Common Weakness Enumeration

CWE-122

Allowed

Heap-based Buffer Overflow

Abstraction: Variant · Status: Draft

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

4096 vulnerabilities reference this CWE, most recent first.

CVE-2023-5568 (GCVE-0-2023-5568)

Vulnerability from cvelistv5 – Published: 2023-10-24 21:56 – Updated: 2025-09-02 15:43
VLAI
Title
Samba: heap buffer overflow with freshness tokens in the heimdal kdc
Summary
A heap-based Buffer Overflow flaw was discovered in Samba. It could allow a remote, authenticated attacker to exploit this vulnerability to cause a denial of service.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Date Public
2023-10-09 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.847Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-5568"
          },
          {
            "name": "RHBZ#2245174",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245174"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://bugzilla.samba.org/show_bug.cgi?id=15491"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231124-0007/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.samba.org/samba/history/samba-4.19.2.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5568",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-29T19:44:09.639707Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T20:00:25.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "samba",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:storage:3"
          ],
          "defaultStatus": "affected",
          "packageName": "samba",
          "product": "Red Hat Storage 3",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-10-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A heap-based Buffer Overflow flaw was discovered in Samba. It could allow a remote, authenticated attacker to exploit this vulnerability to cause a denial of service."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-02T15:43:02.714Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-5568"
        },
        {
          "name": "RHBZ#2245174",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2245174"
        },
        {
          "url": "https://bugzilla.samba.org/show_bug.cgi?id=15491"
        },
        {
          "url": "https://www.samba.org/samba/history/samba-4.19.2.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-19T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-10-09T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Samba: heap buffer overflow with freshness tokens in the heimdal kdc",
      "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-5568",
    "datePublished": "2023-10-24T21:56:41.633Z",
    "dateReserved": "2023-10-13T07:06:17.684Z",
    "dateUpdated": "2025-09-02T15:43:02.714Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5460 (GCVE-0-2023-5460)

