Skip to main content

Ettercap CVE-2026-9365

| EUVDEUVD-2026-31576 LOW
Heap-based Buffer Overflow (CWE-122)
2026-05-24 VulDB GHSA-fgvc-qw77-cmcj
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Severity Changed
May 26, 2026 - 19:37 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 19:37 NVD
5.6 (MEDIUM) 2.9 (LOW)
Source Code Evidence Fetched
May 24, 2026 - 08:45 vuln.today
Analysis Generated
May 24, 2026 - 08:45 vuln.today

DescriptionCVE.org

A vulnerability has been found in Ettercap up to 0.8.3. The affected element is the function FUNC_DECODER of the file src/dissectors/ec_gg.c of the component GG Dissector. The manipulation of the argument gg leads to heap-based buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 0.8.4 is sufficient to fix this issue. The identifier of the patch is feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. It is suggested to upgrade the affected component.

AnalysisAI

Heap-based buffer overflow in Ettercap's GG protocol dissector (versions up to 0.8.3) allows remote attackers to potentially achieve limited confidentiality, integrity, and availability compromise through crafted network traffic. The vulnerability exists in the ec_gg.c dissector when processing Gadu-Gadu instant messaging protocol packets. Publicly available exploit code exists (GitHub issue #1306), and vendor has released patch version 0.8.4 (commit feeae6fa). Despite network attack vector, exploitation difficulty is high (AC:H) with low EPSS risk, suggesting specialized targeting rather than mass exploitation.

Technical ContextAI

Ettercap is a comprehensive network interception and analysis suite for man-in-the-middle attacks on LANs. The vulnerability resides in the GG (Gadu-Gadu) protocol dissector component (src/dissectors/ec_gg.c), which parses instant messaging traffic. CWE-122 identifies this as a heap-based buffer overflow, occurring when FUNC_DECODER processes malformed GG protocol packets. The patch reveals multiple unsafe strncpy operations copying user-controlled description fields into fixed 71-byte buffers without proper bounds checking. The dissector processes GG_LOGIN50_CMD, GG_LOGIN60_CMD, GG_LOGIN70_CMD, and GG_STATUS commands, calculating copy lengths as (gg->len - offset) without validating that gg->len exceeds the offset, leading to integer underflow and excessive copy lengths. The fix introduces GG_MAX_LEN constant (70 bytes), proper offset validation, and MIN() macro to constrain copy operations.

RemediationAI

Upgrade to Ettercap version 0.8.4 or later, which includes the vendor-released patch (commit feeae6fa366e01a3dd9f1857ec6aae847b2ae00c) fixing the buffer overflow in the GG dissector. Patch details: https://github.com/Ettercap/ettercap/pull/1307 and https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Disable the GG dissector module if Gadu-Gadu protocol analysis is not operationally required - reduces attack surface but eliminates visibility into GG traffic; (2) Run Ettercap only on isolated analysis networks separate from untrusted traffic sources - limits exposure but constrains operational flexibility; (3) Apply strict input validation at network boundaries to filter malformed GG protocol packets before they reach Ettercap - requires deep packet inspection capabilities and may introduce performance overhead or false positives blocking legitimate traffic. Organizations using Ettercap for production security monitoring should prioritize immediate upgrade to 0.8.4.

CVE-2014-6395 HIGH POC
7.5 Dec 19

Heap-based buffer overflow in the dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 0.8.1 a

CVE-2017-8366 CRITICAL POC
9.8 Apr 30

The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote attackers to cause a denial of service (heap-base

CVE-2017-6430 MEDIUM POC
5.5 Mar 15

The compile_tree function in ef_compiler.c in the Etterfilter utility in Ettercap 0.8.2 and earlier allows remote attack

CVE-2013-0722 MEDIUM POC
4.4 Jan 11

Stack-based buffer overflow in the scan_load_hosts function in ec_scan.c in Ettercap 0.7.5.1 and earlier might allow loc

CVE-2014-9376 HIGH
7.5 Dec 19

Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds write) and possi

CVE-2014-6396 HIGH
7.5 Dec 19

The dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 0.8.1 allows remote attackers to caus

CVE-2014-9379 HIGH
7.5 Dec 19

The radius_get_attribute function in dissectors/ec_radius.c in Ettercap 0.8.1 performs an incorrect cast, which allows r

CVE-2014-9377 HIGH
7.5 Dec 19

Heap-based buffer overflow in the nbns_spoof function in plug-ins/nbns_spoof/nbns_spoof.c in Ettercap 0.8.1 allows remot

CVE-2014-9378 HIGH
7.5 Dec 19

Ettercap 0.8.1 does not validate certain return values, which allows remote attackers to cause a denial of service (cras

CVE-2014-9381 MEDIUM
5.0 Dec 19

Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers

CVE-2014-9380 MEDIUM
5.0 Dec 19

The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers to cause a denial of service

CVE-2026-3606 LOW
1.9 Mar 05

A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segme

Share

CVE-2026-9365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy