{"id":"CVE-2020-11958","details":"re2c 1.3 has a heap-based buffer overflow in Scanner::fill in parse/scanner.cc via a long lexeme.","modified":"2026-04-11T15:27:48.069133Z","published":"2020-04-21T01:15:11.570Z","references":[{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202007-28"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4338-1/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4338-2/"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2020/04/19/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2020/04/21/1"},{"type":"ADVISORY","url":"https://blogs.gentoo.org/ago/2020/04/19/re2c-heap-overflow-in-scannerfill-scanner-cc/"},{"type":"FIX","url":"https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/skvadrik/re2c","events":[{"introduced":"0"},{"last_affected":"e1901b71c6414c510f10f4cc30c0a05600e55ed1"},{"fixed":"c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3"}]}}],"versions":["0.13.6","0.13.7.1","0.13.7.2","0.13.7.3","0.13.7.4","0.13.7.5","0.14","0.15","0.15.1","0.15.2","0.15.3","0.16","1.0","1.0.1","1.0.2","1.0.3","1.1","1.1.1","1.2","1.2.1","1.3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"target":{"function":"Scanner::fill","file":"src/parse/scanner.cc"},"id":"CVE-2020-11958-1ed4ef83","signature_version":"v1","signature_type":"Function","source":"https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a","digest":{"length":689,"function_hash":"333593729438856307916757536742331749380"}},{"deprecated":false,"target":{"file":"src/parse/scanner.cc"},"id":"CVE-2020-11958-ff60d1f0","signature_version":"v1","signature_type":"Line","source":"https://github.com/skvadrik/re2c/commit/c4603ba5ce229db83a2a4fb93e6d4b4e3ec3776a","digest":{"line_hashes":["49856157583685485338382242415855956217","62389220857190960901324283129598467832","184037409826309927940272893902015140416","273502829212453987266105187472144333968","61068454445922609334293328596814080330","171489683377489733976258294719111059476","63121316251367159155147134380828191841","239987518835152770604035393540266182148"],"threshold":0.9}}],"vanir_signatures_modified":"2026-04-11T15:27:48Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"19.10"}]},{"events":[{"introduced":"0"},{"last_affected":"20.04"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11958.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}