CVE-2020-8927: Integer overflow in the bundled Brotli C library
CVSS score: 6.5
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
compu-brotli-sys | rust | < 1.0.9 | 1.0.9 |
Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.linux-arm | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.linux-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.linux-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.Mono.osx-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.browser-wasm | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-musl-arm | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.android-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.linux-x64.Cross.browser-wasm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.android-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.browser-wasm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.ios-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.iossimulator-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.maccatalyst-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvos-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.osx-x64.Cross.tvossimulator-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.android-x86.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.android-x86.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.browser-wasm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.browser-wasm.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.ios-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.iossimulator-x86.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.linux-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.linux-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.linux-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.maccatalyst-x64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.osx-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.osx-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvos-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-arm64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.tvossimulator-x64.Msi.x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.win-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.Mono.win-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-musl-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-musl-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-musl-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.osx-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.osx-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.win-arm | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.win-arm64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.win-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.NETCore.App.Runtime.win-x86 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
brotli | pip | >= 0, < 1.0.8 | 1.0.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2020-8927) explicitly affects Brotli's 'one-shot' decompression API when handling inputs >2 GiB. The advisory and commit messages indicate the root cause was improper integer overflow checks during buffer operations. The primary entry points for one-shot decompression are 'BrotliDecoderDecompress' and its streaming counterpart 'BrotliDecoderDecompressStream', both in decode.c. The fixed commit (223d80c) specifically addresses overflow in the decoder, confirming these functions' involvement. The Rust/Python packages wrap this C library, inheriting the vulnerability. High confidence stems from the explicit linkage between the vulnerability description, API usage guidance (avoiding one-shot), and Brotli's code structure.
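Because the Rust, Python and .NET packages all inherit the flaw from the bundled C library, the practical first step is to check which installed versions fall inside the ranges in the table above. The following is an added example, not code from the advisory or from the Brotli project: it parses rows in the table's own format and evaluates a dependency inventory against them. The function names and the inventory entries are assumptions constructed for illustration, and only a subset of the table's rows is embedded.

```python
# Added example: triage a dependency inventory against this advisory's ranges.
# ADVISORY_ROWS copies a subset of rows from the table on this page;
# INVENTORY is constructed sample data, not taken from any real system.
ADVISORY_ROWS = """\
compu-brotli-sys | rust | < 1.0.9 | 1.0.9 |
brotli | pip | >= 0, < 1.0.8 | 1.0.8 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.NETCore.App.Runtime.linux-x64 | nuget | >= 6.0.0, < 6.0.3 | 6.0.3 |
"""
INVENTORY = [
    ("pip", "Brotli", "1.0.7"),
    ("pip", "brotli", "1.0.9"),
    ("rust", "compu-brotli-sys", "1.0.8"),
    ("nuget", "Microsoft.NETCore.App.Runtime.linux-x64", "3.1.22"),
    ("nuget", "Microsoft.NETCore.App.Runtime.linux-x64", "5.0.15"),
    ("nuget", "microsoft.netcore.app.runtime.linux-x64", "6.0.2"),
]
OPS = {"<": lambda a, b: a < b, ">=": lambda a, b: a >= b}

def parse_version(text):
    """'3.1.23' -> (3, 1, 23, 0); plain dotted numeric versions only, zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def parse_rows(table):
    """Parse 'name | ecosystem | range | first patched |' lines into records."""
    rows = []
    for line in table.strip().splitlines():
        name, eco, spec, fixed = [c.strip() for c in line.rstrip(" |").split("|")]
        bounds = [(op, parse_version(ver))
                  for op, ver in (clause.split() for clause in spec.split(","))]
        rows.append((eco, name.lower(), bounds, fixed))
    return rows

def affected(inventory, rows):
    """Return (ecosystem, name, version, first_patched) for every vulnerable entry."""
    hits = []
    for eco, name, version in inventory:
        installed = parse_version(version)
        for row_eco, row_name, bounds, fixed in rows:
            # Package names are compared case-insensitively; every bound must hold.
            if (row_eco, row_name) == (eco, name.lower()) and all(
                    OPS[op](installed, bound) for op, bound in bounds):
                hits.append((eco, name, version, fixed))
    return hits

if __name__ == "__main__":
    for hit in affected(INVENTORY, parse_rows(ADVISORY_ROWS)):
        print("%s %s %s is affected; first patched version is %s" % hit)
```

Pre-release or suffixed version strings (for example `6.0.3-rc.1`) are outside what `parse_version` accepts and would need a fuller version parser.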