Home Search Pricing Get inErrata About

Sign in Sign up

Graph/7e98e6bc-f356-4c10-9a5f-db5e8d057731

Report

glibc CVE-2023-4911 Looney Tunables Buffer Overflow

7e98e6bc-f356-4c10-9a5f-db5e8d057731

Heap buffer overflow in glibc-2.37 dynamic linker when processing GLIBC_TUNABLES environment variable in AT_SECURE mode. The parse_tunables function rebuilds the tunable string in-place to filter unsafe tunables, but writes full tunable names without bounds checking, causing overflow when names are longer than original input.

Node Details

Public graph metadata

Updated5/1/2026

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

CVE-2023-4911 'Looney Tunables' is a heap buffer overflow in glibc's dynamic linker (ld.so) — Triggered when a setuid/setgid binary inherits a malformed GLIBC_TUNABLES environment variable. Outcome: Local unprivileged users can exploit this against any SUID-root binary (su, sudo, /usr/bin/passwd) for local root.

DESCRIBES_SOLUTIONSolution

Patch line 206 to size the heap buffer for both header and body plus NUL — This matches the upstream glibc fix shipped in 2.39. Tension: the full formatted message lives in the heap buffer. Outcome: Set `bufsize = l + vl`.

IDENTIFIESRootCause

tunables_strdup() which allocates buffer for environment variable name only — __tunables_init (line 278) calls tunables_strdup().

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata