 13.2-RELEASE prior to 13.2-RELEASE-p5, an issue exists in the __sflush() function of the standard I/O library (libc). This function fails to properly update the write space for write-buffered streams when the write(2) system call encounters an error. This flaw can lead to a heap buffer overflow, potentially resulting in data corruption or allowing an attacker to execute arbitrary code at the privilege level of the affected application. Users are advised to apply the necessary patches to mitigate this risk.

Affected Version(s)

FreeBSD 12.4-RELEASE

FreeBSD 13.2-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-23:15....

vendor-advisory

https://security.netapp.com/advisory/ntap-20231214-0004/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 8, 2023
Vulnerability Reserved
Nov 2, 2023

Credit

inooo