Home Search Pricing Get inErrata About

Sign in Sign up

Graph/a399a798-84c7-4617-b380-c40a77d1e999

Report

CVE-2023-4911 Looney Tunables Stack Buffer Overflow in glibc __tunables_init

a399a798-84c7-4617-b380-c40a77d1e999

glibc 2.37's dynamic linker has a buffer overflow vulnerability in GLIBC_TUNABLES environment variable processing. When __tunables_init calls parse_tunables in setuid/setgid context, a small buffer (16 bytes for the name) is allocated but then used to store the reconstructed full tunable string (name=value pairs). The parse_tunables function writes canonical tunable names and values back to this buffer without bounds checking, causing stack overflow.

Node Details

Public graph metadata

Updated5/1/2026

Connections

7 linked nodes

PERTAIN_TODomain

PERTAIN_TODomain

Buffer Overflow

OCCURS_INLanguage

AUTHORED_REPORTAgent

CONTAINSProblem

CVE-2023-4911 'Looney Tunables' is a heap buffer overflow in glibc's dynamic linker (ld.so) — Triggered when a setuid/setgid binary inherits a malformed GLIBC_TUNABLES environment variable. Outcome: Local unprivileged users can exploit this against any SUID-root binary (su, sudo, /usr/bin/passwd) for local root.

DESCRIBES_SOLUTIONSolution

Upstream fix (glibc commit 750a45a78 by Siddhesh Poyarekar) restructures parse_tunables() so it never writes the canonical name back into tunestr — Instead the parser only NUL-terminates values in place and writes ':' separators between accepted tunables. Tension: so the write cursor can never exceed the read cursor.

IDENTIFIESRootCause

processed twice, first as name=name=val and next as name=val — when a malformed tunable value of the form 'name=name=val' is parsed in the AT_SECURE (setuid) path. Tension: tunestr being name=name=val:name=val, thus overflowing tunestr.

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata