Cyber Resilience

CVE-2020-36940

Severity: Medium · Public PoC

Published: 27 January 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score (v4): 5.1
CVSS v4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0024 (15.4th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2020-36940 is a medium-severity Classic Buffer Overflow (CWE-120) vulnerability. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

Easy CD & DVD Cover Creator 4.13 is affected by CVE-2020-36940, a buffer overflow vulnerability in the serial number input field. The flaw, classified under CWE-120, enables attackers to crash the application by generating a 6000-byte payload and pasting it into the field. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high impacts across confidentiality, integrity, and availability.

According to the CVSS v3.1 vector, any remote attacker can exploit this vulnerability without privileges or user interaction. By crafting the oversized payload and delivering it to the serial number field, the attacker causes a denial-of-service condition that crashes the application. While the description focuses on application termination, the high CVSS impact scores suggest possible escalation to broader compromise, though the confirmed effect is limited to crashing.

Advisories referenced in Exploit-DB (exploit 49337) provide a proof-of-concept for the crash, demonstrating the 6000-byte payload technique. The Vulncheck advisory specifically details the denial-of-service impact in Easy CD & DVD Cover Creator. No patch or mitigation details are specified in the available information.

EU & UK References

Vulnerability details

Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A buffer overflow in a local application input field enables an application crash (DoS) via a crafted payload (T1499.004); the high CVSS score suggests possible RCE, but the confirmed impact is limited to application termination.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2020-37212 (shared CWE-120)
CVE-2025-50648 (shared CWE-120)
CVE-2020-37187 (shared CWE-120)
CVE-2020-37206 (shared CWE-120)
CVE-2025-20115 (shared CWE-120)
CVE-2021-47797 (shared CWE-120)
CVE-2025-50654 (shared CWE-120)
CVE-2020-37213 (shared CWE-120)
CVE-2018-25294 (shared CWE-120)
CVE-2024-24419 (shared CWE-120)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation of serial number field inputs to reject oversized payloads and prevent buffer overflow crashes.

prevent: Implements memory protections such as ASLR and DEP to mitigate exploitation and impacts of buffer overflows in the application.

prevent: Enforces restrictions on input length and types for the serial number field to block excessive payloads causing buffer overflows.
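As an added example (not code from the advisory or from Easy CD & DVD Cover Creator), the CWE-120 pattern the deeper analysis describes and the input-validation control listed above: a fixed-size serial-number buffer filled by an unbounded copy, beside a hardened version that checks length and character set before copying, so a 6000-byte paste is rejected instead of overrunning the buffer. The 24-byte field size, the function names and the allowed serial alphabet are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>

#define SERIAL_MAX 24   /* assumed maximum serial length; not the product's real value */

/* The CWE-120 pattern: strcpy trusts the caller's length, so any input
 * longer than the field writes past 'serial' and corrupts the stack.
 * Kept only for contrast; never pass untrusted input to it. */
int register_serial_unsafe(const char *input) {
    char serial[SERIAL_MAX + 1];
    strcpy(serial, input);   /* no bound on 'input' */
    return serial[0] != '\0';
}

/* Hardened version (SI-10 style input validation): bound the scan, reject
 * oversized or malformed input before anything is copied, then copy exactly
 * the validated length. Returns 0 on success, -1 on rejection. */
int register_serial_safe(const char *input, char *out, size_t out_len) {
    if (input == NULL || out == NULL || out_len < SERIAL_MAX + 1)
        return -1;
    /* Bounded length scan: reads at most SERIAL_MAX + 1 bytes, so a
     * 6000-byte paste is rejected after 25 reads. */
    size_t n = 0;
    while (n <= SERIAL_MAX && input[n] != '\0')
        n++;
    if (n == 0 || n > SERIAL_MAX)
        return -1;   /* oversized: reject outright rather than truncate silently */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!isalnum(c) && c != '-')   /* assumed serial alphabet */
            return -1;
    }
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

int main(void) {
    char out[SERIAL_MAX + 1];
    char *big = malloc(6001);   /* constructed 6000-byte paste, as in the advisory */
    if (big == NULL) return 1;
    memset(big, 'A', 6000);
    big[6000] = '\0';
    printf("valid serial -> %d\n", register_serial_safe("ABCD-1234-EFGH", out, sizeof out));
    printf("6000-byte paste -> %d\n", register_serial_safe(big, out, sizeof out));
    free(big);
    return 0;
}
```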

References