PT-2018-2383 · Gnu+2 · Glibc+2

Guido Vranken · Published 2018-04-12 · Updated 2025-12-03 · CVE-2018-19591

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

glibc versions through 2.28

Description

The issue is caused by insufficient input validation in the getaddrinfo() function, which can lead to if_nametoindex() being invoked with incorrect parameters. A remote attacker can exploit this to cause memory exhaustion on the target system. The problem arises when a crafted hostname is resolved via getaddrinfo(): a socket descriptor is allocated and never closed.

Recommendations

For versions through 2.28, consider restricting the use of the getaddrinfo() function until a patch is available. As a temporary workaround, avoid calling getaddrinfo() with untrusted hostnames to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
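
One way to apply the workaround and to check for the unclosed descriptor, as an added example that is not part of the advisory or of glibc. The names count_open_fds, hostname_is_plain and checked_resolve are hypothetical, the character allowlist is an assumed policy (it also refuses IPv6 literals), and /proc/self/fd assumes Linux.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Descriptors open in this process, from /proc/self/fd (Linux assumption). */
static int count_open_fds(void) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL; )
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n; /* includes the DIR's own fd, the same on every call */
}

/* Assumed policy for untrusted names: letters, digits, '-' and '.' only,
 * 1..253 bytes. Anything else is refused before the resolver sees it. */
static int hostname_is_plain(const char *h) {
    size_t len = strlen(h);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Resolve an untrusted name. Returns -1 if the name is refused, otherwise
 * the number of descriptors left open by the call (0 when nothing leaks). */
static int checked_resolve(const char *host, int flags) {
    if (!hostname_is_plain(host)) return -1;
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    int before = count_open_fds();
    if (getaddrinfo(host, NULL, &hints, &res) == 0) freeaddrinfo(res);
    return count_open_fds() - before;
}

int main(void) {
    printf("leaked descriptors: %d\n", checked_resolve("127.0.0.1", AI_NUMERICHOST));
    return 0;
}
```

The descriptor delta is only meaningful when no other thread opens or closes files during the call, so run the check in a single-threaded test harness.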

Exploit

RCE

Improper Resource Release

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2753
ALT-PU-2019-3114
BDU:2019-00571
CVE-2018-19591
OPENSUSE-SU-2024:10792-1
USN-4416-1

Affected Products

Alt Linux
Ubuntu
Glibc