CVE-2026-2653
Published: 18 February 2026
Summary
CVE-2026-2653 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Admesh Project Admesh. Its CVSS base score is 4.8 (Medium).
Operationally, it ranks at the 0.4th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-2653 is a heap-based buffer overflow vulnerability in the admesh library, affecting versions up to and including 0.98.5. The flaw resides in the stl_check_normal_vector function within the src/normals.c file. Triggered by specific input manipulation, it allows an attacker to overflow a heap buffer. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow).
A local attacker with low privileges can exploit this vulnerability by providing malicious input to admesh, leading to the heap buffer overflow. Successful exploitation could result in limited impacts, including partial disclosure of sensitive information, minor modification of data, or denial of service through application crashes. The attack requires low complexity and no user interaction. Publicly available exploits have been released, increasing the risk for systems running vulnerable versions.
Advisories and references, including GitHub issue #65 and related comments in the admesh repository, document the issue but indicate the project is no longer actively maintained, with no patches or fixes released. The VulDB entry (ctiid.346450) confirms the local attack vector and public exploit availability. Users should consider upgrading to alternative tools or isolating admesh usage, as no official mitigations are provided.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7649
Vulnerability details
A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. It looks like this product is not really maintained anymore.
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of untrusted input to stl_check_normal_vector before heap operations, blocking the buffer overflow at its source.
- SI-16 (Memory Protection): Applies memory-protection mechanisms (e.g., bounds checking, ASLR, guard pages) that mitigate exploitation of the heap-based overflow in normals.c.
- Requires replacement or isolation of the unmaintained admesh component (≤0.98.5) for which no security patches exist.
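Because the only practical control for an unmaintained component is to find and replace or isolate every affected copy, the first step is an inventory check against the affected range (all versions up to and including 0.98.5). The script below is an added example, not code from this advisory or from the admesh project: it compares dotted version strings component by component and reports hosts whose admesh package falls in range. The inventory lines are constructed sample data; how each host reports its package versions is an assumption left to your own inventory tooling.

```shell
#!/bin/sh
# Added example: flag admesh installations affected by CVE-2026-2653
# (every version <= 0.98.5, per the advisory). Pure POSIX sh, no sort -V.

# Compare two dotted version strings numerically, component by component.
# Prints -1, 0 or 1. Non-numeric suffixes on a component (e.g. "5-1") are
# ignored, so a distro revision of 0.98.5 still compares equal to 0.98.5.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        # Drop the consumed component; empty once a side is exhausted.
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        # Keep only the leading digits; a missing component counts as 0.
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given admesh version is within the affected range.
admesh_is_affected() {
    [ "$(vercmp "$1" 0.98.5)" -le 0 ]
}

# Constructed sample inventory: "<host> <package> <version>" per line.
# Real data would come from your package manager or CMDB export (assumption).
INVENTORY='build01 admesh 0.98.5
build02 admesh 0.98.3
cad03 admesh 0.99.0
web01 nginx 1.24.0'

# Print one host per line whose admesh package is in the affected range.
affected_hosts() {
    printf '%s\n' "$INVENTORY" | while read -r host pkg ver; do
        [ "$pkg" = admesh ] || continue
        if admesh_is_affected "$ver"; then printf '%s\n' "$host"; fi
    done
}

affected_hosts
```

Hosts listed by `affected_hosts` are the ones to isolate or migrate off admesh; the version comparison is generic, so the same helper can be reused for other "up to and including" ranges by changing the bound passed to `vercmp`.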