What is CVE-2017-18206?

CVE-2017-18206 is a critical-severity software vulnerability (Memory corruption) with a CVSS score of 9.8. In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.

Is CVE-2017-18206 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 3%.

What products does CVE-2017-18206 affect?

Tracked products affected include Ubuntu. Check the version you run to see whether it is affected.

How do I fix CVE-2017-18206?

Apply the vendor fix promptly. An official patch or advisory is available. Upgrade affected products to a fixed version.

← All products

CVE-2017-18206

CRITICAL severity · CVSS 9.8 · Memory corruption

9.8CVSS CRITICAL

Summary

In utils.c in zsh before 5.4, symlink expansion had a buffer overflow.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)3%

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Ubuntu

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Official patch: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d ↗

Additional information

NVD record
https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6dPatch
https://access.redhat.com/errata/RHSA-2018:1932Advisory
https://access.redhat.com/errata/RHSA-2018:3073Advisory
https://lists.debian.org/debian-lts-announce/2020/12/msg00000.html
https://security.gentoo.org/glsa/201805-10Advisory
https://usn.ubuntu.com/3593-1/Advisory