CVE-2012-3405
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 10 Feb 2014, 17:00
Last modified:06 Aug 2024, 20:05
Vulnerability Summary
Overall Risk (default)
low
20/100 CVSS Score
5 MEDIUM
v2.0 (nvd)
EPSS Score
0.67% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
10 Feb 2014, 17:00
Published
Vulnerability first disclosed
06 Aug 2024, 20:05
Last Modified
Vulnerability information updated
Description
The vfprintf function in stdio-common/vfprintf.c in libc in GNU C Library (aka glibc) 2.14 and other versions does not properly calculate a buffer length, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (segmentation fault and crash) via a format string with a large number of format specifiers that triggers "desynchronization within the buffer size handling," a different vulnerability than CVE-2012-3404.
CVSS Metrics
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.67%• Percentile: 72%
Techniques & Countermeasures
- CWE-189•Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.
Affected Systems
- canonical•ubuntu_linux
8.04 | 10.04 | 11.04 | 11.10 | 12.04
- gnu•glibc
2.14
- redhat•enterprise_linux
6.0
- redhat•enterprise_virtualization
3.0
References (7)
- http://rhn.redhat.com/errata/RHSA-2012-1200.html
- https://bugzilla.redhat.com/show_bug.cgi?id=833704
- https://sourceware.org/bugzilla/show_bug.cgi?id=13446
- https://security.gentoo.org/glsa/201503-04
- http://rhn.redhat.com/errata/RHSA-2012-1098.html
- http://www.ubuntu.com/usn/USN-1589-1
- http://www.openwall.com/lists/oss-security/2012/07/11/17