Double Free Vulnerability in Das U-Boot by Denx
CVE-2020-8432

9.8CRITICAL

Key Information:

Vendor

Denx

Status
U-boot
Vendor
CVE Published:
29 January 2020

What is CVE-2020-8432?

In Das U-Boot version 2020.01, a double free issue exists within the cmd/gpt.c do_rename_gpt_parts() function. This oversight may lead to a write-what-where condition, which could allow an attacker to execute arbitrary code. The vulnerability was introduced during efforts to resolve a previously identified memory leak, as noted in various static analysis reports.

References

https://www.mail-archive.com/u-boot%40lists.denx.de/msg35...
x_refsource_MISC
https://www.mail-archive.com/u-boot%40lists.denx.de/msg35...
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.