CVE-2021-43396

moderate-risk
Published 2021-11-04

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.

Do I need to act?

-
0.60% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (10)

Enterprise Operations Monitor
Enterprise Operations Monitor
Enterprise Operations Monitor

Affected Vendors

Gnu Oracle

References (8)

Exploit https://blog.tuxcare.com/vulnerability/vulnerability-in-iconv-identified-by-tuxc...
Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=28524
https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff012870b2c02a62598c04daa...
Patch https://www.oracle.com/security-alerts/cpujul2022.html
Exploit https://blog.tuxcare.com/vulnerability/vulnerability-in-iconv-identified-by-tuxc...
Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=28524
https://sourceware.org/git/?p=glibc.git%3Ba=commit%3Bh=ff012870b2c02a62598c04daa...
Patch https://www.oracle.com/security-alerts/cpujul2022.html
44
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 16/34 · Moderate