CVE-2020-10531: Buffer Overflow

Published Feb 26, 2020
·
Updated

An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

Other sources

International Components for Unicode (ICU) for C/C++ is vulnerable to a heap-based buffer overflow, caused by an integer overflow in UnicodeString::doAppend() function in common/unistr.cpp. By sending a specially-crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

IBM

Affected Software

35 affected componentsFixes available
debian/icu<=57.1-6+deb9u3, <=52.1-8+deb8u7, <=66.1-1, <=63.1-6, <=57.1-1, <=63.2-2, <=57.1-6
66.1-263.2-363.1-6+deb10u157.1-6+deb9u4
redhat/chromium-browser<80.0.3987.122
80.0.3987.122
redhat/node<14.3.0
14.3.0
redhat/node<12.17.0
12.17.0
redhat/node<10.21.0
10.21.0
debian/icu
63.1-6+deb10u363.1-6+deb10u267.1-772.1-372.1-4
IBM Data Risk Manager<=2.0.6
ubuntu/chromium-browser<80.0.3987.149-0ubuntu0.18.04.1
80.0.3987.149-0ubuntu0.18.04.1
ubuntu/chromium-browser<80.0.3987.122
80.0.3987.122
ubuntu/chromium-browser<80.0.3987.149-0ubuntu0.16.04.1
80.0.3987.149-0ubuntu0.16.04.1
ubuntu/icu<60.2-3ubuntu3.1
60.2-3ubuntu3.1
ubuntu/icu<63.2-2ubuntu0.1
63.2-2ubuntu0.1
ubuntu/icu<52.1-3ubuntu0.8+
52.1-3ubuntu0.8+
ubuntu/icu<55.1-7ubuntu0.5
55.1-7ubuntu0.5
icu-project International Components For Unicode C\/c\+\+<=66.1
redhat Enterprise Linux Desktop=6.0
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Workstation=6.0
Google Chrome<80.0.3987.122
Fedoraproject Fedora=30
Fedoraproject Fedora=31
Fedoraproject Fedora=33
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Canonical Ubuntu Linux=12.04
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=19.10
openSUSE Leap=15.1
Oracle Banking Extensibility Workbench=14.3.0
Oracle Banking Extensibility Workbench=14.4.0
Nodejs Node.js>=10.0.0<=10.12.0
Nodejs Node.js>=10.13.0<10.21.0

Remediation

Patch Available

https://chromium.googlesource.com/chromium/deps/icu/+/9f4020916eb1f28f3666f018fdcbe6c9a37f0e08

Patch Available

https://github.com/unicode-org/icu/commit/b7d08bc04a4296982fcef8b6b8a354a9e4e7afca

Patch Available

https://github.com/unicode-org/icu/pull/971

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Event History

Mar 12, 2020
CVE Published
via Ubuntu·12:00 AM
CVE Published
via MITRE·06:09 PM
Data Sourced
via MITRE·06:09 PM
Description
Jan 11, 2024
Data Sourced
via Launchpad·11:34 PM
Description

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the vulnerability ID?

The vulnerability ID is CVE-2020-10531.

2

What is the severity of CVE-2020-10531?

The severity of CVE-2020-10531 is critical with a CVSS score of 9.8.

3

Which software or products are affected by CVE-2020-10531?

The affected software/products include International Components for Unicode (ICU) for C/C++, Chromium browser, Node.js, IBM Data Risk Manager, Google Chrome, Redhat Enterprise Linux, Debian Linux, Ubuntu Linux, Fedora, openSUSE Leap, and Oracle Banking Extensibility Workbench.

4

How can an attacker exploit CVE-2020-10531?

An attacker can exploit CVE-2020-10531 by sending a specially-crafted request to trigger a heap-based buffer overflow in the affected software, leading to arbitrary code execution.

5

Is there a fix available for CVE-2020-10531?

Yes, there are patches and updates available for the affected software/packages. Please refer to the vendor's official website or security advisories for the appropriate remediation steps.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203