Buffer overflow in SPICE - CVE-2020-14355
Published: October 7, 2020 / Updated: October 9, 2020
Vulnerability identifier: #VU47486
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-14355
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SPICE
Affected software:
SPICE
SPICE
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the QUIC image decoding process of the SPICE remote display system. A remote user can pass specially crafted data to the server or client application, trigger memory corruption in the QUIC image compression algorithm and crash the application or execute arbitrary code on the system.
How to mitigate CVE-2020-14355
Install updates from vendor's website.