Description
Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution in the application context, with failed attempts potentially causing denial of service.
Published: 2026-03-28
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

Crashmail 1.6 contains a stack-based buffer overflow (CWE-787, out-of-bounds write) that lets a remote attacker send specially crafted data to the application and execute arbitrary code in the application's context; the description notes that payloads carrying ROP chains can be used to reach code execution. The vulnerability is triggered by malformed input, and an exploitation attempt that fails can still crash the application, so the flaw is also a denial-of-service vector.
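The defect class described above, as an added illustration in C that is not Crashmail's code and does not reflect its actual parsing logic: it assumes a hypothetical length-prefixed record format and a 36-byte stack field (both chosen for the example). The unsafe parser trusts the length byte and can overrun the fixed buffer into the saved return address, which is the foothold a ROP payload needs; the hardened parser bounds the copy by both the buffer size and the bytes actually received, and rejects malformed records outright.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CWE-787 stack overflow pattern; not Crashmail's code.
 * Hypothetical wire format (an assumption for this example):
 *   byte 0      : claimed length n
 *   bytes 1..n  : name field
 */
#define NAME_BUF 36   /* assumed fixed-size stack field, chosen for the example */

/* Build a constructed record [claimed_len][payload]; returns its total size
 * or 0 if dst is too small. claimed_len may deliberately disagree with
 * payload_len to model a malformed record. */
size_t build_record(uint8_t *dst, size_t dst_cap, uint8_t claimed_len,
                    const uint8_t *payload, size_t payload_len)
{
    if (dst_cap < 1 + payload_len) return 0;
    dst[0] = claimed_len;
    memcpy(dst + 1, payload, payload_len);
    return 1 + payload_len;
}

/* VULNERABLE: the copy length comes straight from the record. With n up to
 * 255 and a 36-byte buffer, the write runs past name[] into the saved frame
 * pointer and return address; that overwritten return address is what a ROP
 * chain in the payload hijacks. Shown only to expose the defect; the demo
 * below calls it only with a well-formed record. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap)
{
    char name[NAME_BUF];
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    memcpy(name, rec + 1, n);           /* no bound against sizeof name */
    name[n] = '\0';                     /* also out of bounds once n >= NAME_BUF */
    snprintf(out, out_cap, "%s", name);
    return (int)n;
}

/* HARDENED: bound the copy by the destination size and by the bytes actually
 * received, and reject the record rather than truncate it, so a malformed
 * record never reaches the rest of the parser. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char *out, size_t out_cap)
{
    char name[NAME_BUF];
    if (rec_len < 1) return -1;
    size_t n = rec[0];
    if (n >= sizeof name) return -1;    /* must leave room for the terminator */
    if (n > rec_len - 1) return -1;     /* length byte claims more than was received */
    memcpy(name, rec + 1, n);
    name[n] = '\0';
    if (out_cap < n + 1) return -1;
    memcpy(out, name, n + 1);
    return (int)n;
}

/* Run the hardened parser over a constructed record whose length byte is
 * claimed_len and whose payload is payload_len bytes of 'A'. Returns the
 * parser's result: the accepted length, or -1 for a rejected record. */
int safe_result(uint8_t claimed_len, size_t payload_len)
{
    uint8_t payload[255], rec[256];
    char out[NAME_BUF];
    if (payload_len > sizeof payload) return -2;
    memset(payload, 'A', payload_len);
    size_t len = build_record(rec, sizeof rec, claimed_len, payload, payload_len);
    return parse_name_safe(rec, len, out, sizeof out);
}

int main(void)
{
    uint8_t rec[256];
    char out[NAME_BUF];
    /* constructed well-formed record: length 5, "hello" */
    size_t len = build_record(rec, sizeof rec, 5, (const uint8_t *)"hello", 5);
    printf("well-formed: unsafe=%d safe=%d name=%s\n",
           parse_name_unsafe(rec, len, out, sizeof out),
           parse_name_safe(rec, len, out, sizeof out), out);
    printf("35-byte field: %d (largest accepted)\n", safe_result(35, 35));
    printf("36-byte field: %d (would overrun name[])\n", safe_result(36, 36));
    printf("200-byte field: %d (classic stack smash)\n", safe_result(200, 200));
    printf("claims 10, carries 3: %d (over-read rejected)\n", safe_result(10, 3));
    return 0;
}
```

The hardened version rejects rather than truncates on purpose: silently truncating a field whose length byte disagrees with the buffer size still lets a crafted record continue through the parser, whereas a rejection is both safe and a loggable event that the monitoring recommendation below can key on.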

Affected Systems

The flaw affects Crashmail version 1.6, distributed by FTNApps. Users running this release on any platform are potentially vulnerable; no other versions or products are listed as affected.

Risk and Exploitability

The issue has a CVSS 4.0 base score of 9.3 (9.8 under CVSS 3.1), indicating severe impact. EPSS is below 1 percent, an estimate that exploitation activity in the wild is unlikely in the near term, not a statement that the flaw is hard to exploit: the SSVC assessment in the history below records a public proof of concept or known exploitation method (Exploitation: poc), rates the flaw automatable, and rates its technical impact as total. The vulnerability is not listed in the CISA KEV catalog. The CVSS vectors (AV:N/AC:L/PR:N/UI:N) describe an attack over the network that needs no privileges or user interaction; based on the description, the attacker only needs to be able to deliver crafted input to the application over the network.

Generated by OpenCVE AI on April 2, 2026 at 21:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Crashmail release that fixes the stack-based overflow as soon as the vendor publishes one; none is listed at the time of writing, so the interim measures below are the only available controls until then.
  • Limit access to Crashmail to trusted networks or hosts only, since the flaw is reachable over the network without authentication.
  • Monitor application logs for malformed input, repeated connection attempts, and unexpected crashes or restarts; a failed exploitation attempt crashes the application, so crash events can be an early sign of an attack.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ftnapps; Ftnapps crashmail Ii
CPEs | | cpe:2.3:a:ftnapps:crashmail_ii:*:*:*:*:*:*:*:*
Vendors & Products | | Ftnapps; Ftnapps crashmail Ii

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 07:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Crashmail; Crashmail crashmail
Vendors & Products | | Crashmail; Crashmail crashmail

Sat, 28 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | Crashmail 1.6 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending malicious input to the application. Attackers can craft payloads with ROP chains to achieve code execution in the application context, with failed attempts potentially causing denial of service.
Title | | Crashmail 1.6 Stack-based Buffer Overflow Remote Code Execution
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T14:03:32.093Z

Reserved: 2026-03-28T11:48:53.485Z

Link: CVE-2018-25223

Vulnrichment

Updated: 2026-04-01T14:03:28.071Z

NVD

Status : Analyzed

Published: 2026-03-28T12:16:03.170

Modified: 2026-04-02T19:10:16.517

Link: CVE-2018-25223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:38:30Z

Weaknesses