CVE-2020-28928 — MEDIUM (5.5)

Q: What is CVE-2020-28928?

CVE-2020-28928 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

Q: How severe is CVE-2020-28928?

CVE-2020-28928 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-28928?

Check the references section above for vendor advisories and patch information. Affected products include: Musl-Libc Musl, Debian Debian Linux, Fedoraproject Fedora, Oracle Graalvm.

Vulnerability Description

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Musl-Libc	Musl	<= 1.2.1
Debian	Debian Linux	9.0
Fedoraproject	Fedora	33
Oracle	Graalvm	20.3.2

Related Weaknesses (CWE)

CWE-787

References

http://www.openwall.com/lists/oss-security/2020/11/20/4Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab
https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf
https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1
https://lists.debian.org/debian-lts-announce/2020/11/msg00050.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://musl.libc.org/releases.htmlRelease NotesVendor Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2020/11/20/4Mailing ListThird Party Advisory
https://lists.apache.org/thread.html/r2134abfe847bea7795f0e53756d10a47e6643f35ab
https://lists.apache.org/thread.html/r90b60cf49348e515257b4950900c1bd3ab95a960cf
https://lists.apache.org/thread.html/ra63e8dc5137d952afc55dbbfa63be83304ecf842d1
https://lists.debian.org/debian-lts-announce/2020/11/msg00050.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2020-28928?

CVE-2020-28928 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

How severe is CVE-2020-28928?

CVE-2020-28928 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-28928?

Check the references section above for vendor advisories and patch information. Affected products include: Musl-Libc Musl, Debian Debian Linux, Fedoraproject Fedora, Oracle Graalvm.