Glibc: off-by-one heap-based buffer overflow in __vsyslog_internal()
CVE-2023-6779

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Glibc; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 31 January 2024

Badges

📰 News Worthy

Summary

An off-by-one heap-based buffer overflow was identified in the __vsyslog_internal function within the glibc library. When the syslog and vsyslog functions are invoked with a message exceeding INT_MAX bytes, it leads to improper calculations of the buffer size allocated for the message. This flaw may cause application crashes and can potentially be exploited if the affected functions are manipulated. The vulnerability impacts glibc versions 2.37 and newer, necessitating immediate attention from system administrators and software developers utilizing this library.

Affected Version(s)

glibc 2.39

News Articles

Qualys Security Blog

CVE-2023-6246 CVE-2023-6779

Qualys TRU Discovers Important Vulnerabilities in GNU C Library’s syslog() | Qualys Security Blog

The Qualys Threat Research Unit (TRU) has recently unearthed four significant vulnerabilities in the GNU C Library, a cornerstone for countless applications in…

11 months ago

References

http://packetstormsecurity.com/files/176932/glibc-syslog-...

http://seclists.org/fulldisclosure/2024/Feb/3

https://access.redhat.com/security/cve/CVE-2023-6779

vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

📰
First article discovered by Qualys Security Blog
Jan 31, 2024
Vulnerability published
Jan 31, 2024
Vulnerability Reserved
Dec 13, 2023

Collectors

NVD DatabaseMitre Database1 News Article(s)

Credit

Red Hat would like to thank Qualys Threat Research Unit for reporting this issue.