CVE-2020-8927
Severity
6.5 MEDIUM
EPSS
0.3%
top 45.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 15
Latest update: Jun 3
Description
A buffer overflow exists in the Brotli library in versions prior to 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash. The crash occurs when copying chunks of data larger than 2 GiB. It is recommended to update the Brotli library to 1.0.8 or later. If updating is not possible, we recommend using the "streaming" API instead of the "one-shot" API and imposing chunk size limits.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4
Affected Packages: 128 packages
Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, 33, 34, 35, 36, Ubuntu Linux 16.04, 18.04, 20.04
Vulnerability Details
OSV (8 entries)
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library in github.com/google/brotli (2025-06-03)
Vendor Advisories
Debian (4 entries)
CVE-2020-8927: brotli - A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an ... (2020)