CVE-2023-6246
high-risk
Published 2024-01-31
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
Do I need to act?
!
25.5% chance of exploitation in next 30 days
EPSS score — higher than 75% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.4/10
High
LOCAL
/ LOW complexity
Affected Vendors
References (24)
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-6246
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2249053
Third Party Advisory
https://security.gentoo.org/glsa/202402-01
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-6246
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2249053
and 4 more references
50
/ 100
high-risk
Severity
26/34 · High
Exploitability
15/34 · Moderate
Exposure
9/34 · Low