ALPINE-CVE-2023-4039
**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.19 | gcc | 4.7.3-r0, 0, 9.3.0-r4 |
| Alpine:v3.20 | gcc | 0, 0, 9.3.0-r4 |
| Alpine:v3.23 | gcc | 4.4.1-r3, 0, 10.2.0-r0 |
| Alpine:v3.24 | gcc | 0 |
| Alpine:v3.22 | gcc | 0, 4.6.2-r1, 4.6.2-r4 |
| Alpine:v3.21 | gcc | 4.8.1-r5, 4.8.1-r4, 4.8.1-r2 |
Timeline
- Sep 13, 2023 CVE Published
- Apr 30, 2026 Distribution Patch
- Jun 15, 2026 CVE Updated