nethack CVE Vulnerabilities & Metrics

Focus on nethack vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About nethack Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with nethack. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total nethack CVEs: 10
Earliest CVE date: 09 Jun 2003, 04:00 UTC
Latest CVE date: 17 Feb 2023, 20:15 UTC

Latest CVE reference: CVE-2023-24809

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 5.96

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range Count
0.0-3.9 1
4.0-6.9 4
7.0-8.9 6
9.0-10.0 0

Top 5 Highest CVSS nethack CVEs

These are the five CVEs with the highest CVSS scores for nethack, sorted first by severity and then by recency.

All CVEs for nethack

CVE-2023-24809 nethack vulnerability CVSS: 0 17 Feb 2023, 20:15 UTC

NetHack is a single player dungeon exploration game. Starting with version 3.6.2 and prior to version 3.6.7, illegal input to the "C" (call) command can cause a buffer overflow and crash the NetHack process. This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash. This issue is resolved in NetHack 3.6.7. There are no known workarounds.

CVE-2020-5254 nethack vulnerability CVSS: 6.8 10 Mar 2020, 17:15 UTC

In NetHack before 3.6.6, some out-of-bound values for the hilite_status option can be exploited. NetHack 3.6.6 resolves this issue.

CVE-2020-5253 nethack vulnerability CVSS: 7.5 10 Mar 2020, 17:15 UTC

NetHack before version 3.6.0 allowed malicious use of escaping of characters in the configuration file (usually .nethackrc) which could be exploited. This bug is patched in NetHack 3.6.0.

CVE-2020-5211 nethack vulnerability CVSS: 7.5 28 Jan 2020, 19:15 UTC

In NetHack before 3.6.5, an invalid extended command in the value for the AUTOCOMPLETE configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.

CVE-2020-5214 nethack vulnerability CVSS: 7.5 28 Jan 2020, 18:15 UTC

In NetHack before 3.6.5, detecting an unknown configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.

CVE-2020-5213 nethack vulnerability CVSS: 7.5 28 Jan 2020, 18:15 UTC

In NetHack before 3.6.5, too long of a value for the SYMBOL configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.

CVE-2020-5212 nethack vulnerability CVSS: 7.5 28 Jan 2020, 18:15 UTC

In NetHack before 3.6.5, an extremely long value for the MENUCOLOR configuration file option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to upload their own configuration files. Users should upgrade to NetHack 3.6.5.

CVE-2020-5210 nethack vulnerability CVSS: 4.6 28 Jan 2020, 18:15 UTC

In NetHack before 3.6.5, an invalid argument to the -w command line option can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5.

CVE-2020-5209 nethack vulnerability CVSS: 4.6 28 Jan 2020, 18:15 UTC

In NetHack before 3.6.5, unknown options starting with -de and -i can cause a buffer overflow resulting in a crash or remote code execution/privilege escalation. This vulnerability affects systems that have NetHack installed suid/sgid and shared systems that allow users to influence command line options. Users should upgrade to NetHack 3.6.5.

CVE-2019-19905 nethack vulnerability CVSS: 7.5 19 Dec 2019, 18:15 UTC

NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability when reading very long lines from configuration files. This affects systems that have NetHack installed suid/sgid, and shared systems that allow users to upload their own configuration files.

CVE-2003-0358 nethack vulnerability CVSS: 4.6 09 Jun 2003, 04:00 UTC

Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option.