Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attacker-controlled SOCKS5 proxy reply reaches socat over the network without victim auth (AV:N/PR:N/UI:N), but the specific proxy-client path and heap-grooming make it AC:H; memory corruption yields full C/I/A impact.
Primary rating from Vendor (vendor:alpine).
CVSS VectorVendor: vendor:alpine
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Alpine Linux: socat fixed in 1.8.1.2-r0
AnalysisAI
Heap-based buffer overflow in socat's SOCKS5 reply parser allows a malicious or compromised SOCKS5 proxy server to corrupt heap memory in clients that route connections through it, with potential for code execution. The flaw affects socat versions prior to 1.8.1.2 (packaged on Alpine Linux as 1.8.1.2-r0) and is triggered when socat acts as a SOCKS5 client and processes an attacker-crafted server reply. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run socat as a SOCKS5 client - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and warrant careful prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised a SOCKS5 proxy (or can tamper with proxy replies on the network path) waits for a victim's socat process to connect outbound through that proxy. The proxy returns a crafted SOCKS5 reply with malformed length/address fields, overflowing a heap buffer in socat's parser to corrupt memory and potentially achieve code execution in the socat process. … |
| Remediation | Upgrade socat to version 1.8.1.2 or later; on Alpine Linux install socat 1.8.1.2-r0 or newer (Vendor-released patch: 1.8.1.2 / Alpine 1.8.1.2-r0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all systems running socat prior to version 1.8.1.2 (Alpine: 1.8.1.2-r0); disable SOCKS5 functionality where operationally feasible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b8 allow remote attackers to cause a denial of serv
Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0
The OpenSSL address implementation in Socat 1.7.3.0 and 2.0.0-b8 does not use a prime number for the DH, which makes it
socat 1.2.0.0 before 1.7.2.2 and 2.0.0-b1 before 2.0.0-b6, when used for a listen type address and the fork option is en
Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39455
GHSA-6r8c-w5mj-43hv