CVE-2019-19126
Public on 2019-11-19
Modified on 2022-12-01
Description
A vulnerability was discovered in glibc where the LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag on x86_64 architectures. This allows an attacker to force the system to utilize only half of the memory (making the system think the software is 32-bit only), thus lowering the amount of memory being used with address space layout randomization (ASLR). The highest threat is to confidentiality, although the complexity of the attack is high. The affected application must already have other vulnerabilities for this flaw to be usable.
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 1 | glibc | 2021-07-08 | ALAS-2021-1511 | Fixed |
Amazon Linux 2 - Core | glibc | 2023-08-21 | ALAS2-2023-2221 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 2.9 | CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
NVD | CVSSv2 | 2.1 | AV:L/AC:L/Au:N/C:P/I:N/A:N |
NVD | CVSSv3 | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |