Description
Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to trigger a denial of service condition.
Published: 2026-05-16
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Internet Download Manager 6.38.12 contains a buffer overflow in the Scheduler component that can be triggered by supplying a malformed string longer than 5,000 bytes in the "Open the following file when done" field. The overflow corrupts the stack and causes the application to crash, resulting in a denial of service for the user who launched the download. The vulnerability is a classic buffer‑copy without bounds checking flaw (CWE‑120).

Affected Systems

The affected software is Internet Download Manager version 6.38.12, distributed by the vendor Internetdownloadmanager.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity for a local denial of service. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires local access to the machine and manipulation of the Scheduler input, it is unlikely to be leveraged remotely unless a remote code execution vulnerability is also present. Nonetheless, any local attacker who can launch the application has a straightforward path to cause a crash.

Generated by OpenCVE AI on May 16, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Internet Download Manager to a version that includes the Scheduler buffer overflow fix; check the vendor's website for the latest release.
  • If no newer version is available, uninstall or disable the Scheduler feature to eliminate the vulnerable component.
  • Run Internet Download Manager with the least privilege required and restrict local user access to the Scheduler input areas to reduce the attack surface.

Generated by OpenCVE AI on May 16, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when done' field to trigger a denial of service condition.
Title Internet Download Manager 6.38.12 Scheduler Buffer Overflow
First Time appeared Tonec
Tonec internet Download Manager
Weaknesses CWE-120
CPEs cpe:2.3:a:tonec:internet_download_manager:6.38.12:*:*:*:*:*:*:*
Vendors & Products Tonec
Tonec internet Download Manager
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Tonec Internet Download Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:51.356Z

Reserved: 2026-05-15T14:12:15.177Z

Link: CVE-2020-37234

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-16T16:16:19.440

Modified: 2026-05-16T16:16:19.440

Link: CVE-2020-37234

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T17:00:13Z

Weaknesses