High severity7.8NVD Advisory· Published Dec 18, 2017· Updated Jun 17, 2026
CVE-2017-16997
CVE-2017-16997
Description
elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
21cpe:2.3:a:gnu:glibc:2.19:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:gnu:glibc:2.19:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.20:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.21:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.22:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.23:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.25:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:glibc:2.26:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- osv-coords10 versionspkg:rpm/opensuse/glibc&distro=openSUSE%20Tumbleweedpkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2pkg:rpm/suse/glibc&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
< 2.34-1.2+ 9 more
- (no CPE)range: < 2.34-1.2
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
- (no CPE)range: < 2.22-62.3.4
Patches
Vulnerability mechanics
References
5- bugs.debian.org/884615nvdIssue TrackingMailing ListPatchThird Party Advisory
- sourceware.org/bugzilla/show_bug.cginvdIssue TrackingPatchThird Party Advisory
- www.securityfocus.com/bid/102228nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHBA-2019:0327nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:3092nvdThird Party Advisory
News mentions
0No linked articles in our index yet.