Vulnerability from cvelistv5 – Published: 2023-10-09 19:00 – Updated: 2024-08-02 07:59
VLAI
Title
Delta Electronics WPLSoft Modbus Data Packet heap-based overflow
Summary
A vulnerability was found in Delta Electronics WPLSoft up to 2.51 and classified as problematic. This issue affects some unknown processing of the component Modbus Data Packet Handler. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241583. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Delta Electronics WPLSoft Affected: 2.0
Affected: 2.1
Affected: 2.2
Affected: 2.3
Affected: 2.4
Affected: 2.5
Affected: 2.6
Affected: 2.7
Affected: 2.8
Affected: 2.9
Affected: 2.10
Affected: 2.11
Affected: 2.12
Affected: 2.13
Affected: 2.14
Affected: 2.15
Affected: 2.16
Affected: 2.17
Affected: 2.18
Affected: 2.19
Affected: 2.20
Affected: 2.21
Affected: 2.22
Affected: 2.23
Affected: 2.24
Affected: 2.25
Affected: 2.26
Affected: 2.27
Affected: 2.28
Affected: 2.29
Affected: 2.30
Affected: 2.31
Affected: 2.32
Affected: 2.33
Affected: 2.34
Affected: 2.35
Affected: 2.36
Affected: 2.37
Affected: 2.38
Affected: 2.39
Affected: 2.40
Affected: 2.41
Affected: 2.42
Affected: 2.43
Affected: 2.44
Affected: 2.45
Affected: 2.46
Affected: 2.47
Affected: 2.48
Affected: 2.49
Affected: 2.50
Affected: 2.51
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.643Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.241583"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.241583"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://drive.google.com/drive/folders/1oYxs_KxK4Ftd7OsexGk6upkxhJ3-m8M3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Modbus Data Packet Handler"
          ],
          "product": "WPLSoft",
          "vendor": "Delta Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "2.0"
            },
            {
              "status": "affected",
              "version": "2.1"
            },
            {
              "status": "affected",
              "version": "2.2"
            },
            {
              "status": "affected",
              "version": "2.3"
            },
            {
              "status": "affected",
              "version": "2.4"
            },
            {
              "status": "affected",
              "version": "2.5"
            },
            {
              "status": "affected",
              "version": "2.6"
            },
            {
              "status": "affected",
              "version": "2.7"
            },
            {
              "status": "affected",
              "version": "2.8"
            },
            {
              "status": "affected",
              "version": "2.9"
            },
            {
              "status": "affected",
              "version": "2.10"
            },
            {
              "status": "affected",
              "version": "2.11"
            },
            {
              "status": "affected",
              "version": "2.12"
            },
            {
              "status": "affected",
              "version": "2.13"
            },
            {
              "status": "affected",
              "version": "2.14"
            },
            {
              "status": "affected",
              "version": "2.15"
            },
            {
              "status": "affected",
              "version": "2.16"
            },
            {
              "status": "affected",
              "version": "2.17"
            },
            {
              "status": "affected",
              "version": "2.18"
            },
            {
              "status": "affected",
              "version": "2.19"
            },
            {
              "status": "affected",
              "version": "2.20"
            },
            {
              "status": "affected",
              "version": "2.21"
            },
            {
              "status": "affected",
              "version": "2.22"
            },
            {
              "status": "affected",
              "version": "2.23"
            },
            {
              "status": "affected",
              "version": "2.24"
            },
            {
              "status": "affected",
              "version": "2.25"
            },
            {
              "status": "affected",
              "version": "2.26"
            },
            {
              "status": "affected",
              "version": "2.27"
            },
            {
              "status": "affected",
              "version": "2.28"
            },
            {
              "status": "affected",
              "version": "2.29"
            },
            {
              "status": "affected",
              "version": "2.30"
            },
            {
              "status": "affected",
              "version": "2.31"
            },
            {
              "status": "affected",
              "version": "2.32"
            },
            {
              "status": "affected",
              "version": "2.33"
            },
            {
              "status": "affected",
              "version": "2.34"
            },
            {
              "status": "affected",
              "version": "2.35"
            },
            {
              "status": "affected",
              "version": "2.36"
            },
            {
              "status": "affected",
              "version": "2.37"
            },
            {
              "status": "affected",
              "version": "2.38"
            },
            {
              "status": "affected",
              "version": "2.39"
            },
            {
              "status": "affected",
              "version": "2.40"
            },
            {
              "status": "affected",
              "version": "2.41"
            },
            {
              "status": "affected",
              "version": "2.42"
            },
            {
              "status": "affected",
              "version": "2.43"
            },
            {
              "status": "affected",
              "version": "2.44"
            },
            {
              "status": "affected",
              "version": "2.45"
            },
            {
              "status": "affected",
              "version": "2.46"
            },
            {
              "status": "affected",
              "version": "2.47"
            },
            {
              "status": "affected",
              "version": "2.48"
            },
            {
              "status": "affected",
              "version": "2.49"
            },
            {
              "status": "affected",
              "version": "2.50"
            },
            {
              "status": "affected",
              "version": "2.51"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in Delta Electronics WPLSoft up to 2.51 and classified as problematic. This issue affects some unknown processing of the component Modbus Data Packet Handler. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-241583. NOTE: The vendor was contacted early about this disclosure but did not respond in any way."
        },
        {
          "lang": "de",
          "value": "Eine problematische Schwachstelle wurde in Delta Electronics WPLSoft bis 2.51 gefunden. Betroffen davon ist ein unbekannter Prozess der Komponente Modbus Data Packet Handler. Dank Manipulation mit unbekannten Daten kann eine heap-based buffer overflow-Schwachstelle ausgenutzt werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 2.7,
            "vectorString": "AV:A/AC:L/Au:S/C:N/I:N/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-09T19:00:07.910Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.241583"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.241583"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://drive.google.com/drive/folders/1oYxs_KxK4Ftd7OsexGk6upkxhJ3-m8M3"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-10-09T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-10-09T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-10-09T15:51:41.000Z",
          "value": "VulDB last update"
        }
      ],
      "title": "Delta Electronics WPLSoft Modbus Data Packet heap-based overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-5460",
    "datePublished": "2023-10-09T19:00:07.910Z",
    "dateReserved": "2023-10-09T13:46:25.782Z",
    "dateUpdated": "2024-08-02T07:59:44.643Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5404 (GCVE-0-2023-5404)

