Description
Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 6000-byte payload into the proxy password parameter, causing the application to crash when processing the connection settings.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update Immediately
AI Analysis

Impact

Prime95 29.4b7 has a buffer overflow in the PrimeNet connection dialog that lets a local user crash the program by entering an excessively long string in the optional proxy password field. The vulnerability results in a denial of service for the application; the crash occurs when the application processes the stored connection settings after the user supplies a payload, such as a 6000‑byte string. The weakness is a classic stack corruption (CWE‑120).

Affected Systems

The issue affects the Mersenne Prime95 family, specifically version 29.4b7 and later build 30.7. Users running these versions that have the PrimeNet proxy feature enabled are susceptible to the crash.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS of less than 1% suggests that exploitation attempts are rare at present. The vulnerability is not listed in the CISA KEV catalog, meaning no known widespread exploitation has been observed. It requires local access to the machine running Prime95; remote exploitation would need the attacker to inject the payload via a user’s interaction with the proxy password field, which is not exposed over a network interface. Given the moderate score and low exploitation probability, the risk is significant mainly to users who depend on continuous Prime95 operations for computational work.

Generated by OpenCVE AI on April 28, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Prime95 release (e.g., 30.7 or later) which fixes the proxy password buffer overflow.
  • If an upgrade is not possible, avoid using the proxy feature or keep the proxy password field empty when containing only short strings; the application must not accept passwords longer than the buffer size for the dialog.
  • Run Prime95 under a restricted user account and consider disabling or isolating the PrimeNet feature to reduce the attack surface when the application is in use.

Generated by OpenCVE AI on April 28, 2026 at 05:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 26 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 6000-byte payload into the proxy password parameter, causing the application to crash when processing the connection settings.
Title Prime95 29.4b7 Denial of Service via Proxy Password Field
First Time appeared Mersenne
Mersenne prime95
Weaknesses CWE-120
CPEs cpe:2.3:a:mersenne:prime95:29.4b7:*:*:*:*:*:*:*
cpe:2.3:a:mersenne:prime95:30.7:-:*:*:*:*:*:*
cpe:2.3:a:mersenne:prime95:30.7:build9:*:*:*:*:*:*
Vendors & Products Mersenne
Mersenne prime95
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mersenne Prime95
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-27T13:05:40.610Z

Reserved: 2026-04-26T13:11:04.130Z

Link: CVE-2018-25293

cve-icon Vulnrichment

Updated: 2026-04-27T13:05:32.917Z

cve-icon NVD

Status : Deferred

Published: 2026-04-26T22:17:30.660

Modified: 2026-04-27T18:53:00.053

Link: CVE-2018-25293

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T05:15:22Z

Weaknesses