NetHack: Privilege escalation/remote code execution/crash in configuration parsing

Severity: High
Affected versions: 3.6.0, 3.6.1, 3.6.2, 3.6.3
First Patched Version: 3.6.4

Basic Information:
A buffer overflow issue exists when reading very long lines from a NetHack configuration file (usually named .nethackrc).

This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files.

All users are urged to upgrade to NetHack 3.6.4 as soon as possible.

Additional information related to this advisory, if any, will be made available at

18-Dec-2019 NetHack 3.6.4 released with fix.
13-Dec-2019 Bug reported.

The NetHack Development Team gratefully acknowledges security researcher David Mendenhall for discovering this issue and for responsibly reporting it.
Revision History:
23-Dec-2019 Resolve duplicate CVE information.
19-Dec-2019 Add acknowledgements, Debian CVE, revision history.
18-Dec-2019 Initial Version.

Known Bug List
Version 3.6.7
Known Bug Search
Site Map
Old News
Security Issues
Developer Resources
Old Versions
Contact Us

Hosted courtesy of

NetHack is Copyright 1985-2023 by Stichting Mathematisch Centrum and M. Stephenson. See our license for details.
This site is Copyright 1999-2023 by Kenneth Lorber, Kensington, Maryland.