CVE-2020-35512Use After Free in Dbus

CWE-416Use After Free8 documents7 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 90.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Freedesktop Dbus
Timeline
PublishedFeb 15
Latest updateMay 24

Description

A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

Debianfreedesktop/dbus< 1.12.20-1+3
NVDfreedesktop/dbus1.12.20

🔴Vulnerability Details

3
GHSA
GHSA-f5qm-fxvw-fwjg: A use-after-free flaw was found in D-Bus 12022-05-24
OSV
CVE-2020-35512: A use-after-free flaw was found in D-Bus Development branch <= 12021-02-15
CVEList
CVE-2020-35512: A use-after-free flaw was found in D-Bus Development branch <= 12021-02-15

📋Vendor Advisories

4
Ubuntu
DBus vulnerability2022-05-09
Ubuntu
DBus vulnerability2022-01-20
Red Hat
dbus: users with the same numeric UID could lead to use-after-free and undefined behaviour2020-06-30
Debian
CVE-2020-35512: dbus - A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.1...2020
CVE-2020-35512 — Use After Free in Freedesktop Dbus | cvebase