exploitDog

CVE-2026-0861

Published: 14 Jan 2026
Source: redhat
CVSS3: 8.1
EPSS: Low

Description

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library versions 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must control both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX to overflow size_t when combined with the large alignment argument. This limits the malicious inputs for the alignment to the range [(1<<62) + 1, 1<<63] for memalign and to exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known, constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, so this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

A flaw was found in the glibc library. When an excessively large alignment value is passed to the memalign suite of functions (memalign, posix_memalign, aligned_alloc, valloc and pvalloc), an integer overflow can occur during internal size calculations due to improper overflow checks. The result is an allocation of a small chunk of memory that is subsequently used for writing. This issue can result in an application crash or heap memory corruption.

Report

To exploit this flaw, an attacker needs to find an application linked to the glibc library that uses one of the vulnerable functions (memalign, posix_memalign, aligned_alloc, valloc or pvalloc) in a way that lets the alignment parameter be user-controlled, allowing the attacker to trigger the integer overflow. However, the alignment parameter used by these functions is usually a hard-coded power of two and does not allow arbitrary values, especially values supplied by a user. There is no known application vulnerable to this issue. Also, default Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and memory protections, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability. For these reasons, this vulnerability has been rated with a low severity.

Mitigation

Applications that call one of the vulnerable functions and allow the alignment parameter to be set by user-controlled input can implement additional validation checks, ensuring the alignment value is a power of two and does not exceed a sane limit, for example the system page size or a maximum of 64KB. This prevents the excessively large value required to trigger the integer overflow.
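
The validation described above, as an added example that is not Red Hat's or glibc's code. The names `validate_aligned_request`, `checked_posix_memalign` and `MAX_ALIGNMENT` are hypothetical, and the size check is an extra assumption drawn from the description's note that the size must be close to PTRDIFF_MAX.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* for posix_memalign */
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed application policy: the 64 KB ceiling suggested in the mitigation. */
#define MAX_ALIGNMENT ((size_t)64 * 1024)

/* Returns 0 when the request is safe to pass on, otherwise an errno value. */
int validate_aligned_request(size_t alignment, size_t size)
{
    /* posix_memalign needs at least sizeof(void *); zero is rejected here too. */
    if (alignment < sizeof(void *))
        return EINVAL;
    /* A power of two has exactly one bit set. */
    if ((alignment & (alignment - 1)) != 0)
        return EINVAL;
    /* The cap keeps the alignment far below the range the advisory describes. */
    if (alignment > MAX_ALIGNMENT)
        return EINVAL;
    /* Extra check (assumption): size + alignment must stay below PTRDIFF_MAX. */
    if (size > (size_t)PTRDIFF_MAX - alignment)
        return ENOMEM;
    return 0;
}

/* Hypothetical wrapper: validate first, then call the real allocator. */
int checked_posix_memalign(void **out, size_t alignment, size_t size)
{
    int rc = validate_aligned_request(alignment, size);
    *out = NULL;
    if (rc != 0)
        return rc;
    return posix_memalign(out, alignment, size);
}

int main(void)
{
    void *p;
    /* Constructed sample requests: one normal, one with an oversized alignment. */
    printf("page-aligned: rc=%d\n", checked_posix_memalign(&p, 4096, 256));
    free(p);
    printf("oversized:    rc=%d\n", checked_posix_memalign(&p, MAX_ALIGNMENT * 2, 256));
    return 0;
}
```

Routing every caller that takes an externally supplied alignment through one such wrapper keeps the policy in a single place and makes it easy to audit.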

Affected packages

| Platform | Package | State | Advisory | Release |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 6 | compat-glibc | Not affected | | |
| Red Hat Enterprise Linux 6 | glibc | Not affected | | |
| Red Hat Enterprise Linux 7 | compat-glibc | Not affected | | |
| Red Hat Enterprise Linux 7 | glibc | Not affected | | |
| Red Hat Enterprise Linux 8 | glibc | Not affected | | |
| Red Hat OpenShift Container Platform 4 | rhcos | Fix deferred | | |
| Red Hat Enterprise Linux 10 | glibc | Fixed | RHSA-2026:1334 | 27.01.2026 |
| Red Hat Enterprise Linux 9 | glibc | Fixed | RHSA-2026:2786 | 17.02.2026 |
| Cost Management 4 | costmanagement/costmanagement-metrics-rhel9-operator | Fixed | RHSA-2026:3228 | 24.02.2026 |

Additional information

Status: Low
Weakness: CWE-190
https://bugzilla.redhat.com/show_bug.cgi?id=2429771 glibc: Integer overflow in memalign leads to heap corruption

EPSS

Percentile: 1%
0.0001
Low

8.1 High

CVSS3

Related vulnerabilities

CVSS3: 8.4
ubuntu
2 months ago

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library versions 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must control both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX to overflow size_t when combined with the large alignment argument. This limits the malicious inputs for the alignment to the range [(1<<62) + 1, 1<<63] for memalign and to exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known, constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, so this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a differe...

CVSS3: 8.4
nvd
2 months ago

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library versions 2.30 to 2.42 may result in an integer overflow, which could consequently result in heap corruption. Note that the attacker must control both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX to overflow size_t when combined with the large alignment argument. This limits the malicious inputs for the alignment to the range [(1<<62) + 1, 1<<63] for memalign and to exactly 1<<63 for posix_memalign and aligned_alloc. Typically the alignment argument passed to such functions is a known, constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, so this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a differe

CVSS3: 7.3
msrc
about 1 month ago

Integer overflow in memalign leads to heap corruption

CVSS3: 8.4
debian
2 months ago

Passing too large an alignment to the memalign suite of functions (mem ...

suse-cvrf
23 days ago

Security update for glibc-livepatches
