CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so
A buffer overflow vulnerability dubbed “Looney Tunables” was recently found in the GNU C Library (glibc). The bug, tracked as CVE-2023-4911, lies in the glibc dynamic loader ld.so, in the code that parses the GLIBC_TUNABLES environment variable. It was introduced in April 2021 (glibc 2.34 and later are affected) and poses a significant threat to systems running default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.
According to the security researchers who discovered this vulnerability, "This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security."
A local, unprivileged user can exploit the Looney Tunables flaw to gain full root privileges on affected systems: ld.so still parses GLIBC_TUNABLES when it loads set-user-ID programs, so a crafted value of the variable corrupts memory inside a root-owned binary such as su. Successful exploitation can result in data breaches and complete system compromise.
Debian, Fedora, Gentoo, Oracle, Red Hat, and Ubuntu have released critical glibc security updates that fix this bug. Given how damaging this vulnerability is on systems left unpatched, we urge all affected users to update immediately to protect against privilege escalation attacks that could lead to downtime and compromise.
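To confirm whether a given host still needs the update, the following shell script, added here as an example and not taken from this article, the glibc project or any distribution advisory, wraps the quick test that Qualys published alongside its advisory: it runs a set-user-ID binary (su by default) under a malformed GLIBC_TUNABLES value and interprets the exit status. The function names (classify_rc, looney_check, glibc_version) and the exit-code mapping are this example's own assumptions; a segfault means the vulnerable parser is reachable, a clean exit means the loader has been fixed, and anything else (for instance, su missing from the system) is reported as inconclusive.

```shell
#!/bin/sh
# Added example for CVE-2023-4911 (Looney Tunables). Not code from the
# LinuxSecurity article, the glibc project or a distribution advisory.
# It reproduces the quick test published by Qualys: run a set-user-ID
# binary (su by default) under a malformed GLIBC_TUNABLES value. On a
# vulnerable ld.so the value "glibc.malloc.mxfast=glibc.malloc.mxfast=A"
# overflows a buffer in the tunables parser and the process dies with
# SIGSEGV; on a patched glibc the binary prints its usage text and exits
# normally. The helper names and the verdict mapping are this example's own.

# Map the exit status of the probe run to a verdict.
# A POSIX shell reports death by signal as 128 + signal number;
# SIGSEGV is signal 11, so a segfault shows up as exit status 139.
classify_rc() {
    case "$1" in
        139) echo "vulnerable";                return 1 ;;  # segfault in ld.so
        0)   echo "not vulnerable";            return 0 ;;  # --help ran normally
        *)   echo "inconclusive (exit $1)";    return 2 ;;  # anything else
    esac
}

# Run the probe against a set-user-ID binary (default: /usr/bin/su).
# env -i clears the environment so nothing else influences the loader.
# The long "Z" padding variable is part of the published test and is
# kept as-is. Output is discarded: only the exit status matters.
looney_check() {
    bin="${1:-/usr/bin/su}"
    if [ ! -x "$bin" ]; then
        echo "inconclusive ($bin not found)"
        return 2
    fi
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
        "Z=$(printf '%08192x' 1)" "$bin" --help >/dev/null 2>&1
    classify_rc $?
}

# Report which glibc the probe ran against. ldd ships with glibc and
# prints the library version on its first line.
glibc_version() {
    ldd --version 2>/dev/null | head -n 1
}

# Usage: sh looney_check.sh [path-to-setuid-binary]
glibc_version
looney_check "$@"
```

Run it as an unprivileged user; it does not escalate privileges, it only observes whether the loader crashes. A "vulnerable" verdict means the host needs its distribution's glibc update before any local account can be considered safe.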
To stay on top of essential updates released by the open-source programs and applications you use, register as a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter, and customize your advisories for your distro(s). This will enable you to stay up-to-date on the latest, most significant issues impacting the security of your systems.
Follow @LS_Advisories on Twitter for real-time updates on advisories for your distro(s).