Vulnerability from cvelistv5 – Published: 2024-04-17 16:44 – Updated: 2024-08-02 07:59
VLAI
Summary
Server receiving a malformed message can cause a pointer to be overwritten which can result in a remote code execution or failure. See Honeywell Security Notification for recommendations on upgrading and versioning.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 510.1 , ≤ 510.2 HF13 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Affected: 511.1 , ≤ 511.5 TCU4 HF3 (semver)
Create a notification for this product.
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 511.1 , ≤ 511.5 TCU4 HF3 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Create a notification for this product.
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Affected: 520.2 TCU4 HFR2 , ≤ 511.5 TCU4 HF3 (semver)
Create a notification for this product.
honeywell experion_server Affected: 520.2, 510.1, 520.1, 511.1, 520.2, 511.1
    cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "experion_server",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "520.2, 510.1, 520.1, 511.1, 520.2, 511.1"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5404",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-09T18:36:32.635602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:28:37.686Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.850Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://process.honeywell.com"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Experion PKS"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "changes": [
                {
                  "at": "520.2 TCU4 HF1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "510.2 HF14",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "510.2 HF13",
              "status": "affected",
              "version": "510.1",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "520.1 TCU5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "511.5 TCU4 HF4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "511.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Experion LX"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "changes": [
                {
                  "at": "520.2 TCU4 HF2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "511.5 TCU4 HF4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "511.1",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "520.1 TCU5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "PlantCruise by Experion"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "changes": [
                {
                  "at": "520.2 TCU4 HF2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "520.1 TCU5",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            },
            {
              "changes": [
                {
                  "at": "511.5 TCU4 HF4",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "520.2 TCU4 HFR2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server receiving a malformed message can cause a pointer to be overwritten which can result in a remote code execution or failure.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSee Honeywell Security Notification for recommendations on upgrading and versioning.\u003c/span\u003e"
            }
          ],
          "value": "Server receiving a malformed message can cause a pointer to be overwritten which can result in a remote code execution or failure.\u00a0See Honeywell Security Notification for recommendations on upgrading and versioning."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-09T19:55:07.106Z",
        "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
        "shortName": "Honeywell"
      },
      "references": [
        {
          "url": "https://process.honeywell.com"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
    "assignerShortName": "Honeywell",
    "cveId": "CVE-2023-5404",
    "datePublished": "2024-04-17T16:44:37.703Z",
    "dateReserved": "2023-10-04T17:50:53.624Z",
    "dateUpdated": "2024-08-02T07:59:44.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5400 (GCVE-0-2023-5400)

