A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCanonical Ubuntu
OSCanonical22.0423.04Debian
OSDebian11.012.0Fedora Project Fedora
OSFedoraproject373839Gnu Glibc
APPGnu2.34 – 2.39 (bez)Netapp Bootstrap Os
OSNetappwszystkie wersjeNetapp H300s
HWNetappwszystkie wersjeNetapp H300s Firmware
OSNetappwszystkie wersjeNetapp H410c
HWNetappwszystkie wersjeNetapp H410c Firmware
OSNetappwszystkie wersjeNetapp H410s
HWNetappwszystkie wersjeNetapp H410s Firmware
OSNetappwszystkie wersjeNetapp H500s
HWNetappwszystkie wersjeNetapp H500s Firmware
OSNetappwszystkie wersjeNetapp H700s
HWNetappwszystkie wersjeNetapp H700s Firmware
OSNetappwszystkie wersjeNetapp Hci Compute Node
HWNetappwszystkie wersjeNetapp Ontap Select Deploy Administration Utility
APPNetappwszystkie wersjeRed Hat Codeready Linux Builder
APPRedhat9.0Red Hat Codeready Linux Builder Eus
APPRedhat8.69.29.49.6Red Hat Codeready Linux Builder For Arm64
APPRedhat9.0_aarch64Red Hat Codeready Linux Builder For Arm64 Eus
APPRedhat8.69.2_aarch649.4_aarch649.6_aarch64Red Hat Codeready Linux Builder For IBM Z Systems
APPRedhat9.0_s390xRed Hat Codeready Linux Builder For IBM Z Systems Eus
APPRedhat8.69.2_s390x9.4_s390x9.6_s390xRed Hat Codeready Linux Builder For Power Little Endian
APPRedhat9.0_ppc64leRed Hat Codeready Linux Builder For Power Little Endian Eus
APPRedhat8.69.2_ppc64le9.4_ppc64le9.6_ppc64leRed Hat Enterprise Linux
OSRedhat8.09.0Red Hat Enterprise Linux Eus
OSRedhat8.69.29.49.6Red Hat Enterprise Linux For Arm 64
OSRedhat9.0_aarch64Red Hat Enterprise Linux For Arm 64 Eus
OSRedhat8.6_aarch649.2_aarch649.4_aarch649.6_aarch64Red Hat Enterprise Linux For IBM Z Systems
OSRedhat9.0_s390x
CISA KEV — detailsi
- Vendori
- GNU
- Producti
- GNU C Library
- Added to KEVi
- November 21, 2023
- Remediation deadline (US Federal)i
- December 12, 2023(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
GNU C Library's dynamic loader ld.so contains a buffer overflow vulnerability when processing the GLIBC_TUNABLES environment variable, allowing a local attacker to execute code with elevated privileges.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki