{"id":"CVE-2019-20503","details":"usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_addresses_from_init.","modified":"2026-04-16T04:39:04.817124804Z","published":"2020-03-06T20:15:12.470Z","related":["SUSE-SU-2020:0686-1","SUSE-SU-2020:0717-1","SUSE-SU-2020:0721-1","SUSE-SU-2020:14312-1","openSUSE-SU-2020:0340-1","openSUSE-SU-2020:0365-1","openSUSE-SU-2020:0366-1","openSUSE-SU-2020:0389-1","openSUSE-SU-2024:10600-1","openSUSE-SU-2024:10601-1","openSUSE-SU-2024:10681-1","openSUSE-SU-2024:12948-1","openSUSE-SU-2024:14572-1"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0816"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0820"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-10"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWANFIR3PYAL5RJQ4AO3ZS2DYMSF2ZGZ/"},{"type":"ADVISORY","url":"https://support.apple.com/HT211171"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211177"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211168"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211175"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4335-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4639"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/May/49"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202003-02"},{"type":"ADVISORY","url":"https://support.apple.com/HT211168"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4645"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/May/55"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0815"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00013.html"},{"type":"ADVISORY","url":"https://support.apple.com/HT211175"},{"type":"ADVISORY","url":"https://support.apple.com/HT211177"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00022.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2020:0819"},{"type":"ADVISORY","url":"https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00028.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00037.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/May/52"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00023.html"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2DDNOAGIX5D77TTHT6YPMVJ5WTXTCQEI/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4642"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2020/May/59"},{"type":"ADVISORY","url":"https://crbug.com/1059349"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00003.html"},{"type":"ADVISORY","url":"https://support.apple.com/kb/HT211171"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4299-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4328-1/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00030.html"},{"type":"FIX","url":"https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467"},{"type":"FIX","url":"https://bugs.chromium.org/p/project-zero/issues/detail?id=1992"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sctplab/usrsctp","events":[{"introduced":"0"},{"fixed":"f1de842428b6d97c424e0d4b40bb4a25bd91b7ec"},{"fixed":"790a7a2555aefb392a5a69923f1e9d17b4968467"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.4.0"}]}}],"versions":["0.9.3.0"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["327730508206728550863753806873793731736","232271758629531299930137668846449714744","194005753297318196458770335547941487347","86204924904057636553596664040784693774","244136754859619190609903659491420283679","44612721252499536122830739299996825008","116186934364462999016852279057551526709","64501329213993218393816168186692126019","119328532300576277392225218027534876256","329598022706840916657844249803604086365","176396067618788986641177387171929621588"]},"target":{"file":"usrsctplib/netinet/sctp_pcb.c"},"signature_type":"Line","id":"CVE-2019-20503-14ff5ff7","source":"https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467"},{"signature_version":"v1","deprecated":false,"digest":{"length":3188,"function_hash":"27420102985421191217555899899753575960"},"target":{"function":"sctp_auth_get_cookie_params","file":"usrsctplib/netinet/sctp_auth.c"},"signature_type":"Function","id":"CVE-2019-20503-185f67a0","source":"https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467"},{"signature_version":"v1","target":{"file":"usrsctplib/netinet/sctp_auth.c"},"digest":{"threshold":0.9,"line_hashes":["198649497057395982509242331217339772045","326714267827621994314007627938541425994","200687103341371863484723060369228893508","35232636956357906578787539674949587156","293811026459325849753854165102556642130","187752912983013076529152616624826225304","177037905624134339009325707825459025466"]},"deprecated":false,"signature_type":"Line","id":"CVE-2019-20503-e574742e","source":"https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467"},{"signature_version":"v1","target":{"function":"sctp_load_addresses_from_init","file":"usrsctplib/netinet/sctp_pcb.c"},"digest":{"length":12999,"function_hash":"72565663288024329373879027215936898435"},"deprecated":false,"signature_type":"Function","id":"CVE-2019-20503-e903d135","source":"https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.10"}]}],"vanir_signatures_modified":"2026-04-11T09:40:05Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20503.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}