CVE-2020-3969
CVE-2020-3969 is a high-severity vulnerability in Vmware Cloud Foundation with a CVSS 3.x base score of 7.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-193.
Key facts
- Severity: High (CVSS 3.x base score 7.8)
- CVSS v2: 4.4
- EPSS exploit prediction: 0% (39th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-193
- Affected product: Vmware Cloud Foundation
- Published:
- Last modified:
Description
VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202004101-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an off-by-one heap-overflow vulnerability in the SVGA device. A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.
Frequently asked questions
- What is CVE-2020-3969?
- VMware ESXi (7.0 before ESXi_7.0.0-1.20.16321839, 6.7 before ESXi670-202004101-SG and 6.5 before ESXi650-202005401-SG), Workstation (15.x before 15.5.5), and Fusion (11.x before 11.5.5) contain an off-by-one heap-overflow vulnerability in the SVGA device. A malicious actor with local access to a virtual machine with 3D graphics enabled may be able to exploit this vulnerability to execute code on the hypervisor from a virtual machine. Additional conditions beyond the attacker's control must be present for exploitation to be possible.
- How severe is CVE-2020-3969?
- CVE-2020-3969 has a CVSS 3.x base score of 7.8, rated high severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2020-3969 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (39th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2020-3969?
- CVE-2020-3969 primarily affects Vmware Cloud Foundation. In total, 179 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2020-3969?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2020-3969 published?
- CVE-2020-3969 was published on 2020-06-24 and last updated on 2026-06-17.
References
- https://www.vmware.com/security/advisories/VMSA-2020-0015.html
- https://www.zerodayinitiative.com/advisories/ZDI-20-786/
Affected products (179)
- cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:fusion:*:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:workstation:*:*:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707210:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707211:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707212:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707213:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707214:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707215:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707216:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707217:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707218:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707219:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707220:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201707221:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201710001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201712001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201803001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201806001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201808001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201810001:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201810002:*:*:*:*:*:*
- cpe:2.3:o:vmware:esxi:6.5:650-201811001:*:*:*:*:*:*
More vulnerabilities in Vmware Cloud Foundation
- CVE-2023-34063 — Critical (CVSS 9.9): Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this…
- CVE-2024-38812 — Critical (CVSS 9.8): The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious…
- CVE-2024-37079 — Critical (CVSS 9.8): vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor…
- CVE-2023-20864 — Critical (CVSS 9.8): VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with…
- CVE-2022-22972 — Critical (CVSS 9.8): VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability…
- CVE-2022-22954 — Critical (CVSS 9.8): VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side…
All CVEs affecting Vmware Cloud Foundation →
Other CWE-193 (Off-by-one Error) vulnerabilities
- CVE-2024-10442 — Critical (CVSS 10.0): Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066,…
- CVE-2026-53309 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions()…
- CVE-2024-38441 — Critical (CVSS 9.8): Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to…
- CVE-2023-46853 — Critical (CVSS 9.8): In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used…
- CVE-2023-38429 — Critical (CVSS 9.8): An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in…
- CVE-2022-34970 — Critical (CVSS 9.8): Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h. On successful…