Vulnerability from cvelistv5 – Published: 2024-04-17 16:41 – Updated: 2024-08-02 07:59
VLAI
Summary
Server receiving a malformed message based on a using the specified key values can cause a heap overflow vulnerability which could lead to an attacker performing remote code execution or causing a failure.  See Honeywell Security Notification for recommendations on upgrading and versioning.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 510.1 , ≤ 510.2 HF13 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Affected: 511.1 , ≤ 511.5 TCU4 HF3 (semver)
Create a notification for this product.
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 511.1 , ≤ 511.5 TCU4 HF3 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Create a notification for this product.
Honeywell Experion Server Affected: 520.2 , ≤ 520.2 TCU4 (semver)
Affected: 520.1 , ≤ 520.1 TCU4 (semver)
Affected: 520.2 TCU4 HFR2 , ≤ 511.5 TCU4 HF3 (semver)
Create a notification for this product.
honeywell experion_server Affected: *
    cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "experion_server",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "experion_server",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "experion_server",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:honeywell:experion_server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "experion_server",
            "vendor": "honeywell",
            "versions": [
              {
                "status": "affected",
                "version": "*"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5400",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-25T19:39:14.509795Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:28:46.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:59:44.742Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://process.honeywell.com"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Experion PKS"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "510.2 HF13",
              "status": "affected",
              "version": "510.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "511.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Experion LX"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "511.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "PlantCruise by Experion"
          ],
          "product": "Experion Server",
          "vendor": "Honeywell",
          "versions": [
            {
              "lessThanOrEqual": "520.2 TCU4",
              "status": "affected",
              "version": "520.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "520.1 TCU4",
              "status": "affected",
              "version": "520.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "511.5 TCU4 HF3",
              "status": "affected",
              "version": "520.2 TCU4 HFR2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Server receiving a malformed message based on a using the specified key values can cause a heap overflow vulnerability which could lead to an attacker performing remote code execution or causing a failure.\u0026nbsp;\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSee Honeywell Security Notification for recommendations on upgrading and versioning.\u003c/span\u003e\n\n"
            }
          ],
          "value": "Server receiving a malformed message based on a using the specified key values can cause a heap overflow vulnerability which could lead to an attacker performing remote code execution or causing a failure.\u00a0\nSee Honeywell Security Notification for recommendations on upgrading and versioning.\n\n"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-47",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-47"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-25T16:58:40.848Z",
        "orgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
        "shortName": "Honeywell"
      },
      "references": [
        {
          "url": "https://process.honeywell.com"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0dc86260-d7e3-4e81-ba06-3508e030ce8d",
    "assignerShortName": "Honeywell",
    "cveId": "CVE-2023-5400",
    "datePublished": "2024-04-17T16:41:10.932Z",
    "dateReserved": "2023-10-04T17:50:51.561Z",
    "dateUpdated": "2024-08-02T07:59:44.742Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-5344 (GCVE-0-2023-5344)

Vulnerability from cvelistv5 – Published: 2023-10-02 19:20 – Updated: 2025-11-03 20:36
VLAI

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:36:21.333Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/530cb762-899e-48d7-b50e-dad09eb775bf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4W665GQBN6S6ZDMYWVF4X7KMFI7AQKJL/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOXBUJLJ5VSPN3YXWN7XZA4JDYKNE7GZ/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT214038"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT214036"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT214037"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Dec/9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Dec/10"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Dec/11"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5344",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-18T13:55:14.458978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-18T13:55:58.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim/vim",
          "vendor": "vim",
          "versions": [
            {
              "lessThan": "9.0.1969",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-13T01:06:48.315Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/530cb762-899e-48d7-b50e-dad09eb775bf"
        },
        {
          "url": "https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4W665GQBN6S6ZDMYWVF4X7KMFI7AQKJL/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOXBUJLJ5VSPN3YXWN7XZA4JDYKNE7GZ/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/"
        },
        {
          "url": "https://support.apple.com/kb/HT214038"
        },
        {
          "url": "https://support.apple.com/kb/HT214036"
        },
        {
          "url": "https://support.apple.com/kb/HT214037"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Dec/9"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Dec/10"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Dec/11"
        }
      ],
      "source": {
        "advisory": "530cb762-899e-48d7-b50e-dad09eb775bf",
        "discovery": "EXTERNAL"
      },
      "title": "Heap-based Buffer Overflow in vim/vim"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-5344",
    "datePublished": "2023-10-02T19:20:30.352Z",
    "dateReserved": "2023-10-02T19:20:20.807Z",
    "dateUpdated": "2025-11-03T20:36:21.333Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4911 (GCVE-0-2023-4911)

