CVE-2023-32665

GVariant deserialisation does not match spec for non-normal data

Published: 9/14/2023
Last updated: 2/13/2025
Reserved: 5/30/2023

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749)
Requested by: n/a

Metrics

| Version | Score | Severity | Vector String |
|---|---|---|---|
| 3.1 | 5.5 | Medium | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |

Opam packages affected (1)

conf-glib-2

Products affected (12)

| Product | Vendor | Version |
|---|---|---|
| Extra Packages for Enterprise Linux | Fedora | 2.6.12 |
| Fedora 37 | Fedora | <= 5.4.* |
| Red Hat Enterprise Linux 6 | Red Hat | < a3d408870bc19b794646871bc4c3a5daa66f91c5 |
| Red Hat Enterprise Linux 7 | Red Hat | < 491487eeddccc4bb49f2e59d8c8f35bec89c15ca |
| Fedora | Fedora | < 2.6.12 |
| Red Hat Enterprise Linux 9 | Red Hat | < 8a4311bbde702362fe7412045d06ab6767235dac |
| Fedora 38 | Fedora | < a174706ba4dad895c40b1d2277bade16dfacdcd9 |
| Red Hat Enterprise Linux 8 | Red Hat | < 3b5d21b56c3774bc84eab0a93aaac22a4475e2c4 |
| Fedora 37 | Fedora | <= 5.15.* |
| Fedora 38 | Fedora | <= 5.10.* |
| glib2 | n/a | 5.7.0 build 539 |
| glib2 | n/a | < 368a533152220b0a6f1142327d96c6b6361f3002 |
