Andreas Schwab

**Name of the Vulnerable Software and Affected Versions** glibc versions prior to 2.31 **Description** The issue is related to an out-of-bounds write vulnerability in the backtrace function of the GNU C Library. This vulnerability is caused by incorrect array bounds checking, allowing an attacker to access confidential data, compromise data integrity, and potentially cause a denial of service or achieve code execution. The highest threat from this vulnerability is to system availability. **Recommendations** For glibc versions prior to 2.31, update to version 2.31 or later to resolve the issue. As a temporary workaround, consider restricting access to the backtrace function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** glibc versions 2.27 and earlier **Description** The issue is caused by a buffer overflow in the mempcpy function implementation, specifically in the AVX-512-optimized version. This overflow can occur when the function writes data beyond the target buffer, leading to a potential denial of service. The vulnerable function is ` mempcpy avx512 no vzeroupper`. **Recommendations** For glibc versions 2.27 and earlier, consider disabling the ` mempcpy avx512 no vzeroupper` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU C Library versions prior to 2.25 **Description** The issue is related to the makecontext function in the GNU C Library, which creates execution contexts incompatible with the unwinder on ARM EABI (32-bit) platforms. This might allow attackers to cause a denial of service (hang), as demonstrated by applications compiled using gccgo, related to backtrace generation. The vulnerability is also associated with inadequate access control, allowing a remote attacker to cause a denial of service. **Recommendations** For GNU C Library versions prior to 2.25, update to version 2.25 or later to resolve the issue. As a temporary workaround, consider restricting the use of the makecontext function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** glibc versions prior to 2.20 **Description** The issue is related to the get contents function in the Name Service Switch (NSS) in GNU C Library, which might allow local users to cause a denial of service or gain privileges via a long line in the NSS files database. **Recommendations** For versions prior to 2.20, update to version 2.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the NSS files database to minimize the risk of exploitation.