CVE-2024-2961

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.3 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
glibcCNA
---
---
CISA-ADPADP
7.3 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
gnuglibc
2.40 <
𝑥
< 2.40
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
glibc
bullseye
2.31-13+deb11u11
fixed
bullseye (security)
2.31-13+deb11u13
fixed
bookworm
2.36-9+deb12u10
fixed
bookworm (security)
2.36-9+deb12u7
fixed
sid
2.41-8
fixed
trixie
2.41-8
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
eglibc
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
trusty
Fixed 2.19-0ubuntu6.15+esm3
released
glibc
plucky
Fixed 2.39-0ubuntu8.1
released
oracular
Fixed 2.39-0ubuntu8.1
released
noble
Fixed 2.39-0ubuntu8.1
released
mantic
Fixed 2.38-1ubuntu6.2
released
jammy
Fixed 2.35-0ubuntu3.7
released
focal
Fixed 2.31-0ubuntu9.15
released
bionic
Fixed 2.27-3ubuntu1.6+esm2
released
xenial
Fixed 2.23-0ubuntu11.3+esm6
released
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2024/04/17/9
http://www.openwall.com/lists/oss-security/2024/04/18/4
http://www.openwall.com/lists/oss-security/2024/04/24/2
http://www.openwall.com/lists/oss-security/2024/05/27/1
http://www.openwall.com/lists/oss-security/2024/05/27/2
http://www.openwall.com/lists/oss-security/2024/05/27/3
http://www.openwall.com/lists/oss-security/2024/05/27/4
http://www.openwall.com/lists/oss-security/2024/05/27/5
http://www.openwall.com/lists/oss-security/2024/05/27/6
http://www.openwall.com/lists/oss-security/2024/07/22/5
https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
https://security.netapp.com/advisory/ntap-20240531-0002/
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
http://www.openwall.com/lists/oss-security/2024/04/17/9
http://www.openwall.com/lists/oss-security/2024/04/18/4
http://www.openwall.com/lists/oss-security/2024/04/24/2
http://www.openwall.com/lists/oss-security/2024/05/27/1
http://www.openwall.com/lists/oss-security/2024/05/27/2
http://www.openwall.com/lists/oss-security/2024/05/27/3
http://www.openwall.com/lists/oss-security/2024/05/27/4
http://www.openwall.com/lists/oss-security/2024/05/27/5
http://www.openwall.com/lists/oss-security/2024/05/27/6
http://www.openwall.com/lists/oss-security/2024/07/22/5
https://lists.debian.org/debian-lts-announce/2024/05/msg00001.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BTJFBGHDYG5PEIFD5WSSSKSFZ2AZWC5N/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P3I4KYS6EU6S7QZ47WFNTPVAHFIUQNEL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YAMJQI3Y6BHWV3CUTYBXOZONCUJNOB2Z/
https://security.netapp.com/advisory/ntap-20240531-0002/
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004
https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
https://www.ambionics.io/blog/iconv-cve-2024-2961-p2
https://www.ambionics.io/blog/iconv-cve-2024-2961-p3