CVE-2020-6096 — Signed to Unsigned Conversion Error in Glibc
Severity
NVD: 8.1 HIGH
OSV: 7.5
EPSS
1.9%
top 16.72%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 1
Latest update: May 24
Description
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy(…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9
🔴 Vulnerability Details (5)
GHSA
GHSA-xmhr-mv9m-hhvf: An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2... (2022-05-24)
CVEList
CVE-2020-6096: An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2... (2020-04-01)
OSV
CVE-2020-6096: An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2... (2020-04-01)
📋 Vendor Advisories (5)
Microsoft
An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a ... (2020-04-14)
Debian
CVE-2020-6096: glibc - An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() impl... (2020)
🕵️ Threat Intelligence (1)
Talos
Vulnerability Spotlight: Memory corruption vulnerability in GNU Glibc leaves smart vehicles open to attack (2020-05-21)