CVE-2020-16123
MEDIUMUbuntu Linux - Information Exposure via PulseAudio Snap Policy Race Condition
Title source: llmDescription
An Ubuntu-specific patch in PulseAudio created a race condition where the snap policy module would fail to identify a client connection from a snap as coming from a snap if SCM_CREDENTIALS were missing, allowing the snap to connect to PulseAudio without proper confinement. This could be exploited by an attacker to expose sensitive information. Fixed in 1:13.99.3-1ubuntu2, 1:13.99.2-1ubuntu2.1, 1:13.99.1-1ubuntu3.8, 1:11.1-1ubuntu7.11, and 1:8.0-0ubuntu3.15.
References (2)
Core 2
Core References
Exploit, Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://launchpad.net/bugs/1895928
Patch, Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://ubuntu.com/USN-4640-1
Scores
CVSS v3
4.4
EPSS
0.0009
EPSS Percentile
24.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Details
CWE
CWE-362
Status
published
Products (4)
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
20.04
canonical/ubuntu_linux
20.10
Published
Dec 04, 2020
Tracked Since
Feb 18, 2026