LiveActive security incident?Get immediate response
CVE Record

CVE-2020-36846: IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library

A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.  Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

CVE-2020-36846 affects Perl systems using IO::Compress::Brotli before 0.007. A flaw in its bundled Brotli library can cause memory corruption or a crash when very large one-shot decompression input is attacker-controlled. Treat exposed decompression services as urgent to review and update.

Executive priority

Prioritize internet-facing or partner-facing services that process compressed uploads, API bodies, or files through Perl. The rating is critical, but urgency depends on whether vulnerable one-shot decompression is reachable by untrusted users.

Technical view

IO::Compress::Brotli versions before 0.007 bundled Brotli before 1.0.8, inheriting the CVE-2020-8927 integer overflow/buffer overflow issue. The described trigger is attacker-controlled input length in one-shot decompression, especially chunks larger than 2 GiB. CVSS is 9.8 with network, low-complexity, unauthenticated attack characteristics.

Likely exposure

Exposure is likely limited to Perl applications or scripts that use IO::Compress::Brotli before 0.007 and pass untrusted Brotli-compressed data into one-shot decompression. Systems not using this module, already on 0.007 or later, or using bounded streaming decompression are less likely exposed.

Exploitation context

The source bundle does not show CISA KEV listing or cited active exploitation. The plausible attack context is a network-reachable service that accepts attacker-supplied compressed data and decompresses it with the vulnerable one-shot API. Evidence for real-world exploitation is incomplete.

Researcher notes

The CVE record ties this to Brotli CVE-2020-8927 and recommends IO::Compress::Brotli 0.007 or later. The supplied evidence names crash behavior for large copies but assigns high confidentiality, integrity, and availability impact through CVSS. Confirm impact against the exact embedded library and call pattern.

Mitigation direction

  • Update IO::Compress::Brotli to version 0.007 or later.
  • If updating is blocked, use the streaming API instead of one-shot decompression.
  • Impose strict decompression chunk size limits.
  • Review vendor guidance for any environment-specific remediation details.
  • Inventory bundled or vendored Brotli copies in Perl deployments.

Validation and detection

  • Check installed IO::Compress::Brotli versions across production and build images.
  • Find code paths that decompress attacker-supplied Brotli data.
  • Confirm vulnerable one-shot decompression is not used on untrusted input.
  • Verify chunk size limits exist where streaming decompression is used.
  • Confirm dependency updates reached deployed runtime environments.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1395: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-36846 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
6Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2020-36846Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
TIMLEGGEIO::Compress::BrotliIO-Compress-Brotli, 0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1395 · source CWE mapping

Dependency on Vulnerable Third-Party Component

Dependency on Vulnerable Third-Party Component represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.