CVE-2020-36328
9.8
CRITICAL
CVSS 3.1
EPSS 0.53%
Description
A flaw was found in libwebp in versions before 1.0.1. A heap-based buffer overflow in function WebPDecodeRGBInto is possible due to an invalid check for buffer size. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
How to fix CVE-2020-36328
To remediate CVE-2020-36328, upgrade the affected package to a fixed version below.
- Debian/libwebp—upgrade to 0.6.1-2.1 or later
Is CVE-2020-36328 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 0.6.1-2.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |