CVE-2017-1000376

libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. It was previously stated that this affects libffi version 3.2.1 but this appears to be incorrect. libffi prior to version 3.1 on 32 bit x86 systems was vulnerable, and upstream is believed to have fixed this issue in version 3.1.

Published: Jun 19, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-1000376
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.9
AV:L/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-119

Affected Software
References

Software	From	Fixed in
redhat / enterprise_linux	7.0	7.0.x
redhat / enterprise_linux	6.0	6.0.x
redhat / openshift	2.0	2.0.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
libffi_project / libffi	-	3.2
oracle / peopletools	8.57	8.57.x
oracle / peopletools	8.56	8.56.x

http://www.debian.org/security/2017/dsa-3889
https://access.redhat.com/security/cve/CVE-2017-1000376
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Vulnerability Database

289,697

CVE-2017-1000376