CVE-2023-4039

Description

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

How to fix CVE-2023-4039

To remediate CVE-2023-4039, upgrade the affected package to a fixed version below.

• —upgrade to 13.2.1_git20231014-r0 or later
• —no fix listed
• —no fix listed
• —upgrade to 12.2.0-14+deb12u1 or later
• —upgrade to 13.2.0-4 or later
• —no fix listed

Is CVE-2023-4039 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 13.2.1_git20231014-r0
• from 0
• from 0
• from 0, < 12.2.0-14+deb12u1
• from 0, < 13.2.0-4
• from 0

CVSS scores

References (2)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-4039
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-4039