CVE-2020-27618 — Infinite Loop in Glibc

CWE-835 — Infinite Loop14 documents10 sources

Severity

5.5MEDIUMNVD

CNA5.9OSV5.9

EPSS

0.1%

top 83.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Glibc Debian Linux Oracle Communications Cloud Native Core Service Communication Proxy

Timeline

PublishedFeb 26

Latest updateDec 8

Description

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶Debiangnu/glibc< 2.31-5+3

▶Ubuntugnu/glibc< 2.27-3ubuntu1.5+2

▶NVDgnu/glibc2.32

▶NVDoracle/communications_cloud_native_core_service_communication_proxy1.14.0

Also affects: Debian Linux 10.0

Patches

Patch: sourceware.org ↗Patch: www.oracle.com ↗Patch: sourceware.org ↗

🔴Vulnerability Details

OSV

glibc vulnerabilities↗2022-12-08

▶

GHSA

GHSA-6q5q-4c7r-7r4r: The iconv function in the GNU C Library (aka glibc or libc6) 2↗2022-05-24

▶

OSV

glibc vulnerabilities↗2022-03-01

▶

OSV

CVE-2020-27618: The iconv function in the GNU C Library (aka glibc or libc6) 2↗2021-02-26

▶

CVEList

CVE-2020-27618: The iconv function in the GNU C Library (aka glibc or libc6) 2↗2021-02-26

▶

📋Vendor Advisories

Ubuntu

GNU C Library vulnerabilities↗2022-12-08

▶

Ubuntu

GNU C Library vulnerabilities↗2022-03-01

▶

Oracle

Oracle Oracle Communications Risk Matrix: SCP (glibc) — CVE-2020-27618↗2022-01-15

▶

Microsoft

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier when processing invalid multi-byte input sequences in IBM1364 IBM1371 IBM1388 IBM1390 and IBM1399 encodings fails to advan↗2021-02-09

▶

Red Hat

glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop↗2020-07-09

▶

💬Community

Bugzilla

CVE-2020-27618 glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop↗2020-11-02

▶

Bugzilla

CVE-2020-27618 glibc: iconv when processing invalid multi-byte input sequences fails to advance the input state, which could result in an infinite loop [fedora-all]↗2020-11-02

▶