Malicious actors could exploit several memory corruption vulnerabilities in the ncurses programming library to carry out code execution attacks against Linux and macOS systems, reports The Hacker News.
Patches have already been issued for the identified flaws, collectively tracked as CVE-2023-29491, which include a denial-of-service bug with canceled strings, an off-by-one error, a stack information leak vulnerability, and a heap out-of-bounds bug during terminfo database file parsing, according to a Microsoft Threat Intelligence report.
Researchers also discovered that privilege escalation could be achieved by compromising and exploiting several environment variable searches performed by the ncurses library, in combination with the identified vulnerabilities.
"The vulnerabilities may have needed to be chained together for an attacker to elevate privileges, such as exploiting the stack information leak to gain arbitrary read primitives along with exploiting the heap overflow to obtain a write primitive," said researchers.