Description
PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's Register PicaJet dialog to trigger an application crash.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

PicaJet FX 2.6.5 is vulnerable to a denial of service condition that is triggered when a local user supplies an oversized buffer—up to 6000 bytes—into the Registration Name and Registration Key fields via the application’s Help menu. This input overflows the memory buffer used to store the registration data, causing the application to crash. The weakness is a classic buffer overflow under CWE-120, leading to service disruption rather than data exfiltration or privilege escalation.

Affected Systems

The problem affects the Picajet PicaJet FX product, specifically version 2.6.5. Any installation of this version that runs the registration dialog is vulnerable; users who have local access to the application can trigger the crash.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity denial of service vulnerability. The EPSS score of less than 1% suggests that exploitation of this flaw is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers need local access to the application and must trigger the registration dialog to submit the oversized payload, so the attack surface is limited to the local user environment and the application's graphical interface.

Generated by OpenCVE AI on April 28, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PicaJet FX to a version newer than 2.6.5 where the buffer overflow is fixed.
  • If an immediate upgrade is not feasible, contact Picajet support to obtain guidance on disabling or restricting the registration dialog so that local users cannot submit oversized input.
  • Until a fix is applied, monitor for crashes and consider restarting the application or restricting local accounts that can use the registration feature.

Generated by OpenCVE AI on April 28, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Picajet
Picajet picajet Fx
Vendors & Products Picajet
Picajet picajet Fx

Mon, 27 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's Register PicaJet dialog to trigger an application crash.
Title PicaJet FX 2.6.5 Denial of Service via Registration Fields
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Picajet Picajet Fx
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-27T16:46:04.669Z

Reserved: 2026-04-26T12:59:53.563Z

Link: CVE-2018-25278

cve-icon Vulnrichment

Updated: 2026-04-27T16:45:51.386Z

cve-icon NVD

Status : Deferred

Published: 2026-04-26T22:17:28.397

Modified: 2026-04-27T18:55:32.883

Link: CVE-2018-25278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses