Glibc: buffer overflow in ld.so leading to privilege escalation

Summary

CVE	CVE-2023-4911
State	PUBLISHED
Assigner	redhat
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-10-03 18:15:10 UTC
Updated	2026-05-12 16:24:45 UTC
Description	A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Risk And Classification

Primary CVSS: v3.1 7.8 HIGH from [email protected]

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.715340000 probability, percentile 0.987490000 (date 2026-05-12)

CISA KEV: Listed on 2023-11-21; due 2023-12-12; ransomware use Unknown

Problem Types: CWE-122 | CWE-787 | CWE-122 Heap-based Buffer Overflow

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	[email protected]	Secondary	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`
3.1	CNA	CVSS	7.8	HIGH	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Vendor	GNU
Product	GNU C Library
Name	GNU C Library Buffer Overflow Vulnerability
Required Action	Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes	This vulnerability affects a common open-source component, third-party library, or a protocol used by different products. Please check with specific vendors for information on patching status. For more information, please see: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa, https://access.redhat.com/security/cve/cve-2023-4911, https://www.debian.org/security/2023/dsa-5514 ; https://nvd.nist.gov/vuln/detail/CVE-2023-4911

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	22.04	All	All	All
Operating System	Canonical	Ubuntu Linux	23.04	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Debian	Debian Linux	12.0	All	All	All
Operating System	Fedoraproject	Fedora	37	All	All	All
Operating System	Fedoraproject	Fedora	38	All	All	All
Operating System	Fedoraproject	Fedora	39	All	All	All
Application	Gnu	Glibc	All	All	All	All
Operating System	Netapp	Bootstrap Os	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410c	-	All	All	All
Operating System	Netapp	H410c Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Hardware	Netapp	Hci Compute Node	-	All	All	All
Application	Netapp	Ontap Select Deploy Administration Utility	-	All	All	All
Application	Redhat	Codeready Linux Builder	9.0	All	All	All
Application	Redhat	Codeready Linux Builder Eus	8.6	All	All	All
Application	Redhat	Codeready Linux Builder Eus	9.2	All	All	All
Application	Redhat	Codeready Linux Builder Eus	9.4	All	All	All
Application	Redhat	Codeready Linux Builder Eus	9.6	All	All	All
Application	Redhat	Codeready Linux Builder For Arm64	9.0_aarch64	All	All	All
Application	Redhat	Codeready Linux Builder For Arm64 Eus	8.6	All	All	All
Application	Redhat	Codeready Linux Builder For Arm64 Eus	9.2_aarch64	All	All	All
Application	Redhat	Codeready Linux Builder For Arm64 Eus	9.4_aarch64	All	All	All
Application	Redhat	Codeready Linux Builder For Arm64 Eus	9.6_aarch64	All	All	All
Application	Redhat	Codeready Linux Builder For Ibm Z Systems	9.0_s390x	All	All	All
Application	Redhat	Codeready Linux Builder For Ibm Z Systems Eus	8.6	All	All	All
Application	Redhat	Codeready Linux Builder For Ibm Z Systems Eus	9.2_s390x	All	All	All
Application	Redhat	Codeready Linux Builder For Ibm Z Systems Eus	9.4_s390x	All	All	All
Application	Redhat	Codeready Linux Builder For Ibm Z Systems Eus	9.6_s390x	All	All	All
Application	Redhat	Codeready Linux Builder For Power Little Endian	9.0_ppc64le	All	All	All
Application	Redhat	Codeready Linux Builder For Power Little Endian Eus	8.6	All	All	All
Application	Redhat	Codeready Linux Builder For Power Little Endian Eus	9.2_ppc64le	All	All	All
Application	Redhat	Codeready Linux Builder For Power Little Endian Eus	9.4_ppc64le	All	All	All
Application	Redhat	Codeready Linux Builder For Power Little Endian Eus	9.6_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	9.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Eus	9.2	All	All	All
Operating System	Redhat	Enterprise Linux Eus	9.4	All	All	All
Operating System	Redhat	Enterprise Linux Eus	9.6	All	All	All
Operating System	Redhat	Enterprise Linux For Arm 64	9.0_aarch64	All	All	All
Operating System	Redhat	Enterprise Linux For Arm 64 Eus	8.6_aarch64	All	All	All
Operating System	Redhat	Enterprise Linux For Arm 64 Eus	9.2_aarch64	All	All	All
Operating System	Redhat	Enterprise Linux For Arm 64 Eus	9.4_aarch64	All	All	All
Operating System	Redhat	Enterprise Linux For Arm 64 Eus	9.6_aarch64	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems	9.0_s390x	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	9.2_s390x	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	9.4_s390x	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	9.6_s390x	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus S390x	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Power Big Endian Eus	8.6_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian	9.0_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	9.2_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	9.4_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	9.6_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	9.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	9.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	9.6	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.2_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.4_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.6_ppc64le	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Update Services For Sap Solutions	9.2	All	All	All
Operating System	Redhat	Enterprise Linux Update Services For Sap Solutions	9.4	All	All	All
Operating System	Redhat	Enterprise Linux Update Services For Sap Solutions	9.6	All	All	All
Application	Redhat	Virtualization	4.0	All	All	All
Application	Redhat	Virtualization Host	4.0	All	All	All
Hardware	Siemens	Simatic S7-1500 Cpu 1518-4 Pn/dp Mfp	-	All	All	All
Operating System	Siemens	Simatic S7-1500 Cpu 1518-4 Pn/dp Mfp Firmware	All	All	All	All
Hardware	Siemens	Simatic S7-1500 Cpu 1518f-4 Pn/dp Mfp	-	All	All	All
Operating System	Siemens	Simatic S7-1500 Cpu 1518f-4 Pn/dp Mfp Firmware	All	All	All	All
Hardware	Siemens	Simatic S7-1500 Tm Mfp	-	All	All	All
Operating System	Siemens	Simatic S7-1500 Tm Mfp Firmware	All	All	All	All
Hardware	Siemens	Siplus S7-1500 Cpu 1518-4 Pn/dp Mfp	-	All	All	All
Operating System	Siemens	Siplus S7-1500 Cpu 1518-4 Pn/dp Mfp Firmware	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Red Hat	Red Hat Enterprise Linux 8	unaffected 0:2.28-225.el8_8.6 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 8	unaffected 0:2.28-225.el8_8.6 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 8.6 Extended Update Support	unaffected 0:2.28-189.6.el8_6 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 9	unaffected 0:2.34-60.el9_2.7 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 9	unaffected 0:2.34-60.el9_2.7 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 9.0 Extended Update Support	unaffected 0:2.34-28.el9_0.4 * rpm	Not specified
CNA	Red Hat	Red Hat Virtualization 4 For Red Hat Enterprise Linux 8	unaffected 0:2.28-189.6.el8_6 * rpm	Not specified
CNA	Red Hat	Red Hat Virtualization 4 For Red Hat Enterprise Linux 8	unaffected 0:4.5.3-10.el8ev * rpm	Not specified
CNA	Red Hat	Red Hat Virtualization 4 For Red Hat Enterprise Linux 8	unaffected 0:4.5.3-202312060823_8.6 * rpm	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 6	Not specified	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 7	Not specified	Not specified
CNA	Red Hat	Red Hat Enterprise Linux 7	Not specified	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP	affected V3.1.5 * custom	Not specified
ADP	Siemens	SIPLUS S7-1500 CPU 1518-4 PN/DP MFP	affected V3.1.5 * custom	Not specified