Vulnerability from cvelistv5 – Published: 2023-10-03 17:25 – Updated: 2026-07-14 11:59
VLAI
Title
Glibc: buffer overflow in ld.so leading to privilege escalation
Summary
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
SSVC
Exploitation: active Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
URL Tags
https://access.redhat.com/errata/RHSA-2023:5453 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5454 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5455 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5476 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0033 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-4911 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2238352 issue-trackingx_refsource_REDHAT
https://www.qualys.com/2023/10/03/cve-2023-4911/l…
https://www.qualys.com/cve-2023-4911/
https://www.exploit-db.com/exploits/52479
http://packetstormsecurity.com/files/174986/glibc… x_transferred
http://packetstormsecurity.com/files/176288/Glibc… x_transferred
http://seclists.org/fulldisclosure/2023/Oct/11 x_transferred
http://www.openwall.com/lists/oss-security/2023/10/03/2 x_transferred
http://www.openwall.com/lists/oss-security/2023/10/03/3 x_transferred
http://www.openwall.com/lists/oss-security/2023/10/05/1 x_transferred
http://www.openwall.com/lists/oss-security/2023/1… x_transferred
http://www.openwall.com/lists/oss-security/2023/10/14/3 x_transferred
http://www.openwall.com/lists/oss-security/2023/10/14/5 x_transferred
http://www.openwall.com/lists/oss-security/2023/10/14/6 x_transferred
https://lists.fedoraproject.org/archives/list/pac… x_transferred
https://lists.fedoraproject.org/archives/list/pac… x_transferred
https://lists.fedoraproject.org/archives/list/pac… x_transferred
https://security.gentoo.org/glsa/202310-03 x_transferred
https://security.netapp.com/advisory/ntap-2023101… x_transferred
https://www.debian.org/security/2023/dsa-5514 x_transferred
https://www.cisa.gov/known-exploited-vulnerabilit… government-resource
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…
https://cert-portal.siemens.com/productcert/html/…
Impacted products
Vendor Product Version
Affected: 2.34 , < 2.39 (custom)
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:2.28-225.el8_8.6 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8::appstream
    cpe:/o:redhat:enterprise_linux:8::baseos
    cpe:/a:redhat:enterprise_linux:8::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Unaffected: 0:2.28-189.6.el8_6 , < * (rpm)
    cpe:/o:redhat:rhel_eus:8.6::baseos
    cpe:/a:redhat:rhel_eus:8.6::appstream
    cpe:/o:redhat:rhev_hypervisor:4.4::el8
    cpe:/a:redhat:rhel_eus:8.6::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:2.34-60.el9_2.7 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9::appstream
    cpe:/a:redhat:enterprise_linux:9::crb
    cpe:/o:redhat:enterprise_linux:9::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.0 Extended Update Support Unaffected: 0:2.34-28.el9_0.4 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.0::appstream
    cpe:/o:redhat:rhel_eus:9.0::baseos
    cpe:/a:redhat:rhel_eus:9.0::crb
Create a notification for this product.
Red Hat Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Unaffected: 0:2.28-189.6.el8_6 , < * (rpm)
    cpe:/o:redhat:rhel_eus:8.6::baseos
    cpe:/a:redhat:rhel_eus:8.6::appstream
    cpe:/o:redhat:rhev_hypervisor:4.4::el8
    cpe:/a:redhat:rhel_eus:8.6::crb
Create a notification for this product.
Red Hat Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Unaffected: 0:4.5.3-10.el8ev , < * (rpm)
    cpe:/o:redhat:rhev_hypervisor:4.4::el8
Create a notification for this product.
Red Hat Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Unaffected: 0:4.5.3-202312060823_8.6 , < * (rpm)
    cpe:/o:redhat:rhev_hypervisor:4.4::el8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Siemens SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Siemens SIPLUS S7-1500 CPU 1518-4 PN/DP MFP Affected: V3.1.5 , < * (custom)
Create a notification for this product.
Date Public
2023-10-03 17:00
Credits
Red Hat would like to thank Qualys Research Labs for reporting this issue.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-02-13T17:01:57.799Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.exploit-db.com/exploits/52479"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/03/2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/03/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/05/1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/13/11"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/14/3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/14/5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2023/10/14/6"
          },
          {
            "name": "RHSA-2023:5453",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5453"
          },
          {
            "name": "RHSA-2023:5454",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5454"
          },
          {
            "name": "RHSA-2023:5455",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5455"
          },
          {
            "name": "RHSA-2023:5476",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2023:5476"
          },
          {
            "name": "RHSA-2024:0033",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:0033"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4911"
          },
          {
            "name": "RHBZ#2238352",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202310-03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231013-0006/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5514"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.qualys.com/cve-2023-4911/"
          }
        ],
        "title": "CVE Program Container",
        "x_generator": {
          "engine": "ADPogram 0.0.1"
        }
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4911",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-15T19:45:35.724824Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-11-21",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4911"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:05:35.687Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-4911"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2023-11-21T00:00:00.000Z",
            "value": "CVE-2023-4911 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          },
          {
            "defaultStatus": "unknown",
            "product": "SIPLUS S7-1500 CPU 1518-4 PN/DP MFP",
            "vendor": "Siemens",
            "versions": [
              {
                "lessThan": "*",
                "status": "affected",
                "version": "V3.1.5",
                "versionType": "custom"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-14T11:59:00.527Z",
