CVE-2017-11671

MEDIUM

GCC <5.5-6.4 - Info Disclosure

Title source: llm

Description

Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) versions 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.

Scores

CVSS v3 4.0
EPSS 0.0010
EPSS Percentile 28.0%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-338
Status published
Products (14)
gnu/gcc
Published Jul 26, 2017
Tracked Since Feb 18, 2026