CVE-2020-35512 - A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <=

CVE-2020-35512

Summary

A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors

References

Vulnerable Configurations

cpe:2.3:a:freedesktop:dbus:1.12.20:*:*:*:*:*:*:*
cpe:2.3:a:freedesktop:dbus:1.12.20:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

CVSS

Base:	7.2 (as of 27-12-2023 - 16:36)
Impact:
Exploitability:

CWE

CWE-416

CAPEC

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:L/AC:L/Au:N/C:C/I:C/A:C

Last major update

27-12-2023 - 16:36

Published

15-02-2021 - 17:15

Last modified

27-12-2023 - 16:36