CVE-2020-36846 — Vulnetix

Try Vulnetix Request Demo

CVE-2020-36846 PUBLISHED

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library. Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

EPSS 0.15% · 35.2th percentile

Risk Scores

EPSS Score

0.15%

35.2th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:25.10	libio-compress-brotli-perl	0, 0.004001-2build4
Ubuntu:24.04:LTS	libio-compress-brotli-perl	0.004001-2build1, 0, 0.004001-2build3

Timeline

Sep 15, 2020 CVE Published
May 30, 2025 EPSS Score
Jun 9, 2025 EPSS Score
Jun 20, 2025 EPSS Score
Jun 30, 2025 EPSS Score
Jul 10, 2025 EPSS Score
Jul 21, 2025 EPSS Score
Jul 31, 2025 EPSS Score
Aug 10, 2025 EPSS Score
Aug 20, 2025 EPSS Score
Aug 31, 2025 EPSS Score
Sep 10, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-36846 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-36846 third-party-advisory
https://lists.security.metacpan.org/cve-announce/msg/30005245/ third-party-advisory
https://github.com/google/brotli/pull/826 third-party-advisory
https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52 third-party-advisory
https://github.com/advisories/GHSA-5v8v-66v8-mwm7 third-party-advisory
https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6 third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2020-8927 third-party-advisory

Open in Interactive Console →