CVE-2026-25061

tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6	Exploit Mitigation Vendor Advisory
https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:digitalcorpora:tcpflow:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

History

25 Feb 2026, 15:24

Type	Values Removed	Values Added
References	~~() https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 -~~	() https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 - Exploit, Mitigation, Vendor Advisory
References	~~() https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html -~~	() https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html - Mailing List, Third Party Advisory
First Time		Debian debian Linux Digitalcorpora Digitalcorpora tcpflow Debian
CPE		cpe:2.3:a:digitalcorpora:tcpflow:::::::: cpe:2.3:o:debian:debian_linux:11.0:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

10 Feb 2026, 21:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html -

04 Feb 2026, 16:34

Type	Values Removed	Values Added
Summary		(es) tcpflow es un demultiplexador de paquetes TCP/IP. En versiones hasta la 1.61 inclusive, wifipcap analiza los elementos de tramas de gestión 802.11 y realiza una comprobación de longitud en el campo incorrecto al manejar el elemento TIM. Una trama manipulada con una longitud TIM grande puede causar una escritura fuera de límites de 1 byte más allá de 'tim.bitmap[251]'. El desbordamiento es pequeño y DoS es el impacto probable; la ejecución de código es potencial, pero aún está en el aire. La estructura afectada está asignada en la pila en 'handle_beacon()' y controladores relacionados. En el momento de la publicación, no hay parches conocidos disponibles.

29 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-29 22:15

Updated : 2026-02-25 15:24

NVD link : CVE-2026-25061

Mitre link : CVE-2026-25061

CVE.ORG link : CVE-2026-25061

JSON object : View

Products Affected

debian

debian_linux

digitalcorpora

tcpflow

CWE

CWE-787

Out-of-bounds Write

7.5 /10