Skip to main content

JS8Call EUVDEUVD-2026-26482

| CVE-2026-42996 CRITICAL
Stack-based Buffer Overflow (CWE-121)
2026-05-01 mitre
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
P

Lifecycle Timeline

7
Patch released
May 01, 2026 - 23:16 nvd
Patch available
Analysis Generated
May 01, 2026 - 09:15 vuln.today
Patch available
May 01, 2026 - 08:01 EUVD
CVSS changed
May 01, 2026 - 07:22 NVD
10.0 (CRITICAL)
EUVD ID Assigned
May 01, 2026 - 07:00 euvd
EUVD-2026-26482
Analysis Generated
May 01, 2026 - 07:00 vuln.today
CVE Published
May 01, 2026 - 06:42 nvd
CRITICAL 10.0

DescriptionCVE.org

JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in

grid2deg in APRSISClient.cpp.

AnalysisAI

Stack-based buffer overflow in JS8Call allows remote code execution via crafted radio transmission containing an oversized Maidenhead grid locator. CVSS 10.0 reflects network-reachable attack with no authentication required. Both JS8Call (through 2.3.1) and JS8Call-improved (before 3.0) are affected by the overflow in grid2deg function within APRSISClient.cpp. Vendor patch available for JS8Call-improved 3.0+; JS8Call project status unclear. No confirmed active exploitation or public POC identified at time of analysis, though attack vector is straightforward for actors with radio transmission capabilities.

Technical ContextAI

JS8Call is amateur radio software for weak-signal digital communication using SSB transceivers. The vulnerability exists in APRSISClient.cpp's grid2deg function, which parses APRS (Automatic Packet Reporting System) integration messages received via radio. When processing an '@APRSIS GRID' command followed by a Maidenhead locator (geographic coordinate system used in amateur radio), the function performs insufficient bounds checking before copying data into a stack-allocated buffer. CWE-121 (Stack-based Buffer Overflow) indicates the vulnerability class. The CPE strings identify two affected codebases: the original js8call project and the community-maintained js8call-improved fork. CVSS 4.0 vector shows Safety (S:P) impact, indicating potential physical consequences from compromised radio equipment.

RemediationAI

For JS8Call-improved users: upgrade to version 3.0 or later, which contains the vendor-released patch addressing the stack overflow in grid2deg function. Vendor security advisory available at https://github.com/JS8Call-improved/JS8Call-improved/security/advisories/GHSA-98hp-pjp7-w62x. For original JS8Call users (through 2.3.1): patch status from upstream js8call project not confirmed in available data-check project repository at https://github.com/js8call/js8call for updates or consider migrating to JS8Call-improved 3.0+. Workaround options: disable APRS integration features if not operationally required, reducing attack surface by eliminating the vulnerable code path (may impact position reporting and gateway functionality). Restrict radio access by operating on non-standard frequencies or using directional antennas to limit transmission footprint (trade-off: reduces legitimate communication range). Apply OS-level exploit mitigations such as Address Space Layout Randomization (ASLR) and stack canaries if not already enabled (provides defense-in-depth but may not fully prevent exploitation of stack overflows).

Share

EUVD-2026-26482 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy