Cyber Posture

CVE-2020-36938

HighPublic PoC

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 9.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-36938 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 9.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-34 Non-modifiable Executable Programs good match
prevent

Directly prohibits modification of critical executable programs and DLLs in the WinAVR installation directory exploited via insecure permissions.

CM-5 Access Restrictions for Change good match
prevent

Authorizes and restricts access to change system components like the vulnerable executables and DLLs in the installation directory.

AC-6 Least Privilege good match
prevent

Applies least privilege to deny low-privileged authenticated users write access to critical system files despite overly permissive directory permissions.

NVD Description

WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory.

Deeper analysisAI

CVE-2020-36938 is an insecure permissions vulnerability (CWE-732) affecting WinAVR version 20100110. The issue arises from overly permissive access controls in the WinAVR installation directory, enabling authenticated users to modify system files and executables, including critical DLLs.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with low complexity, requiring only low privileges such as an authenticated user account, and no user interaction. Attackers can leverage this to modify critical files, potentially achieving high-impact compromise of confidentiality, integrity, and availability on affected systems.

Advisories, including one from VulnCheck on the insecure folder permissions, provide further details, while an exploit is documented on Exploit-DB (ID 49379). The WinAVR project page on SourceForge offers additional context on the software. No specific patches are detailed in the available information.

Details

CWE(s)
CWE-732

Affected Products

WinAVR
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2024-38337Shared CWE-732
CVE-2025-0064Shared CWE-732
CVE-2026-24834Shared CWE-732
CVE-2025-1067Shared CWE-732
CVE-2026-26102Shared CWE-732
CVE-2025-0066Shared CWE-732
CVE-2025-33088Shared CWE-732
CVE-2025-12985Shared CWE-732
CVE-2025-21325Shared CWE-732
CVE-2024-57068Shared CWE-732

References