{"api_version":"1","generated_at":"2026-04-23T02:32:58+00:00","cve":"CVE-2019-7309","urls":{"html":"https://cve.report/CVE-2019-7309","api":"https://cve.report/api/cve/CVE-2019-7309.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-7309","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-7309"},"summary":{"title":"CVE-2019-7309","description":"In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2019-02-03 02:29:00","updated_at":"2020-08-24 17:37:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://sourceware.org/bugzilla/show_bug.cgi?id=24155","name":"https://sourceware.org/bugzilla/show_bug.cgi?id=24155","refsource":"MISC","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"24155 – (CVE-2019-7309) x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/106835","name":"106835","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"GNU glibc CVE-2019-7309 Local Denial of Service Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html","name":"https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html","refsource":"MISC","tags":["Mailing List","Third Party Advisory"],"title":"H.J. Lu - Re: [PATCH] x86-64 memcmp: Use unsigned Jcc instructions on size","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202006-04","name":"GLSA-202006-04","refsource":"GENTOO","tags":[],"title":"glibc: Multiple vulnerabilities (GLSA 202006-04) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-7309","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-7309","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"7309","vulnerable":"1","versionEndIncluding":"2.29","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnu","cpe5":"glibc","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"x86","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-7309","qid":"900243","title":"CBL-Mariner Linux Security Update for glibc 2.28"},{"cve":"CVE-2019-7309","qid":"903380","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for glibc (1940)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2019-7309","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"106835","refsource":"BID","url":"http://www.securityfocus.com/bid/106835"},{"name":"https://sourceware.org/bugzilla/show_bug.cgi?id=24155","refsource":"MISC","url":"https://sourceware.org/bugzilla/show_bug.cgi?id=24155"},{"name":"https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html","refsource":"MISC","url":"https://sourceware.org/ml/libc-alpha/2019-02/msg00041.html"},{"refsource":"GENTOO","name":"GLSA-202006-04","url":"https://security.gentoo.org/glsa/202006-04"}]}},"nvd":{"publishedDate":"2019-02-03 02:29:00","lastModifiedDate":"2020-08-24 17:37:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:N/I:N/A:P","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"PARTIAL","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:x86:*","versionEndIncluding":"2.29","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"7309","Ordinal":"145055","Title":"CVE-2019-7309","CVE":"CVE-2019-7309","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"7309","Ordinal":"1","NoteData":"In the GNU C Library (aka glibc or libc6) through 2.29, the memcmp function for the x32 architecture can incorrectly return zero (indicating that the inputs are equal) because the RDX most significant bit is mishandled.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"7309","Ordinal":"2","NoteData":"2019-02-02","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"7309","Ordinal":"3","NoteData":"2020-06-12","Type":"Other","Title":"Modified"}]}}}