Description
PInfo 0.6.9-5.1 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -m parameter. Attackers can craft a malicious input string with 564 bytes of padding followed by a return address to overwrite the instruction pointer and execute shellcode with user privileges.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a local buffer overflow triggered when the -m parameter of PInfo receives an input longer than permitted. The overflow allows the attacker to overwrite the instruction pointer with a crafted return address and inject shellcode, leading to arbitrary code execution with the privileges of the user running the program. This represents a CWE‑787 buffer overflow weakness.

Affected Systems

The vendor PInfo, version 0.6.9-5.1, is affected. Users installing this package—commonly found in Debian-based distributions—are vulnerable if they run the command with the -m option. No other versions or platforms are listed, so the issue appears confined to this specific release.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of less than 1% suggests exploitation is unlikely under current conditions. The vulnerability is not in the CISA KEV catalog. Attackers must be local to the system; they do not need external network access. If a malicious payload is supplied via the -m flag, the local user can gain control of the process and potentially elevate privileges on the host.

Generated by OpenCVE AI on April 10, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PInfo to a version that removes the vulnerable -m handling or otherwise patches the buffer overflow.
  • If an upgrade is unavailable, uninstall or disable PInfo to eliminate the attack surface.
  • Restrict local user rights to prevent execution of PInfo with arbitrary arguments, for example by adjusting file permissions or using an application whitelist.

Generated by OpenCVE AI on April 10, 2026 at 22:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Surf
Surf pinfo
CPEs cpe:2.3:a:surf:pinfo:*:*:*:*:*:*:*:*
Vendors & Products Surf
Surf pinfo

Mon, 30 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Pinfo
Pinfo pinfo
Vendors & Products Pinfo
Pinfo pinfo

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description PInfo 0.6.9-5.1 contains a local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized argument to the -m parameter. Attackers can craft a malicious input string with 564 bytes of padding followed by a return address to overwrite the instruction pointer and execute shellcode with user privileges.
Title PInfo 0.6.9-5.1 Local Buffer Overflow via -m Parameter
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Pinfo Pinfo
Surf Pinfo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T15:51:04.916Z

Reserved: 2026-03-28T11:37:07.937Z

Link: CVE-2016-20044

cve-icon Vulnrichment

Updated: 2026-03-30T15:50:59.329Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-28T12:16:00.447

Modified: 2026-04-10T20:58:50.403

Link: CVE-2016-20044

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:28:12Z

Weaknesses