Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability has been found in Ettercap up to 0.8.3. The affected element is the function FUNC_DECODER of the file src/dissectors/ec_gg.c of the component GG Dissector. The manipulation of the argument gg leads to heap-based buffer overflow. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 0.8.4 is sufficient to fix this issue. The identifier of the patch is feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. It is suggested to upgrade the affected component.
AnalysisAI
Heap-based buffer overflow in Ettercap's GG protocol dissector (versions up to 0.8.3) allows remote attackers to potentially achieve limited confidentiality, integrity, and availability compromise through crafted network traffic. The vulnerability exists in the ec_gg.c dissector when processing Gadu-Gadu instant messaging protocol packets. Publicly available exploit code exists (GitHub issue #1306), and vendor has released patch version 0.8.4 (commit feeae6fa). Despite network attack vector, exploitation difficulty is high (AC:H) with low EPSS risk, suggesting specialized targeting rather than mass exploitation.
Technical ContextAI
Ettercap is a comprehensive network interception and analysis suite for man-in-the-middle attacks on LANs. The vulnerability resides in the GG (Gadu-Gadu) protocol dissector component (src/dissectors/ec_gg.c), which parses instant messaging traffic. CWE-122 identifies this as a heap-based buffer overflow, occurring when FUNC_DECODER processes malformed GG protocol packets. The patch reveals multiple unsafe strncpy operations copying user-controlled description fields into fixed 71-byte buffers without proper bounds checking. The dissector processes GG_LOGIN50_CMD, GG_LOGIN60_CMD, GG_LOGIN70_CMD, and GG_STATUS commands, calculating copy lengths as (gg->len - offset) without validating that gg->len exceeds the offset, leading to integer underflow and excessive copy lengths. The fix introduces GG_MAX_LEN constant (70 bytes), proper offset validation, and MIN() macro to constrain copy operations.
RemediationAI
Upgrade to Ettercap version 0.8.4 or later, which includes the vendor-released patch (commit feeae6fa366e01a3dd9f1857ec6aae847b2ae00c) fixing the buffer overflow in the GG dissector. Patch details: https://github.com/Ettercap/ettercap/pull/1307 and https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. If immediate patching is not feasible, implement the following compensating controls with noted trade-offs: (1) Disable the GG dissector module if Gadu-Gadu protocol analysis is not operationally required - reduces attack surface but eliminates visibility into GG traffic; (2) Run Ettercap only on isolated analysis networks separate from untrusted traffic sources - limits exposure but constrains operational flexibility; (3) Apply strict input validation at network boundaries to filter malformed GG protocol packets before they reach Ettercap - requires deep packet inspection capabilities and may introduce performance overhead or false positives blocking legitimate traffic. Organizations using Ettercap for production security monitoring should prioritize immediate upgrade to 0.8.4.
Heap-based buffer overflow in the dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 0.8.1 a
The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote attackers to cause a denial of service (heap-base
The compile_tree function in ef_compiler.c in the Etterfilter utility in Ettercap 0.8.2 and earlier allows remote attack
Stack-based buffer overflow in the scan_load_hosts function in ec_scan.c in Ettercap 0.7.5.1 and earlier might allow loc
Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds write) and possi
The dissector_postgresql function in dissectors/ec_postgresql.c in Ettercap before 0.8.1 allows remote attackers to caus
The radius_get_attribute function in dissectors/ec_radius.c in Ettercap 0.8.1 performs an incorrect cast, which allows r
Heap-based buffer overflow in the nbns_spoof function in plug-ins/nbns_spoof/nbns_spoof.c in Ettercap 0.8.1 allows remot
Ettercap 0.8.1 does not validate certain return values, which allows remote attackers to cause a denial of service (cras
Integer signedness error in the dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers
The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers to cause a denial of service
A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the function add_data_segme
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31576
GHSA-fgvc-qw77-cmcj