PatchSiren cyber security CVE debrief

CVE-2023-4806 Redhat CVE debrief

CVE-2023-4806 is a narrowly triggered glibc use-after-free in getaddrinfo that can lead to an application crash. The CVE was published on 2023-09-18 and, per the NVD record, was later modified on 2026-05-12. The exposure is unusual: it requires an NSS module that implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks and omits _nss_*_gethostbyname3_r, and it is reached through a getaddrinfo call using AF_INET6 with AI_CANONNAME, AI_ALL, and AI_V4MAPPED while resolving a name that returns many IPv6 and IPv4 results.

Vendor: Redhat
Product: CVE-2023-4806
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-09-18
Original CVE updated: 2026-05-12
Advisory published: 2023-09-18
Advisory updated: 2026-05-12

Who should care

System owners and maintainers using glibc-based Linux distributions, especially those that ship Red Hat or Fedora packages listed in the NVD record, should review this CVE. It is most relevant if you use custom or third-party NSS modules, resolver-heavy workloads, or software that depends on getaddrinfo for name resolution.

Technical summary

The NVD description identifies a rare memory-safety bug in glibc's getaddrinfo path, classified as CWE-416 (Use After Free). The issue is conditionally reachable only when an NSS module provides _nss_*_gethostbyname2_r and _nss_*_getcanonname_r but not _nss_*_gethostbyname3_r, and when resolution is performed with AF_INET6 plus AI_CANONNAME, AI_ALL, and AI_V4MAPPED against a name that yields a large mix of IPv6 and IPv4 answers. NVD rates the issue CVSS 3.1 5.9/Medium with network attack vector, high attack complexity, no privileges or user interaction required, and impact limited to availability.

Defensive priority

Medium. The severity is moderate because the flaw is a crash-oriented use-after-free with high attack complexity and a narrow prerequisite set, but it still affects a core name-resolution path and should be patched where exposed.

Recommended defensive actions

  • Apply vendor-provided updates for affected glibc packages and follow the linked Red Hat advisories.
  • Check whether any deployed NSS modules implement only _nss_*_gethostbyname2_r and _nss_*_getcanonname_r without _nss_*_gethostbyname3_r.
  • Inventory systems matching the affected glibc and vendor CPEs listed in the NVD record, including Red Hat and Fedora builds.
  • Prioritize remediation on hosts that perform heavy DNS or name-resolution workloads.
  • Monitor for resolver-related crashes or unexpected application terminations until patched.
  • Use the linked vendor security pages and CVE records to confirm package-specific fixed builds.
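
One way to run the NSS-module check from the list above, as an added example that is not part of the NVD record or any vendor tooling: it classifies a module by the hooks it exports, using GNU nm. The function names, the "demo" module and the sample symbol lines are constructed for illustration, and the library directories you pass in are your own assumption about where NSS modules live.

```sh
#!/bin/sh
# Added example: flag NSS modules whose exported hooks match the precondition
# this page describes (gethostbyname2_r + getcanonname_r, no gethostbyname3_r).

# Reads `nm -D --defined-only` output on stdin and prints one verdict:
#   match | has-gethostbyname3 | not-applicable
# Assumes one NSS service per shared object, which is the usual layout.
classify_nss_symbols() {
    awk '
        {
            sym = $NF             # symbol name is the last field of an nm line
            sub(/@.*/, "", sym)   # drop version suffix such as @@GLIBC_PRIVATE
        }
        sym ~ /^_nss_.+_gethostbyname2_r$/ { h2 = 1 }
        sym ~ /^_nss_.+_gethostbyname3_r$/ { h3 = 1 }
        sym ~ /^_nss_.+_getcanonname_r$/   { cn = 1 }
        END {
            if (h2 && cn && !h3) print "match"
            else if (h3)         print "has-gethostbyname3"
            else                 print "not-applicable"
        }'
}

# Constructed sample: symbol table of a hypothetical third-party module "demo".
sample_symbols() {
    printf '%s\n' \
        '0000000000001130 T _nss_demo_gethostbyname2_r' \
        '0000000000001200 T _nss_demo_getcanonname_r' \
        '0000000000001290 T _nss_demo_gethostbyaddr_r'
}

# Runs the classifier over every libnss_*.so* in the given directories and
# prints "<verdict><TAB><path>" per module.
scan_nss_dirs() {
    for dir in "$@"; do
        for lib in "$dir"/libnss_*.so*; do
            [ -f "$lib" ] || continue
            verdict=$(nm -D --defined-only "$lib" 2>/dev/null | classify_nss_symbols)
            printf '%s\t%s\n' "$verdict" "$lib"
        done
    done
}

# Scan only when directories are given, e.g.: sh check.sh /lib64 /usr/lib64
if [ "$#" -gt 0 ]; then
    scan_nss_dirs "$@"
fi
```

A "match" verdict only means the module has the hook combination named in the CVE description; whether the host is still exposed depends on the installed glibc build, so confirm that against the vendor advisories.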

Evidence notes

All substantive details come from the supplied NVD record and its listed references. The NVD description states that getaddrinfo may access freed memory in an extremely rare situation and that exploitation requires a specific NSS hook combination plus AF_INET6 with AI_CANONNAME, AI_ALL, and AI_V4MAPPED. NVD assigns CWE-416 and CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9). The record references Red Hat advisories, a Red Hat CVE page, Bugzilla 2237782, Fedora package announcements, Gentoo GLSA, NetApp, Siemens, and oss-security posts. The CVE publication date is 2023-09-18; the modified date 2026-05-12 is a record update, not the issue date.

Official resources

CVE published on 2023-09-18T17:15:55.813Z; the NVD record was last modified on 2026-05-12T11:16:15.973Z.