          "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
          "shortName": "siemens-SADP"
        },
        "references": [
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-831302.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-794697.html"
          },
          {
            "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
          }
        ],
        "x_adpType": "supplier"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://sourceware.org/git/glibc.git",
          "defaultStatus": "unaffected",
          "packageName": "glibc",
          "versions": [
            {
              "lessThan": "2.39",
              "status": "affected",
              "version": "2.34",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream",
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.28-225.el8_8.6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:8::appstream",
            "cpe:/o:redhat:enterprise_linux:8::baseos",
            "cpe:/a:redhat:enterprise_linux:8::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.28-225.el8_8.6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.6::baseos",
            "cpe:/a:redhat:rhel_eus:8.6::appstream",
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
            "cpe:/a:redhat:rhel_eus:8.6::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.28-189.6.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/a:redhat:enterprise_linux:9::crb",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.34-60.el9_2.7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream",
            "cpe:/a:redhat:enterprise_linux:9::crb",
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.34-60.el9_2.7",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:rhel_eus:9.0::appstream",
            "cpe:/o:redhat:rhel_eus:9.0::baseos",
            "cpe:/a:redhat:rhel_eus:9.0::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 9.0 Extended Update Support",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.34-28.el9_0.4",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhel_eus:8.6::baseos",
            "cpe:/a:redhat:rhel_eus:8.6::appstream",
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
            "cpe:/a:redhat:rhel_eus:8.6::crb"
          ],
          "defaultStatus": "affected",
          "packageName": "glibc",
          "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:2.28-189.6.el8_6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-release-virtualization-host",
          "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.5.3-10.el8ev",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:rhev_hypervisor:4.4::el8"
          ],
          "defaultStatus": "affected",
          "packageName": "redhat-virtualization-host",
          "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "0:4.5.3-202312060823_8.6",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "compat-glibc",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "glibc",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Red Hat would like to thank Qualys Research Labs for reporting this issue."
        }
      ],
      "datePublic": "2023-10-03T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A buffer overflow was discovered in the GNU C Library\u0027s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-05T17:25:54.427Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2023:5453",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5453"
        },
        {
          "name": "RHSA-2023:5454",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5454"
        },
        {
          "name": "RHSA-2023:5455",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5455"
        },
        {
          "name": "RHSA-2023:5476",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2023:5476"
        },
        {
          "name": "RHSA-2024:0033",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:0033"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4911"
        },
        {
          "name": "RHBZ#2238352",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"
        },
        {
          "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"
        },
        {
          "url": "https://www.qualys.com/cve-2023-4911/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-09-04T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-10-03T17:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Glibc: buffer overflow in ld.so leading to privilege escalation",
      "workarounds": [
        {
          "lang": "en",
          "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps.  When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately.  To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \n\nNote that these mitigation steps will need to be repeated if the system is rebooted.\n\n1)    Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n\n\n2)    Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n    ~~~\nfunction has_tunable_string:long()\n{\n  name = \"GLIBC_TUNABLES\"\n\n  mm = @task(task_current())-\u003emm;\n  if (mm)\n    {\n      env_start = @mm(mm)-\u003eenv_start;\n      env_end = @mm(mm)-\u003eenv_end;\n\n      if (env_start != 0 \u0026\u0026 env_end != 0)\n        while (env_end \u003e env_start)\n          {\n            cur = user_string(env_start, \"\");\n            env_name = tokenize(cur, \"=\");\n      \n            if (env_name == name \u0026\u0026 tokenize(\"\", \"\") != \"\")\n              return 1;\n            env_start += strlen (cur) + 1\n          }\n    }\n\n  return 0;\n}\n\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\n  atsecure = 0;\n  /* Skip processing if we can\u0027t read __libc_enable_secure, e.g. core dump\n     handler (systemd-cgroups-agent and systemd-coredump).  */\n  try { atsecure = @var(\"__libc_enable_secure\"); }\n  catch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\n  if (atsecure \u0026\u0026 has_tunable_string ())\n    raise (9);\n}\n~~~\n\n3) Load the systemtap module into the running kernel:\n    ~~~\n    stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n    ~~~\n\n4) Ensure the module is loaded:\n    ~~~\n     lsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables     249856  0\n~~~\n\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n    ~~~\n    rmmod stap_block_suid_tunables\n    ~~~\n\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel\u0027s keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4911",
    "datePublished": "2023-10-03T17:25:08.434Z",
    "dateReserved": "2023-09-12T13:10:32.495Z",
    "dateUpdated": "2026-07-14T11:59:00.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4781 (GCVE-0-2023-4781)

