Package details: pkg:deb/debian/glibc@2.31-13%2Bdeb11u3
purl pkg:deb/debian/glibc@2.31-13%2Bdeb11u3
Next non-vulnerable version 2.36-8
Latest non-vulnerable version 2.41-9
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-49m9-v222-aaae
Aliases:
CVE-2024-2961
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
VCID-4ps4-wrmd-aaaj
Aliases:
CVE-2021-3999
A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.
2.31-13+deb11u5
Affected by 7 other vulnerabilities.
VCID-cvwe-heq6-sqcr
Aliases:
CVE-2025-0395
glibc: buffer overflow in the GNU C Library's assert()
2.36-8
Affected by 0 other vulnerabilities.
VCID-mbyf-7tfq-aaad
Aliases:
CVE-2024-33600
glibc: null pointer dereferences after failed netgroup cache insertion
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
VCID-sysh-eg5e-aaak
Aliases:
CVE-2023-4911
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
VCID-vv4f-b7e1-aaak
Aliases:
CVE-2024-33602
glibc: netgroup cache assumes NSS callback uses in-buffer strings
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
VCID-vv6m-c181-aaaj
Aliases:
CVE-2024-33601
glibc: netgroup cache may terminate daemon on memory allocation failure
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
VCID-zvjp-1njs-aaah
Aliases:
CVE-2024-33599
glibc: stack-based buffer overflow in netgroup cache
2.31-13+deb11u11
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-16q3-v9ba-aaar ** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug." CVE-2021-43396
VCID-3g4r-ex56-aaaa The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVE-2021-33574
VCID-vqwk-tqf1-aaac The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVE-2022-23218
VCID-wjry-nwm2-aaaf The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVE-2022-23219

Date Actor Action Vulnerability Source VulnerableCode Version
2025-06-21T04:52:57.637219+00:00 Debian Oval Importer Fixing VCID-wjry-nwm2-aaaf None 36.1.3
2025-06-21T03:56:32.532647+00:00 Debian Oval Importer Fixing VCID-16q3-v9ba-aaar None 36.1.3
2025-06-21T03:09:18.792870+00:00 Debian Oval Importer Affected by VCID-4ps4-wrmd-aaaj None 36.1.3
2025-06-21T02:11:19.597361+00:00 Debian Oval Importer Fixing VCID-vqwk-tqf1-aaac None 36.1.3
2025-06-21T01:43:18.016057+00:00 Debian Oval Importer Fixing VCID-3g4r-ex56-aaaa None 36.1.3
2025-06-21T00:44:38.481589+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 36.1.3
2025-06-07T22:30:15.015167+00:00 Debian Oval Importer Fixing VCID-wjry-nwm2-aaaf None 36.1.0
2025-06-07T21:31:48.349181+00:00 Debian Oval Importer Fixing VCID-16q3-v9ba-aaar None 36.1.0
2025-06-07T20:42:08.889628+00:00 Debian Oval Importer Affected by VCID-4ps4-wrmd-aaaj None 36.1.0
2025-06-07T19:35:05.141154+00:00 Debian Oval Importer Fixing VCID-vqwk-tqf1-aaac None 36.1.0
2025-06-07T19:06:28.995522+00:00 Debian Oval Importer Fixing VCID-3g4r-ex56-aaaa None 36.1.0
2025-05-06T18:45:14.383562+00:00 Debian Oval Importer Affected by VCID-cvwe-heq6-sqcr https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T23:42:49.649018+00:00 Debian Oval Importer Affected by VCID-mbyf-7tfq-aaad https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T23:42:46.756747+00:00 Debian Oval Importer Affected by VCID-zvjp-1njs-aaah https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T23:42:42.718552+00:00 Debian Oval Importer Affected by VCID-vv6m-c181-aaaj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T23:42:40.323803+00:00 Debian Oval Importer Affected by VCID-vv4f-b7e1-aaak https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T23:33:04.647553+00:00 Debian Oval Importer Affected by VCID-49m9-v222-aaae https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T22:23:15.600548+00:00 Debian Oval Importer Fixing VCID-wjry-nwm2-aaaf https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T21:56:11.936859+00:00 Debian Oval Importer Affected by VCID-4ps4-wrmd-aaaj https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T21:51:00.215047+00:00 Debian Oval Importer Affected by VCID-sysh-eg5e-aaak https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T20:49:22.215305+00:00 Debian Oval Importer Fixing VCID-vqwk-tqf1-aaac https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T20:06:02.105187+00:00 Debian Oval Importer Fixing VCID-16q3-v9ba-aaar https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-12T19:46:32.549593+00:00 Debian Oval Importer Fixing VCID-3g4r-ex56-aaaa https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.0.0
2025-04-07T21:01:48.715534+00:00 Debian Oval Importer Fixing VCID-wjry-nwm2-aaaf None 36.0.0
2025-04-07T20:00:53.717216+00:00 Debian Oval Importer Fixing VCID-16q3-v9ba-aaar None 36.0.0
2025-04-07T19:12:37.492775+00:00 Debian Oval Importer Affected by VCID-4ps4-wrmd-aaaj None 36.0.0
2025-04-07T18:12:47.530284+00:00 Debian Oval Importer Fixing VCID-vqwk-tqf1-aaac None 36.0.0
2025-04-07T17:44:20.308555+00:00 Debian Oval Importer Fixing VCID-3g4r-ex56-aaaa None 36.0.0
2025-04-04T03:27:47.636057+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 36.0.0
2025-02-20T05:35:33.934964+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 35.1.0
2024-11-22T23:31:28.002719+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 35.0.0
2024-10-09T21:59:12.691688+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 34.0.2
2024-09-19T05:56:56.642431+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 34.0.1
2024-04-25T04:15:58.108072+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 34.0.0rc4
2024-01-11T05:43:41.353914+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 34.0.0rc2
2024-01-04T16:59:45.609942+00:00 Debian Importer Affected by VCID-4ps4-wrmd-aaaj None 34.0.0rc1