Description
A stack-based buffer over-read exists in setbit() in iptree.h of TCPFLOW 1.5.0: incorrect values received as input cause an incorrect computation, leading to denial of service during an address_histogram call or a get_histogram call.
References (4)
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://github.com/simsong/tcpflow/issues/195
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K6MP4YMCJX4ITOBFX427UMOA6E7ZLJDE/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MN5FW6HKPDP7PI2IVNMFSQVIDSCQ5BOR/
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3955-1/
Scores
CVSS v3: 5.5
EPSS: 0.0032
EPSS Percentile: 55.4%
Attack Vector: LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE: CWE-125
Status: published
Products (6)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 18.10
digitalcorpora/tcpflow 1.5.0
fedoraproject/fedora 28
fedoraproject/fedora 29
Published: Oct 17, 2018
Tracked Since: Feb 18, 2026