References

Reference	Source	Link	Tags
Red Hat	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
Red Hat	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
oss-security - Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
oss-security - Re: linux-distros list membership application - CIQ Rocky Linux Security Team	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
cert-portal.siemens.com/productcert/html/ssa-082556.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com	Third Party Advisory
glibc: Multiple vulnerabilities (GLSA 202310-03) — Gentoo security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Third Party Advisory
cve-details	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
www.cisa.gov/known-exploited-vulnerabilities-catalog	134c704f-9b21-4f2e-91b3-4a467353bcc0	www.cisa.gov	US Government Resource
glibc ld.so Local Privilege Escalation ≈ Packet Storm	af854a3a-2127-422b-91ae-364da2661108	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
oss-security - Re: linux-distros list membership application - CIQ Rocky Linux Security Team	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
oss-security - Re: linux-distros list membership application - CIQ Rocky Linux Security Team	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
CVE-2023-4911: Looney Tunables - Local Privilege Escalation in the glibc’s ld.so \| Qualys Security Blog	af854a3a-2127-422b-91ae-364da2661108	www.qualys.com	Third Party Advisory
[SECURITY] Fedora 38 Update: glibc-2.37-10.fc38 - package-announce - Fedora Mailing-Lists	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org	Mailing List
www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-esca...	af854a3a-2127-422b-91ae-364da2661108	www.qualys.com	Exploit, Third Party Advisory
cert-portal.siemens.com/productcert/html/ssa-831302.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com	Third Party Advisory
Red Hat	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
oss-security - Re: linux-distros list membership application - CIQ Rocky Linux Security Team	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
oss-security - CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Exploit, Mailing List
oss-security - Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so	af854a3a-2127-422b-91ae-364da2661108	www.openwall.com	Mailing List
[SECURITY] Fedora 39 Update: glibc-2.38-6.fc39 - package-announce - Fedora Mailing-Lists	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org	Mailing List
CVE-2023-4911 GNU C Library (glibc) Vulnerability in NetApp Products \| NetApp Product Security	af854a3a-2127-422b-91ae-364da2661108	security.netapp.com	Third Party Advisory
www.exploit-db.com/exploits/52479	af854a3a-2127-422b-91ae-364da2661108	www.exploit-db.com	Exploit, Third Party Advisory, VDB Entry
access.redhat.com/errata/RHSA-2024:0033	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
2238352 – (CVE-2023-4911) CVE-2023-4911 glibc: buffer overflow in ld.so leading to privilege escalation	af854a3a-2127-422b-91ae-364da2661108	bugzilla.redhat.com	Issue Tracking, Patch
cert-portal.siemens.com/productcert/html/ssa-794697.html	0b142b55-0307-4c5a-b3c9-f314f3fb7c5e	cert-portal.siemens.com	Third Party Advisory
Full Disclosure: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so	af854a3a-2127-422b-91ae-364da2661108	seclists.org	Exploit, Mailing List, Third Party Advisory
[SECURITY] Fedora 37 Update: glibc-2.36-14.fc37 - package-announce - Fedora Mailing-Lists	af854a3a-2127-422b-91ae-364da2661108	lists.fedoraproject.org	Mailing List
Red Hat	af854a3a-2127-422b-91ae-364da2661108	access.redhat.com	Third Party Advisory
packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html	af854a3a-2127-422b-91ae-364da2661108	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
Debian -- Security Information -- DSA-5514-1 glibc	af854a3a-2127-422b-91ae-364da2661108	www.debian.org	Mailing List
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

