CVE-2022-23218

moderate-risk

Published 2022-01-14

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Do I need to act?

0.38% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Glibc

Communications Cloud Native Core Unified Data Repository

Enterprise Operations Monitor

Debian Linux

Affected Vendors

Debian Gnu Oracle

References (8)

Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html

Third Party Advisory https://security.gentoo.org/glsa/202208-24

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Patch https://www.oracle.com/security-alerts/cpujul2022.html

Mailing List https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html

Third Party Advisory https://security.gentoo.org/glsa/202208-24

Exploit https://sourceware.org/bugzilla/show_bug.cgi?id=28768

Patch https://www.oracle.com/security-alerts/cpujul2022.html

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 1/34 · Minimal

Exposure 13/34 · Low