CVE-2020-27174
Last modified
CVE-2020-27174 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host.. EPSS estimates a 1.72% chance of exploitation in the next 30 days.
Description
In Amazon AWS Firecracker before 0.21.3, and 0.22.x before 0.22.1, the serial console buffer can grow its memory usage without limit when data is sent to the standard input. This can result in a memory leak on the microVM emulation thread, possibly occupying more memory than intended on the host.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Amazon | Firecracker | < 0.21.3 |
| Amazon | Firecracker | >= 0.22.0, < 0.22.1 |
References
- http://www.openwall.com/lists/oss-security/2020/10/23/1Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/issues/2177Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/pull/2178Patch, Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/pull/2179Patch, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2020/10/23/1Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/issues/2177Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/pull/2178Patch, Third Party Advisory
- https://github.com/firecracker-microvm/firecracker/pull/2179Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-27174?
How severe is CVE-2020-27174?
How do I fix CVE-2020-27174?
Are you affected by CVE-2020-27174?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST