CVE-2020-36400
published 2021-07-01
CVE-2020-36400: ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235.
Priority P344 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 1.84% (76.3th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | zeromq3 | — | — |
| zeromq | libzmq | — | — |
CVSS provenance
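| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | — | 9.8 | LOW | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |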
Red Hat
zeromq: heap-based buffer overflow in zmq::tcp_read
vendor_redhat·2021-07-01·CVSS 9.8
CVE-2020-36400 [CRITICAL] CWE-787 zeromq: heap-based buffer overflow in zmq::tcp_read
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235.
A flaw has been identified in zeromq. A heap-based buffer overflow is possible in zmq::tcp_read by resizing a fixed static allocator. The highest threat from this vulnerability is to system availability.
Statement: Red Hat Enterprise Linux and Red Hat Ceph Storage are not affected by this flaw as they do not ship the vulnerable code.
Package: zeromq3 (Red Hat Ceph Storage 2) - Not affected
Debian
CVE-2020-36400: zeromq3 - ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a differe...
vendor_debian·2020·CVSS 9.8
CVE-2020-36400 [CRITICAL] CVE-2020-36400: zeromq3 - ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a differe...
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-fw28-qj4f-2jpx: ZeroMQ libzmq 4
ghsa_unreviewed·2022-05-24·CVSS 8.1
CVE-2020-36400 [HIGH] CWE-787 GHSA-fw28-qj4f-2jpx: ZeroMQ libzmq 4
ZeroMQ libzmq 4.3.3 has a heap-based buffer overflow in zmq::tcp_read, a different vulnerability than CVE-2021-20235.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26042
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libzmq/OSV-2020-1887.yaml
https://github.com/zeromq/libzmq/commit/397ac80850bf8d010fae23dd215db0ee2c677306
Published: 2021-07-01