CVE-2020-36152
Description
A stack buffer overflow in libmysofa's readDataVar function (versions 0.5–1.1) allows arbitrary code execution via a crafted SOFA file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack buffer overflow exists in the readDataVar function in hdf/dataobject.c of Symonics libmysofa versions 0.5 through 1.1. The bug stems from incorrect use of sprintf on a buffer that is too small, leading to a 4-byte overflow on the stack. The vulnerable code path is reachable when processing a specially crafted SOFA file, which triggers the overflow during the reading of HDF data variables.
Exploitation
An attacker must deliver a malicious SOFA file to a user or application that parses it using a vulnerable libmysofa version. No special network position or authentication beyond the ability to provide the file is required. The overflow occurs when readDataVar constructs a string using sprintf with a format like "REF%08lX" into a fixed-size buffer; a crafted file causes the output to exceed the buffer size, overwriting adjacent stack data as shown in GDB traces from the advisory [1].
Impact
Successful exploitation allows an attacker to corrupt stack variables, potentially leading to arbitrary code execution with the privileges of the process consuming the SOFA file. Depending on stack protection mechanisms, the overflow may also cause logic errors or a denial-of-service crash.
Mitigation
The issue was fixed in libmysofa version 1.2, released after the vulnerability was disclosed. Users should upgrade to 1.2 or later. No workaround is available; the only mitigation is to update the library. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Symonics/libmysofa (source: description)
- OSV coordinates, 2 versions:
  - pkg:rpm/opensuse/libmysofa&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/suse/libmysofa&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: < 0.9.1-lp152.3.3.1
- (no CPE) range: < 0.9.1-bp152.4.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Incorrect use of sprintf with a too-small stack buffer in readDataVar leads to a 4-byte stack buffer overflow."
Attack vector
An attacker crafts a malicious SOFA file that triggers the `readDataVar` function with a value that, when formatted by `sprintf` with the format string `"REF%08lX"`, exceeds the allocated stack buffer. The overflow by 4 bytes can corrupt adjacent stack variables, leading to logic errors, crashes, or potentially arbitrary code execution. The file is loaded via `mysofa_open` or `mysofa_open_default`, so the attacker only needs to supply the crafted file to a victim application using libmysofa.
Affected code
The vulnerability is in `readDataVar` in `src/hdf/dataobject.c` at line 806. The function uses `sprintf` with a buffer that is too small, causing a 4-byte stack buffer overflow that overwrites adjacent stack variables.
What the fix does
The advisory recommends making the number buffer larger, using `snprintf` with the buffer size, and checking the return value of `snprintf`. This would prevent the buffer overflow by ensuring the formatted string is truncated or the error is handled, rather than blindly writing past the buffer boundary.
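The recommended hardening, sketched as an added example (this is not libmysofa's code or its actual patch). The function names and the 12-byte buffer size are hypothetical, and `unsigned long` is assumed to be 64 bits wide (LP64), which is what lets `"REF%08lX"` emit more than 8 hex digits:

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size: exactly "REF" + 8 hex digits + NUL. */
#define REF_NAME_MIN 12

/* Bytes (including NUL) that "REF%08lX" needs for this value.
 * %08lX sets a minimum width of 8; it does not cap the digit count. */
size_t ref_name_needed(unsigned long reference)
{
    int n = snprintf(NULL, 0, "REF%08lX", reference);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Unsafe pattern described on the page (do not use):
 *     char number[REF_NAME_MIN];
 *     sprintf(number, "REF%08lX", reference);   // no bound on output
 */

/* Hardened form: bounded write plus return-value check.
 * Returns 0 on success, -1 on encoding error or truncation. */
int format_ref_name(char *out, size_t outsz, unsigned long reference)
{
    int n;
    if (out == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "REF%08lX", reference);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* never hand back a truncated name */
        return -1;
    }
    return 0;
}

int main(void)
{
    char number[REF_NAME_MIN];
    /* Constructed sample values; the last one needs more than 8 digits. */
    unsigned long samples[] = { 0x1AUL, 0xFFFFFFFFUL, ULONG_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = format_ref_name(number, sizeof number, samples[i]);
        printf("value=%lX needs=%zu rc=%d name=\"%s\"\n",
               samples[i], ref_name_needed(samples[i]), rc, number);
    }
    return 0;
}
```

Treating truncation as an error matters here: a silently shortened `REF...` name would be memory-safe but could still match the wrong object later.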
Preconditions
- Input: The victim application must load a crafted SOFA file using libmysofa (e.g., via `mysofa_open` or `mysofa_open_default`).
- Input: The crafted file must contain HDF data that causes `readDataVar` to format a value exceeding the stack buffer size.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQLNZOVVONQSZZJHQVZT6NMOUUDMGBBR/ (mitre, vendor-advisory, x_refsource_FEDORA)
- github.com/hoene/libmysofa/issues/136 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.