CVE-2020-35198

high-risk

Published 2021-05-12

An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

Do I need to act?

2.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (6)

Vxworks

Communications Eagle

Affected Vendors

Oracle Windriver

References (6)

Vendor Advisory https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2020-35198

Vendor Advisory https://support2.windriver.com/index.php?page=security-notices

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

Vendor Advisory https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2020-35198

Vendor Advisory https://support2.windriver.com/index.php?page=security-notices

Patch https://www.oracle.com/security-alerts/cpuapr2022.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 5/34 · Minimal

Exposure 13/34 · Low