FKIE_CVE-2026-0861

Vulnerability from fkie_nvd - Published: 2026-01-14 21:15 - Updated: 2026-02-03 18:26
Severity ?
8.4 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption. Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.
References
3ff69d7a-14f2-4f67-a097-88dee7810d18https://sourceware.org/bugzilla/show_bug.cgi?id=33796Exploit
3ff69d7a-14f2-4f67-a097-88dee7810d18https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001Patch
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2026/01/16/5Mailing List, Patch
Impacted products
Vendor Product Version
gnu glibc *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "695F54F4-F00E-4777-BFA3-CA09D169D050",
              "versionEndIncluding": "2.42",
              "versionStartIncluding": "2.30",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.\n\nNote that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this.  The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument.  This limits the malicious inputs for the alignment for memalign to the range [1\u003c\u003c62+ 1, 1\u003c\u003c63] and exactly 1\u003c\u003c63 for posix_memalign and aligned_alloc.\n\nTypically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice.  An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments."
    },
    {
      "lang": "es",
      "value": "Pasar una alineaci\u00f3n demasiado grande a la suite de funciones memalign (memalign, posix_memalign, aligned_alloc) en la biblioteca C de GNU versi\u00f3n 2.30 a 2.42 puede resultar en un desbordamiento de entero, lo que podr\u00eda consecuentemente resultar en una corrupci\u00f3n de mont\u00f3n.\n\nTenga en cuenta que el atacante debe tener control sobre ambos, los argumentos de tama\u00f1o y de alineaci\u00f3n de la funci\u00f3n memalign para poder explotar esto. El par\u00e1metro de tama\u00f1o debe estar lo suficientemente cerca de PTRDIFF_MAX como para desbordar size_t junto con el argumento de alineaci\u00f3n grande. Esto limita las entradas maliciosas para la alineaci\u00f3n para memalign al rango [1\u0026lt;\u0026lt;62+ 1, 1\u0026lt;\u0026lt;63] y exactamente 1\u0026lt;\u0026lt;63 para posix_memalign y aligned_alloc.\n\nT\u00edpicamente, el argumento de alineaci\u00f3n pasado a tales funciones es una cantidad restringida conocida (p. ej., tama\u00f1o de p\u00e1gina, tama\u00f1o de bloque, tama\u00f1os de estructura) y no est\u00e1 controlado por el atacante, por lo cual esto podr\u00eda no ser f\u00e1cilmente explotable en la pr\u00e1ctica. Un error de aplicaci\u00f3n podr\u00eda potencialmente resultar en que la alineaci\u00f3n de entrada sea demasiado grande, p. ej., debido a un desbordamiento de b\u00fafer diferente o un desbordamiento de entero en la aplicaci\u00f3n o sus bibliotecas dependientes, pero ese es de nuevo un patr\u00f3n de uso poco com\u00fan dadas las fuentes t\u00edpicas de alineaciones."
    }
  ],
  "id": "CVE-2026-0861",
  "lastModified": "2026-02-03T18:26:25.390",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-14T21:15:52.617",
  "references": [
    {
      "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
      "tags": [
        "Exploit"
      ],
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33796"
    },
    {
      "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
      "tags": [
        "Patch"
      ],
      "url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2026/01/16/5"
    }
  ],
  "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-190"
        }
      ],
      "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.