VDB

ALPINE-CVE-2023-4039

ALPINE-CVE-2023-4039 PUBLISHED CVSS 4.800000190734863 MEDIUM

**DISPUTED**A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Risk Scores

CVSS 3.1
4.800000190734863
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersions
Alpine:v3.19gcc4.7.3-r0, 0, 9.3.0-r4
Alpine:v3.20gcc0, 0, 9.3.0-r4
Alpine:v3.23gcc4.4.1-r3, 0, 10.2.0-r0
Alpine:v3.24gcc0
Alpine:v3.22gcc0, 4.6.2-r1, 4.6.2-r4
Alpine:v3.21gcc4.8.1-r5, 4.8.1-r4, 4.8.1-r2

Timeline

  • Sep 13, 2023 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jun 15, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›