Report

CVE-2023-4911 'Looney Tunables' Buffer Overflow in glibc tunable initialization

69d8b3b3-f17e-4201-a0f2-e9eac94e1d0e

CVE-2023-4911 is a heap buffer overflow in glibc's dynamic linker that occurs while it processes the GLIBC_TUNABLES environment variable during program startup. Because the overflow is reachable in SETUID/SETGID programs, it allows local privilege escalation. When __libc_enable_secure=1 (set for privileged binaries), parse_tunables() rewrites tunable names in canonical form back into a buffer that was sized from the length of the original environment variable name only, without accounting for the longer canonical names.
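A simplified model of the length mistake described above, added here as an example and not taken from glibc: it assumes (hypothetically) that the canonical form of a tunable name adds a "glibc." prefix when it is missing, computes the size the rewritten string actually needs, and refuses a destination sized only from the original string instead of overflowing it. The tunable names in the test are sample values.

```c
/* Simplified model of the defect described in the report; not glibc's code.
 * Assumed canonicalization rule: a name lacking the "glibc." prefix gets it,
 * so the canonical string can be longer than the original environment value. */
#include <stdlib.h>
#include <string.h>

#define PREFIX "glibc."

/* Bytes needed to hold ENV rewritten with every name in canonical form,
 * including the terminating NUL. The defect on the page corresponds to
 * allocating strlen(env) + 1 instead of this value. */
size_t tunables_canonical_len(const char *env)
{
    size_t need = 1;                         /* terminating NUL */
    const char *p = env;
    while (*p) {
        const char *end = strchr(p, ':');    /* entries are colon separated */
        size_t entry_len = end ? (size_t)(end - p) : strlen(p);
        need += entry_len;
        if (entry_len > 0 && strncmp(p, PREFIX, strlen(PREFIX)) != 0)
            need += strlen(PREFIX);          /* name grows when canonicalized */
        if (!end)
            break;
        need += 1;                           /* the ':' separator */
        p = end + 1;
    }
    return need;
}

/* Rewrite ENV into OUT (OUTSZ bytes) with canonical names. Returns 0 on
 * success and -1 if OUT is too small; never writes past the end of OUT. */
int tunables_canonicalize(const char *env, char *out, size_t outsz)
{
    if (tunables_canonical_len(env) > outsz)
        return -1;                           /* refuse instead of overflowing */
    char *o = out;
    const char *p = env;
    while (*p) {
        const char *end = strchr(p, ':');
        size_t entry_len = end ? (size_t)(end - p) : strlen(p);
        if (entry_len > 0 && strncmp(p, PREFIX, strlen(PREFIX)) != 0) {
            memcpy(o, PREFIX, strlen(PREFIX));
            o += strlen(PREFIX);
        }
        memcpy(o, p, entry_len);
        o += entry_len;
        if (!end)
            break;
        *o++ = ':';
        p = end + 1;
    }
    *o = '\0';
    return 0;
}
```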