CVE-2023-24056
MEDIUMpkgconf < 1.9.3 - Out-of-bounds Write via Tuple Parsing
Title source: llmDescription
In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred bytes can expand to one billion bytes.
References (3)
Core 3
Core References
Patch, Third Party Advisory
https://gitea.treehouse.systems/ariadne/pkgconf/commit/628b2b2bafa5d3a2017193ddf375093e70666059
Release Notes, Third Party Advisory
https://github.com/pkgconf/pkgconf/tags
Exploit, Third Party Advisory
https://nullprogram.com/blog/2023/01/18/
Scores
CVSS v3
5.5
EPSS
0.0052
EPSS Percentile
40.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-787
Status
published
Products (1)
pkgconf/pkgconf
< 1.9.3
Published
Jan 22, 2023
Tracked Since
Feb 18, 2026