Nethack
CVE-2020-5254
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue.
AnalysisAI
In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Out-of-bounds Read (CWE-125), which allows attackers to read data from memory outside the intended buffer boundaries. In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue. Affected products include: Nethack. Version information: before 3.6.6.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate array indices and buffer lengths. Use memory-safe languages. Enable AddressSanitizer during testing.
NetHack before version 3.6.0 allowed malicious use of escaping of characters in the configuration file (usually .nethack
In NetHack before 3.6.5, an invalid extended command in value for the AUTOCOMPLETE configuration file option can cause a
In NetHack before 3.6.5, detecting an unknown configuration file option can cause a buffer overflow resulting in a crash
In NetHack before 3.6.5, too long of a value for the SYMBOL configuration file option can cause a buffer overflow result
In NetHack before 3.6.5, an extremely long value for the MENUCOLOR configuration file option can cause a buffer overflow
NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration f
In NetHack before 3.6.5, an invalid argument to the -w command line option can cause a buffer overflow resulting in a cr
In NetHack before 3.6.5, unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or re
NetHack is a single player dungeon exploration game. Rated medium severity (CVSS 5.5), this vulnerability is low attack
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today