Cyber Resilience

CVE-2026-2653

Severity: Medium · Public PoC

Published: 18 February 2026
Modified: 20 February 2026
KEV Added: not listed
Patch: none released
CVSS v4.0 base score: 4.8 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0001 (0.4th percentile)
Risk Priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-2653 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in admesh (admesh project). Its CVSS v4.0 base score is 4.8 (Medium).

Operationally, its EPSS score of 0.0001 places it at the 0.4th percentile of exploit likelihood, far below the median; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-2653 is a heap-based buffer overflow in the admesh library, affecting versions up to and including 0.98.5. The flaw resides in the stl_check_normal_vector function in src/normals.c. admesh's input is STL mesh data, so the trigger is a crafted file handed to the tool; the public description states only that "a manipulation" leads to the overflow and does not identify the record or field involved. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L); the 4.8 shown in the header is the CVSS v4.0 rating of the same issue. It is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).

A local attacker with low privileges can exploit this vulnerability by providing malicious input to admesh, leading to the heap buffer overflow. Successful exploitation could result in limited impacts: partial disclosure of sensitive information, minor modification of data, or denial of service through application crashes. The attack requires low complexity and no user interaction. A public proof-of-concept has been released, increasing the risk for systems running vulnerable versions. Note that the "local" attack vector reflects how admesh is invoked (on a file the attacker can supply); a service that runs admesh over uploaded STL files exposes this code path to remote input, and should be assessed accordingly.

Advisories and references, including GitHub issue #65 and related comments in the admesh repository, document the issue but indicate the project is no longer actively maintained, with no patches or fixes released. The VulDB entry (ctiid.346450) confirms the local attack vector and public exploit availability. Users should consider migrating to alternative tools or isolating admesh usage, as no official mitigations are provided.
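The pattern behind a CWE-122 of this shape, and the SI-10 control that blocks it, can be shown without reproducing admesh's code (which the advisory does not quote). The following C program is an added example, not admesh's own code: a binary-STL loader that derives every allocation and copy size from the bytes actually read and requires the header's facet count to agree with them, plus a normal check that refuses an out-of-range facet index instead of indexing past the allocation. The file layout (80-byte header, little-endian u32 facet count, 50-byte records) is the real binary STL format; the function names, structures, status codes and sample files are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define STL_HEADER 80
#define STL_RECORD 50   /* 12 x float32 (normal + 3 vertices) + 2-byte attribute count */

typedef struct { float n[3]; float v[3][3]; } facet_t;
typedef struct { facet_t *f; uint32_t count; } mesh_t;

enum { MESH_OK = 0, MESH_TRUNCATED, MESH_COUNT_MISMATCH, MESH_TOO_LARGE, MESH_OOM };

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static float rd_f32le(const uint8_t *p) {
    uint32_t u = rd_u32le(p); float f; memcpy(&f, &u, sizeof f); return f;
}
static void wr_u32le(uint8_t *p, uint32_t u) {
    p[0] = (uint8_t)u; p[1] = (uint8_t)(u >> 8); p[2] = (uint8_t)(u >> 16); p[3] = (uint8_t)(u >> 24);
}
static void wr_f32le(uint8_t *p, float f) {
    uint32_t u; memcpy(&u, &f, sizeof u); wr_u32le(p, u);
}

/* SI-10 at the trust boundary (hypothetical loader): the heap buffer is sized and
 * filled only after the header count has been checked against the bytes present.
 * The vulnerable pattern this replaces sizes the buffer from one of those numbers
 * and copies according to the other, which is how a crafted file overruns the heap. */
int mesh_load(const uint8_t *buf, size_t len, mesh_t *out) {
    out->f = NULL; out->count = 0;
    if (len < STL_HEADER + 4) return MESH_TRUNCATED;
    uint32_t declared = rd_u32le(buf + STL_HEADER);
    size_t body = len - (STL_HEADER + 4);
    if (body % STL_RECORD != 0 || body / STL_RECORD != declared) return MESH_COUNT_MISMATCH;
    if (declared > SIZE_MAX / sizeof(facet_t)) return MESH_TOO_LARGE; /* size arithmetic would wrap */
    facet_t *f = calloc(declared ? declared : 1, sizeof *f);
    if (!f) return MESH_OOM;
    const uint8_t *p = buf + STL_HEADER + 4;
    for (uint32_t i = 0; i < declared; i++, p += STL_RECORD) {
        for (int k = 0; k < 3; k++) f[i].n[k] = rd_f32le(p + 4 * k);
        for (int v = 0; v < 3; v++)
            for (int k = 0; k < 3; k++) f[i].v[v][k] = rd_f32le(p + 12 + 12 * v + 4 * k);
    }
    out->f = f; out->count = declared;
    return MESH_OK;
}

/* Bounds-checked normal check (hypothetical, not admesh's stl_check_normal_vector):
 * -1 for an index outside the allocation, 1 if the stored normal points the same way
 * as the winding-order normal (v1-v0) x (v2-v0), 0 if it is reversed or degenerate. */
int mesh_check_normal(const mesh_t *m, size_t idx) {
    if (idx >= m->count) return -1;
    const facet_t *f = &m->f[idx];
    float a[3], b[3], c[3], dot = 0.0f;
    for (int k = 0; k < 3; k++) { a[k] = f->v[1][k] - f->v[0][k]; b[k] = f->v[2][k] - f->v[0][k]; }
    c[0] = a[1] * b[2] - a[2] * b[1];
    c[1] = a[2] * b[0] - a[0] * b[2];
    c[2] = a[0] * b[1] - a[1] * b[0];
    for (int k = 0; k < 3; k++) dot += f->n[k] * c[k];
    return dot > 0.0f ? 1 : 0;
}

/* Constructed sample file: the header claims `declared` facets while the body holds
 * `present` copies of one right-handed triangle whose true normal is (0,0,1). */
size_t build_sample(uint8_t *buf, uint32_t declared, uint32_t present, int flip_normal) {
    static const float tri[3][3] = {{0, 0, 0}, {1, 0, 0}, {0, 1, 0}};
    memset(buf, 0, STL_HEADER);
    wr_u32le(buf + STL_HEADER, declared);
    uint8_t *p = buf + STL_HEADER + 4;
    for (uint32_t i = 0; i < present; i++, p += STL_RECORD) {
        wr_f32le(p, 0.0f); wr_f32le(p + 4, 0.0f); wr_f32le(p + 8, flip_normal ? -1.0f : 1.0f);
        for (int v = 0; v < 3; v++)
            for (int k = 0; k < 3; k++) wr_f32le(p + 12 + 12 * v + 4 * k, tri[v][k]);
        p[48] = p[49] = 0;
    }
    return (size_t)(p - buf);
}

/* Driver: load a constructed file (at most 4 records) and probe one facet index.
 * Returns the load status on rejection, or 100 + the normal-check result on success. */
int demo(uint32_t declared, uint32_t present, int flip_normal, size_t probe_idx) {
    uint8_t buf[STL_HEADER + 4 + 4 * STL_RECORD];
    size_t len = build_sample(buf, declared, present, flip_normal);
    mesh_t m;
    int rc = mesh_load(buf, len, &m);
    if (rc != MESH_OK) return rc;
    int r = mesh_check_normal(&m, probe_idx);
    free(m.f);
    return 100 + r;
}

/* A file cut off inside the count field is rejected before anything is allocated. */
int demo_truncated(void) {
    uint8_t z[STL_HEADER + 3] = {0};
    mesh_t m;
    return mesh_load(z, sizeof z, &m);
}
```

A file whose header claims one facet but carries three is rejected with MESH_COUNT_MISMATCH before any heap allocation; the same check catches the opposite case (four claimed, two present), which would otherwise leave the loader reading past the input. The index guard in mesh_check_normal is the second half of the control: even a correctly loaded mesh must not let a caller-supplied facet number walk off the end of the allocation.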

Vulnerability details

A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore.

CWE(s)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-122 Heap-based Buffer Overflow

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1788 (shared CWE-119, CWE-122)
CVE-2024-45421 (shared CWE-119, CWE-122)
CVE-2026-1145 (shared CWE-119, CWE-122)
CVE-2025-15533 (shared CWE-119, CWE-122)
CVE-2026-3281 (shared CWE-119, CWE-122)
CVE-2026-3463 (shared CWE-119, CWE-122)
CVE-2025-2757 (shared CWE-119, CWE-122)
CVE-2025-8178 (shared CWE-119, CWE-122)
CVE-2026-5244 (shared CWE-119, CWE-122)
CVE-2025-2337 (shared CWE-119, CWE-122)

Affected Assets

admesh project / admesh: versions ≤ 0.98.5

Mitigating Controls (NIST 800-53 r5, AI-suggested)

SI-10 Information Input Validation (prevent): Directly enforces validation of untrusted input to stl_check_normal_vector before heap operations, blocking the buffer overflow at its source.

SI-16 Memory Protection (prevent): Applies memory-protection mechanisms (e.g., bounds checking, ASLR, guard pages) that mitigate exploitation of the heap-based overflow in normals.c.

Unsupported component handling (prevent): Requires replacement or isolation of the unmaintained admesh component (≤0.98.5), for which no security patches exist.
