Wiz
Vulnerability DatabaseCVE-2019-14871

CVE-2019-14871
NixOS vulnerability analysis and mitigation

Overview

The REENT_CHECK macro in newlib versions prior to 3.3.0, as used by REENT_CHECK_TM, REENT_CHECK_MISC, REENT_CHECK_MP, and other newlib macros, contains a critical vulnerability. The issue exists in the macro implementation found in newlib/libc/include/sys/reent.h, where it fails to verify memory allocation problems when the DEBUG flag is unset, which is typically the case in production firmware builds (Census Labs).

Technical details

The vulnerability stems from the REENT_CHECK macro's implementation where it performs memory allocations without proper validation when DEBUG is disabled. This affects various newlib functions including gmtime, localtime, and strtok, which rely on REENT_CHECK to ensure proper object allocation. When memory allocation fails, the code proceeds with unsafe access patterns, leading to NULL pointer dereference bugs. For example, in the gmtime() implementation, if allocation fails, _localtime_buf becomes NULL and is passed to gmtime_r, resulting in a NULL pointer dereference during operations (Census Labs).

Impact

The vulnerability can lead to NULL pointer dereference bugs that force the processor to read or write bytes at an offset from the 0x0 memory address. On embedded processors where the Device Vector Table is commonly mapped at address 0x0, this could result in leaking interrupt handler addresses, overwriting interrupt handlers, or diverting program execution to installed interrupt handlers. The widespread use of newlib in 'bare metal' devices means many systems may remain vulnerable indefinitely, as they may never receive security updates (Census Labs).

Mitigation and workarounds

Users are strongly advised to update to newlib version 3.3.0 or later, which includes patches addressing this vulnerability. When building the library, it's crucial to enable the newlib-reent-check-verify 'configure' option, as building without this option provides no protection against CVE-2019-14871. For systems that cannot be updated, implementing memory protection mechanisms for pages near address 0x0 can help mitigate the vulnerability's impact (Census Labs).

Additional resources

SourceThis report was generated using AI

Related NixOS vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2026-22783HIGH8.1
  • NixOSNixOS
  • iris
NoYesJan 12, 2026
CVE-2026-0821MEDIUM6.9
  • NixOSNixOS
  • quickjs
NoNoJan 10, 2026
CVE-2025-68949MEDIUM5.3
  • NixOSNixOS
  • n8n
NoYesJan 13, 2026
CVE-2026-22784LOW2.3
  • NixOSNixOS
  • lychee
NoYesJan 12, 2026
CVE-2026-23497LOW1.3
  • NixOSNixOS
  • learning
NoYesJan 14, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo