CVE-2015-7547
critical-risk
Published 2016-02-18
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
Do I need to act?
!
94.0% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10
High
NETWORK
/ HIGH complexity
Affected Products (20)
References (150)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00037.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00038.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00039.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00042.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00043.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00044.html
and 130 more references
79
/ 100
critical-risk
Severity
24/34 · High
Exploitability
27/34 · High
Exposure
28/34 · Critical