Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green
Lifecycle Timeline
7DescriptionCVE.org
JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in
grid2deg in APRSISClient.cpp.
AnalysisAI
Stack-based buffer overflow in JS8Call allows remote code execution via crafted radio transmission containing an oversized Maidenhead grid locator. CVSS 10.0 reflects network-reachable attack with no authentication required. Both JS8Call (through 2.3.1) and JS8Call-improved (before 3.0) are affected by the overflow in grid2deg function within APRSISClient.cpp. Vendor patch available for JS8Call-improved 3.0+; JS8Call project status unclear. No confirmed active exploitation or public POC identified at time of analysis, though attack vector is straightforward for actors with radio transmission capabilities.
Technical ContextAI
JS8Call is amateur radio software for weak-signal digital communication using SSB transceivers. The vulnerability exists in APRSISClient.cpp's grid2deg function, which parses APRS (Automatic Packet Reporting System) integration messages received via radio. When processing an '@APRSIS GRID' command followed by a Maidenhead locator (geographic coordinate system used in amateur radio), the function performs insufficient bounds checking before copying data into a stack-allocated buffer. CWE-121 (Stack-based Buffer Overflow) indicates the vulnerability class. The CPE strings identify two affected codebases: the original js8call project and the community-maintained js8call-improved fork. CVSS 4.0 vector shows Safety (S:P) impact, indicating potential physical consequences from compromised radio equipment.
RemediationAI
For JS8Call-improved users: upgrade to version 3.0 or later, which contains the vendor-released patch addressing the stack overflow in grid2deg function. Vendor security advisory available at https://github.com/JS8Call-improved/JS8Call-improved/security/advisories/GHSA-98hp-pjp7-w62x. For original JS8Call users (through 2.3.1): patch status from upstream js8call project not confirmed in available data-check project repository at https://github.com/js8call/js8call for updates or consider migrating to JS8Call-improved 3.0+. Workaround options: disable APRS integration features if not operationally required, reducing attack surface by eliminating the vulnerable code path (may impact position reporting and gateway functionality). Restrict radio access by operating on non-standard frequencies or using directional antennas to limit transmission footprint (trade-off: reduces legitimate communication range). Apply OS-level exploit mitigations such as Address Space Layout Randomization (ASLR) and stack canaries if not already enabled (provides defense-in-depth but may not fully prevent exploitation of stack overflows).
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Stack Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26482