AZL-29954

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-29954.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-29954

Upstream

CVE-2023-4806

Published

2023-09-18T17:15:55Z

Modified

2026-04-01T05:09:52.699247Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

CVE-2023-4806 affecting package glibc for versions less than 2.35-6

Details

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nssgethostbyname2r and nssgetcanonnamer hooks without implementing the nss*gethostbyname3r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AFINET6 address family with AICANONNAME, AIALL and AIV4MAPPED as flags.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-4806

Affected packages

Azure Linux:2 / glibc

Package

Name: glibc
Purl: pkg:rpm/azure-linux/glibc

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.35-6

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-29954.json"