Security readout for executives and security teams
Plain-English summary
CVE-2020-36846 affects Perl systems using IO::Compress::Brotli before 0.007. A flaw in its bundled Brotli library can cause memory corruption or a crash when very large one-shot decompression input is attacker-controlled. Treat exposed decompression services as urgent to review and update.
Executive priority
Prioritize internet-facing or partner-facing services that process compressed uploads, API bodies, or files through Perl. The rating is critical, but urgency depends on whether vulnerable one-shot decompression is reachable by untrusted users.
Technical view
IO::Compress::Brotli versions before 0.007 bundled Brotli before 1.0.8, inheriting the CVE-2020-8927 integer overflow/buffer overflow issue. The described trigger is attacker-controlled input length in one-shot decompression, especially chunks larger than 2 GiB. CVSS is 9.8 with network, low-complexity, unauthenticated attack characteristics.
Likely exposure
Exposure is likely limited to Perl applications or scripts that use IO::Compress::Brotli before 0.007 and pass untrusted Brotli-compressed data into one-shot decompression. Systems not using this module, already on 0.007 or later, or using bounded streaming decompression are less likely exposed.
Exploitation context
The source bundle does not show CISA KEV listing or cited active exploitation. The plausible attack context is a network-reachable service that accepts attacker-supplied compressed data and decompresses it with the vulnerable one-shot API. Evidence for real-world exploitation is incomplete.
Researcher notes
The CVE record ties this to Brotli CVE-2020-8927 and recommends IO::Compress::Brotli 0.007 or later. The supplied evidence names crash behavior for large copies but assigns high confidentiality, integrity, and availability impact through CVSS. Confirm impact against the exact embedded library and call pattern.
Mitigation direction
- Update IO::Compress::Brotli to version 0.007 or later.
- If updating is blocked, use the streaming API instead of one-shot decompression.
- Impose strict decompression chunk size limits.
- Review vendor guidance for any environment-specific remediation details.
- Inventory bundled or vendored Brotli copies in Perl deployments.
Validation and detection
- Check installed IO::Compress::Brotli versions across production and build images.
- Find code paths that decompress attacker-supplied Brotli data.
- Confirm vulnerable one-shot decompression is not used on untrusted input.
- Verify chunk size limits exist where streaming decompression is used.
- Confirm dependency updates reached deployed runtime environments.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-1395: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2020-36846 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
9.8CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://github.com/google/brotli/pull/826CVE reference · issue-tracking
- https://github.com/advisories/GHSA-5v8v-66v8-mwm7CVE reference · third-party-advisory
- https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52CVE reference · mitigation
- https://nvd.nist.gov/vuln/detail/CVE-2020-8927CVE reference · vdb-entry
- https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6CVE reference · patch
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Dependency on Vulnerable Third-Party Component
Dependency on Vulnerable Third-Party Component represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
