Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0.
AnalysisAI
Out-of-bounds read in woof before version 15.3.0 allows remote attackers to trigger information disclosure and denial of service without authentication or user interaction. This critical vulnerability affects Debian systems and can be exploited over the network to leak sensitive data or crash the application. A patch is available and should be applied immediately.
Technical ContextAI
Woof (Web Offer One File) by Fabian Greffrath is a lightweight web server utility for quickly sharing files over HTTP. The vulnerability is classified as CWE-125 (Out-of-bounds Read), a memory safety issue where the application reads data past the end or before the beginning of an allocated memory buffer. This class of vulnerability can expose sensitive information from adjacent memory regions and may lead to application crashes or other undefined behavior. The affected product is identified via CPE as cpe:2.3:a:fabiangreffrath:woof, indicating all versions of the woof application prior to the patched release are vulnerable to this memory corruption issue.
RemediationAI
Upgrade fabiangreffrath woof to version 15.3.0 or later immediately to address this vulnerability. The patch is available through the vendor's GitHub repository as documented in pull request #2521 at https://github.com/fabiangreffrath/woof/pull/2521. Organizations should prioritize patching internet-facing instances of woof given the network-based attack vector and lack of authentication requirements. As an interim mitigation if immediate patching is not possible, restrict network access to woof instances using firewall rules to allow connections only from trusted IP ranges, deploy the service behind a reverse proxy with additional access controls, or temporarily disable the service until the update can be applied. Monitor system logs for unusual access patterns or crashes that could indicate exploitation attempts.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allVendor StatusVendor
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 10.5.1+dfsg-1 | - |
| trixie | vulnerable | 15.2.0+dfsg-1 | - |
| forky, sid | vulnerable | 15.3.0+dfsg-1 | - |
| (unstable) | fixed | (unfixed) | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14766
GHSA-r29r-g6g3-64qx