CVE-2020-24978

9.8 CRITICAL

📋 TL;DR

CVE-2020-24978 is a double-free vulnerability in NASM (Netwide Assembler) that could allow attackers to execute arbitrary code or cause denial of service. This affects systems using NASM 2.15.04rc3 for assembly compilation, potentially impacting developers, build systems, and software distribution pipelines.

💻 Affected Systems

Products:
  • NASM (Netwide Assembler)
Versions: 2.15.04rc3 specifically
Operating Systems: All platforms where NASM runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the vulnerable version for assembly compilation. The vulnerability is in the preprocessor component.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Application crash or denial of service when processing malicious assembly files, disrupting build processes.

🟢

If Mitigated

Limited impact if NASM runs in sandboxed environments with minimal privileges and input validation.

🌐 Internet-Facing: MEDIUM - NASM is typically used in build systems rather than directly internet-facing, but could be exploited through CI/CD pipelines.
🏢 Internal Only: MEDIUM - Internal build systems and development environments are primary targets.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires feeding malicious assembly files to NASM. No public exploit code is documented, but the vulnerability type suggests reliable exploitation is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 8806c3ca007b84accac21dd88b900fb03614ceb7 and later versions

Vendor Advisory: https://bugzilla.nasm.us/show_bug.cgi?id=3392712

Restart Required: No

Instructions:

1. Update NASM to version 2.15.04 or later.
2. For source installations: git pull from NASM repository and rebuild.
3. For package managers: Use system package manager to update nasm package.

🔧 Temporary Workarounds

Input validation and sanitization

all

Validate and sanitize assembly files before processing with NASM

Run NASM in restricted environment

linux

Execute NASM with minimal privileges using sandboxing or containerization

docker run --read-only --cap-drop=ALL -v "$(pwd)":/workdir nasm:latest

🧯 If You Can't Patch

  • Restrict NASM usage to trusted users and processes only
  • Monitor NASM processes for abnormal behavior and crashes

🔍 How to Verify

Check if Vulnerable:

Run 'nasm -v' and check if output shows version 2.15.04rc3

Check Version:

nasm -v

Verify Fix Applied:

Verify that 'nasm -v' reports version 2.15.04 or later, or, for a source build, that the checked-out tree contains the fix commit 8806c3ca007b84accac21dd88b900fb03614ceb7.
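
The version check above as a script, for running across build hosts. This is an added example, not part of the original advisory or the NASM project; the function name, the result labels, and the assumed banner format ("NASM version X compiled on DATE") are assumptions.

```shell
#!/bin/sh
# Classify a `nasm -v` banner against the versions named in this advisory.
# Prints one of: affected | fixed | other | unknown
#   affected = exactly the build the advisory lists
#   fixed    = release 2.15.04 or later
#   other    = neither listed as affected nor at/after the fix release

AFFECTED="2.15.04rc3"   # from the advisory

classify_nasm_banner() {
    # Assumed banner shape: "NASM version 2.15.05 compiled on Aug 28 2020"
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^NASM version \([0-9][^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then echo unknown; return 0; fi
    if [ "$ver" = "$AFFECTED" ]; then echo affected; return 0; fi

    # A release candidate of X sorts before X itself, so 2.15.04rcN
    # must not be treated as "2.15.04 or later".
    case "$ver" in
        *rc*) base=${ver%%rc*}; pre=1 ;;
        *)    base=$ver;        pre=0 ;;
    esac

    # awk converts fields numerically, so zero-padded parts ("04", "09")
    # compare correctly; a missing patch field counts as 0.
    printf '%s\n' "$base" | awk -F. -v pre="$pre" '{
        v   = $1 * 1000000 + $2 * 1000 + $3
        fix = 2 * 1000000 + 15 * 1000 + 4        # 2.15.04
        if (v > fix || (v == fix && pre == 0)) print "fixed"
        else print "other"
    }'
}

# Report on the local install when nasm is on PATH.
if command -v nasm >/dev/null 2>&1; then
    echo "local nasm: $(classify_nasm_banner "$(nasm -v)")"
fi
```
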

📡 Detection & Monitoring

Log Indicators:

  • NASM process crashes with segmentation faults
  • Unexpected NASM child process creation

Network Indicators:

  • Unusual network connections from build systems

SIEM Query:

(Process:name='nasm' AND (EventID=1000 OR EventID=1001)) OR Process:parent_name='nasm'
