
CVE-2020-6096

Severity: HIGH
CVSS v3 base score: 8.1 (NVD)
EPSS: 91st percentile

Description

An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. On ARMv7 targets that use the glibc implementation, memcpy() compares its 'num' (length) argument with a signed branch, so a length whose top bit is set, whether a genuinely negative value or an unsigned length that has underflowed, is treated as negative. If an attacker can underflow the 'num' parameter passed to memcpy(), this can lead to undefined behavior such as writes to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation lets execution continue in scenarios where a segmentation fault or crash should have occurred, so the code that follows, and every later iteration of it, runs on the corrupted data.
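The two halves of this bug class side by side, as an added C example that is not code from this page or from glibc: a simplified model of a 32-bit memcpy() length check done with a signed compare versus the unsigned compare the fix uses, and a caller whose length arithmetic can underflow into exactly that "negative num". The wire format, the struct packet type and all function names are constructed for illustration; the path model stands in for the real ARMv7 assembly and is not its code.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Which internal path a memcpy() selects after inspecting its length. */
enum copy_path { PATH_BULK = 0, PATH_TAIL = 1 };

/* Simplified model of the buggy length check (not the real glibc assembly):
 * the ARMv7 memcpy() compared its 32-bit length using a signed branch
 * condition. Any length with bit 31 set therefore compares as "less than 4",
 * is routed to the short tail-copy path, copies at most a few bytes and
 * returns normally, so the caller continues as if the whole copy happened. */
static enum copy_path choose_path_signed(uint32_t n)
{
    return (int32_t)n < 4 ? PATH_TAIL : PATH_BULK;   /* signed compare: the bug */
}

/* The same check done unsigned, which is what the glibc fix changed the
 * branch conditions to. A huge length now takes the bulk path and faults on
 * the first unmapped page instead of silently copying almost nothing. */
static enum copy_path choose_path_unsigned(uint32_t n)
{
    return n < 4 ? PATH_TAIL : PATH_BULK;
}

/* Constructed wire format used by the caller (an assumption for this example):
 *   [u16 total_len][u16 hdr_len][hdr_len bytes of header][payload ...]
 * payload length = total_len - hdr_len. A packet with hdr_len > total_len
 * makes that subtraction underflow; in a 32-bit ARMv7 process the result is
 * exactly the "negative num" that the vulnerable memcpy() mishandles. */
struct packet {
    uint16_t total_len;     /* length the sender claims */
    uint16_t hdr_len;       /* header length the sender claims */
    const uint8_t *bytes;   /* bytes actually received */
    size_t nbytes;
};

/* Vulnerable length computation: no check that hdr_len <= total_len.
 * Kept in uint32_t to show the value a 32-bit process would hand to memcpy(). */
static uint32_t payload_len_unchecked(const struct packet *p)
{
    return (uint32_t)p->total_len - (uint32_t)p->hdr_len;
}

/* Hardened copy: refuse the underflow, and bound the copy both by what was
 * actually received and by the destination capacity, before calling memcpy().
 * Returns the number of payload bytes copied, or -1 for a malformed packet. */
static long copy_payload_checked(const struct packet *p, uint8_t *dst, size_t dst_cap)
{
    if (p->hdr_len > p->total_len)          /* total_len - hdr_len would underflow */
        return -1;
    if (p->total_len > p->nbytes)           /* claims more bytes than were received */
        return -1;
    size_t plen = (size_t)p->total_len - p->hdr_len;
    if (plen > dst_cap)                     /* would overflow the destination */
        return -1;
    memcpy(dst, p->bytes + p->hdr_len, plen);
    return (long)plen;
}

/* Constructed sample: well-formed packet, 2-byte header followed by "payload". */
static long demo_good_copy(void)
{
    static const uint8_t wire[] = { 'H', 'H', 'p', 'a', 'y', 'l', 'o', 'a', 'd' };
    struct packet p = { 9, 2, wire, sizeof wire };
    uint8_t out[16];
    return copy_payload_checked(&p, out, sizeof out);   /* 7 */
}

/* Constructed sample: hdr_len (4) larger than total_len (2). */
static uint32_t demo_underflow_len(void)
{
    static const uint8_t wire[] = { 0x00, 0x00 };
    struct packet p = { 2, 4, wire, sizeof wire };
    return payload_len_unchecked(&p);                    /* 0xFFFFFFFE */
}

static long demo_underflow_rejected(void)
{
    static const uint8_t wire[] = { 0x00, 0x00 };
    struct packet p = { 2, 4, wire, sizeof wire };
    uint8_t out[16];
    return copy_payload_checked(&p, out, sizeof out);   /* -1 */
}

int main(void)
{
    uint32_t bad = demo_underflow_len();
    printf("good packet: copied %ld payload bytes\n", demo_good_copy());
    printf("underflowed length: 0x%08" PRIx32 "\n", bad);
    printf("buggy (signed) memcpy path for that length:  %s\n",
           choose_path_signed(bad) == PATH_TAIL ? "tail (quietly copies <4 bytes)" : "bulk");
    printf("fixed (unsigned) memcpy path for that length: %s\n",
           choose_path_unsigned(bad) == PATH_TAIL ? "tail" : "bulk (faults on bad memory)");
    printf("hardened caller on the malformed packet: %ld\n", demo_underflow_rejected());
    return 0;
}
```

The point of the pairing: the library fix stops memcpy() from lying to its caller, but it does not make the caller's arithmetic correct. A length that underflows still reaches memcpy() as a value near 4 GiB; with the fixed library that now crashes loudly, with the unfixed one it returns after copying a handful of bytes and the program goes on using a buffer it believes is filled. The caller-side bounds checks are what keep either outcome from being reachable.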

How to fix

Remediation available. The upstream fix shipped in glibc 2.32; the distribution packages below carry backports, so compare against the distribution package version rather than the upstream release number. Only 32-bit ARM builds of glibc carry the affected memcpy().

glibc (Debian)
  Fixed in: 2.31-2 (CVE-2020-6096)

glibc (Ubuntu)
  Fixed in: 2.23-0ubuntu11.3 (USN-4954-1)
  Fixed in: 2.27-3ubuntu1.5 (USN-5310-1)
  Fixed in: 2.31-0ubuntu9.7 (USN-5310-1)

libc6 (Ubuntu)
  Fixed in: 2.23-0ubuntu11.3 (USN-4954-1)
  Fixed in: 2.27-3ubuntu1.5 (USN-5310-1)
  Fixed in: 2.31-0ubuntu9.7 (USN-5310-1)

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

  Attack Vector: Network
  Attack Complexity: High
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged

Impact

  Confidentiality: High
  Integrity: High
  Availability: High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

5.22% probability of exploitation in the next 30 days
91st percentile

High risk: more likely to be exploited than 91% of all known CVEs.




This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.