by escape_velocity 996 days ago
Small silver lining for the folks here that manage Red Hat Enterprise Linux systems.

The bug was introduced in glibc 2.34 so I'm guessing RHEL 7 (glibc-2.17) and RHEL 8 (glibc-2.28) are not affected. That just leaves RHEL 9 which is running glibc 2.34.

2 comments

(and it's not obvious if 2.34 is easily exploitable either, though it has the same bug, as it uses sbrk instead of __minimal_malloc. So at least the exploit here won't work, though maybe there is another one).

As most genuine multi-user setups are probably running EL (at least, nearly all the ones I've ever used...), this is a pretty big silver lining...

RHEL 8 is impacted; the fix that introduced the issue was backported:

https://access.redhat.com/security/cve/cve-2023-4911
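An added example, not part of any comment in this thread, that turns the thread's point into a check a defender can run: a POSIX shell script that classifies the installed glibc version against the 2.34 introduction point mentioned above, then looks for CVE-2023-4911 in the package changelog, because, as the RHEL 8 backport shows, the version number alone is not a reliable signal either way. The function names and the constructed changelog line are my own; `ldd --version` and `rpm -q --changelog glibc` are standard commands, and the script degrades gracefully on hosts without `rpm`.

```shell
#!/bin/sh
# Added example (not from the HN thread): reason about CVE-2023-4911 exposure
# from two signals, the glibc version and the vendor changelog, and refuse to
# call a pre-2.34 build "safe" on version alone (RHEL 8 backported the bug).

# glibc_minor VERSION -> minor number of a "2.NN" glibc version, empty if unparsable
glibc_minor() {
  printf '%s\n' "$1" | sed -n 's/^2\.\([0-9][0-9]*\).*$/\1/p'
}

# version_hint VERSION -> "upstream-range" (>= 2.34, where the thread says the
# bug was introduced), "pre-2.34", or "unknown"
version_hint() {
  minor=$(glibc_minor "$1")
  [ -n "$minor" ] || { echo "unknown"; return; }
  if [ "$minor" -ge 34 ]; then echo "upstream-range"; else echo "pre-2.34"; fi
}

# changelog_mentions_cve CHANGELOG_TEXT CVE_ID -> "yes" or "no"
changelog_mentions_cve() {
  if printf '%s\n' "$1" | grep -qi -- "$2"; then echo yes; else echo no; fi
}

# assess VERSION CHANGELOG_TEXT -> one-line verdict; the changelog signal wins
# over the version heuristic in both directions
assess() {
  ver="$1"; log="$2"
  hint=$(version_hint "$ver")
  fixed=$(changelog_mentions_cve "$log" "CVE-2023-4911")
  if [ "$fixed" = yes ]; then
    echo "patched (changelog references CVE-2023-4911)"
  elif [ "$hint" = upstream-range ]; then
    echo "in affected upstream range (>=2.34) with no fix recorded: check advisory"
  elif [ "$hint" = pre-2.34 ]; then
    echo "version predates 2.34 but vendor backport possible: check advisory"
  else
    echo "unknown glibc version"
  fi
}

# Live check on the current host (best effort; output is informational only).
live_ver=$(ldd --version 2>/dev/null | head -n1 | sed -n 's/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
live_log=""
if command -v rpm >/dev/null 2>&1; then
  live_log=$(rpm -q --changelog glibc 2>/dev/null || true)
fi
echo "host glibc ${live_ver:-?}: $(assess "$live_ver" "$live_log")"

# Constructed sample: a RHEL 8 style version with a backported fix noted.
sample_log="- Fix buffer overflow in ld.so tunables parsing (CVE-2023-4911)"
echo "sample 2.28 + fix changelog: $(assess 2.28 "$sample_log")"
echo "sample 2.28, no changelog:   $(assess 2.28 "")"
```

The last two lines show the asymmetry the thread is about: the same 2.28 version string yields "patched" when the vendor changelog records the CVE and "check advisory" when it does not, rather than a false "not affected".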