CVE-2023-29491

7.8 HIGH

📋 TL;DR

This vulnerability in ncurses allows local users to trigger memory corruption by providing malformed terminfo database files. It affects setuid applications using vulnerable ncurses versions, potentially allowing privilege escalation. The issue stems from improper validation of terminfo data.

💻 Affected Systems

Products:
  • ncurses
Versions: All versions before 6.4 20230408
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only exploitable when used by setuid applications. Requires local user access and ability to write to terminfo directories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to root via exploitation of setuid applications, leading to complete system compromise.

🟠 Likely Case

Local privilege escalation to the account the setuid application runs as, gaining that account's elevated privileges.

🟢 If Mitigated

No impact if proper file permissions prevent users from writing to terminfo directories or if setuid applications don't use vulnerable ncurses functions.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Internal users with local shell access can potentially exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of vulnerable setuid applications. Proof-of-concept code has been published in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ncurses 6.4 20230408 and later

Vendor Advisory: http://ncurses.scripts.mit.edu/?p=ncurses.git%3Ba=commit%3Bh=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56

Restart Required: No

Instructions:

1. Update ncurses package to version 6.4 20230408 or later.
2. For Debian/Ubuntu: apt update && apt upgrade ncurses
3. For RHEL/CentOS: yum update ncurses
4. For Fedora: dnf update ncurses
5. Recompile any applications statically linked to vulnerable ncurses versions.

🔧 Temporary Workarounds

Restrict terminfo directory permissions

linux

Prevent users from writing to terminfo directories that setuid applications might access.

chmod 755 /usr/share/terminfo
chmod 755 $HOME/.terminfo
chmod 755 /etc/terminfo

Remove setuid bit from vulnerable applications

linux

Remove setuid permissions from applications using ncurses until patched.

chmod u-s /path/to/vulnerable/application

🧯 If You Can't Patch

  • Remove or disable setuid applications that use ncurses
  • Implement strict file permissions on terminfo directories and user home directories

🔍 How to Verify

Check if Vulnerable:

Check ncurses version: ncursesw6-config --version or dpkg -l 'libncurses*' | grep '^ii'

Check Version:

ncursesw6-config --version || dpkg -l 'libncurses*' | grep '^ii' || rpm -q ncurses

Verify Fix Applied:

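Verify installed ncurses version is 6.4 20230408 or later. ncursesw6-config --version prints MAJOR.MINOR.PATCHDATE, so compare the patch date too; matching on '6.4' alone also accepts 6.4 builds older than 20230408:

ncursesw6-config --version | awk -F. '$1>6 || ($1==6 && $2>4) || ($1==6 && $2==4 && $3>=20230408) {print "Patched"}'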
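
A reusable form of this version check, as an added example that is not part of the original advisory: it compares the patch date as well as the release line, and goes slightly beyond the page by accepting the dot, space, plus and dash separators that package versions use. The function name ncurses_status and the variable names are hypothetical; distribution packages that backport the fix under an older upstream version still read as vulnerable here and need the vendor's own advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an ncurses version string
# against the fixed release named on this page, 6.4 patch date 20230408.
FIXED_MAJOR=6
FIXED_MINOR=4
FIXED_DATE=20230408

# ncurses_status VERSION
# Prints "patched", "vulnerable" or "unknown". Pass only the version field,
# e.g. the output of `ncursesw6-config --version` (MAJOR.MINOR.PATCHDATE).
ncurses_status() {
    # Turn every non-digit into a space so "6.4.20230520", "6.4 20230408",
    # "6.4+20230625-2" and "6.4-7.20230520.fc39" split into the same fields.
    set -- $(printf '%s\n' "$1" | tr -c '0-9\n' ' ')
    [ "$#" -ge 2 ] || { echo unknown; return 0; }
    major=$1 minor=$2 pdate=
    shift 2
    # The patch date is the first remaining 8-digit field that looks like a year.
    for field in "$@"; do
        case $field in
            19[0-9][0-9][0-9][0-9][0-9][0-9]|20[0-9][0-9][0-9][0-9][0-9][0-9])
                pdate=$field; break ;;
        esac
    done
    if [ "$major" -gt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -gt "$FIXED_MINOR" ]; }; then
        echo patched            # newer release line than 6.4
    elif [ "$major" -lt "$FIXED_MAJOR" ] || [ "$minor" -lt "$FIXED_MINOR" ]; then
        echo vulnerable         # older release line than 6.4
    elif [ -z "$pdate" ]; then
        echo unknown            # 6.4 with no patch date: cannot decide
    elif [ "$pdate" -ge "$FIXED_DATE" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Check the local installation when the config helper is present.
if command -v ncursesw6-config >/dev/null 2>&1; then
    echo "installed ncurses: $(ncurses_status "$(ncursesw6-config --version)")"
fi
```
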

📡 Detection & Monitoring

Log Indicators:

  • Failed setuid executions
  • Abnormal terminfo file access patterns
  • Memory corruption errors in application logs

Network Indicators:

  • None - this is a local exploit

SIEM Query:

process.name:setuid AND (file.path:/usr/share/terminfo/* OR file.path:$HOME/.terminfo/*)