Vendor Comments And Credit

Discovery Credit

CNA: Red Hat would like to thank Qualys Research Labs for reporting this issue. (en)

Additional Advisory Data

Source	Time	Event
CNA	2023-09-04T00:00:00.000Z	Reported to Red Hat.
CNA	2023-10-03T17:00:00.000Z	Made public.
ADP	2023-11-21T00:00:00.000Z	CVE-2023-4911 added to CISA KEV

Workarounds

CNA: For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . Note that these mitigation steps will need to be repeated if the system is rebooted. 1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441 2) Create the following systemtap script, and name it stap_block_suid_tunables.stp: ~~~ function has_tunable_string:long() { name = "GLIBC_TUNABLES" mm = @task(task_current())->mm; if (mm) { env_start = @mm(mm)->env_start; env_end = @mm(mm)->env_end; if (env_start != 0 && env_end != 0) while (env_end > env_start) { cur = user_string(env_start, ""); env_name = tokenize(cur, "="); if (env_name == name && tokenize("", "") != "") return 1; env_start += strlen (cur) + 1 } } return 0; } probe process("/lib*/ld*.so*").function("__tunables_init") { atsecure = 0; /* Skip processing if we can't read __libc_enable_secure, e.g. core dump handler (systemd-cgroups-agent and systemd-coredump). */ try { atsecure = @var("__libc_enable_secure"); } catch { printk (4, sprintf ("CVE-2023-4911: Skipped check: %s (%d)", execname(), pid())); } if (atsecure && has_tunable_string ()) raise (9); } ~~~ 3) Load the systemtap module into the running kernel: ~~~ stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp ~~~ 4) Ensure the module is loaded: ~~~ lsmod | grep -i stap_block_suid_tunables stap_block_suid_tunables 249856 0 ~~~ 5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running: ~~~ rmmod stap_block_suid_tunables ~~~ If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap

Legacy QID Mappings

160950 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12850)
160953 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12851)
160958 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12854)
160962 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12853)
160965 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-5455)
160968 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-5453)
160973 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12872)
160974 Oracle Enterprise Linux Security Update for glibc (ELSA-2023-12873)
199798 Ubuntu Security Notification for GNU C Library Vulnerabilities (USN-6409-1)
242111 Red Hat Update for glibc (RHSA-2023:5453)
242114 Red Hat Update for glibc (RHSA-2023:5454)
242118 Red Hat Update for glibc (RHSA-2023:5455)
242120 Red Hat Update for glibc (RHSA-2023:5476)
284570 Fedora Security Update for glibc (FEDORA-2023-2b8c11ee75)
284571 Fedora Security Update for glibc (FEDORA-2023-028062484e)
285226 Fedora Security Update for glibc (FEDORA-2023-63e5a77522)
356310 Amazon Linux Security Advisory for glibc : ALAS2023-2023-359
378929 Alibaba Cloud Linux Security Update for glibc (ALINUX3-SA-2023:0124)
6000014 Debian Security Update for glibc (DSA 5514-1)
6140086 AWS Bottlerocket Security Update for glibc (GHSA-q944-5mwf-727h)
673505 EulerOS Security Update for glibc (EulerOS-SA-2023-3269)
673617 EulerOS Security Update for glibc (EulerOS-SA-2023-3241)
710764 Gentoo Linux glibc Multiple Vulnerabilities (GLSA 202310-03)
907418 Common Base Linux Mariner (CBL-Mariner) Security Update for glibc (31117-1)
941278 AlmaLinux Security Update for glibc (ALSA-2023:5455)
941283 AlmaLinux Security Update for glibc (ALSA-2023:5453)
961035 Rocky Linux Security Update for glibc (RLSA-2023:5455)