CVE-2024-2961

Published Apr 17, 2024

Last updated a month ago

CVSS high 7.3
Ubuntu

Overview

Description
The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.
Source
3ff69d7a-14f2-4f67-a097-88dee7810d18
NVD status
Analyzed
Products
glibc, active_iq_unified_manager, debian_linux, hci_h300s_firmware, hci_h500s_firmware, hci_h700s_firmware, hci_h410s_firmware, hci_h410c_firmware, hci_h610c_firmware, hci_h610s_firmware, hci_h615c_firmware, hci_compute_node, ontap_select_deploy_administration_utility

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.3
Impact score
4.7
Exploitability score
2.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Severity
HIGH

Weaknesses

3ff69d7a-14f2-4f67-a097-88dee7810d18
CWE-787

Social media

Hype score
Not currently trending

  1. We found an interesting CTF-inspired vuln CVE-2026-22200 affecting osTicket, a popular ticketing system. It allows anonymous attackers to exfil local files as BMP images through the mPDF library. This can be chained to RCE if the host is vuln to CNEXT (CVE-2024-2961)

    @Horizon3Attack

    22 Jan 2026

    5270 Impressions

    17 Retweets

    74 Likes

    38 Bookmarks

    2 Replies

    0 Quotes

  2. cve-2024-34102+CVE-2024-2961第一个漏洞已经解决,第二个漏洞libc和maps已经读取下来了,最后一部构造filterchain的时候一直有问题,没法rce,libc和maps可以保证是正确的。请问有大佬会的吗?

    @Xiaoxiao_2585

    18 Sept 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🔴 Cloudflare CIRCL (FourQ), Cryptographic Validation Flaw, #CVE-2024-2961 (Critical) https://t.co/4dcWIVX0UB

    @dailycve

    10 Jun 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  4. ⚠️Múltiples vulnerabilidades en HPE OneView ❗CVE-2024-38476 ❗CVE-2024-38475 ❗CVE-2024-38477 ❗CVE-2024-2961 ➡️Más info: https://t.co/f2jdGg96ol https://t.co/f6JFnAJ5Ze

    @CERTpy

    2 Jun 2025

    141 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  5. Just rooted #BigBang (Hard) on #HTB (@hackthebox_eu) 🔓🔥 🕳️ WordPress LFI → CVE-2024-2961 → shell 🔄 DB creds → port-forward → SSH 🔐 Grafana hash → crack → user pivot 📲 APK reverse → subdomain → RCE → root 🎯 POC: https://t.co/t0CNJ0OJi2 #

    @sakibulalikhan

    1 May 2025

    51 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition on transaction flags that allows unprivileged users to install packages as root and thus leads to a local privilege escalation. This is patched in version 1.3.5. A local unprivileged user can install arbitrary RPM packages as root, including executing RPM scriptlets, without authentication. The vulnerability is a TOCTOU race condition on `transaction->cached_transaction_flags` combined with a silent state-machine guard that discards illegal backward transitions while leaving corrupted flags in place. Three bugs exist in `src/pk-transaction.c`: 1. Unconditional flag overwrite (line 4036): `InstallFiles()` writes caller-supplied flags to `transaction->cached_transaction_flags` without checking whether the transaction has already been authorized/started. A second call blindly overwrites the flags even while the transaction is RUNNING. 2. Silent state-transition rejection (lines 873–882): `pk_transaction_set_state()` silently discards backward state transitions (e.g. `RUNNING` → `WAITING_FOR_AUTH`) but the flag overwrite at step 1 already happened. The transaction continues running with corrupted flags. 3. Late flag read at execution time (lines 2273–2277): The scheduler's idle callback reads cached_transaction_flags at dispatch time, not at authorization time. If flags were overwritten between authorization and execution, the backend sees the attacker's flags.CVE-2026-41651
  2. Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.CVE-2026-5928
  3. Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.CVE-2026-5450
  4. A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition.CVE-2026-1584
  5. In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation.CVE-2026-35535

References

Sources include official advisories and independent security research.