DEBIAN-CVE-2023-4806

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2023-4806

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-4806.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-4806

Upstream

CVE-2023-4806

Published

2023-09-18T17:15:55Z

Modified

2025-09-19T07:33:29.963399Z

Summary

[none]

Details

A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nss_gethostbyname2_r and _nss_getcanonnamer hooks without implementing the nss*gethostbyname3r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AFINET6 address family with AICANONNAME, AIALL and AIV4MAPPED as flags.

References

https://security-tracker.debian.org/tracker/CVE-2023-4806

Affected packages

Debian:12 / glibc

Package

Name: glibc
Purl: pkg:deb/debian/glibc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.36-9+deb12u3

Affected versions

2.*

2.36-9

2.36-9+deb12u1

2.36-9+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / glibc

Package

Name: glibc
Purl: pkg:deb/debian/glibc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.37-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:14 / glibc

Package

Name: glibc
Purl: pkg:deb/debian/glibc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.37-10

Ecosystem specific

{
    "urgency": "not yet assigned"
}