A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to an rrdcached socket can trigger a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow arbitrary code execution, impacting the integrity and confidentiality of data.
Restrict access to the rrdcached UNIX socket using filesystem permissions and group ownership so that untrusted local users cannot connect. Avoid exposing rrdcached on TCP listeners unless strictly necessary, and ensure any such listeners are protected by network access controls. Additionally, run the rrdcached daemon as an unprivileged user and group using the -U and -G options to minimize the impact of a compromise. Because these are startup settings, they are reapplied whenever rrdcached is restarted or reloaded.
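The following is an added example (not from the advisory or the rrdtool project) that checks the mitigations above: it verifies that an rrdcached argument list uses only UNIX-socket listeners and that an existing socket path is not world-accessible. It assumes the rrdcached options -l, -s, -m, -U and -G from the rrdcached manual page; the user, group and socket paths are constructed placeholders.

```shell
#!/bin/sh
# Example hardened invocation (placeholders for user/group/paths):
#   rrdcached -l unix:/run/rrdcached/rrdcached.sock -s rrdgrp -m 0660 \
#             -U rrdcached -G rrdgrp -b /var/lib/rrdcached/db
# -l restricts listening to a UNIX socket, -s/-m set its group and mode,
# -U/-G drop the daemon's privileges after startup.

# Return 0 when every "-l" listener in the argument list is a UNIX socket
# (unix:/path); return 1 if any listener would be a TCP address.
listeners_unix_only() {
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "-l" ] && [ "${arg#unix:}" = "$arg" ]; then
            return 1
        fi
        prev=$arg
    done
    return 0
}

# Return 0 when an octal mode string (e.g. 660 or 0660) grants no
# permission bits to "other"; return 1 otherwise.
socket_mode_ok() {
    other=$(printf '%s' "$1" | tail -c 1)
    [ "$other" = "0" ]
}

# Audit an existing socket path: report its mode and group and fail when
# the socket is reachable by every local user. Uses GNU stat, falling
# back to BSD stat syntax.
audit_socket() {
    path=$1
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    grp=$(stat -c '%G' "$path" 2>/dev/null || stat -f '%Sg' "$path")
    if ! socket_mode_ok "$mode"; then
        echo "world-accessible (mode $mode, group $grp): $path"
        return 1
    fi
    echo "restricted (mode $mode, group $grp): $path"
    return 0
}
```

Run `audit_socket /run/rrdcached/rrdcached.sock` against the real socket path on a host to confirm the mode and group match the intended dedicated group.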