CVE-2023-29491: GNU ncurses Privilege Escalation Flaw

CVE-2023-29491 is a privilege escalation vulnerability in GNU ncurses affecting versions before 6.4 20230408. Local users can exploit malformed terminfo data to trigger memory corruption in setuid applications.

CVE-2023-29491 Overview

CVE-2023-29491 is a memory corruption vulnerability affecting GNU ncurses versions prior to 6.4 20230408. When ncurses is used by a setuid application, local users can trigger security-relevant memory corruption by crafting malformed data in a terminfo database file. The malicious terminfo file can be placed in $HOME/.terminfo or accessed through the TERMINFO or TERM environment variables, allowing attackers to potentially escalate privileges on affected systems.

Critical Impact

Local attackers can exploit this vulnerability to achieve privilege escalation through memory corruption in setuid applications that utilize the ncurses library, potentially gaining elevated system access.

Affected Products

  • GNU ncurses versions before 6.4 20230408
  • Apple macOS systems (addressed in HT213843, HT213844, HT213845)
  • Multiple Linux distributions including Debian and Fedora

Discovery Timeline

  • April 14, 2023 - CVE-2023-29491 published to NVD
  • November 4, 2025 - Last updated in NVD database

Technical Details for CVE-2023-29491

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-Bounds Write), indicating that the ncurses library fails to properly validate data when parsing terminfo database files. The ncurses library is a widely-used terminal handling library that manages screen output and keyboard input for text-based applications. When processing terminfo files, the library reads terminal capability descriptions that define how a terminal emulator should behave.

The core issue lies in how ncurses handles malformed entries within terminfo database files. An attacker with local access can craft a specially constructed terminfo file containing malicious data that, when parsed by a setuid application using ncurses, triggers out-of-bounds memory writes. This memory corruption can potentially be leveraged to hijack program execution flow.

Root Cause

The root cause of this vulnerability is insufficient input validation when the ncurses library parses terminfo database files. The library trusts user-controllable terminfo files located in $HOME/.terminfo or specified via environment variables (TERMINFO, TERM) without adequate bounds checking. When processing these files, malformed capability strings or numeric values can cause the library to write data beyond allocated buffer boundaries, leading to memory corruption.

Attack Vector

The attack requires local access to the target system. An attacker can exploit this vulnerability through the following mechanism:

  1. The attacker creates a malicious terminfo database file with specially crafted malformed data
  2. The file is placed in $HOME/.terminfo or the attacker manipulates the TERMINFO or TERM environment variables to point to the malicious file
  3. When a setuid application that uses ncurses is executed, it loads and parses the malicious terminfo data
  4. The malformed data triggers out-of-bounds memory writes during parsing
  5. The attacker can potentially leverage this memory corruption to escalate privileges through the setuid application

The attack surface is particularly concerning because ncurses is ubiquitous in Unix-like operating systems, and many system utilities with elevated privileges depend on it for terminal handling.

Detection Methods for CVE-2023-29491

Indicators of Compromise

  • Unusual or suspicious terminfo files appearing in user home directories ($HOME/.terminfo/)
  • Unexpected modifications to the TERMINFO or TERM environment variables in user sessions
  • Crash logs or core dumps from setuid applications involving ncurses library functions
  • Signs of privilege escalation attempts following ncurses library loading failures

Detection Strategies

  • Monitor file system activity for creation or modification of terminfo database files in user-writable locations
  • Implement endpoint detection rules to identify setuid applications crashing with memory corruption signatures
  • Audit environment variable manipulation, particularly TERMINFO and TERM, in security-sensitive contexts
  • Deploy SentinelOne Singularity Platform to detect exploitation attempts through behavioral analysis of privilege escalation patterns

Monitoring Recommendations

  • Enable file integrity monitoring on system terminfo directories and user home directories
  • Configure logging for setuid application crashes and analyze for patterns indicating exploitation attempts
  • Monitor system calls related to terminfo file access from privileged processes
  • Utilize SentinelOne's runtime protection to identify anomalous memory access patterns in applications using ncurses

How to Mitigate CVE-2023-29491

Immediate Actions Required

  • Update GNU ncurses to version 6.4 20230408 or later immediately
  • Apply vendor-specific patches from your operating system distributor (Debian, Fedora, Apple, NetApp)
  • Audit systems for setuid applications that depend on ncurses and prioritize patching accordingly
  • Review user home directories for suspicious terminfo files
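
The version check, setuid audit and home-directory review listed above can be scripted as follows. This is an added example, not part of the original advisory or of ncurses; it assumes a Linux host with GNU find and binutils readelf, home directories under /home, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the advisory): triage helpers for CVE-2023-29491.
FIXED_PATCH=20230408   # first fixed ncurses 6.4 patch date, per the advisory

# ncurses_is_patched VERSION: 0 = fixed, 1 = older than 6.4 20230408, 2 = unparseable.
# VERSION uses the MAJOR.MINOR.PATCHDATE form printed by ncurses6-config --version.
ncurses_is_patched() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 2 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 3 ] || return 2
    if [ "$1" -ne 6 ]; then [ "$1" -gt 6 ]; return; fi
    if [ "$2" -ne 4 ]; then [ "$2" -gt 4 ]; return; fi
    [ "$3" -ge "$FIXED_PATCH" ]
}

# list_user_terminfo ROOT...: print files under any per-user .terminfo directory
# (ROOT is the directory that holds home directories, e.g. /home; assumed layout).
list_user_terminfo() {
    find "$@" -maxdepth 4 -type f -path '*/.terminfo/*' 2>/dev/null
}

# needs_ncurses FILE: 0 if the ELF dynamic section names libncurses*/libtinfo*.
# Reads headers with readelf (binutils) instead of running the file through ldd.
needs_ncurses() {
    readelf -d "$1" 2>/dev/null | grep -Eq 'NEEDED.*\[lib(ncurses|tinfo)'
}

# list_priv_ncurses DIR...: print setuid/setgid files dynamically linked to ncurses.
list_priv_ncurses() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if needs_ncurses "$f"; then printf '%s\n' "$f"; fi
    done
}

# Stand-alone use: sh triage.sh --scan   (paths below are typical Linux defaults)
if [ "${1:-}" = "--scan" ]; then
    v=$(ncurses6-config --version 2>/dev/null || ncurses5-config --version 2>/dev/null)
    ncurses_is_patched "$v" || echo "ncurses '$v': below 6.4 $FIXED_PATCH or unknown"
    echo "privileged ncurses binaries:"; list_priv_ncurses /usr /bin /sbin
    echo "per-user terminfo entries:";   list_user_terminfo /home /root
fi
```

Distribution packages may carry a backported fix under an older version string, so confirm a "below 6.4 20230408" result against the vendor advisory. Files listed under a per-user .terminfo directory are candidates for review, not proof of tampering, and statically linked ncurses is not detected by the readelf check.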

Patch Information

The vulnerability has been addressed in ncurses version 6.4 dated April 8, 2023. The fix is documented in the MIT ncurses Commit Log. Multiple vendors have released patches including:

Workarounds

  • Restrict write access to user terminfo directories on sensitive systems with setuid applications
  • Configure setuid applications to use only system-wide terminfo databases in trusted locations
  • Implement mandatory access control (SELinux/AppArmor) policies to prevent terminfo file manipulation
  • Consider removing setuid bits from applications where elevated privileges are not strictly required
```bash
# Configuration example
# Restrict terminfo lookup to system directories only.
# These exports apply only to sessions that inherit them; a local user can
# still set their own environment, so this does not replace the patch.
export TERMINFO=/usr/share/terminfo
export TERMINFO_DIRS=/usr/share/terminfo

# Make the per-user terminfo directory inaccessible (use with caution)
# chmod 000 "$HOME/.terminfo"

# Verify ncurses version
ncurses6-config --version 2>/dev/null || ncurses5-config --version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
