CVE-2012-3406

The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.

Published : 2014-02-10 18:15 Updated : 2019-04-22 17:48

6.8
CVSS Score More info
Score 6.8 / 10
6.8
Vendor Product Version URI
Redhat Enterprise Linux 6.0 cpe:/o:redhat:enterprise_linux:6.0
Redhat Enterprise Linux 5 cpe:/o:redhat:enterprise_linux:5
Gnu Glibc 2.5 cpe:/a:gnu:glibc:2.5
Canonical Ubuntu Linux 11.04 cpe:/o:canonical:ubuntu_linux:11.04
Canonical Ubuntu Linux 8.04 cpe:/o:canonical:ubuntu_linux:8.04:-:lts
Canonical Ubuntu Linux 11.10 cpe:/o:canonical:ubuntu_linux:11.10
Canonical Ubuntu Linux 12.04 cpe:/o:canonical:ubuntu_linux:12.04:-:lts
Gnu Glibc 2.12 cpe:/a:gnu:glibc:2.12
Canonical Ubuntu Linux 10.04 cpe:/o:canonical:ubuntu_linux:10.04:-:lts
Redhat Enterprise Virtualization 3.0 cpe:/a:redhat:enterprise_virtualization:3.0
  1. Canonical (1) Search CVE
    1. Ubuntu Linux (5) Search CVE
      1. 11.04
      2. 8.04
      3. 11.10
      4. 12.04
      5. 10.04
  2. Gnu (1) Search CVE
    1. Glibc (2) Search CVE
      1. 2.5
      2. 2.12
  3. Redhat (2) Search CVE
    1. Enterprise Linux (2) Search CVE
      1. 6.0
      2. 5
    2. Enterprise Virtualization (1) Search CVE
      1. 3.0

CWE

ID Name Description Links
CWE-264 Permissions, Privileges, and Access Controls Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. CVE

History of changes

Date Event
2019-04-22 17:48
2017-07-01 05:29
2014-02-10 18:15

New CVE