CVE-2020-5211

Name of the Vulnerable Software and Affected Versions NetHack versions prior to 3.6.5

Description The issue is caused by an invalid extended command in the value for the AUTOCOMPLETE configuration file option, leading to a buffer overflow. This can result in a crash or remote code execution/privilege escalation. It affects systems with NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

Recommendations For versions prior to 3.6.5, upgrade to NetHack 3.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the AUTOCOMPLETE configuration file option to minimize the risk of exploitation.