{"id":"CVE-2020-5211","details":"In NetHack before 3.6.5, an invalid extended command in the value of the AUTOCOMPLETE configuration file option can cause a buffer overflow, resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.","modified":"2026-04-16T04:30:42.399256880Z","published":"2020-01-28T19:15:14.437Z","related":["GHSA-r788-4jf4-r9f7"],"references":[{"type":"ADVISORY","url":"https://github.com/NetHack/NetHack/security/advisories/GHSA-r788-4jf4-r9f7"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nethack/nethack","events":[{"introduced":"0"},{"fixed":"514682730773318f68d5b28b0428cfe333f92fe0"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.6.5"}]}}],"versions":["MOVE2GIT","NetHack-3.6.0_RC01","NetHack-3.6.0_RC02","NetHack-3.6.0_RC03","NetHack-3.6.0_RC04","NetHack-3.6.0_RC05","NetHack-3.6.0_Release","NetHack-3.6.1_RC01","NetHack-3.6.1_Release","NetHack-3.6.2_Release","NetHack-3.6.2_Released","NetHack-3.6.3.beta1.2019.11.17","NetHack-3.6.3.wip.2019.10.29","NetHack-3.6.3.wip.2019.10.30","NetHack-3.6.3_Released","NetHack-3.6.3_WIP","NetHack-3.6.4_Released","v3.6.3.757eca7","v3.6.3.wip.2019.10.29"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-5211.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}