{"id":"CVE-2020-5209","details":"In NetHack before 3.6.5, unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5.","modified":"2026-03-13T21:59:44.198734Z","published":"2020-01-28T18:15:11.087Z","related":["GHSA-fw72-r8xm-45p8","MGASA-2021-0077"],"references":[{"type":"ADVISORY","url":"https://github.com/NetHack/NetHack/security/advisories/GHSA-fw72-r8xm-45p8"},{"type":"FIX","url":"https://github.com/NetHack/NetHack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nethack/nethack","events":[{"introduced":"0"},{"fixed":"514682730773318f68d5b28b0428cfe333f92fe0"},{"fixed":"f3def5c0b999478da2d0a8f0b6a7c370a2065f77"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.6.5"}]}}],"versions":["MOVE2GIT","NetHack-3.6.0_RC01","NetHack-3.6.0_RC02","NetHack-3.6.0_RC03","NetHack-3.6.0_RC04","NetHack-3.6.0_RC05","NetHack-3.6.0_Release","NetHack-3.6.1_RC01","NetHack-3.6.1_Release","NetHack-3.6.2_Release","NetHack-3.6.2_Released","NetHack-3.6.3.beta1.2019.11.17","NetHack-3.6.3.wip.2019.10.29","NetHack-3.6.3.wip.2019.10.30","NetHack-3.6.3.wip.2019.11.04","NetHack-3.6.3_Released","NetHack-3.6.3_WIP","NetHack-3.6.4_Released","v3.6.3.757eca7","v3.6.3.wip.2019.10.29"],"database_specific":{"vanir_signatures":[{"id":"CVE-2020-5209-43e29dc6","target":{"file":"sys/unix/unixmain.c"},"source":"https://github.com/nethack/nethack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77","digest":{"threshold":0.9,"line_hashes":["310830547162893224554599239014636806229","34018820599253730327709495934594299296","317225028476795745372107821617322743833","129609102664991773702097279054587424331","45378429732371276794293173907064817784","241454483409671680544040774729902404698","149353208139140988394970222965860121246","53005647659553145399784742355349458457","279442050954566056719610912906832870671","32054647461642218857189089395108982167","235111810993396765755956616487926850976","45378429732371276794293173907064817784","241454483409671680544040774729902404698","164566155690431377469522275781391668811","286170278300611490354691993875451927576","75407180318704451699303769443305508093","303014031863806519995615049820224845999"]},"signature_type":"Line","signature_version":"v1","deprecated":false},{"id":"CVE-2020-5209-ac76e6ec","target":{"file":"src/windows.c"},"source":"https://github.com/nethack/nethack/commit/f3def5c0b999478da2d0a8f0b6a7c370a2065f77","digest":{"threshold":0.9,"line_hashes":["237238631063296251006144018346673050574","41567080869605892763766933027668991111","321500404367367614574791705014071388786","32480354964781786051202560298652743524","121849526889383195702811084542056977169","316478146209911481076334286682992552367","126436293461250905056760455306129061267","195068358581375276627708135070540722944","197312668687739141795870205028744559684","17406290654842088973518909861769966865","254415618829491615975835525967253343944","125978380080712942028817202667769445249","3923122635708738405805642073433724736","316294812572794505879779794798027619718"]},"signature_type":"Line","signature_version":"v1","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}