CVE-2020-27618

Description

The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
• v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 0.05%• Percentile: 16%

Techniques & Countermeasures

• CWE-835•Loop with Unreachable Exit Condition ('Infinite Loop')

  The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Affected Systems

• debian•debian_linux

  10.0

• gnu•glibc

  ≤ 2.32

• netapp•500f_firmware

  na

• netapp•a250_firmware

  na

• netapp•h300e

  na

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e

  na

• netapp•h500s_firmware

  na

• netapp•h700e

  na

• netapp•h700s_firmware

  na

• netapp•ontap_select_deploy_administration_utility

  na

• oracle•communications_cloud_native_core_service_communication_proxy

  1.14.0

References (7)

• https://sourceware.org/bugzilla/show_bug.cgi?id=26224
• https://sourceware.org/bugzilla/show_bug.cgi?id=19519#c21
• https://security.gentoo.org/glsa/202107-07
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://security.netapp.com/advisory/ntap-20210401-0006/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://lists.debian.org/debian-lts-announce/2022/10/msg00021.html