CVE-2023-4911

GNU C Library Buffer Overflow Vulnerability

CVSS 7.8 · HIGH ⚠ CISA KEV — ACTIVELY EXPLOITED
On the CISA KEV catalog

Confirmed exploited in the wild. Added 2023-11-21. Federal remediation due 2023-12-12.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Summary

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

CVSS 3.1 breakdown

Base score: 7.8 (HIGH)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
User interaction: NONE
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Weakness type (CWE)

Affected products

Netapp bootstrap os
Netapp hci compute node
Siemens simatic s7-1500 cpu 1518-4 pn/dp mfp firmware
Siemens simatic s7-1500 cpu 1518-4 pn/dp mfp
Siemens simatic s7-1500 cpu 1518f-4 pn/dp mfp firmware
Siemens simatic s7-1500 cpu 1518f-4 pn/dp mfp
Siemens siplus s7-1500 cpu 1518-4 pn/dp mfp firmware
Siemens siplus s7-1500 cpu 1518-4 pn/dp mfp
Siemens simatic s7-1500 tm mfp firmware
Siemens simatic s7-1500 tm mfp
Gnu glibc
Fedoraproject fedora
Redhat codeready linux builder
Redhat codeready linux builder eus
Redhat codeready linux builder for arm64
Redhat codeready linux builder for arm64 eus
Redhat codeready linux builder for ibm z systems
Redhat codeready linux builder for ibm z systems eus
Redhat codeready linux builder for power little endian
Redhat codeready linux builder for power little endian eus

References

Data: NIST NVD + CISA KEV. NVD last modified 2026-05-12. Always verify against the vendor advisory before acting.
