DescriptionAn integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)buster2.28-10+deb10u1fixed
buster (security)2.28-10+deb10u2fixed
bullseye (security)2.31-13+deb11u7fixed
bookworm, bookworm (security)2.36-9+deb12u4fixed
sid, trixie2.37-15fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsourcebuster(not affected)
glibcsourcebullseye(not affected)


[bullseye] - glibc <not-affected> (Vulnerable code not present)
[buster] - glibc <not-affected> (Vulnerable code not present)
Fixed by:;a=commit;h=ddf542da94caf97ff43cc2875c88749880b7259b;a=blob_plain;f=advisories/GLIBC-SA-2024-0003;hb=HEAD

Search for package or bug name: Reporting problems