Suse
CVE-2026-33250
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.
AnalysisAI
Freeciv21, an open-source turn-based strategy game, contains a stack overflow vulnerability that allows remote attackers to crash servers or client applications through specially-crafted network packets. All versions prior to 3.1.1 are affected, with exploitation requiring no authentication and leaving no useful logs by default. While there is no evidence of active exploitation (not in CISA KEV) or public proof-of-concept code, Debian has issued security advisory DSA-6173-1 indicating distribution-level concern.
Technical ContextAI
This vulnerability stems from improper input validation (CWE-20) in Freeciv21's network packet handling code. The affected product is Freeciv21, a fork of the Freeciv game engine that implements multiplayer turn-based strategy gameplay over network sockets. The stack overflow occurs when the application receives malformed packets without proper bounds checking, causing excessive recursion or oversized stack allocations that exhaust stack space. The fix committed in ad8e18ca22595529599782b2984bf44df8d69ed6 addresses the input validation weakness that allows attackers to trigger this condition through network communication channels.
Affected ProductsAI
Freeciv21 versions prior to 3.1.1 are affected by this vulnerability. The issue impacts both the game server component (used to host multiplayer games) and the client application (which can be crashed by malicious servers). According to the GitHub security advisory GHSA-f76g-6w3f-f6r3 and Debian tracking bug #1131524, the vulnerability was addressed in the v3.1.1 release. Debian has issued advisory DSA-6173-1 covering 8 Debian release versions, indicating widespread distribution of the vulnerable software through package repositories. The official project repository is maintained at github.com/longturn/freeciv21.
RemediationAI
Upgrade Freeciv21 to version 3.1.1 or later immediately, as documented in the release at github.com/longturn/freeciv21/releases/tag/v3.1.1 and the security advisory at github.com/longturn/freeciv21/security/advisories/GHSA-f76g-6w3f-f6r3. Debian users should apply the DSA-6173-1 security update through their package manager. For server operators unable to patch immediately, deploy the server behind a firewall that restricts access to trusted IP addresses only, as suggested in the advisory. The Redmine issue tracker entry at redmine.freeciv.org/issues/1955 contains additional technical details. Local single-player games are already protected by default connection restrictions and do not require additional mitigation.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allVendor StatusVendor
Debian
Bug #1131524| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | (unfixed) | end-of-life |
| bookworm | fixed | 3.0.6-1+deb12u1 | - |
| bookworm (security) | fixed | 3.0.6-1+deb12u1 | - |
| trixie | fixed | 3.1.4+ds-2+deb13u1 | - |
| trixie (security) | fixed | 3.1.4+ds-2+deb13u1 | - |
| forky | vulnerable | 3.2.2+ds-1 | - |
| sid | fixed | 3.2.4+ds-1 | - |
| (unstable) | fixed | 3.2.4+ds-1 | - |
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today