CVE-2023-25139

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
gnuglibc
2.37
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
glibc
bullseye
2.31-13+deb11u11
fixed
bullseye (security)
2.31-13+deb11u10
fixed
bookworm
2.36-9+deb12u9
fixed
bookworm (security)
2.36-9+deb12u7
fixed
sid
2.40-4
fixed
trixie
2.40-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
eglibc
kinetic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
not-affected
glibc
lunar
Fixed 2.37-0ubuntu2
released
kinetic
not-affected
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
ignored
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/02/10/1
https://security.netapp.com/advisory/ntap-20230302-0010/
https://sourceware.org/bugzilla/show_bug.cgi?id=30068
http://www.openwall.com/lists/oss-security/2023/02/10/1
https://security.netapp.com/advisory/ntap-20230302-0010/
https://sourceware.org/bugzilla/show_bug.cgi?id=30068