CVE-2017-11671

Under certain circumstances, the ix86_expand_builtin function in i386.c in GNU Compiler Collection (GCC) version 4.6, 4.7, 4.8, 4.9, 5 before 5.5, and 6 before 6.4 will generate instruction sequences that clobber the status flag of the RDRAND and RDSEED intrinsics before it can be read, potentially causing failures of these instructions to go unreported. This could potentially lead to less randomness in random number generation.

Published: Jul 26, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-11671
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4
AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-338

Affected Software
References

Software	From	Fixed in
gnu / gcc	6.3	6.3.x
gnu / gcc	6.2	6.2.x
gnu / gcc	5.3	5.3.x
gnu / gcc	5.1	5.1.x
gnu / gcc	4.8	4.8.x
gnu / gcc	6.0	6.0.x
gnu / gcc	4.7	4.7.x
gnu / gcc	5.4	5.4.x
gnu / gcc	5.2	5.2.x
gnu / gcc	5.0	5.0.x
gnu / gcc	6.1	6.1.x
gnu / gcc	4.9	4.9.x
gnu / gcc	4.6	4.6.x

http://openwall.com/lists/oss-security/2017/07/27/2
http://www.securityfocus.com/bid/100018
https://access.redhat.com/errata/RHSA-2018:0849
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180
https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html

Vulnerability Database

289,784

CVE-2017-11671