Use-after-Free Vulnerability in cflow by GNU
CVE-2020-23856

5.5MEDIUM

Key Information:

Vendor

Gnu
Status
Cflow
Vendor
CVE Published:
18 May 2021

What is CVE-2020-23856?

A Use-after-Free vulnerability exists in cflow 1.6, specifically within the void call(char *name, int line) function located at src/parser.c. This flaw arises from the misuse of a pointer variable, caller->callee, which can be exploited to trigger a denial of service condition. Attackers may manipulate memory access, leading to unexpected behaviors and potential crashes of the application.

References

https://lists.gnu.org/archive/html/bug-cflow/2020-07/msg0...
x_refsource_MISC
https://github.com/yangjiageng/PoC/blob/master/PoC_cflow_...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.