GNU Gcc

By the Year

In 2024 there have been 0 vulnerabilities in GNU Gcc. Last year Gcc had 1 security vulnerability published. Right now, Gcc is on track to have fewer security vulnerabilities in 2024 than it did last year.

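| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2024 | 0 | 0.00 |
| 2023 | 1 | 4.80 |
| 2022 | 3 | 5.83 |
| 2021 | 1 | 7.80 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 7.80 |
| 2018 | 0 | 0.00 |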

It may take a day or so for new Gcc vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent GNU Gcc Security Vulnerabilities

**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains

CVE-2023-4039 4.8 - Medium - September 13, 2023

**DISPUTED** A failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables. The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty

CVE-2021-3826 6.5 - Medium - September 01, 2022

Heap/stack buffer overflow in the dlang_lname function in d-demangle.c in libiberty allows attackers to potentially cause a denial of service (segmentation fault and crash) via a crafted mangled symbol.

Buffer Overflow

libiberty/rust-demangle.c in GNU GCC 11.2

CVE-2022-27943 5.5 - Medium - March 26, 2022

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Stack Exhaustion

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c

CVE-2021-46195 5.5 - Medium - January 14, 2022

GCC v12.0 was discovered to contain an uncontrolled recursion via the component libiberty/rust-demangle.c. This vulnerability allows attackers to cause a Denial of Service (DoS) by consuming excessive CPU and memory resources.

Stack Exhaustion

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability

CVE-2021-37322 7.8 - High - November 18, 2021

GCC c++filt v2.26 was discovered to contain a use-after-free vulnerability via the component cplus-dem.c.

Dangling pointer

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call

CVE-2019-15847 7.5 - High - September 02, 2019

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.

Insufficient Entropy

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets

CVE-2018-12886 8.1 - High - May 22, 2019

stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against.

Generation of Error Message Containing Sensitive Information

gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code

CVE-2008-1685 - April 06, 2008

gcc 4.2.0 through 4.3.0 in GNU Compiler Collection, when casts are not used, considers the sum of a pointer and an int to be greater than or equal to the pointer, which might lead to removal of length testing code that was intended as a protection mechanism against integer overflow and buffer overflow attacks, and provide no diagnostic message about this removal. NOTE: the vendor has determined that this compiler behavior is correct according to section 6.5.6 of the C99 standard (aka ISO/IEC 9899:1999).

Buffer Overflow
