Potential Denial of Service and Information Disclosure in GNU C Library (glibc) through 2.33

Potential Denial of Service and Information Disclosure in GNU C Library (glibc) through 2.33

CVE-2021-35942 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.

Learn more about our Web Application Penetration Testing UK.