CVE-2017-20190
CVE-2017-20190 is a security vulnerability that is still awaiting full analysis and scoring. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-176.
Key facts
- EPSS exploit prediction: 0% (18th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2017-11182
- Weakness: CWE-176
- Published:
- Last modified:
Description
Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple Unicode combining characters, aka a "Zalgo text" attack. NOTE: third parties dispute whether the computational cost of interpreting Unicode data should be considered a vulnerability.
Frequently asked questions
- What is CVE-2017-20190?
- Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple Unicode combining characters, aka a "Zalgo text" attack. NOTE: third parties dispute whether the computational cost of interpreting Unicode data should be considered a vulnerability.
- Is CVE-2017-20190 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (18th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2017-20190?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2017-20190 have an EU (EUVD) identifier?
- Yes. CVE-2017-20190 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2017-11182.
- When was CVE-2017-20190 published?
- CVE-2017-20190 was published on 2024-03-27 and last updated on 2026-06-17.
References
- https://aka.ms/windowsbugbar
- https://en.wikipedia.org/wiki/Zalgo_text
- https://talk.dynalist.io/t/dynalist-is-vulnerable-to-zalgo/1234
Other CWE-176 vulnerabilities
- CVE-2025-71316 — Critical (CVSS 9.8): SQLite 'sqldiff.exe' does not securely handle the way the Microsoft Windows C runtime converts Unicode characters to…
- CVE-2024-24691 — Critical (CVSS 9.6): Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for…
- CVE-2026-23950 — High (CVSS 8.8): node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an…
- CVE-2024-43093 — High (CVSS 7.3): In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to…
- CVE-2026-4116 — High (CVSS 7.2): Improper handling of Unicode encoding in SonicWall SMA1000 series appliances allows a remote authenticated SSLVPN user…
- CVE-2026-20202 — Medium (CVSS 6.6): In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below…