CVE-2023-4039

Updated: 2024-02-19 19:59:20.289338

Description:

**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0 |
| CVSS Version 3.x | MEDIUM | 4.8 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated |
|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | gcc | 11.3.1 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:56 |
| CentOS 6 ELS | gcc | 4.4.7 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:55 |
| CentOS 7 ELS | gcc | 4.8.5 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:55 |
| CentOS 8.4 ELS | gcc | 8.4.1 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:56 |
| CentOS 8.5 ELS | gcc | 8.5.0 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:55 |
| CloudLinux 6 ELS | gcc | 4.4.7 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:55 |
| Oracle Linux 6 ELS | gcc | 4.4.7 | 4.8 | MEDIUM | Ignored | | 2023-12-01 03:18:55 |