CVE-2019-9169. Heap-based buffer over-read in the GNU C Library. (BSA-2022-776)

Brocade Fabric OS



20 March 2023

13 September 2022



Base Score: 9.8 - CRITICAL - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H




Security Advisory ID: BSA-2022-776

Component: GNU C Library

Revision: 2.0

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.


Brocade PSIRT has confirmed that the glibc interface is exposed only to internal trusted modules and is not accessible for exploitation. The only way to cause a heap-based buffer over-read and exploit this vulnerability would be through crafted execution of external code that only a user with root privileges can introduce.

Affected Products

  • Brocade GEN 6 SAN switches (Brocade X6-8, Brocade X6-4, G630, Brocade G620, Brocade G610, and the Brocade 7810) running Brocade Fabric OS versions before v8.2.3c
  • Brocade GEN 6 SAN switches running Brocade Fabric OS before v8.2.0_cbn5 and after v8.2.0_cbn1

Product under investigation

  • Brocade Active Support Connectivity Gateway (ASC-G)

Products Confirmed Not Vulnerable

  • Brocade SAN switches (Brocade 300, Brocade 7800, Brocade 8510, Brocade 6520, Brocade 6510, and Brocade 6505) running any version of Brocade Fabric OS
  • Brocade Fabric OS versions after v9.0.0 or higher.
  • Brocade Fabric OS Version v7.4.2x releases.

No other Brocade Fibre Channel products from Broadcom are known to be affected by this vulnerability.


Security update provided in Brocade Fabric OS: v8.2.3c, v8.2.0_CBN5, and all later versions.

Revision History





  • Initial Publication (Sept 13, 2022)
  • Statement on GEN 5 and FOS 7.4.2x releases (Oct 18, 2022)
  • 2.0 Statement on GEN 6 (Nov 29, 2022)