CVE-2017-1000366

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.

• CWE-119

• http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
• http://seclists.org/fulldisclosure/2019/Sep/7
• http://www.debian.org/security/2017/dsa-3887Third Party Advisory
• http://www.securityfocus.com/bid/99127Third Party Advisory, VDB Entry
• http://www.securitytracker.com/id/1038712Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2017:1479Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1480Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1481Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1567Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1712Third Party Advisory
• https://access.redhat.com/security/cve/CVE-2017-1000366Third Party Advisory
• https://kc.mcafee.com/corporate/index?page=content&id=SB10205Patch, Third Party Advisory
• https://seclists.org/bugtraq/2019/Sep/7
• https://security.gentoo.org/glsa/201706-19Third Party Advisory
• https://www.exploit-db.com/exploits/42274/Third Party Advisory, VDB Entry
• https://www.exploit-db.com/exploits/42275/Third Party Advisory, VDB Entry
• https://www.exploit-db.com/exploits/42276/Third Party Advisory, VDB Entry
• https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txtTechnical Description, Third Party Advisory
• https://www.suse.com/security/cve/CVE-2017-1000366/Third Party Advisory
• https://www.suse.com/support/kb/doc/?id=7020973Third Party Advisory
• http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
• http://seclists.org/fulldisclosure/2019/Sep/7
• http://www.debian.org/security/2017/dsa-3887Third Party Advisory
• http://www.securityfocus.com/bid/99127Third Party Advisory, VDB Entry
• http://www.securitytracker.com/id/1038712Third Party Advisory, VDB Entry
• https://access.redhat.com/errata/RHSA-2017:1479Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1480Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1481Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1567Third Party Advisory
• https://access.redhat.com/errata/RHSA-2017:1712Third Party Advisory
• https://access.redhat.com/security/cve/CVE-2017-1000366Third Party Advisory
• https://kc.mcafee.com/corporate/index?page=content&id=SB10205Patch, Third Party Advisory
• https://seclists.org/bugtraq/2019/Sep/7
• https://security.gentoo.org/glsa/201706-19Third Party Advisory
• https://www.exploit-db.com/exploits/42274/Third Party Advisory, VDB Entry
• https://www.exploit-db.com/exploits/42275/Third Party Advisory, VDB Entry
• https://www.exploit-db.com/exploits/42276/Third Party Advisory, VDB Entry
• https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txtTechnical Description, Third Party Advisory
• https://www.suse.com/security/cve/CVE-2017-1000366/Third Party Advisory
• https://www.suse.com/support/kb/doc/?id=7020973Third Party Advisory

Published

Jun 19, 2017

Last Modified

Jun 17, 2026

Status

Modified