CVE-2014-8121
Description
DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) 2.21 and earlier does not properly check if a file is open, which allows remote attackers to cause a denial of service (infinite loop) by performing a look-up on a database while iterating over it, which triggers the file pointer to be reset.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in glibc's NSS 'files' backend allows remote attackers to cause a denial of service (infinite loop) by performing a lookup while iterating over a database.
Vulnerability
The vulnerability resides in the DB_LOOKUP function in nss_files/files-XXX.c of the GNU C Library (glibc) versions 2.21 and earlier. When performing a lookup, the function does not properly check whether the database file is already open, so a lookup interleaved with an iteration over the same database resets the file pointer and the iteration never terminates. This issue affects all systems using the NSS "files" backend for services such as user and group databases [3].
Exploitation
An attacker can trigger this vulnerability by causing an application to interleave a key-based lookup (e.g., getpwuid) with iteration over the same NSS database (e.g., getpwent). The lookup resets the file pointer, so the iteration restarts from the beginning indefinitely. The attack can be performed remotely by sending crafted requests to a network service that uses NSS for authentication or user enumeration, such as Samba processing quota-related requests [2][3].
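The state interaction described above, modelled as an added C illustration (a simplified re-implementation, not glibc's files-XXX.c): enumeration and lookups share one static stream and one saved position; the vulnerable lookup rewinds and then closes that stream, so the next enumeration step reopens it, resets the saved position to the start, and the loop never advances. The "fixed" path gives the lookup a private stream, in the spirit of the 2.22 separation of the two code paths; a step bound makes the faulty case terminate instead of hanging.

```c
/* Simplified model of the shared stream in glibc <= 2.21 nss_files/files-XXX.c
   (illustration, not glibc's code): getXXent and getXXbyYY share one FILE*. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#define MAX_STEPS 50                 /* bound so the faulty enumeration terminates */
static char DB[] =                   /* constructed passwd-style sample data */
    "root:x:0:0::/root:/bin/sh\n"
    "alice:x:1000:1000::/home/alice:/bin/sh\n"
    "bob:x:1001:1001::/home/bob:/bin/sh\n";
static FILE *stream; static fpos_t position;   /* shared stream + saved offset */
static FILE *open_db(void) { return fmemopen(DB, sizeof DB - 1, "r"); }
static void close_shared(void) { if (stream) { fclose(stream); stream = NULL; } }
/* getXXent_r model: a closed stream is reopened and the saved position is
   overwritten with the start of the file; that is the reset which restarts. */
static int getent(char *line, size_t len) {
    if (stream == NULL) {
        if ((stream = open_db()) == NULL) return 0;
        fgetpos(stream, &position);
    }
    fsetpos(stream, &position);
    if (!fgets(line, len, stream)) return 0;
    fgetpos(stream, &position);
    return 1;
}
/* getXXbyYY_r model: vulnerable=1 rewinds, then closes, the shared stream
   (pre-2.22 behaviour); vulnerable=0 uses a private stream instead. */
static int lookup_name(const char *name, int vulnerable) {
    FILE *fp = vulnerable ? (stream ? stream : (stream = open_db())) : open_db();
    char line[128]; size_t n = strlen(name); int found = 0;
    if (fp == NULL) return 0;
    rewind(fp);
    while (!found && fgets(line, sizeof line, fp))
        found = strncmp(line, name, n) == 0 && line[n] == ':';
    if (vulnerable) close_shared(); else fclose(fp);
    return found;
}
/* Enumerate users, looking each up by name (the Samba-style pattern);
   returns the entries seen, or -1 if the enumeration keeps restarting. */
int enumerate_with_lookups(int vulnerable) {
    char line[128], name[64]; int count = 0;
    close_shared();
    while (count < MAX_STEPS && getent(line, sizeof line)) {
        if (sscanf(line, "%63[^:]", name) != 1 || !lookup_name(name, vulnerable)) break;
        count++;
    }
    close_shared();
    return count >= MAX_STEPS ? -1 : count;
}
```

With the shared stream the enumeration keeps re-reading the first entry and hits the bound; with a private lookup stream it sees the three entries and ends.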
Impact
Successful exploitation results in an infinite loop, leading to a denial of service (DoS) condition. The affected application becomes unresponsive or hangs, potentially impacting system services. No elevation of privileges or data disclosure occurs [3].
Mitigation
The vulnerability is fixed in glibc version 2.22 (released February 2015) and in patched versions provided by distributors. Red Hat Enterprise Linux 7 received a fix in glibc-2.17-78.el7 (RHSA-2015-0327) [1]. Ubuntu issued updates in USN-2985-1 and USN-2985-2 [4]. Users should apply the latest updates from their operating system vendor. No workarounds are currently available [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop:11:sp3:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_desktop:11:sp4:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:11.0:sp3:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:11.0:sp3:*:*:*:vmware:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server:11.0:sp4:*:*:*:*:*:*
OSV package coordinates (15 versions, no CPE), each with its vulnerable version range:
- pkg:rpm/opensuse/glibc&distro=openSUSE%20Tumbleweed (range: < 2.24-2.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP3 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Desktop%2012 (range: < 2.19-22.7.1)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP2-LTSS (range: < 2.11.3-17.45.66.1)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP3-TERADATA (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2012 (range: < 2.19-22.7.1)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP3 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012 (range: < 2.19-22.7.1)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP3 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (range: < 2.11.3-17.87.3)
- pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012 (range: < 2.19-22.7.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Exploit, Issue Tracking)
- rhn.redhat.com/errata/RHSA-2015-0327.html (nvd: Third Party Advisory)
- www.debian.org/security/2016/dsa-3480 (nvd: Third Party Advisory)
- www.securityfocus.com/bid/73038 (nvd: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-2985-1 (nvd: Third Party Advisory)
- www.ubuntu.com/usn/USN-2985-2 (nvd: Third Party Advisory)
- security.gentoo.org/glsa/201602-02 (nvd: Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2015-08/msg00019.html (nvd: Mailing List)
- lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html (nvd: Mailing List)
News mentions
No linked articles in our index yet.