CVE-2023-4039

Published: 13/09/2023 Updated: 19/02/2024
CVSS v3 Base Score: 4.8 | Impact Score: 2.5 | Exploitability Score: 2.2
VMScore: 0

Vulnerability Summary

**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows a malicious user to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
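The two affected kinds of local variable beside the unaffected one, as an added example (not code from the advisory or the GCC project): every copy is bounded by an explicit length check, so there is no overflow for a missing canary check to let through. `MAX_FIELD`, the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <alloca.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 128u  /* constructed upper bound, not from the advisory */

static int sum(const unsigned char *p, size_t n) {
    int s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Statically-sized local: the class the summary says is protected as intended. */
int sum_fixed(const unsigned char *src, size_t len) {
    unsigned char buf[MAX_FIELD];
    if (len > sizeof buf) return -1;          /* reject before copying */
    memcpy(buf, src, len);
    return sum(buf, len);
}

/* C99 dynamically-sized local (VLA): in the affected class on AArch64.
 * cap sizes the buffer, len is the amount copied; both are checked. */
int sum_vla(const unsigned char *src, size_t cap, size_t len) {
    if (cap == 0 || cap > MAX_FIELD || len > cap) return -1;
    unsigned char buf[cap];
    memcpy(buf, src, len);
    return sum(buf, len);
}

/* alloca(): also in the affected class; same checks as the VLA form. */
int sum_alloca(const unsigned char *src, size_t cap, size_t len) {
    if (cap == 0 || cap > MAX_FIELD || len > cap) return -1;
    unsigned char *buf = alloca(cap);
    memcpy(buf, src, len);
    return sum(buf, len);
}

int main(void) {
    const unsigned char msg[4] = {1, 2, 3, 4};  /* constructed sample input */
    printf("in bounds: %d %d\n", sum_vla(msg, 8, 4), sum_alloca(msg, 8, 4));
    printf("len > cap: %d %d\n", sum_vla(msg, 4, 5), sum_alloca(msg, 4, 5));
    return 0;
}
```

GCC's `-Wvla` and `-Walloca` warnings report each use of these two constructs, which helps locate functions in the affected class.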

Vulnerable Product

gnu gcc

Vendor Advisories

An issue was found in a defense in depth feature of the GCC compiler on aarch64 platforms. The stack protector feature (-fstack-protector) did not detect or defend against overflows of dynamically-sized local variables. This update to the GCC compiler remedies code generation for this defense in depth feature, ensuring it is working as intended. Cu ...
Description: A vulnerability was found in GCC. The GCC's stack protection feature, enabled with the flag -fstack-protector, aims to detect buffer overflows in C/C++ function local variables that might allow an attacker to overwrite saved registers on the stack. If an attacker can modify saved register values, it may be possible for them to sub ...