Skip to main content

Woof CVE-2026-4750

| EUVDEUVD-2026-14766 CRITICAL
Out-of-bounds Read (CWE-125)
2026-03-24 GovTech CSG GHSA-r29r-g6g3-64qx
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 06:15 euvd
EUVD-2026-14766
Analysis Generated
Mar 24, 2026 - 06:15 vuln.today
Patch released
Mar 24, 2026 - 06:15 nvd
Patch available
CVE Published
Mar 24, 2026 - 05:36 nvd
CRITICAL 9.1

DescriptionCVE.org

Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0.

AnalysisAI

Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. This critical vulnerability affects Debian systems and can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied immediately.

Technical ContextAI

Woof (Web Offer One File) by Fabian Greffrath is a lightweight web server utility for quickly sharing files over HTTP. The vulnerability is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the application reads data past the end or before the beginning of an allocated memory buffer. This class of vulnerability can expose sensitive information from adjacent memory regions and may lead to application crashes or other undefined behavior. The affected product is identified via CPE as cpe:2.3:a:fabiangreffrath:woof, indicating all versions of the woof application prior to the patched release are vulnerable to this memory corruption issue.

RemediationAI

Upgrade fabiangreffrath woof to version 15.3.0 or later immediately to address this vulnerability. The patch is available through the vendor's GitHub repository as documented in pull request #2521 at https://github.com/fabiangreffrath/woof/pull/2521. Organizations should prioritize patching internet-facing instances of woof given the network-based attack vector and lack of authentication requirements. As an interim mitigation if immediate patching is not possible, restrict network access to woof instances using firewall rules to allow connections only from trusted IP ranges, deploy the service behind a reverse proxy with additional access controls, or temporarily disable the service until the update can be applied. Monitor system logs for unusual access patterns or crashes that could indicate exploitation attempts.

Vendor StatusVendor

Debian

woof-doom
Release Status Fixed Version Urgency
bookworm vulnerable 10.5.1+dfsg-1 -
trixie vulnerable 15.2.0+dfsg-1 -
forky, sid vulnerable 15.3.0+dfsg-1 -
(unstable) fixed (unfixed) -

Share

CVE-2026-4750 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy