CVE-2020-28895

moderate-risk

Published 2021-02-03

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

Do I need to act?

0.31% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.3/10 High

NETWORK / LOW complexity

Affected Products (5)

Vxworks

Communications Eagle

Affected Vendors

Oracle Windriver

References (6)

Vendor Advisory https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2020-28895

Permissions Required https://support2.windriver.com/index.php?page=defects&on=view&id=V7LIBC-1327

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Vendor Advisory https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2020-28895

Permissions Required https://support2.windriver.com/index.php?page=defects&on=view&id=V7LIBC-1327

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 12/34 · Low