{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2023-4039","assignerOrgId":"56a131ea-b967-4a0d-a41e-5f3549952846","state":"PUBLISHED","assignerShortName":"Arm","dateReserved":"2023-08-01T10:38:03.032Z","datePublished":"2023-09-13T08:05:10.274Z","dateUpdated":"2025-02-13T17:07:49.159Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","product":"Arm GNU Toolchain","vendor":"Arm Ltd","versions":[{"status":"affected","version":"All versions where option -fstack-protector is used"}]},{"defaultStatus":"unaffected","product":"GCC","vendor":"GNU","versions":[{"status":"affected","version":"All versions of GCC that target AArch64 when option -fstack-protector is used"}]}],"configurations":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n<ul>\n    <li>using GCC (all unpatched versions) targeting AArch64</li>\n    <li>and when the -fstack-protector option is used</li>\n    <li>and when the program uses C99-style dynamically-sized local variables or alloca()</li>\n</ul>\n<p>And to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack.</p>\n\n<br>"}],"value":"The specific conditions where the stack-protector fails to give the desired level of protection are when:\n\n\n\n      *  using GCC (all unpatched versions) targeting AArch64\n\n      *  and when the -fstack-protector option is used\n\n      *  and when the program uses C99-style dynamically-sized local variables or alloca()\n\n\n\n\nAnd to be exploitable there must also be a prior vulnerability in the\n program such that an attacker can cause a buffer overflow in these \nlocal variables that overwrites saved register values in the stack."}],"credits":[{"lang":"en","type":"finder","user":"00000000-0000-4000-9000-000000000000","value":"Tom Hebb from Meta Red Team X and Maria Markstedter from Azeria Labs"}],"datePublic":"2023-09-12T09:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>\n</p><p>**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.</p><p>The default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.</p>\n\n<p></p>"}],"value":"**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains \nthat target AArch64 allows an attacker to exploit an existing buffer \noverflow in dynamically-sized local variables in your application \nwithout this being detected. This stack-protector failure only applies \nto C99-style dynamically-sized local variables or those created using \nalloca(). The stack-protector operates as intended for statically-sized \nlocal variables.\n\nThe default behavior when the stack-protector \ndetects an overflow is to terminate your application, resulting in \ncontrolled loss of availability. An attacker who can exploit a buffer \noverflow without triggering the stack-protector might be able to change \nprogram flow control to cause an uncontrolled loss of availability or to\n go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself."}],"tags":["disputed"],"impacts":[{"capecId":"CAPEC-100","descriptions":[{"lang":"en","value":"CAPEC-100 Overflow Buffers"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-693","description":"CWE-693 Protection Mechanism Failure","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"56a131ea-b967-4a0d-a41e-5f3549952846","shortName":"Arm","dateUpdated":"2024-06-13T22:20:07.881Z"},"references":[{"url":"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"},{"url":"https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Recompile vulnerable code using an updated toolchain.\n\n<br>"}],"value":"Recompile vulnerable code using an updated toolchain."}],"source":{"discovery":"EXTERNAL"},"title":"GCC's -fstack-protector fails to guard dynamically-sized local variables on AArch64","x_generator":{"engine":"Vulnogram 0.1.0-dev"},"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"arm-security@arm.com","ID":"CVE-2023-4039","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Arm GNU Toolchain","version":{"version_data":[{"version_value":"All versions of GCC that target AArch64 when option -fstack-protector is used"}]}}]},"vendor_name":"Arm Ltd"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"5.0","description":{"description_data":[{"lang":"eng","value":"**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"GCC's -fstack-protector fails to guard dynamically-sized local variables on AArch64"}]}]},"references":{"reference_data":[{"name":"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64","refsource":"MISC","url":"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T07:17:11.837Z"},"title":"CVE Program Container","references":[{"url":"https://developer.arm.com/Arm%20Security%20Center/GCC%20Stack%20Protector%20Vulnerability%20AArch64","tags":["x_transferred"]},{"url":"https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf","tags":["x_transferred"]}]}]},"dataVersion":"5.1"}