CVE-2020-11958

Publication date 21 April 2020

Last updated 25 August 2025

Ubuntu priority

Why this priority?

Cvss 3 Severity Score

Score breakdown

Description

re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
re2c	20.04 LTS focal	Fixed 1.3-1ubuntu0.1
	19.10 eoan	Fixed 1.2.1-1ubuntu0.1
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

Notes

leosilva

introduced by 1.2 by https://github.com/skvadrik/re2c/commit/1edd26a35457c5835afd58b8fa8330d33e7a1192

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
re2c	Upstream: 1edd26a

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-4338-1
re2c vulnerability
22 April 2020

USN-4338-2
re2c vulnerability
28 April 2020

Other references