{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25061", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-28T14:50:47.889Z", "datePublished": "2026-01-29T21:42:47.013Z", "dateUpdated": "2026-02-10T20:14:00.298Z"}, "containers": {"cna": {"title": "tcpflow has TIM Element OOB Write in wifipcap", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6"}], "affected": [{"vendor": "simsong", "product": "tcpflow", "versions": [{"version": "<= 1.61", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:42:47.013Z"}, "descriptions": [{"lang": "en", "value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."}], "source": {"advisory": "GHSA-q5q6-frrv-9rj6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-30T14:47:54.181992Z", "id": "CVE-2026-25061", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T16:35:14.092Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-10T20:14:00.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-30T14:47:54.181992Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-30T14:48:03.234Z"}}], "cna": {"title": "tcpflow has TIM Element OOB Write in wifipcap", "source": {"advisory": "GHSA-q5q6-frrv-9rj6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "simsong", "product": "tcpflow", "versions": [{"status": "affected", "version": "<= 1.61"}]}], "references": [{"url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6", "name": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:42:47.013Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25061", "state": "PUBLISHED", "dateUpdated": "2026-02-02T16:35:14.092Z", "dateReserved": "2026-01-28T14:50:47.889Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T21:42:47.013Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digitalcorpora:tcpflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2DE3D04-62BF-4CE6-BB8C-2AD5BFDFABAD", "versionEndIncluding": "1.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."}, {"lang": "es", "value": "tcpflow es un demultiplexador de paquetes TCP/IP. En versiones hasta la 1.61 inclusive, wifipcap analiza los elementos de tramas de gesti\u00f3n 802.11 y realiza una comprobaci\u00f3n de longitud en el campo incorrecto al manejar el elemento TIM. Una trama manipulada con una longitud TIM grande puede causar una escritura fuera de l\u00edmites de 1 byte m\u00e1s all\u00e1 de 'tim.bitmap[251]'. El desbordamiento es peque\u00f1o y DoS es el impacto probable; la ejecuci\u00f3n de c\u00f3digo es potencial, pero a\u00fan est\u00e1 en el aire. La estructura afectada est\u00e1 asignada en la pila en 'handle_beacon()' y controladores relacionados. En el momento de la publicaci\u00f3n, no hay parches conocidos disponibles."}], "id": "CVE-2026-25061", "lastModified": "2026-02-25T15:24:30.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-29T22:15:55.797", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:18:00.328596+00:00", "value": {"mitigation_remediation": ["Update tcpflow to the latest version, which addresses the TIM element parsing defect if a patch release has become available.", "If no patch is available, avoid using the wifipcap module or configure tcpflow to ignore 802.11 management frames; consider disabling TIM parsing if a configuration option exists.", "Run tcpflow in a sandboxed or restricted environment, limit its access to untrusted network traffic, and monitor for abnormal crashes or restarts."], "summary": {"action": "Monitor", "impact": "Denial of Service (DoS) with potential code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Sim Song\u2019s tcpflow up to and including version 1.61. The problem is present in the wifipcap module that parses Wi\u2011Fi traffic. Debian systems running tcpflow 1.61 or earlier are also impacted as they ship the vulnerable binary. No post\u20111.61 releases have confirmed remediation.", "description_and_impact": "A single-byte out\u2011of\u2011bounds write is performed by tcpflow\u2019s wifipcap parser when processing the TIM element of 802.11 management frames. The vulnerable code performs a length check on the wrong field, writing beyond the bounds of a stack\u2011allocated bitmap. The overflow is small and is likely to cause a crash leading to a denial\u2011of\u2011service condition; the possibility of code execution cannot be ruled out but remains unverified. This weakness is a classic buffer overflow (CWE\u2011787).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate impact, and the EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to provide a crafted 802.11 management frame containing a TIM element with an inflated length to trigger the overflow. This requires the ability to inject frames into the wireless interface monitored by tcpflow, implying either a local attacker on the same networks or an attacker who has compromised the system running tcpflow. The attack vector is thus inferred to be a controlled network injection, not a generic remote exploit."}}}}, "created": "2026-01-30T08:42:44.046203+00:00", "updated": "2026-04-18T01:30:16.031909+00:00", "vendors": ["simsong", "simsong$PRODUCT$tcpflow"]}