#VU58432 Use-after-free in icu - CVE-2020-21913


Vulnerability identifier: #VU58432

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-21913

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
icu
Universal components / Libraries / Libraries used by multiple products

Vendor: ICU - International Components for Unicode

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error within the pkg_createWithAssemblyCode() function in the file tools/pkgdata/pkgdata.cpp. A remote attacker can trick the victim to open a specially crafted file and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

icu: 60.1 - 65.1

External links
https://github.com/unicode-org/icu/pull/886
https://unicode-org.atlassian.net/browse/ICU-20850

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for icu73_2
SUSE update for icu73_2
SUSE update for icu73_2
Multiple vulnerabilities in Dell NetWorker vProxy
Multiple vulnerabilities in Dell EMC Data Protection Central
SUSE update for icu
SUSE update for icu
SUSE update for icu
Denial of service in Western Digital My Cloud OS 5
Debian update for icu