Description
In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the most significant bit of RDX, the register carrying the length argument, is mishandled. On x32 the length is a 32-bit size_t but arrives in the 64-bit RDX register, and the affected implementation's handling of that register's top bit can make two differing inputs compare as equal. The record rates the impact as local and availability-only (CVSS C:N/I:N/A:H); what a wrong equality result means in practice depends on how the calling code uses memcmp. The upstream fix is tracked in sourceware bug 24155 and was discussed on libc-alpha (see references); the Gentoo advisory covers the distribution side.
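A quick exposure check a practitioner can run on a host, as an added example that is not part of this record or of glibc. It applies the affected range the record states (glibc through 2.29) to the version string glibc reports, and identifies the x32 ABI by the one property that distinguishes it (x86_64 machine with 32-bit pointers). The sample `ldd --version` lines are constructed; the function names, the result labels, and the use of `platform.libc_ver()` for the live check are this example's own choices.

```python
"""Exposure check for CVE-2019-7309 (x32 glibc memcmp, glibc through 2.29).

Added example, not code from glibc or from the vulnerability record. It checks
the calling process's own ABI and libc version; a 64-bit process on a host that
also ships an x32 libc will not see that library.
"""
import re
import sys
import platform

# Affected range as stated in the record: "through 2.29" (2.30 and later are outside it).
LAST_AFFECTED = (2, 29)

# Constructed examples of the first line of `ldd --version` on a few systems.
SAMPLE_LDD_OUTPUTS = {
    "debian-2.28": "ldd (Debian GLIBC 2.28-10) 2.28\nCopyright (C) 2018 Free Software Foundation, Inc.",
    "upstream-2.29": "ldd (GNU libc) 2.29",
    "upstream-2.30": "ldd (GNU libc) 2.30",
}


def parse_glibc_version(text):
    """Return (major, minor) from a glibc version report, or None.

    Accepts the first line of `ldd --version` ('ldd (GNU libc) 2.28',
    'ldd (Debian GLIBC 2.28-10) 2.28') and bare strings such as '2.29' or
    '2.29.9000'; the version is the last dotted number on the first line.
    """
    lines = text.strip().splitlines()
    if not lines:
        return None
    m = re.search(r'(\d+)\.(\d+)(?:\.\d+)?\s*$', lines[0])
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def version_in_affected_range(version):
    """True when (major, minor) falls inside the record's 'through 2.29' range."""
    return version <= LAST_AFFECTED


def is_x32_process(machine, pointer_bits):
    """The x32 ABI is x86-64 code with 32-bit pointers; that pair identifies it.
    Plain x86-64 (64-bit pointers) and i386 (machine != x86_64) are out of scope."""
    return machine == "x86_64" and pointer_bits == 32


def assess(ldd_output, machine, pointer_bits):
    """Classify a host: 'not-x32', 'unknown-version', 'affected-range' or 'outside-range'.

    'affected-range' means the version alone does not rule the bug out; it does
    not see distribution backports, so confirm against the vendor advisory.
    """
    if not is_x32_process(machine, pointer_bits):
        return "not-x32"
    version = parse_glibc_version(ldd_output)
    if version is None:
        return "unknown-version"
    return "affected-range" if version_in_affected_range(version) else "outside-range"


if __name__ == "__main__":
    # Live check of this interpreter's own process: pointer width from sys.maxsize,
    # machine from platform, libc version from the running C library.
    pointer_bits = 64 if sys.maxsize > 2 ** 32 else 32
    _libc_name, libc_version = platform.libc_ver()
    print("this process:", assess(libc_version, platform.machine(), pointer_bits))
    for label, sample in SAMPLE_LDD_OUTPUTS.items():
        print(label, "as x32:", assess(sample, "x86_64", 32))
```

The version test is a screen, not a verdict: distributions backport fixes without bumping the version, so a host reported as `affected-range` should be confirmed against the vendor advisory (for Gentoo, the GLSA linked below) or against whether the fix from sourceware bug 24155 is present in the shipped package.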
References (4)
http://www.securityfocus.com/bid/106835 (Third Party Advisory, VDB Entry; x_refsource_bid)
https://sourceware.org/bugzilla/show_bug.cgi?id=24155 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)
https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html (Mailing List, Third Party Advisory; x_refsource_misc)
https://security.gentoo.org/glsa/202006-04 (Third Party Advisory, vendor advisory; x_refsource_gentoo)
Scores
CVSS v3: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H; Attack Vector: LOCAL)
EPSS: 0.0022 (percentile 44.1%)
Details
Status: published
Products (1): gnu/glibc <= 2.29 (the description covers versions through 2.29)
Published: Feb 03, 2019
Tracked Since: Feb 18, 2026