CVE-2019-7309

low-risk

Published 2019-02-03

In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.

Do I need to act?

0.22% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Glibc

Affected Vendors

Gnu

References (8)

Third Party Advisory http://www.securityfocus.com/bid/106835

https://security.gentoo.org/glsa/202006-04

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=24155

Mailing List https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html

Third Party Advisory http://www.securityfocus.com/bid/106835

https://security.gentoo.org/glsa/202006-04

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=24155

Mailing List https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal