CVE-2020-12885
CVE-2020-12885 is a high-severity vulnerability in Arm Mbed Os with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-835.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 7.8
- EPSS exploit prediction: 1% (65th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-835
- Affected product: Arm Mbed Os
- Published:
- Last modified:
Description
An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options in a while loop. This loop's exit condition is computed using the previously allocated heap memory required for storing the result of parsing multiple options. If the input heap memory calculation results in zero bytes, the loop exit condition is never met and the loop is not terminated. As a result, the packet parsing function never exits, leading to resource consumption.
Frequently asked questions
- What is CVE-2020-12885?
- An infinite loop was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse_multiple_options() parses CoAP options in a while loop. This loop's exit condition is computed using the previously allocated heap memory required for storing the result of parsing multiple options. If the input heap memory calculation results in zero bytes, the loop exit condition is never met and the loop is not terminated. As a result, the packet parsing function never exits, leading to resource consumption.
- How severe is CVE-2020-12885?
- CVE-2020-12885 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2020-12885 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (65th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-12885?
- CVE-2020-12885 affects Arm Mbed Os. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2020-12885?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2020-12885 published?
- CVE-2020-12885 was published on 2020-06-18 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:o:arm:mbed_os:5.15.3:*:*:*:*:*:*:*
More vulnerabilities in Arm Mbed Os
- CVE-2024-48984 — Critical (CVSS 9.8): An issue was discovered in MBed OS 6.16.0. When parsing hci reports, the hci parsing software dynamically determines…
- CVE-2020-12886 — Critical (CVSS 9.1): A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing…
- CVE-2020-12884 — Critical (CVSS 9.1): A buffer over-read was discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing…
- CVE-2020-12883 — Critical (CVSS 9.1): Buffer over-reads were discovered in the CoAP library in Arm Mbed OS 5.15.3. The CoAP parser is responsible for parsing…
- CVE-2024-22905 — High (CVSS 7.0): Buffer Overflow vulnerability in ARM mbed-os v.6.17.0 allows a remote attacker to execute arbitrary code via a crafted…
All CVEs affecting Arm Mbed Os →
Other CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities
- CVE-2026-24816 — Critical (CVSS 10.0): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in datavane tis…
- CVE-2018-20784 — Critical (CVSS 9.8): In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a…
- CVE-2017-12997 — Critical (CVSS 9.8): The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in…
- CVE-2017-12995 — Critical (CVSS 9.8): The DNS parser in tcpdump before 4.9.2 could enter an infinite loop due to a bug in print-domain.c:ns_print().
- CVE-2017-12990 — Critical (CVSS 9.8): The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop due to bugs in print-isakmp.c, several functions.
- CVE-2026-31448 — Critical (CVSS 9.4): In the Linux kernel, the following vulnerability has been resolved: ext4: avoid infinite loops caused by residual…
Browse all CWE-835 (Loop with Unreachable Exit Condition (Infinite Loop)) vulnerabilities →