CVE-2026-25061
Published: 29 January 2026
Summary
CVE-2026-25061 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Digitalcorpora Tcpflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 17.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are blunted by standard memory protections: a non-executable stack stops injected bytes from running, and stack canaries turn an overflow that reaches the saved return address into an abort rather than a hijacked return. For this bug the write is a single byte past a stack-allocated structure, so what it can reach depends on the adjacent stack layout; a crash is the expected outcome.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A remote out-of-bounds write in the 802.11 management-frame parser (wifipcap) enables client-side exploitation for code execution (T1203) or application DoS via crafted frames (T1499.004); RCE is uncertain because the overflow is only one byte.
NVD Description
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Deeper analysis (AI)
CVE-2026-25061 is a vulnerability in tcpflow, a TCP/IP packet demultiplexer, affecting versions up to and including 1.61. The issue resides in the wifipcap component, which parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length triggers a 1-byte out-of-bounds write past tim.bitmap[251]. The affected structure is stack-allocated in handle_beacon() and related handlers. It has a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-787 (Out-of-bounds Write).
An attacker can exploit this remotely over the network with low attack complexity, no privileges, and no user interaction. Delivering a specially crafted 802.11 management frame, such as a beacon, into a WiFi capture that a vulnerable tcpflow then processes (live or from a pcap file) triggers the one-byte write past the end of the stack-allocated TIM structure. The primary impact is denial of service via crash; code execution is conceivable but unconfirmed given the single-byte overflow.
As of publication on 2026-01-29T22:15:55.797, no patches are available. The advisories to monitor for mitigation guidance or fixes are the GitHub security advisory at https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 and the Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html.
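As an added illustration of the bug class the advisory describes (this is not tcpflow's code and not the referenced proof-of-concept), the C program below puts a TIM element parser whose only length check is against the wrong bound (the remaining frame length) beside one that also bounds the partial virtual bitmap against the array it is copied into. The struct layout, function names and frame bytes are constructed assumptions; the bitmap is sized 251 to match the `tim.bitmap[251]` named in the advisory. The structure is stored in a flat byte array with one guard byte after it so the one-byte overflow is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_TIM          5      /* 802.11 element ID of the TIM element */
#define TIM_BITMAP_MAX  251    /* taken from the advisory's tim.bitmap[251] */
#define GUARD_BYTE      0xA5

/* Hypothetical layout built from the fields the advisory names; not tcpflow's definition. */
struct tim_t {
    uint8_t count;
    uint8_t period;
    uint8_t bitmap_control;
    uint8_t bitmap[TIM_BITMAP_MAX];
};

/* The struct lives inside a flat byte array with one extra guard byte after it,
 * so a one-byte overflow lands on raw[sizeof(struct tim_t)] instead of being UB. */
struct tim_arena {
    uint8_t raw[sizeof(struct tim_t) + 1];
};

typedef int (*parser_fn)(const uint8_t *, size_t, struct tim_arena *);

static void arena_init(struct tim_arena *a)
{
    memset(a->raw, 0, sizeof a->raw);
    a->raw[sizeof(struct tim_t)] = GUARD_BYTE;
}

static int guard_intact(const struct tim_arena *a)
{
    return a->raw[sizeof(struct tim_t)] == GUARD_BYTE;
}

/* The three fixed TIM fields; identical in both variants. */
static void copy_fixed(struct tim_arena *a, const uint8_t *body)
{
    a->raw[offsetof(struct tim_t, count)]          = body[0];
    a->raw[offsetof(struct tim_t, period)]         = body[1];
    a->raw[offsetof(struct tim_t, bitmap_control)] = body[2];
}

/* Vulnerable pattern: the only check is that the element fits in the remaining
 * frame. That is the wrong field to check, because the copy target is the
 * fixed-size bitmap. An IE length of 255 yields a 252-byte bitmap: one byte more
 * than the array holds, exactly the 1-byte write the advisory reports. */
int parse_tim_vulnerable(const uint8_t *ie, size_t remaining, struct tim_arena *out)
{
    if (remaining < 2 || ie[0] != IE_TIM) return -1;
    uint8_t len = ie[1];
    if (len < 3 || (size_t)len + 2 > remaining) return -1;   /* frame bound only */
    copy_fixed(out, ie + 2);
    memcpy(out->raw + offsetof(struct tim_t, bitmap), ie + 5, (size_t)len - 3);
    return len + 2;
}

/* Hardened: also reject any partial virtual bitmap longer than the array. */
int parse_tim_hardened(const uint8_t *ie, size_t remaining, struct tim_arena *out)
{
    if (remaining < 2 || ie[0] != IE_TIM) return -1;
    uint8_t len = ie[1];
    if (len < 3 || (size_t)len + 2 > remaining) return -1;
    size_t bitmap_len = (size_t)len - 3;
    if (bitmap_len > TIM_BITMAP_MAX) return -1;              /* the missing check */
    copy_fixed(out, ie + 2);
    memcpy(out->raw + offsetof(struct tim_t, bitmap), ie + 5, bitmap_len);
    return len + 2;
}

/* Constructed test input: one TIM element (id, len, len body bytes); needs len+2 bytes. */
size_t build_tim_ie(uint8_t *buf, uint8_t len, uint8_t fill)
{
    buf[0] = IE_TIM;
    buf[1] = len;
    memset(buf + 2, fill, len);
    return (size_t)len + 2;
}

static int run_parser(parser_fn parser, uint8_t len, struct tim_arena *a)
{
    uint8_t frame[2 + 255];           /* an IE length field is one byte, so 255 is the max */
    size_t n = build_tim_ie(frame, len, 0x41);
    arena_init(a);
    return parser(frame, n, a);
}

/* Return value of the parser for a crafted TIM of the given length. */
int parse_result(parser_fn parser, uint8_t len)
{
    struct tim_arena a;
    return run_parser(parser, len, &a);
}

/* 1 if the guard byte survived the parse, 0 if it was overwritten. */
int guard_after(parser_fn parser, uint8_t len)
{
    struct tim_arena a;
    run_parser(parser, len, &a);
    return guard_intact(&a);
}

int main(void)
{
    printf("len=255 vulnerable: guard %s\n", guard_after(parse_tim_vulnerable, 255) ? "intact" : "clobbered");
    printf("len=255 hardened:   rc=%d\n", parse_result(parse_tim_hardened, 255));
    printf("len=254 vulnerable: guard %s\n", guard_after(parse_tim_vulnerable, 254) ? "intact" : "clobbered");
    return 0;
}
```

Build with `cc -Wall -o tim tim.c && ./tim`. Because the element length is a single byte, the largest TIM body is 255 bytes and the largest partial virtual bitmap 252, which is why the worst case against a 251-byte array is exactly one byte; an element of length 254 fills the array precisely and does not reach the guard. Real parsers should also treat the TIM's own Bitmap Control and length fields as untrusted when deriving the bitmap length, as the hardened variant does by checking `bitmap_len` against the array size rather than against the frame.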
Details
- CWE(s)