CVE-2020-36940
Published: 27 January 2026
Summary
CVE-2020-36940 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
Easy CD & DVD Cover Creator 4.13 is affected by CVE-2020-36940, a buffer overflow vulnerability in the serial number input field. The flaw, classified under CWE-120, enables attackers to crash the application by generating a 6000-byte payload and pasting it into the field. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high impacts across confidentiality, integrity, and availability.
Any remote attacker can exploit this vulnerability without privileges or user interaction, according to the CVSS vector. By crafting and delivering the oversized payload to the serial number field, the attacker achieves a denial-of-service condition, crashing the application. While the description focuses on application termination, the high CVSS impact scores suggest possible escalation to broader compromise, though confirmed effects are limited to crashing.
Advisories referenced in Exploit-DB (exploit 49337) provide a proof-of-concept for the crash, demonstrating the 6000-byte payload technique. The Vulncheck advisory specifically details the denial-of-service impact in Easy CD & DVD Cover Creator. No patch or mitigation details are specified in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-30858
Vulnerability details
Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to…
more
trigger an application crash.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in local app input enables application crash/DoS via crafted payload (T1499.004); high CVSS suggests possible RCE but confirmed impact limited to termination.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of serial number field inputs to reject oversized payloads and prevent buffer overflow crashes.
Implements memory protections such as ASLR and DEP to mitigate exploitation and impacts of buffer overflows in the application.
Enforces restrictions on input length and types for the serial number field to block excessive payloads causing buffer overflows.