PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-6780 Fedoraproject CVE debrief

CVE-2023-6780 is a medium-severity issue in glibc's __vsyslog_internal path, which is used by syslog and vsyslog. According to the CVE record, very long log messages can cause an incorrect buffer-size calculation, leading to undefined behavior. The NVD data lists affected glibc releases as 2.37 up to, but not including, 2.39, which means 2.37 and 2.38 are in scope in the supplied corpus.

Vendor: Fedoraproject
Product: CVE-2023-6780
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-01-31
Original CVE updated: 2026-05-12
Advisory published: 2024-01-31
Advisory updated: 2026-05-12

Who should care

Linux distribution maintainers, system administrators, and application owners running affected glibc releases, especially systems that call syslog or vsyslog and may process unusually long or untrusted log messages.

Technical summary

NVD describes an integer overflow in __vsyslog_internal, the internal glibc function behind syslog and vsyslog. When these APIs are called with a very long message, the code can miscalculate the buffer size needed to store the message, resulting in undefined behavior. The NVD record assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L and lists CWE-131 and CWE-190 as weaknesses. The vulnerable glibc range in the supplied CPE criteria starts at 2.37 and ends before 2.39.

Defensive priority

Medium

Recommended defensive actions

  • Inventory systems using glibc 2.37 or 2.38 and confirm whether vendor packages are updated.
  • Apply the relevant vendor or distribution security updates for glibc.
  • Review any code or services that pass very large messages into syslog/vsyslog, especially where input may be externally influenced.
  • Monitor vendor advisories and package announcements referenced by NVD for backported fixes and packaging guidance.
  • Treat this as a stability and availability issue first; prioritize faster remediation on production systems that aggregate logs from untrusted sources.
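The first two actions above start with an inventory pass. The helper below is an added example, not PatchSiren's or glibc's code: it parses the output of `getconf GNU_LIBC_VERSION` or `ldd --version` collected from each host and flags versions in the 2.37 <= v < 2.39 range quoted from the NVD CPE criteria. The host outputs are constructed samples, and the range check assumes upstream version numbers only, so a host flagged here still needs its distribution package checked for a backported fix.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Range taken from the NVD CPE criteria cited in this debrief.
# Assumption: distribution backports are NOT reflected in this number.
AFFECTED_MIN = (2, 37)
FIXED_MIN = (2, 39)

# Matches a trailing "MAJOR.MINOR" or "MAJOR.MINOR.PATCH" on the first line,
# e.g. "ldd (GNU libc) 2.38" or "glibc 2.37" or "... 2.35-0ubuntu3.4) 2.35".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_glibc_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the first line of version output, else None."""
    lines = text.strip().splitlines()
    if not lines:
        return None
    m = _VERSION_RE.search(lines[0])
    return (int(m.group(1)), int(m.group(2))) if m else None


def is_in_affected_range(version: Tuple[int, int]) -> bool:
    """True when the upstream version falls in the NVD-listed range."""
    return AFFECTED_MIN <= version < FIXED_MIN


def classify_host(text: str) -> str:
    """Triage one host's output: affected-range, outside-range or unknown."""
    v = parse_glibc_version(text)
    if v is None:
        return "unknown"  # no parsable version: inspect manually
    return "affected-range" if is_in_affected_range(v) else "outside-range"


def triage(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> verdict for a batch of collected outputs."""
    return {host: classify_host(out) for host, out in outputs.items()}


def local_glibc_output() -> str:
    """Collect the version string on the local Linux host (empty if unavailable)."""
    try:
        proc = subprocess.run(["getconf", "GNU_LIBC_VERSION"],
                              capture_output=True, text=True, check=False)
        return proc.stdout
    except OSError:
        return ""


# Constructed sample outputs for an offline run; not real inventory data.
SAMPLE_OUTPUTS = {
    "host-a": "ldd (GNU libc) 2.38\nCopyright (C) 2023 Free Software Foundation, Inc.\n",
    "host-b": "glibc 2.37\n",
    "host-c": "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35\n",
    "host-d": "glibc 2.39\n",
    "host-e": "bash: getconf: command not found\n",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_OUTPUTS).items():
        print(f"{host}: {verdict}")
```

Hosts reported as "affected-range" are candidates for the package-update check, not confirmed vulnerable; "unknown" hosts need manual inspection.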

Evidence notes

This debrief is based on the supplied NVD CVE record and its linked advisories. The record states the flaw is an integer overflow in __vsyslog_internal, reachable via syslog/vsyslog with very long messages. The NVD metadata includes CVSS 5.3, vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, and weaknesses CWE-131 and CWE-190. The reference set includes Red Hat, Bugzilla, Fedora package announcements, Gentoo GLSA, and public third-party write-ups cited by NVD. No KEV entry is present in the supplied corpus.

Official resources

The CVE record was published on 2024-01-31 and later modified on 2026-05-12 in the supplied timeline.