Skip to main content

bettercap CVE-2026-8276

| EUVDEUVD-2026-29036 LOW
Numeric Errors (CWE-189)
2026-05-11 cna@vuldb.com GHSA-jcqv-2g3v-gm88
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 11, 2026 - 06:30 vuln.today
Analysis Generated
May 11, 2026 - 06:30 vuln.today
CVE Published
May 11, 2026 - 06:16 nvd
LOW 2.9

DescriptionCVE.org

A flaw has been found in bettercap up to 2.41.5. Affected by this issue is some unknown functionality of the file modules/mysql_server/mysql_server.go of the component MySQL Server. Executing a manipulation can lead to integer coercion error. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation is known to be difficult. The exploit has been published and may be used. This patch is called 0eaa375c5e5446bfba94a290eff92967a5deac9e. It is advisable to implement a patch to correct this issue.

AnalysisAI

Integer coercion error in bettercap's MySQL Server module allows remote attackers to trigger information disclosure through malformed MySQL handshake packets. Versions up to 2.41.5 are affected. The vulnerability requires high attack complexity and has no impact on confidentiality, integrity, or service availability per CVSS 4.0 scoring (VA:L indicates only availability of a non-critical resource), but the described integer manipulation coupled with CWE-189 (numeric errors) suggests potential for partial data exposure or undefined behavior in packet parsing.

Technical ContextAI

Bettercap is a network attack and monitoring framework written in Go. The vulnerable component is the embedded MySQL Server module (modules/mysql_server/mysql_server.go), which implements a fake MySQL server for man-in-the-middle attacks and credential capture. The vulnerability resides in the MySQL handshake packet processing logic, specifically in the parsing of client authentication packets. The root cause is CWE-189 (Numeric Errors), manifesting as improper integer coercion when processing the MySQL protocol's capability flags field. The original code performed a 8-bit format operation on a value that should be 16-bit (uint16/uint32), causing integer truncation or overflow when the capability flags exceed 8-bit range. This occurs at the network protocol level before authentication, making it remotely exploitable without credentials.

RemediationAI

Upgrade bettercap to a version incorporating commit 0eaa375c5e5446bfba94a290eff92967a5deac9e or later. Check the official bettercap releases (https://github.com/bettercap/bettercap/releases) for the first version after this commit. If immediate upgrade is not possible and bettercap is deployed in production, disable the MySQL Server module entirely (remove or comment out the module configuration) if not actively needed for credential capture operations. The fix itself is minimal and low-risk: it adds a buffer length validation (ensuring the client handshake packet is at least 37 bytes) before parsing capability flags, and corrects the capability flags format string from 8-bit to 16-bit representation, eliminating the integer truncation. Side effect of disabling the module: loss of MySQL credential interception capability until patched.

Share

CVE-2026-8276 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy