Tcpflow
CVE-2026-25061
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past tim.bitmap[251]. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in handle_beacon() and related handlers. As of time of publication, no known patches are available.
AnalysisAI
Denial-of-service attacks against tcpflow up to version 1.61 are possible via malformed 802.11 management frames that trigger a stack-based buffer overflow in TIM element parsing. An unauthenticated remote attacker can craft a specially designed wireless frame to cause a one-byte out-of-bounds write, crashing the application or potentially executing arbitrary code. Public exploit code exists, but no patches are currently available for affected Debian Linux systems and other distributions using vulnerable tcpflow versions.
Technical ContextAI
Classified as CWE-787 (Out-of-bounds Write). Affects Tcpflow. tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past tim.bitmap[251]. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in handle_beacon() and related handlers.
RemediationAI
Monitor vendor advisories for a patch. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.
An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW through 1.5.0-alpha. Rated critical severity (CVSS 9.1), thi
A stack-based buffer over-read exists in setbit() at iptree.h of TCPFLOW 1.5.0, due to received incorrect values causing
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today