Cyber Resilience

CVE-2026-25061

Severity: Medium · Public PoC

Published: 29 January 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: none available
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0008 (24.7th percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25061 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Digitalcorpora Tcpflow. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 24.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25061 is a vulnerability in tcpflow, a TCP/IP packet demultiplexer, affecting versions up to and including 1.61. The issue resides in the wifipcap component, which parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length triggers a 1-byte out-of-bounds write past tim.bitmap[251]. The affected structure is stack-allocated in handle_beacon() and related handlers. It has a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-787 (Out-of-bounds Write).

An attacker can exploit this remotely over the network with low attack complexity, no privileges, and no user interaction. When a system running vulnerable tcpflow processes a WiFi pcap capture containing a specially crafted 802.11 management frame, such as a beacon, the out-of-bounds write disrupts program execution. The primary impact is denial of service via crash; code execution is possible in principle but uncertain given the 1-byte overflow size.

As of publication on 2026-01-29T22:15:55.797, no patches are available. Advisories include the GitHub security notice at https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html, which security practitioners should monitor for mitigation guidance or fixes.


Vulnerability details

tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
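The decisive check for this bug class, as an added illustration that is not tcpflow's code: a parser for the 802.11 TIM element that bounds the declared element length against both the remaining frame bytes (read safety) and the fixed-size destination bitmap (write safety). Only the 251-byte bitmap size comes from the advisory; the struct layout, field names, the `parse_tim` and `probe` helpers and the constructed sample elements are assumptions made here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical TIM element layout (IEEE 802.11 element ID 5). The 251-byte
 * bitmap mirrors the tim.bitmap[251] the advisory names; the other field
 * names are our own, not tcpflow's. */
#define TIM_ELEMENT_ID   5
#define TIM_BITMAP_MAX   251
#define TIM_FIXED_FIELDS 3   /* DTIM count, DTIM period, bitmap control */

struct tim {
    uint8_t dtim_count;
    uint8_t dtim_period;
    uint8_t bitmap_control;
    uint8_t bitmap_len;
    uint8_t bitmap[TIM_BITMAP_MAX];   /* stack-allocated in the caller */
};

enum tim_status { TIM_OK = 0, TIM_TRUNCATED = -1, TIM_TOO_LONG = -2, TIM_BAD_ID = -3 };

/* Parse one element (ID, length, body) from a management frame body.
 * `avail` is the number of bytes still readable from `p` onward. */
enum tim_status parse_tim(const uint8_t *p, size_t avail, struct tim *out)
{
    if (avail < 2) return TIM_TRUNCATED;          /* need ID + length */
    if (p[0] != TIM_ELEMENT_ID) return TIM_BAD_ID;
    uint8_t len = p[1];

    /* Check 1: the declared length must fit in the frame. Guards reads. */
    if ((size_t)len + 2 > avail) return TIM_TRUNCATED;
    if (len < TIM_FIXED_FIELDS) return TIM_TRUNCATED;
    size_t bitmap_len = len - TIM_FIXED_FIELDS;

    /* Check 2: the bitmap must fit the destination buffer. Guards the write.
     * A parser that only performs check 1, or compares the length against a
     * field unrelated to the destination, lets a frame with a large declared
     * length write past the end of bitmap[] on the stack. That is the bug
     * class the advisory describes; this check is what closes it. */
    if (bitmap_len > TIM_BITMAP_MAX) return TIM_TOO_LONG;

    memset(out, 0, sizeof *out);
    out->dtim_count     = p[2];
    out->dtim_period    = p[3];
    out->bitmap_control = p[4];
    out->bitmap_len     = (uint8_t)bitmap_len;
    memcpy(out->bitmap, p + 5, bitmap_len);
    return TIM_OK;
}

/* Constructed scratch frame: ID, length, then a 255-byte body of filler. */
static uint8_t scratch[2 + 255];

/* Build a constructed TIM element with the given declared length and parse
 * it with `avail` bytes visible; returns the parser's verdict. */
enum tim_status probe(uint8_t declared_len, size_t avail)
{
    struct tim t;
    memset(scratch, 0xA5, sizeof scratch);
    scratch[0] = TIM_ELEMENT_ID;
    scratch[1] = declared_len;
    return parse_tim(scratch, avail, &t);
}

/* Same, but return how many bitmap bytes were accepted (-1 if rejected). */
int probe_bitmap_len(uint8_t declared_len)
{
    struct tim t;
    memset(scratch, 0xA5, sizeof scratch);
    scratch[0] = TIM_ELEMENT_ID;
    scratch[1] = declared_len;
    if (parse_tim(scratch, sizeof scratch, &t) != TIM_OK) return -1;
    return t.bitmap_len;
}

int main(void)
{
    printf("len 6              -> %d\n", probe(6, sizeof scratch));   /* 0: accepted */
    printf("len 254            -> %d\n", probe(254, sizeof scratch)); /* 0: exactly fills bitmap */
    printf("len 255            -> %d\n", probe(255, sizeof scratch)); /* -2: rejected, 252 > 251 */
    printf("len 6, 5 bytes left-> %d\n", probe(6, 5));                /* -1: truncated frame */
    return 0;
}
```

The point of the two separate checks is that frame-length validation alone does not protect a fixed-size destination: a maximal 255-byte element fits in the frame yet declares 252 bitmap bytes, one more than the buffer holds, which is exactly the 1-byte overrun the advisory reports.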

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote out-of-bounds write in network packet parser (802.11/WiFi capture) enables client-side exploitation for code execution (T1203) or application DoS via crafted frames (T1499.004); RCE is uncertain due to overflow size.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-27363: same product (Debian Linux)
CVE-2026-25506: same product (Debian Linux)
CVE-2025-62602: same product (Debian Linux)
CVE-2025-24201: same product (Debian Linux)
CVE-2025-15467: shared CWE-787
CVE-2026-3849: shared CWE-787
CVE-2025-62599: same product (Debian Linux)
CVE-2025-25475: same product (Debian Linux)
CVE-2026-23490: same product (Debian Linux)
CVE-2025-62600: same product (Debian Linux)

Affected Assets

digitalcorpora tcpflow ≤ 1.6.1
debian debian linux 11.0

Mitigating Controls (NIST 800-53 r5)

SI-2 (prevent): requires monitoring for vulnerabilities like CVE-2026-25061 and timely flaw remediation through patching or upgrades to tcpflow, directly eliminating the out-of-bounds write risk.

SI-10 (prevent): mandates validation of untrusted inputs such as crafted 802.11 TIM elements in WiFi pcap frames, preventing the incorrect length check from triggering the buffer overflow.

SI-16 (prevent): enforces memory protections like stack canaries and ASLR to mitigate exploitation of the stack-allocated buffer overflow in tcpflow's handle_beacon function.
