Cyber Resilience

CVE-2026-33849

High

Published: 24 March 2026

Published
24 March 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0024 15.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33849 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Linkingvision Rapidvms. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33849 is an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability, classified under CWE-119, affecting the linkingvision rapidvms software. This buffer overflow issue impacts versions of rapidvms prior to the changes introduced in pull request #96.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity, no privileges required, but necessitating user interaction. An unauthenticated attacker could leverage this flaw to achieve high-impact confidentiality, integrity, and availability violations, potentially leading to remote code execution or system compromise upon successful exploitation.

Mitigation is addressed in the project's GitHub pull request #96 at https://github.com/linkingvision/rapidvms/pull/96, which resolves the issue for affected versions of rapidvms. Security practitioners should ensure deployment of the patched version from this PR to remediate the vulnerability.

EU & UK References

Vulnerability details

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms.This issue affects rapidvms: before PR#96.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Buffer overflow (CWE-119) with AV:N/UI:R enables client-side exploitation for arbitrary code execution (RCE) in rapidvms.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33848Same product: Linkingvision Rapidvms
CVE-2026-33847Same product: Linkingvision Rapidvms
CVE-2026-5731Shared CWE-119
CVE-2026-28905Shared CWE-119
CVE-2026-8093Shared CWE-119
CVE-2026-7324Shared CWE-119
CVE-2026-0891Shared CWE-119
CVE-2026-6752Shared CWE-119
CVE-2026-8974Shared CWE-119
CVE-2026-2779Shared CWE-119

Affected Assets

linkingvision
rapidvms
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws like this buffer overflow via patching as in PR#96, directly eliminating the vulnerability.

prevent

Implements memory protection mechanisms such as ASLR, DEP, and stack canaries to prevent unauthorized code execution from buffer overflow exploits.

prevent

Enforces validation of inputs to restrict operations within memory buffer bounds, mitigating the improper restriction issue in CWE-119.

References