CVE-2026-25061

CVE-2026-25061

Name

CVE-2026-25061

Description

tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html

Type

URI

security-advisories@github.com

https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:digitalcorpora:tcpflow::::::::`	tcpflow	>= None	<= 1.6.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:digitalcorpora:tcpflow:*:*:*:*:*:*:*:*

tcpflow

>= None

<= 1.6.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
tcpflow	edge-main	1.6.1-r14	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	edge-main	1.5.0-r1	None	possibly vulnerable
tcpflow	edge-main	1.5.0-r0	None	possibly vulnerable
tcpflow	3.23-main	1.6.1-r14	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	3.22-main	1.6.1-r14	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	3.22-main	1.5.0-r1	None	possibly vulnerable
tcpflow	3.22-main	1.5.0-r0	None	possibly vulnerable
tcpflow	3.21-main	1.6.1-r14	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	3.21-main	1.5.0-r1	None	possibly vulnerable
tcpflow	3.21-main	1.5.0-r0	None	possibly vulnerable
tcpflow	3.20-main	1.6.1-r14	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	3.20-main	1.5.0-r1	None	possibly vulnerable
tcpflow	3.20-main	1.5.0-r0	None	possibly vulnerable
tcpflow	3.19-main	1.6.1-r13	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
tcpflow	3.19-main	1.5.0-r1	None	possibly vulnerable
tcpflow	3.19-main	1.5.0-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages