stdio-common/vfscanf.c has an ADDW macro that tries to determine whether to use malloc or alloca for allocations. But in the malloc case, it only allocates newsize bytes instead of the required newsize * sizeof (CHAR_T). Thus the allocated buffer gets overrun in the wide-string case. (CVE-2015-1472)
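The sizing error described above, modelled as an added example (this is not the code from stdio-common/vfscanf.c, and all function names are hypothetical). It computes how many bytes short a byte-count request is for a given character width, and shows a grow routine that sizes by element with a wrap-around check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Correct sizing: newsize * char_size, rejecting size_t wrap-around.
   Returns 0 on success, -1 if the product does not fit in size_t. */
int needed_alloc_bytes(size_t newsize, size_t char_size, size_t *out)
{
    if (char_size != 0 && newsize > SIZE_MAX / char_size)
        return -1;
    *out = newsize * char_size;
    return 0;
}

/* The flawed pattern requests only newsize bytes. This returns how far that
   falls short of the real need (0 when characters are one byte wide). */
size_t shortfall_bytes(size_t newsize, size_t char_size)
{
    size_t need;
    if (needed_alloc_bytes(newsize, char_size, &need) != 0)
        return SIZE_MAX;
    return need - newsize;
}

/* Hypothetical helper: move `used` wide characters into a heap buffer sized
   for `newsize` elements. Returns NULL and leaves `old` intact on failure. */
wchar_t *grow_wide_buffer(wchar_t *old, size_t used, size_t newsize)
{
    size_t bytes;
    if (used > newsize || needed_alloc_bytes(newsize, sizeof (wchar_t), &bytes) != 0)
        return NULL;
    wchar_t *p = malloc(bytes);
    if (p == NULL)
        return NULL;
    if (used != 0)
        memcpy(p, old, used * sizeof (wchar_t));
    free(old);
    return p;
}

int main(void)
{
    printf("64 wide chars: short by %zu bytes\n", shortfall_bytes(64, sizeof (wchar_t)));
    return 0;
}
```

With one-byte characters the shortfall is zero, which is why the defect only shows up in the wide-string case.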
Impact
None. F5 products are not affected by this vulnerability.