CVE-2019-19126

Public on 2019-11-19
Modified on 2022-12-01
Description
A vulnerability was discovered in glibc where the LD_PREFER_MAP_32BIT_EXEC environment variable is not ignored when running binaries with the setuid flag on x86_64 architectures. This allows an attacker to force system to utilize only half of the memory (making the system think the software is 32-bit only), thus lowering the amount of memory being used with address space layout randomization (ASLR). The highest threat is confidentiality although the complexity of attack is high. The affected application must already have other vulnerabilities for this flaw to be usable.
Severity
Low severity
Low
CVSS v3 Base Score
2.9
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 1 glibc 2021-07-08 ALAS-2021-1511 Fixed
Amazon Linux 2 - Core glibc 2023-08-21 ALAS2-2023-2221 Fixed

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 2.9 CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD CVSSv2 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N
NVD CVSSv3 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N