The vulnerability CVE-2024-2961 describes a buffer overflow in the iconv() function of the GNU C Library when converting strings to the ISO-2022-CN-EXT character set.
The iconv() function itself is identified as a vulnerable function because it is the API entry point. The provided commit f9dc609e06b1136bb0408be9605ce7973a767ada includes a new test case (iconvdata/tst-iconv-iso-2022-cn-ext.c) that explicitly calls iconv() to trigger and verify the fix for the vulnerable path.
The defective logic resides in iconvdata/iso-2022-cn-ext.c. The function responsible for the conversion within this file (typically named gconv) was missing bounds checks. The patch in commit f9dc609e06b1136bb0408be9605ce7973a767ada directly modifies this file by adding checks (if (outptr + 4 > outend)) before writing the 4-byte escape sequences for the SS2 designation (e.g., ESC $*H) and the SS3 designation (e.g., ESC $+I). The commit message confirms that these specific escape sequences were problematic due to missing checks.
Both iconv() (as the user-facing API) and the internal gconv function (within iconvdata/iso-2022-cn-ext.c, where the defective logic resided) are critical to understanding the vulnerability and would appear in a runtime profile during exploitation or when triggering the bug.
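The check-before-write pattern that the patch adds, as a simplified model. This is an added example, not glibc source or code from the commit; emit_designation, demo, the status enum and the 16-byte buffer with 0xAA canary bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the patched pattern, not glibc source. */
enum emit_status { EMIT_OK = 0, EMIT_FULL_OUTPUT = 1 };

/* Hypothetical helper: write ESC '$' <inter> <final> at *outptr.
   outend points one past the last writable byte. */
static enum emit_status
emit_designation(unsigned char **outptr, const unsigned char *outend,
                 unsigned char inter, unsigned char final)
{
    /* Equivalent to the fix's `outptr + 4 > outend`, written as a
       remaining-space test so no out-of-range pointer is formed. */
    if ((size_t)(outend - *outptr) < 4)
        return EMIT_FULL_OUTPUT;      /* nothing written; caller needs more room */
    *(*outptr)++ = 0x1b;              /* ESC */
    *(*outptr)++ = '$';
    *(*outptr)++ = inter;
    *(*outptr)++ = final;
    return EMIT_OK;
}

/* Constructed scenario: only `room` bytes of a canary-filled buffer are
   writable. Returns bytes written, or -1 if a byte past outend changed. */
static int demo(size_t room, enum emit_status *status)
{
    unsigned char buf[16];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = 0xAA;
    unsigned char *out = buf;
    const unsigned char *outend = buf + room;
    *status = emit_designation(&out, outend, '*', 'H');   /* ESC $*H */
    for (size_t i = room; i < sizeof buf; i++)
        if (buf[i] != 0xAA) return -1;                    /* wrote past outend */
    return (int)(out - buf);
}

int main(void)
{
    enum emit_status st;
    for (size_t room = 0; room <= 5; room++) {
        int n = demo(room, &st);
        printf("room=%zu status=%d written=%d\n", room, (int)st, n);
    }
    return 0;
}
```

With 0 to 3 bytes of room the helper reports a full output buffer and writes nothing. Without the size check, the same call would store 1 to 4 bytes past outend.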