CVE-2020-8927: Buffer overflow in Brotli library
Published Sep 15, 2020
·Updated
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
Other sources
Brotli is vulnerable to buffer overflow. By controlling the input length of a "one-shot" decompression request to a script, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
— IBM
Affected Software
118 affected componentsFixes available
pip/brotli>=0<1.0.8
1.0.8
nuget/Microsoft.NETCore.App.Runtime.win-x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.win-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.win-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.win-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.osx-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.osx-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-musl-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-musl-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.linux-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.win-x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.win-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.tvos-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.osx-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.osx-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.linux-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.linux-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.ios-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.browser-wasm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.android-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64>=6.0.0<6.0.3
6.0.3
nuget/Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64>=6.0.0<6.0.3
6.0.3
IBM Security Verify Access<=10.0.0
Google Brotli<1.0.8
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=31
Fedoraproject Fedora=32
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Fedoraproject Fedora=35
Fedoraproject Fedora=36
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
openSUSE Leap=15.2
Microsoft .NET>=5.0<=5.0.14
Microsoft .NET Core>=3.1<=3.1.22
Microsoft PowerShell>=7.0<7.0.9
Microsoft PowerShell>=7.1<7.1.6
Microsoft PowerShell>=7.2<7.2.2
Microsoft Visual Studio 2019>=16.0<=16.11
Microsoft Visual Studio 2022>=17.0<=17.0.7
Microsoft Visual Studio 2022=17.1
debian/brotli
1.0.9-21.1.0-21.2.0-3
Remediation
Event History
Sep 15, 2020
CVE Published
via MITRE·09:15 AM
Data Sourced
via MITRE·09:15 AM
DescriptionSeverityWeakness
May 24, 2022
Advisory Published
via GitHub·05:28 PM
May 29, 2026
Data Sourced
via Ubuntu·09:05 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Debian·09:06 PM
DescriptionAffected Software
Data Sourced
via Launchpad·09:06 PM
Description
Frequently Asked Questions
1
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2020-8927.
2
What is the severity of CVE-2020-8927?
The severity of CVE-2020-8927 is medium with a severity value of 6.5.
3
Which software versions are affected by CVE-2020-8927?
The Brotli library versions prior to 1.0.8 are affected by CVE-2020-8927.
4
How can I fix CVE-2020-8927?
It is recommended to update your Brotli library to version 1.0.8 or newer to fix CVE-2020-8927.
5
Where can I find more information about CVE-2020-8927?
You can find more information about CVE-2020-8927 at the following references: http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00108.html, https://github.com/google/brotli/releases/tag/v1.0.9, https://lists.debian.org/debian-lts-announce/2020/12/msg00003.html.