CVE-2024-33602

Description

nscd: netgroup cache assumes NSS callback uses in-buffer strings The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.

How to fix CVE-2024-33602

To remediate CVE-2024-33602, upgrade the affected package to a fixed version below.

—upgrade to 2.31-13+deb11u10 or later

Is CVE-2024-33602 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.31-13+deb11u10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-33602