Description
NRSS RSS Reader 0.3.9-1 contains a stack buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -F parameter. Attackers can craft a malicious input with 256 bytes of padding followed by a controlled EIP value to overwrite the return address and achieve code execution.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Patch immediately
AI Analysis

Impact

NRSS RSS Reader 0.3.9-1 includes a stack buffer overflow that can be triggered by passing an oversized value to the -F command‑line switch. The flaw allows an attacker to supply 256 bytes of padding followed by a crafted return‑address value, overwriting the function return pointer and enabling arbitrary code execution on the local machine.

Affected Systems

The vulnerability affects NRSS Reader version 0.3.9-1. No other versions or products are listed as impacted.

Risk and Exploitability

The issue carries a CVSS score of 8.6, indicating high severity, but the EPSS score is below 1%, implying low likelihood of widespread exploitation. The vulnerability is not currently catalogued in the CISA KEV list. Exploitation requires local access and the ability to invoke the program with the -F parameter supplied by a malicious user.

Generated by OpenCVE AI on April 10, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the NRSS website or vendor portal for an updated version that removes the buffer overflow and upgrade immediately.
  • If an upgrade is unavailable, restrict the ability to run NRSS or supply the -F argument to only trusted users and inputs.
  • Enforce strict local privilege controls so that only users who require the program can execute it, reducing the chance that a local attacker can exploit the flaw.

Generated by OpenCVE AI on April 10, 2026 at 22:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Nrss nrss
CPEs cpe:2.3:a:nrss:nrss:*:*:*:*:*:*:*:*
Vendors & Products Nrss nrss

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Nrss
Nrss nrss Reader
Vendors & Products Nrss
Nrss nrss Reader

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description NRSS RSS Reader 0.3.9-1 contains a stack buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -F parameter. Attackers can craft a malicious input with 256 bytes of padding followed by a controlled EIP value to overwrite the return address and achieve code execution.
Title NRSS RSS Reader 0.3.9-1 Stack Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nrss Nrss Nrss Reader
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:53:37.019Z

Reserved: 2026-03-28T11:35:13.770Z

Link: CVE-2016-20043

cve-icon Vulnrichment

Updated: 2026-03-30T12:51:06.229Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-28T12:16:00.250

Modified: 2026-04-10T20:59:49.247

Link: CVE-2016-20043

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:13Z

Weaknesses