CVE-2020-19725

7.8 HIGH

📋 TL;DR

CVE-2020-19725 is a use-after-free vulnerability in the Z3 theorem prover that occurs during constraint simplification in pdd_simplifier.cpp. By triggering the stale memory access, an attacker can cause a segmentation fault or potentially execute arbitrary code. Anyone using a Z3 version before 4.8.8 is affected.

💻 Affected Systems

Products:
  • Z3 Theorem Prover
Versions: All versions before 4.8.8
Operating Systems: All platforms running Z3
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in core solver functionality; all configurations using the affected code path are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if Z3 processes untrusted input from network sources.

🟠 Likely Case

Application crashes (segmentation faults) causing denial of service when processing malicious input.

🟢 If Mitigated

With input validation and sandboxing in place, impact is limited and most likely confined to crashes.

🌐 Internet-Facing: MEDIUM - Risk depends on whether Z3 processes untrusted input from external sources; many deployments are internal.
🏢 Internal Only: MEDIUM - Internal applications using Z3 could be vulnerable to privilege escalation or lateral movement if exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept exists in GitHub issue #3363; exploitation requires crafting specific constraints to trigger the use-after-free.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.8 and later

Vendor Advisory: https://github.com/Z3Prover/z3/issues/3363

Restart Required: Yes

Instructions:

1. Download Z3 version 4.8.8 or later from the GitHub releases page.
2. Replace the existing Z3 installation with the patched version.
3. Restart any services or applications using Z3.

🔧 Temporary Workarounds

Input Validation (platform: all)

Implement strict input validation for Z3 constraints so that malicious input never reaches the vulnerable code path.

Sandbox Execution (platform: linux)

Run Z3 in a sandboxed environment with limited privileges to contain potential exploitation, for example:

firejail --net=none --private /path/to/z3

🧯 If You Can't Patch

  • Isolate Z3 instances from network access and untrusted input sources.
  • Implement application-level monitoring for segmentation faults and abnormal Z3 process behavior.

🔍 How to Verify

Check if Vulnerable:

Check the Z3 version with 'z3 --version' or examine the installed package version.

Check Version:

z3 --version

Verify Fix Applied:

Confirm the version is 4.8.8 or later, then test with the known problematic constraints from GitHub issue #3363.
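As an added example (not from the advisory or the Z3 project), a POSIX shell helper that parses the banner printed by `z3 --version` and reports whether the build predates the 4.8.8 fix; the function names are my own and the banner strings used for checking are constructed samples.

```shell
#!/bin/sh
# Added example: decide whether a Z3 build is in the affected range for
# CVE-2020-19725 (fixed in 4.8.8) from its --version banner.

# Extract "major.minor.patch" from a banner such as "Z3 version 4.8.7 - 64 bit".
z3_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Vv]ersion \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) if version $1 is strictly lower than version $2, comparing
# each dotted component numerically (so 4.8.10 is newer than 4.8.8).
# Pure awk, so it does not depend on GNU "sort -V".
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        k = (n > m) ? n : m;
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1;
    }'
}

# Print "vulnerable", "fixed", or "unknown" (no version found) for a banner.
z3_cve_2020_19725_status() {
    v=$(z3_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "4.8.8"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# When z3 is on PATH, classify the installed binary.
if command -v z3 >/dev/null 2>&1; then
    z3_cve_2020_19725_status "$(z3 --version 2>&1)"
fi
```

Note that this only checks the reported version; a distribution package that backports the fix without bumping the version would still be reported as vulnerable.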

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in application logs
  • Unexpected Z3 process termination

Network Indicators:

  • Unusual network connections from Z3 processes if exploited

SIEM Query:

process_name:z3 AND (event_type:crash OR exit_code:139)
