CVE-2020-20335

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in the Kilo text editor allows remote attackers to cause denial of service by exploiting the editorUpdateRow function. This affects users running vulnerable versions of Kilo, particularly those opening malicious files or receiving untrusted input through the editor.

💻 Affected Systems

Products:
  • Antirez Kilo
Versions: All versions before commit 7709a04ae8520c5b04d261616098cebf742f5a23
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the core editor functionality and affects all default installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the buffer overflow can be controlled to execute arbitrary code.

🟠 Likely Case: Denial of service causing the Kilo editor to crash when processing specially crafted input.

🟢 If Mitigated: Limited impact if the editor is used only with trusted files and input validation is enforced.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting specific input to trigger the buffer overflow, but no public proof-of-concept has been disclosed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit 7709a04ae8520c5b04d261616098cebf742f5a23 and later

Vendor Advisory: https://github.com/antirez/kilo/issues/60

Restart Required: No

Instructions:

1. Clone the latest Kilo repository from GitHub.
2. Ensure the commit history includes 7709a04ae8520c5b04d261616098cebf742f5a23.
3. Recompile and replace the existing Kilo binary.

🔧 Temporary Workarounds

Avoid Untrusted Input

all

Restrict Kilo usage to trusted files and avoid opening files from unknown sources.

🧯 If You Can't Patch

  • Discontinue use of Kilo and switch to a patched or alternative text editor.
  • Implement strict file access controls to prevent opening untrusted files with Kilo.

🔍 How to Verify

Check if Vulnerable:

Check the Kilo version or commit hash; if earlier than commit 7709a04ae8520c5b04d261616098cebf742f5a23, it is vulnerable.

Check Version:

kilo --version or check git log in the Kilo source directory.

Verify Fix Applied:

Verify the Kilo binary includes commit 7709a04ae8520c5b04d261616098cebf742f5a23 by checking version or commit history.
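
One way to run the commit-history check described above against a local Kilo source checkout, as an added example that is not part of the original advisory or the Kilo project. It assumes git is installed and that the binary in use was built from that checkout; the helper name kilo_fix_status and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the Kilo project).
# Fix commit as given in this advisory.
FIX_COMMIT=7709a04ae8520c5b04d261616098cebf742f5a23

# kilo_fix_status DIR [COMMIT]   (hypothetical helper name)
# Prints and returns: patched (0), vulnerable (1), unknown (2).
kilo_fix_status() {
    dir=$1
    fix=${2:-$FIX_COMMIT}

    # Without git or a repository there is nothing to compare against.
    if ! command -v git >/dev/null 2>&1 ||
       ! git -C "$dir" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown
        return 2
    fi

    # Patched only if the fix commit is HEAD or one of its ancestors.
    if git -C "$dir" merge-base --is-ancestor "$fix" HEAD 2>/dev/null; then
        echo patched
        return 0
    fi

    # A shallow clone has truncated history, so a miss proves nothing.
    if [ "$(git -C "$dir" rev-parse --is-shallow-repository 2>/dev/null)" = true ]; then
        echo unknown
        return 2
    fi

    # Full history, and the fix is absent or not reachable from HEAD.
    echo vulnerable
    return 1
}

# Usage: sh check_kilo.sh /path/to/kilo   (script name is an example)
if [ "$#" -gt 0 ]; then
    kilo_fix_status "$1"
fi
```

An "unknown" result on a shallow clone can be resolved by fetching full history (git fetch --unshallow) and running the check again.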

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from Kilo process

SIEM Query:

Process:name='kilo' AND Event:type='crash'
