CVE-2026-25061
Published: 29 January 2026
Summary
CVE-2026-25061 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Digitalcorpora Tcpflow. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 24.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25061 is a vulnerability in tcpflow, a TCP/IP packet demultiplexer, affecting versions up to and including 1.61. The issue resides in the wifipcap component, which parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length triggers a 1-byte out-of-bounds write past tim.bitmap[251]. The affected structure is stack-allocated in handle_beacon() and related handlers. It has a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-787 (Out-of-bounds Write).
An attacker can exploit this remotely over the network with low attack complexity, no privileges, and no user interaction. By sending a specially crafted 802.11 management frame, such as a beacon, to a system running vulnerable tcpflow while it processes WiFi pcap captures, the out-of-bounds write disrupts program execution. The primary impact is denial of service via crash; code execution, while potentially feasible, is uncertain because of the small overflow size.
As of publication on 2026-01-29T22:15:55.797, no patches are available. Advisories include the GitHub security notice at https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html, which security practitioners should monitor for mitigation guidance or fixes.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4944
Vulnerability details
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is possible but unconfirmed. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
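As an added illustration of the bug class described above and in the deeper analysis, here is a TIM element parser that places the bound on the derived bitmap length before copying. This is not tcpflow's or wifipcap's code; the structure layout, constant and function names are assumptions modelled on the advisory's description (three fixed body bytes, then a 251-byte bitmap), and the sample elements are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical TIM structure modelled on the advisory: three fixed body
 * bytes followed by a fixed-size 251-byte partial virtual bitmap. */
#define TIM_ELEMENT_ID 5   /* 802.11 element ID for TIM */
#define TIM_FIXED_LEN  3   /* DTIM count, DTIM period, bitmap control */
#define TIM_BITMAP_MAX 251 /* largest partial virtual bitmap 802.11 allows */

struct tim_t {
    uint8_t count, period, bitmap_control;
    uint8_t bitmap[TIM_BITMAP_MAX];
    size_t  bitmap_len;
};

/* Parse one TIM element (id, length, body) at p. Returns bytes consumed, or 0
 * if the element is malformed. The check that matters is on the derived
 * bitmap length against the bitmap buffer; bounding a different field (the
 * raw element length, the frame size) is how a 1-byte overrun slips past. */
size_t parse_tim(const uint8_t *p, size_t avail, struct tim_t *tim)
{
    if (avail < 2 || p[0] != TIM_ELEMENT_ID) return 0;
    size_t len = p[1];
    if (len + 2 > avail) return 0;      /* element runs past the frame */
    if (len < TIM_FIXED_LEN) return 0;  /* no room for the fixed bytes */
    size_t bitmap_len = len - TIM_FIXED_LEN;
    /* len is 8-bit, so the worst case asks for 252 bitmap bytes: one more
     * than a 251-byte buffer holds. Reject before touching the buffer. */
    if (bitmap_len > TIM_BITMAP_MAX) return 0;
    tim->count = p[2];
    tim->period = p[3];
    tim->bitmap_control = p[4];
    memcpy(tim->bitmap, p + 5, bitmap_len);
    tim->bitmap_len = bitmap_len;
    return len + 2;
}

/* Constructed inputs (not from a real capture) exercising both paths. */
size_t demo_valid_tim(void)
{
    static const uint8_t el[] = { 5, 6, 0x00, 0x01, 0x00, 0xAA, 0xBB, 0xCC };
    struct tim_t tim;
    return parse_tim(el, sizeof el, &tim);  /* 8 bytes consumed */
}
size_t demo_oversized_tim(void)
{
    uint8_t el[2 + 255] = { 5, 255 };       /* length 255 -> 252 bitmap bytes */
    struct tim_t tim;
    return parse_tim(el, sizeof el, &tim);  /* 0: rejected, nothing written */
}
```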
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote out-of-bounds write in network packet parser (802.11/WiFi capture) enables client-side exploitation for code execution (T1203) or application DoS via crafted frames (T1499.004); RCE is uncertain due to overflow size.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires monitoring for vulnerabilities like CVE-2026-25061 and timely flaw remediation through patching or upgrades to tcpflow, directly eliminating the out-of-bounds write risk.
SI-10 mandates validation of untrusted inputs such as crafted 802.11 TIM elements in WiFi pcap frames, preventing the incorrect length check from triggering the buffer overflow.
SI-16 enforces memory protections like stack canaries and ASLR to mitigate exploitation of the stack-allocated buffer overflow in tcpflow's handle_beacon function.