Unrated severityNVD Advisory· Published Feb 10, 2014· Updated Apr 29, 2026
CVE-2012-3406
CVE-2012-3406
Description
The vfprintf function in stdio-common/vfprintf.c in GNU C Library (aka glibc) 2.5, 2.12, and probably other versions does not "properly restrict the use of" the alloca function when allocating the SPECS array, which allows context-dependent attackers to bypass the FORTIFY_SOURCE format-string protection mechanism and cause a denial of service (crash) or possibly execute arbitrary code via a crafted format string using positional parameters and a large number of format specifiers, a different vulnerability than CVE-2012-3404 and CVE-2012-3405.
Affected products
10- cpe:2.3:a:redhat:enterprise_virtualization:3.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:*:*:*:*:*+ 4 more
- cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- rhn.redhat.com/errata/RHSA-2012-1097.htmlnvd
- rhn.redhat.com/errata/RHSA-2012-1098.htmlnvd
- rhn.redhat.com/errata/RHSA-2012-1185.htmlnvd
- rhn.redhat.com/errata/RHSA-2012-1200.htmlnvd
- www.openwall.com/lists/oss-security/2012/07/11/17nvd
- www.ubuntu.com/usn/USN-1589-1nvd
- bugzilla.redhat.com/attachment.cginvd
- bugzilla.redhat.com/show_bug.cginvd
- security.gentoo.org/glsa/201503-04nvd
News mentions
0No linked articles in our index yet.