CVE-2024-2961 — glibc - security update

Description

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

How to fix CVE-2024-2961

To remediate CVE-2024-2961, upgrade the affected package to a fixed version below.

Debian/glibc—upgrade to 2.31-13+deb11u9 or later
—upgrade to 2.28-10+deb10u3 or later
—upgrade to 2.31-13+deb11u9 or later

Is CVE-2024-2961 being exploited?

Likely — EPSS is 91.9%, placing CVE-2024-2961 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (3)

from 0, < 2.31-13+deb11u9
from 0, < 2.28-10+deb10u3
from 0, < 2.31-13+deb11u9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.3	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-2961