CVE-2023-4813

Summary

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 80:2.28-225.el8_8.6 < *unaffected
Red HatRed Hat Enterprise Linux 80:2.28-225.el8_8.6 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support0:2.28-189.8.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.34-100.el9 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.34-60.el9_2.7 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.34-100.el9 < *unaffected
Red HatRed Hat Enterprise Linux 90:2.34-60.el9_2.7 < *unaffected
Red HatRed Hat Virtualization 4 for Red Hat Enterprise Linux 80:2.28-189.8.el8_6 < *unaffected

Weaknesses

  • CWE-416: Use After Free

Workarounds

Removing the "SUCCESS=continue" or "SUCCESS=merge" configuration from the hosts database in /etc/nsswitch.conf will mitigate this vulnerability.

Note that, these options are not supported by the hosts database, if they were working before it was because of this bug.

ADP Enrichment

CVE Program Container

Additional References

References