CVE-2017-8804

HIGH

GNU Glibc - Insecure Deserialization

Title source: rule

Description

The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779. NOTE: [Information provided from upstream and references

References (11)

[Patch] https://sourceware.org/legacy-ml/libc-alpha/2017-05/msg00128.html

[Patch] https://sourceware.org/legacy-ml/libc-alpha/2017-05/msg00129.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00026.html

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2017/05/05/2

[Broken Link] http://www.securityfocus.com/bid/98339

[Issue Tracking, Patch] https://bugzilla.suse.com/show_bug.cgi?id=1037559#c7

[Mailing List] https://seclists.org/oss-sec/2017/q2/228

[Issue Tracking, Patch] https://sourceware.org/bugzilla/show_bug.cgi?id=21461

[Issue Tracking, Patch] https://sourceware.org/ml/libc-alpha/2017-05/msg00105.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00039.html

[Mailing List] http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00049.html

Scores

CVSS v3 7.5

EPSS 0.0376

EPSS Percentile 87.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-502

Status draft

Affected Products (1)

gnu/glibc

Timeline

Published May 07, 2017

Tracked Since Feb 18, 2026