CVE-2020-36846Dependency on Vulnerable Third-Party Component in IO Compress Brotli

CWE-1395Dependency on Vulnerable Third-Party Component10 documents5 sources
Severity
9.8CRITICALNVD
EPSS
0.5%
top 32.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
Timlegge IO Compress BrotliMicrosoft Microsoft.netcore.app.runtime.linux-armMicrosoft Microsoft.netcore.app.runtime.linux-arm64+10 more
Timeline
PublishedMay 30
Latest updateJun 3

Description

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages13 packages

CVEListV5timlegge/io_compress_brotli< 0.007

🔴Vulnerability Details

8
OSV
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli2025-06-03
OSV
CVE-2020-36846: A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library2025-05-30
CVEList
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library2025-05-30
GHSA
GHSA-44qx-v2f9-7rq9: A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library2025-05-30
OSV
Integer overflow in the bundled Brotli C library2022-05-24

📋Vendor Advisories

1
Debian
CVE-2020-36846: libio-compress-brotli-perl - A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli ...2020
CVE-2020-36846 — IO Compress Brotli vulnerability | cvebase