CVE-2015-4042

9.8 CRITICAL

📋 TL;DR

This CVE describes an integer overflow vulnerability in GNU Coreutils' sort command that can be triggered via long strings. Attackers could cause denial of service (application crash) or potentially execute arbitrary code. Systems using vulnerable versions of GNU Coreutils (through 8.23) are affected.

💻 Affected Systems

Products:
  • GNU Coreutils
Versions: through 8.23
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the sort command which is commonly installed by default on Unix-like systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the overflow can be leveraged for memory corruption attacks.

🟠 Likely Case

Application crash (denial of service) when processing malicious input through the sort command.

🟢 If Mitigated

Limited to denial of service if exploit attempts are blocked or systems are patched.

🌐 Internet-Facing: MEDIUM - Requires sort command to process attacker-controlled input, which is less common in internet-facing services.
🏢 Internal Only: MEDIUM - Internal systems using sort on untrusted data could be vulnerable to DoS attacks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept exists in public advisories. Exploitation requires feeding long strings to the sort command.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.24 and later

Vendor Advisory: http://openwall.com/lists/oss-security/2015/05/15/1

Restart Required: No

Instructions:

1. Update GNU Coreutils to version 8.24 or later.
2. On Debian/Ubuntu: apt-get update && apt-get install coreutils
3. On RHEL/CentOS: yum update coreutils
4. On other systems, compile from source with the fix applied.

🔧 Temporary Workarounds

Input validation wrapper (Linux)

Create a wrapper script that validates input length before passing it to sort:

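#!/bin/bash
# Checks command-line arguments only; data that sort reads from
# stdin or from files is not inspected.
MAX_LEN=1000000
for arg in "$@"; do
    if [ "${#arg}" -gt "$MAX_LEN" ]; then
        echo "Input too long" >&2
        exit 1
    fi
done
sort "$@"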
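
The wrapper above checks the length of command-line arguments, while sort normally reads its data from stdin or files. The following added example (not part of the original advisory or of GNU Coreutils) applies the same MAX_LEN limit to every line of stdin before sort sees it. The names `longest_line` and `sort_checked` are hypothetical, and it assumes input arrives on stdin only, so file operands are rejected.

```bash
#!/bin/bash
# Added example: enforce the page's MAX_LEN on the data sort reads (stdin),
# not on argv. Function names are hypothetical.
MAX_LEN=${MAX_LEN:-1000000}   # per-line byte limit, same value as the page's wrapper

# longest_line FILE: print the byte length of the longest line in FILE (0 if empty).
longest_line() {
    LC_ALL=C awk '{ n = length($0); if (n > max) max = n } END { print max + 0 }' "$1"
}

# sort_checked [OPTIONS] < input
# Returns 2 for disallowed arguments, 1 if a line exceeds MAX_LEN,
# otherwise sort's own exit status.
sort_checked() {
    local arg tmp len rc=0
    # File operands and --files0-from would make sort read unchecked data.
    # Option values must be attached (-k2, --key=2) so they start with "-".
    for arg in "$@"; do
        case $arg in
            --|--fil*) echo "sort_checked: $arg not allowed" >&2; return 2 ;;
            -?*) ;;
            *) echo "sort_checked: file operand not allowed: $arg" >&2; return 2 ;;
        esac
    done
    tmp=$(mktemp) || return 2
    cat > "$tmp"                      # spool stdin so it can be inspected first
    len=$(longest_line "$tmp")
    if [ "$len" -gt "$MAX_LEN" ]; then
        echo "sort_checked: $len-byte line exceeds limit of $MAX_LEN" >&2
        rm -f "$tmp"
        return 1
    fi
    sort "$@" < "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# To install as a wrapper script, end the file with:  sort_checked "$@"
```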

🧯 If You Can't Patch

  • Restrict sort command usage to trusted users only via sudoers or permissions
  • Monitor for abnormal sort command usage patterns and long input strings

🔍 How to Verify

Check if Vulnerable:

Run: v=$(sort --version | head -1 | awk '{print $NF}'); [ "$(printf '%s\n' "$v" 8.24 | sort -V | head -1)" != "8.24" ] && echo "VULNERABLE" || echo "NOT VULNERABLE"

Check Version:

sort --version | head -1

Verify Fix Applied:

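Run: v=$(sort --version | head -1 | awk '{print $NF}'); [ "$(printf '%s\n' "$v" 8.24 | sort -V | head -1)" = "8.24" ] && echo "PATCHED" || echo "NOT PATCHED"

Both checks compare the reported upstream version against 8.24. Distribution packages may carry a backported fix under an older version string, so confirm against the distribution's own advisory as well.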

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from sort process
  • Abnormally long command line arguments to sort

Network Indicators:

  • Unusual network traffic to systems running sort on network input

SIEM Query:

process.name="sort" AND (command_line.length>1000000 OR exit_code=139)
