CVE-2020-26994: 
Siemens JT2Go vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2020-26994) was identified in JT2Go (all versions prior to V13.1.0) and Teamcenter Visualization (all versions prior to V13.1.0). The vulnerability stems from improper validation of user-supplied data when parsing PCX files, which could allow an attacker to execute code in the context of the current process (NVD, CISA).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue occurs when parsing PCX files due to insufficient validation of user-supplied data, which can lead to memory corruption (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process, potentially leading to full system compromise with the privileges of the affected application (CISA).

Siemens has released version 13.1.0 for both JT2Go and Teamcenter Visualization to address this vulnerability. Users are strongly recommended to update to the latest version. As additional mitigation, Siemens advises limiting the opening of untrusted files and applying defense-in-depth concepts (Siemens Advisory).