CVE-2015-1473
Description
The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer overflow in glibc's stdio-common/vfscanf.c via the ADDW macro allows denial of service or memory overwrite via wide characters in wscanf.
Vulnerability
A buffer overflow vulnerability exists in the GNU C Library (glibc) before version 2.21, specifically in the ADDW macro within stdio-common/vfscanf.c. The macro fails to properly consider data-type size when deciding whether to use alloca or malloc for temporary buffers. In the wide-character case (CHAR_T being wchar_t), the macro allocates only newsize bytes instead of the required newsize * sizeof(CHAR_T) bytes, leading to a heap buffer overflow when processing wide characters in wscanf or related functions [1]. This affects all glibc versions prior to 2.21.
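The sizing mistake described above, modelled as an added example (not glibc's code and not part of the original entry): a buffer-growth planner that chooses stack or heap, once comparing the element count against a byte budget and once converting to bytes first. STACK_BUDGET, the doubling growth step and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_BUDGET 4096u /* assumed stack allowance in bytes, not glibc's limit */

enum place { ON_STACK, ON_HEAP, REFUSE };
struct plan { size_t nelem; size_t bytes; enum place where; };

/* Flawed decision: the budget is in bytes, but the value compared is an
   element count, so a wide-character buffer looks elem_size times smaller. */
static struct plan plan_weak(size_t cur_nelem, size_t elem_size)
{
    struct plan p = { cur_nelem * 2, cur_nelem * 2 * elem_size, ON_HEAP };
    if (p.nelem <= STACK_BUDGET)
        p.where = ON_STACK;
    return p;
}

/* Hardened decision: reject sizes whose byte count would wrap, then
   compare the real byte count against the budget. */
static struct plan plan_hardened(size_t cur_nelem, size_t elem_size)
{
    struct plan p = { 0, 0, REFUSE };
    if (elem_size == 0 || cur_nelem > SIZE_MAX / elem_size / 2)
        return p;
    p.nelem = cur_nelem * 2;
    p.bytes = p.nelem * elem_size;
    p.where = p.bytes <= STACK_BUDGET ? ON_STACK : ON_HEAP;
    return p;
}

int main(void)
{
    static const char *name[] = { "stack", "heap", "refuse" };
    size_t caps[] = { 256, 1024, SIZE_MAX / 4 }; /* constructed sample capacities */
    size_t widths[] = { 1, 4 };                  /* char, and a 4-byte wchar_t */
    for (size_t w = 0; w < 2; w++)
        for (size_t c = 0; c < 3; c++) {
            struct plan a = plan_weak(caps[c], widths[w]);
            struct plan b = plan_hardened(caps[c], widths[w]);
            printf("cap=%zu width=%zu weak=%s hardened=%s\n",
                   caps[c], widths[w], name[a.where], name[b.where]);
        }
    return 0;
}
```

With a 4-byte element and a current capacity of 1024, the flawed check approves a stack allocation that actually needs 8192 bytes, twice the assumed budget.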
Exploitation
An attacker can trigger the vulnerability by providing a long line containing wide characters as input to a program that uses wscanf (or similar functions) to parse input. The attacker does not need authenticated access; only the ability to supply crafted input to an application that processes wide-character scan formats is required. The overflow occurs during the dynamic buffer reallocation within the ADDW macro, which miscalculates the allocation size, causing a buffer overrun [1].
Impact
Successful exploitation can lead to a denial of service (segmentation violation) or overwrite of memory locations beyond the allocated buffer boundary. The vulnerability may be leveraged for arbitrary code execution depending on the memory layout and the specific exploitation scenario, though the CVE description primarily highlights information disclosure or memory corruption [1]. The attacker gains the ability to corrupt heap memory, potentially leading to control of process execution.
Mitigation
This vulnerability is fixed in glibc version 2.21, which was released in February 2015. Users should upgrade to glibc 2.21 or later. There is no workaround for code that uses wide-character input functions; the only mitigation is to apply the patch or update the library. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of writing.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*
Patches
No patches discovered yet.