Description
Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in Valentina Studio 9.0.4 and is triggered when a user supplies an excessively long string to the Host field during a server connection attempt. A 256-byte buffer of repeated characters is enough to crash the application, so the impact is a loss of availability for whoever is using that local instance; the CVE record claims no confidentiality or integrity impact. The record tags the weakness as CWE-466 (Return of Pointer Value Outside of Expected Range). Beyond the long-string trigger, it gives no detail on the underlying fault, so the exact code path is unknown; what the description does establish is that the Host input is accepted without an effective length bound.
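The description shows the minimal check that would have stopped this trigger: bound the Host input before it is copied anywhere. The following C program is an added illustration, not code from Valentina Studio (whose internals are not on this page), showing the unbounded-copy pattern beside a validating copy. The buffer sizes, the struct name `conn_params`, and the RFC 1123 hostname rules (253 characters total, 63 per label, letters, digits and hyphens) are assumptions chosen for the example; a 256-byte run of a single character, as in the CVE description, is rejected before any copy happens.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed limits (illustrative, not Valentina Studio's): RFC 1123 caps a
 * textual hostname at 253 characters and each dot-separated label at 63. */
#define HOST_MAX_LEN  253
#define LABEL_MAX_LEN 63

typedef struct {
    char host[HOST_MAX_LEN + 1];   /* fixed-size field, hypothetical */
} conn_params;

/* Vulnerable pattern, kept only for contrast: an unbounded copy into a
 * fixed buffer. A 256-byte input overruns conn_params::host. Never call
 * this with untrusted input. */
void set_host_unchecked(conn_params *p, const char *input) {
    strcpy(p->host, input);
}

/* Hardened version: validate length and syntax, then copy.
 * Returns 0 on success; a negative code (and no copy) on rejection:
 *  -1 empty or over-long, -2 empty label (also a trailing dot),
 *  -3 label starts/ends with '-', -4 disallowed character, -5 label too long. */
int set_host_checked(conn_params *p, const char *input) {
    /* Bounded scan: never read more than HOST_MAX_LEN + 1 bytes of input. */
    size_t n = strnlen(input, HOST_MAX_LEN + 1);
    if (n == 0 || n > HOST_MAX_LEN) return -1;

    size_t label_len = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c == '.') {
            if (label_len == 0) return -2;          /* "a..b" or a leading dot */
            if (input[i - 1] == '-') return -3;     /* label ends with hyphen */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return -4;   /* only [A-Za-z0-9-] per label */
        if (label_len == 0 && c == '-') return -3;  /* label starts with hyphen */
        if (++label_len > LABEL_MAX_LEN) return -5;
    }
    if (label_len == 0) return -2;                  /* trailing dot: rejected here by choice */
    if (input[n - 1] == '-') return -3;             /* final label ends with hyphen */

    memcpy(p->host, input, n);
    p->host[n] = '\0';
    return 0;
}

/* Convenience wrappers so callers (and tests) can check a string directly. */
int check_host(const char *s) {
    conn_params p;
    return set_host_checked(&p, s);
}

/* Build the CVE-style payload (n copies of one character) and validate it. */
int check_repeated_host(char ch, size_t n) {
    char buf[1024];
    if (n >= sizeof buf) return -99;
    memset(buf, ch, n);
    buf[n] = '\0';
    conn_params p;
    return set_host_checked(&p, buf);
}

int main(void) {
    conn_params p;
    /* Constructed inputs: the 256-byte repeated-character string from the
     * CVE description, a normal hostname, and a dotted-decimal address. */
    printf("256 x 'A'      -> %d\n", check_repeated_host('A', 256));  /* -1: rejected */
    printf("db.example.com -> %d\n", check_host("db.example.com"));   /*  0: accepted */
    printf("10.0.0.5       -> %d\n", check_host("10.0.0.5"));         /*  0: accepted */
    set_host_unchecked(&p, "db.example.com");                          /* safe only because the input is short */
    printf("unchecked copy stored: %s\n", p.host);
    return 0;
}
```

The point of `strnlen` with a bound of `HOST_MAX_LEN + 1` is that the validator itself never walks an attacker-controlled length: anything longer than the field is rejected at a fixed cost, before any syntax check or copy. If the application must accept IPv6 literals or trailing-dot FQDNs, relax the character and trailing-label rules accordingly; the length bound stays.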

Affected Systems

Valentina Studio version 9.0.4 from Valentina‑Db is affected. No additional affected versions are listed in the CVE data.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium); the v3.1 score is 6.2 with vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. local access, low complexity, no privileges or user interaction required, and availability impact only. The EPSS score shown on this page is below 1%, and the vulnerability is not listed in the CISA KEV catalog, so there is no record of exploitation in the wild. Absence from KEV does not mean no public exploit exists: the SSVC assessment in the history below records Exploitation as "poc", and the CVE description itself is a complete reproduction (a 256-byte string pasted into the Host field). Because the trigger is manual input into a desktop application, only someone who can drive Valentina Studio locally can cause the crash, and the effect is limited to that instance; such a user can, however, crash it repeatedly, denying the application to anyone sharing the workstation.

Generated by OpenCVE AI on March 30, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Valentina Studio to a version later than 9.0.4 once the vendor publishes a fix; the CVE record identifies no fixed version, so confirm the fix in the vendor's release notes before relying on the upgrade.
  • Until a fix is available there is no user-side way to impose a length limit on the Host field, since the check is missing inside the application itself. Treat host strings from untrusted sources (shared connection files, copied configuration) as untrusted input and do not paste them into the connection dialog unchecked.
  • Restrict who can run the application on shared workstations; the attack needs no privileges (PR:N), only the ability to open the connection dialog, so the practical control is limiting local access to trusted accounts.
  • Monitor for unexpected crashes of the Valentina Studio process (operating system crash reports, application logs) and investigate repeated crashes promptly.

Generated by OpenCVE AI on March 30, 2026 at 12:23 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Values added (none removed):
  First Time appeared: Valentina-db; Valentina-db valentina Studio
  Vendors & Products: Valentina-db; Valentina-db valentina Studio

Mon, 30 Mar 2026 14:15:00 +0000

Values added (none removed):
  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 11:15:00 +0000

Values added (none removed):
  Description: Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.
  Title: Valentina Studio 9.0.4 Denial of Service via Host Parameter
  Weaknesses: CWE-466
  References: none listed
  Metrics cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Metrics cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T13:39:24.628Z

Reserved: 2026-03-30T10:53:51.466Z

Link: CVE-2018-25227

Vulnrichment

Updated: 2026-03-30T13:39:21.436Z

NVD

Status : Awaiting Analysis

Published: 2026-03-30T12:16:15.940

Modified: 2026-03-30T13:26:07.647

Link: CVE-2018-25227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:41:05Z

Weaknesses