Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-4039

Summary
Assigner-Arm
Assigner Org ID-56a131ea-b967-4a0d-a41e-5f3549952846
Published At-13 Sep, 2023 | 08:05
Updated At-13 Feb, 2025 | 17:07
Rejected At-
Credits

GCC's-fstack-protector fails to guard dynamically-sized local variables on AArch64

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Arm
Assigner Org ID:56a131ea-b967-4a0d-a41e-5f3549952846
Published At:13 Sep, 2023 | 08:05
Updated At:13 Feb, 2025 | 17:07
Rejected At:
▼CVE Numbering Authority (CNA)
GCC's-fstack-protector fails to guard dynamically-sized local variables on AArch64

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Affected Products
Vendor
Arm LimitedArm Ltd
Product
Arm GNU Toolchain
Default Status
affected
Versions
Affected
  • All versions where option -fstack-protector is used
Vendor
GNUGNU
Product
GCC
Default Status
unaffected
Versions
Affected
  • All versions of GCC that target AArch64 when option -fstack-protector is used
Problem Types
TypeCWE IDDescription
CWECWE-693CWE-693 Protection Mechanism Failure
Type: CWE
CWE ID: CWE-693
Description: CWE-693 Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-100CAPEC-100 Overflow Buffers
CAPEC ID: CAPEC-100
Description: CAPEC-100 Overflow Buffers
Solutions

Recompile vulnerable code using an updated toolchain.

Configurations

The specific conditions where the stack-protector fails to give the desired level of protection are when: * using GCC (all unpatched versions) targeting AArch64 * and when the -fstack-protector option is used * and when the program uses C99-style dynamically-sized local variables or alloca() And to be exploitable there must also be a prior vulnerability in the program such that an attacker can cause a buffer overflow in these local variables that overwrites saved register values in the stack.

Workarounds
Exploits
Credits
finder
Tom Hebb from Meta Red Team X and Maria Markstedter from Azeria Labs
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
N/A
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
N/A
Hyperlink: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
Resource: N/A
Hyperlink: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
Resource: N/A
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
x_transferred
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
x_transferred
Hyperlink: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
Resource:
x_transferred
Hyperlink: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:arm-security@arm.com
Published At:13 Sep, 2023 | 09:15
Updated At:13 Feb, 2025 | 17:17

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary3.14.8MEDIUM
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.8
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
GNU
gnu
>>gcc>>Versions before 2023-09-12(exclusive)
cpe:2.3:a:gnu:gcc:*:*:*:*:*:*:arm64:*
Weaknesses
CWE IDTypeSource
CWE-693Secondaryarm-security@arm.com
NVD-CWE-OtherPrimarynvd@nist.gov
CWE ID: CWE-693
Type: Secondary
Source: arm-security@arm.com
CWE ID: NVD-CWE-Other
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64arm-security@arm.com
Exploit
Patch
Third Party Advisory
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mfarm-security@arm.com
Exploit
Patch
Third Party Advisory
https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64af854a3a-2127-422b-91ae-364da2661108
Exploit
Patch
Third Party Advisory
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mfaf854a3a-2127-422b-91ae-364da2661108
Exploit
Patch
Third Party Advisory
Hyperlink: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
Source: arm-security@arm.com
Resource:
Exploit
Patch
Third Party Advisory
Hyperlink: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
Source: arm-security@arm.com
Resource:
Exploit
Patch
Third Party Advisory
Hyperlink: https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Patch
Third Party Advisory
Hyperlink: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Exploit
Patch
Third Party Advisory

Change History

0
Information is not available yet

Similar CVEs

3Records found
CVE-2026-1858
Matching Score-8
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-8
Assigner-Tenable Network Security, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.01% / 1.06%
||
7 Day CHG~0.00%
Published-29 Apr, 2026 | 20:15
Updated-05 May, 2026 | 02:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wget2 Improper Certificate Validation

wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.

Action-Not Available
Vendor-GNU
Product-wget2wget2
CWE ID-CWE-20
Improper Input Validation
CVE-2024-39836
Matching Score-4
Assigner-Mattermost, Inc.
ShareView Details
Matching Score-4
Assigner-Mattermost, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.52% / 66.99%
||
7 Day CHG~0.00%
Published-22 Aug, 2024 | 06:27
Updated-23 Aug, 2024 | 16:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Munged email address used for password resets and notifications

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 and 9.8.x <= 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset passwords, when they are valid, functional emails.

Action-Not Available
Vendor-Mattermost, Inc.
Product-mattermostMattermost
CWE ID-CWE-693
Protection Mechanism Failure
CVE-2024-21423
Matching Score-4
Assigner-Microsoft Corporation
ShareView Details
Matching Score-4
Assigner-Microsoft Corporation
CVSS Score-4.8||MEDIUM
EPSS-1.39% / 80.43%
||
7 Day CHG~0.00%
Published-23 Feb, 2024 | 21:35
Updated-03 May, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

Action-Not Available
Vendor-Microsoft Corporation
Product-edge_chromiumMicrosoft Edge (Chromium-based)
CWE ID-CWE-693
Protection Mechanism Failure
Details not found