Vulnerability from cvelistv5 – Published: 2023-09-05 18:32 – Updated: 2026-06-23 17:19
VLAI
Title
Heap-based Buffer Overflow in vim/vim
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Vendor Product Version
vim vim/vim Affected: unspecified , < 9.0.1873 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:36:09.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213984"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4781",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-03T19:18:08.260782Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:19:10.527Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim/vim",
          "vendor": "vim",
          "versions": [
            {
              "lessThan": "9.0.1873",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-25T19:07:18.216Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883"
        },
        {
          "url": "https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00035.html"
        },
        {
          "url": "https://support.apple.com/kb/HT213984"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
        }
      ],
      "source": {
        "advisory": "c867eb0a-aa8b-4946-a621-510350673883",
        "discovery": "EXTERNAL"
      },
      "title": "Heap-based Buffer Overflow in vim/vim"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-4781",
    "datePublished": "2023-09-05T18:32:30.859Z",
    "dateReserved": "2023-09-05T18:32:20.319Z",
    "dateUpdated": "2026-06-23T17:19:10.527Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4751 (GCVE-0-2023-4751)

Vulnerability from cvelistv5 – Published: 2023-09-03 18:54 – Updated: 2025-02-13 17:18
VLAI
Title
Heap-based Buffer Overflow in vim/vim
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Vendor Product Version
vim vim/vim Affected: unspecified , < 9.0.1331 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:38:00.594Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/db7be8d6-6cb7-4ae5-9c4e-805423afa378"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/vim/vim/commit/e1121b139480f53d1b06f84f3e4574048108fa0b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213984"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4751",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-05T16:57:55.979341Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-12-03T14:59:04.202Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim/vim",
          "vendor": "vim",
          "versions": [
            {
              "lessThan": "9.0.1331",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1331."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-25T19:07:39.408Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/db7be8d6-6cb7-4ae5-9c4e-805423afa378"
        },
        {
          "url": "https://github.com/vim/vim/commit/e1121b139480f53d1b06f84f3e4574048108fa0b"
        },
        {
          "url": "https://support.apple.com/kb/HT213984"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
        }
      ],
      "source": {
        "advisory": "db7be8d6-6cb7-4ae5-9c4e-805423afa378",
        "discovery": "EXTERNAL"
      },
      "title": "Heap-based Buffer Overflow in vim/vim"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-4751",
    "datePublished": "2023-09-03T18:54:47.173Z",
    "dateReserved": "2023-09-03T18:54:37.128Z",
    "dateUpdated": "2025-02-13T17:18:02.214Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-4738 (GCVE-0-2023-4738)

