Cyber Resilience

CVE-2020-37038

Severity: Medium · Public PoC available

Published: 30 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none referenced
CVSS Score (v4): 4.6 (Medium) CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (8.2nd percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2020-37038 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Code::Blocks (the affected product is inferred from the references, since NVD filed no CPE). Its CVSS v4 base score is 4.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 8.2nd percentile by exploit likelihood, well below the median. It is not listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-37038 is a denial-of-service bug in Code::Blocks 20.03 that affects the FSymbols search field. Pasting an oversized payload of 5000 repeated characters into the field crashes the application. The weakness is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The CVSS v3.1 vector carried with the record, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, scores 7.5 (High), but that vector assumes a network-reachable trigger with no user interaction, which does not match how the bug is exercised: the payload must be pasted into a desktop IDE's search field by a local user. The CVSS v4 vector in the header (AV:L, UI:A, VA:L, score 4.6 Medium) is the more accurate model of the exposure.

In practice this is a local, interaction-dependent issue. A user either pastes the oversized string directly, or an attacker induces them to paste it; no privileges beyond a normal desktop session are needed. The result is a full crash of the Code::Blocks process, which loses unsaved work and interrupts the developer's session. Nothing in the referenced material suggests code execution or data disclosure; the impact is confined to availability.

Advisories and related resources include a VulnCheck advisory at https://www.vulncheck.com/advisories/code-blocks-denial-of-service describing the issue and a proof-of-concept exploit published on Exploit-DB at https://www.exploit-db.com/exploits/48617. Official project pages are hosted at http://www.codeblocks.org/ and https://sourceforge.net/projects/codeblocks. None of the provided references identifies a fixing release or patch.

EU & UK References

Vulnerability details

Code::Blocks 20.03 contains a denial-of-service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash.

CWE(s)

CWE-770 Allocation of Resources Without Limits or Throttling

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-inferred)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct match to application exploitation causing crash/DoS via unbounded resource allocation in input field (CWE-770).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)
CVE-2020-37139 (shared CWE-770)

Affected Assets

Codeblocks
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls (NIST 800-53 r5, AI-inferred)

SI-10 Information Input Validation (prevent)
Rejects or sanitizes oversized input in the FSymbols search field before the application performs unbounded resource allocation.

SC-5 Denial-of-service Protection (prevent)
Implements denial-of-service protection mechanisms that limit the impact of resource-exhaustion attacks triggered through application inputs.

SC-6 Resource Availability (prevent)
Enforces resource availability controls that throttle or prioritize allocation to prevent a single input from crashing the process.
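The trigger described in the deeper analysis (a 5000-character paste into a search field) and the SI-10 control above both come down to the same guard: bound the query before any work proportional to its size happens. The following C++ is an added illustration, not Code::Blocks source; the page does not describe the IDE's actual search implementation or the root cause of the crash, so the limits (256-character query cap, 100-result cap), the symbol table and the function names are assumptions chosen for the example.

```cpp
// Added example (not Code::Blocks code): a bounded symbol-search entry point
// demonstrating the SI-10 input-validation guard against CWE-770.
// All limits and names here are assumed for illustration.
#include <cstddef>
#include <string>
#include <vector>

constexpr std::size_t kMaxQueryLength = 256;  // assumed cap; a 5000-char paste is ~20x over it
constexpr std::size_t kMaxResults     = 100;  // assumed cap on matches returned per query

struct SearchResult {
    bool accepted = false;             // false when the guard rejected the query
    std::string reason;                // why it was rejected; empty on success
    std::vector<std::string> matches;  // symbols containing the query as a substring
};

// Constructed symbol table standing in for an IDE's parsed symbol list.
const std::vector<std::string>& sampleSymbols() {
    static const std::vector<std::string> symbols = {
        "main", "wxFrame::OnPaint", "cbEditor::Save", "cbProject::GetTitle",
        "ParseSymbols", "cbEditor::SaveAs"
    };
    return symbols;
}

// Builds the class of payload the page describes: one character repeated n times.
std::string repeatedPayload(std::size_t n, char c = 'A') { return std::string(n, c); }

// Guarded search: validate the query's size first, then do bounded work.
SearchResult searchSymbols(const std::string& query,
                           const std::vector<std::string>& symbols) {
    SearchResult r;
    if (query.empty()) {
        r.reason = "empty query";
        return r;
    }
    if (query.size() > kMaxQueryLength) {
        // Rejected before any per-query allocation proportional to the input.
        r.reason = "query exceeds " + std::to_string(kMaxQueryLength) + " characters";
        return r;
    }
    r.accepted = true;
    r.matches.reserve(kMaxResults);  // constant-size reservation, independent of input
    for (const auto& s : symbols) {
        if (s.find(query) != std::string::npos) {
            r.matches.push_back(s);
            if (r.matches.size() >= kMaxResults) break;  // bound the output side too
        }
    }
    return r;
}

int main() {
    SearchResult ok  = searchSymbols("Save", sampleSymbols());                  // accepted, 2 matches
    SearchResult bad = searchSymbols(repeatedPayload(5000), sampleSymbols());   // rejected by the guard
    return (ok.accepted && ok.matches.size() == 2 && !bad.accepted) ? 0 : 1;
}
```

The two caps serve different halves of CWE-770: the query-length check stops the process from doing work or allocation sized by attacker-controlled input, and the result cap keeps the output side bounded even when a short query matches almost every symbol. A rejected query returns a reason string rather than throwing, so a UI layer can show it without the crash path ever being reachable.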

References