⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-17. Required action: Apply updates per vendor instructions..

CVE-2020-11899 — Out-of-bounds Read in TCP IP

CWE-125 — Out-of-bounds Read CWE-20 — Improper Input Validation7 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

33.3%

top 3.08%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-17

Exploit

Exploited in wild

Active exploitation observed

Affected products

Treck TCP IP Paloalto Pan-os

Timeline

PublishedJun 17

KEV addedMar 3

KEV dueMar 17

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

The Treck TCP/IP stack before 6.0.1.66 has an IPv6 Out-of-bounds Read.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶NVDtreck/tcp_ip< 6.0.1.66

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-6r3w-c7h6-wfhg: The Treck TCP/IP stack before 6↗2022-05-24

▶

CVEList

CVE-2020-11899: The Treck TCP/IP stack before 6↗2020-06-17

▶

VulnCheck

Treck TCP/IP stack Out-of-Bounds Read Vulnerability↗2020

▶

📋Vendor Advisories

CISA

Treck TCP/IP stack Out-of-Bounds Read Vulnerability↗2022-03-03

▶

Palo Alto

PAN↗2020-07-08

▶

Cisco

Multiple Vulnerabilities in Treck IP Stack Affecting Cisco Products: June 2020↗2020-06-17

▶