Vulnerability from cvelistv5 – Published: 2023-09-02 19:39 – Updated: 2025-11-03 20:36
VLAI
Title
Heap-based Buffer Overflow in vim/vim
Summary
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Vendor Product Version
vim vim/vim Affected: unspecified , < 9.0.1848 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:36:03.988Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.apple.com/kb/HT213984"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4738",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-25T14:31:27.533912Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-25T14:32:31.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim/vim",
          "vendor": "vim",
          "versions": [
            {
              "lessThan": "9.0.1848",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-25T19:07:06.758Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612"
        },
        {
          "url": "https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1"
        },
        {
          "url": "https://support.apple.com/kb/HT213984"
        },
        {
          "url": "http://seclists.org/fulldisclosure/2023/Oct/24"
        }
      ],
      "source": {
        "advisory": "9fc7dced-a7bb-4479-9718-f956df20f612",
        "discovery": "EXTERNAL"
      },
      "title": "Heap-based Buffer Overflow in vim/vim"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-4738",
    "datePublished": "2023-09-02T19:39:14.290Z",
    "dateReserved": "2023-09-02T19:39:04.775Z",
    "dateUpdated": "2025-11-03T20:36:03.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-4692 (GCVE-0-2023-4692)

Vulnerability from cvelistv5 – Published: 2023-10-25 10:27 – Updated: 2025-11-07 00:30
VLAI
Title
Grub2: out-of-bounds write at fs/ntfs.c may lead to unsigned code execution
Summary
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Vendor Product Version
Unaffected: 2.12 , < * (custom)
Red Hat Red Hat Enterprise Linux 8 Unaffected: 1:2.02-156.el8 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 1:2.06-77.el9 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:9::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Date Public
2023-10-03 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T19:25:43.776Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2024:2456",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:2456"
          },
          {
            "name": "RHSA-2024:3184",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2024:3184"
          },
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2023-4692"
          },
          {
            "name": "RHBZ#2236613",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236613"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUU42E7CPYLATXOYVYNW6YTXXULAOV6L/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRJ5UZRXX2KLR4IKBJEQUNGOCXMMDLY/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PERFILCHFEUGG3OAMC6W55P6DDIBZK4Q/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://seclists.org/oss-sec/2023/q4/37"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202311-14"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231208-0002/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-4692",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-15T14:23:06.893381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-17T17:19:59.141Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://git.savannah.gnu.org/git/grub.git/",
          "packageName": "grub",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "2.12",
              "versionType": "custom"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.02-156.el8",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9::baseos"
          ],
          "defaultStatus": "affected",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "1:2.06-77.el9",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unknown",
          "packageName": "grub2",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2023-10-03T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "An out-of-bounds write flaw was found in grub2\u0027s NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub\u0027s heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Low"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-07T00:30:50.177Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2024:2456",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:2456"
        },
        {
          "name": "RHSA-2024:3184",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2024:3184"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2023-4692"
        },
        {
          "name": "RHBZ#2236613",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236613"
        },
        {
          "url": "https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/"
        },
        {
          "url": "https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html"
        },
        {
          "url": "https://seclists.org/oss-sec/2023/q4/37"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-08-31T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2023-10-03T00:00:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Grub2: out-of-bounds write at fs/ntfs.c may lead to unsigned code execution",
      "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2023-4692",
    "datePublished": "2023-10-25T10:27:29.173Z",
    "dateReserved": "2023-08-31T21:53:09.692Z",
    "dateUpdated": "2025-11-07T00:30:50.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Pre-design: Use a language or compiler that performs automatic bounds checking.

Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Strategy: Libraries or Frameworks

Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.

Mitigation
Operation

Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.