Description
Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File > Import > Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code.
Published: 2026-04-29
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow in the URL import feature of Free Download Manager 2.0 (Build 417) overwrites the Structured Exception Handler (SEH) chain, letting an attacker redirect execution to an address of their choosing. The weakness is recorded as CWE-120 (buffer copy without checking the size of input); successful exploitation runs arbitrary code with the privileges of the user who performs the import.

Affected Systems

Free Download Manager 2.0 from vendor Freedownloadmanager (CPE cpe:2.3:a:freedownloadmanager:free_download_manager:2.0) is affected; the record names Build 417 and lists no other versions. (Filehippo is a download mirror, not the vendor.)

Risk and Exploitability

The CVSS 4.0 base score is 8.6 (High); the CVSS 3.1 score recorded in the history below is 8.4. The issue is not listed in CISA KEV, and the SSVC entry records Exploitation as "poc", so a proof of concept exists but no widespread exploitation is confirmed at the time of this analysis. The attack vector is local: the crafted URL list must be imported on the target machine through File > Import > Import lists of downloads, so the attacker either has local access or persuades the user to import a file they supplied. Both recorded vectors say UI:N, although the described trigger requires the user to import the file; treat this as a user-assisted attack when estimating risk. Once the list is imported, the overflow overwrites the SEH chain and the attacker's code runs in the user's security context.

Generated by OpenCVE AI on April 30, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a current release of Free Download Manager; the CVE record lists only version 2.0 as affected and no vendor fix, so confirm after upgrading that no 2.0 installation remains.
  • If an upgrade is not immediately possible, do not import download lists from untrusted sources, and do not run the application with administrative privileges, so that any code execution stays within a standard user context.
  • Restrict who may install and run the application (for example with AppLocker), and enable SEHOP and DEP for the process through Windows Exploit Protection (Exploit Guard). SEHOP validates the exception handler chain before dispatch and defeats the classic SEH overwrite technique; AppLocker only controls which binaries run and does not block exploitation of a permitted binary.

Generated by OpenCVE AI on April 30, 2026 at 13:58 UTC.
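An added example, not code from OpenCVE or the Free Download Manager project, showing how to carry out the inventory and mitigation steps above on a Windows host with PowerShell. It assumes the Exploit Protection cmdlets Get-ProcessMitigation and Set-ProcessMitigation (Windows 10 1709 / Server 2019 or later), an elevated session, and that the FDM 2.0 executable is named fdm.exe (an assumption; take the real name from the InstallLocation the inventory step prints).

```powershell
# Added example (not from OpenCVE or the FDM project). Assumptions, labelled:
#  - the FDM 2.0 executable is named fdm.exe (assumed; check InstallLocation below)
#  - Windows 10 1709+ / Server 2019+, where Get-/Set-ProcessMitigation exist
#  - run from an elevated PowerShell session

# 1. Inventory: look for Free Download Manager in both the native and WOW6432Node uninstall hives.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$fdm = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Free Download Manager*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $fdm) {
    Write-Host 'Free Download Manager is not registered in the uninstall hives; nothing to do.'
    return
}
$fdm | Format-Table -AutoSize

# The CVE record lists only 2.0 as affected; flag matching versions.
$affected = $fdm | Where-Object { $_.DisplayVersion -like '2.0*' }
if ($affected) {
    Write-Warning "Affected version present: $($affected.DisplayVersion). Plan an upgrade; the CVE record lists no vendor fix."
}

# 2. Per-process mitigation. SEHOP validates the exception handler chain before a handler is
#    dispatched, which breaks the classic SEH overwrite; DEP stops execution from the stack
#    where an overflowed payload lands.
$exe = 'fdm.exe'   # assumed executable name

# Current state. NOTSET means the system-wide default applies, which may be off for 32-bit apps.
$before = Get-ProcessMitigation -Name $exe
"Before: SEHOP={0} DEP={1}" -f $before.SEHOP.Enable, $before.DEP.Enable

# Opt the process in explicitly.
Set-ProcessMitigation -Name $exe -Enable SEHOP, DEP

# 3. Verify the override was recorded.
$after = Get-ProcessMitigation -Name $exe
"After:  SEHOP={0} DEP={1}" -f $after.SEHOP.Enable, $after.DEP.Enable
```

SEHOP matters for 32-bit processes (64-bit processes do not use the SEH chain this way), and it only blocks the handler-chain overwrite itself; it reduces rather than removes the risk of keeping version 2.0 installed, so the upgrade remains the real fix.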

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 13:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 20:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File > Import > Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code.
Title               |                | Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH
First Time appeared |                | Freedownloadmanager; Freedownloadmanager free Download Manager
Weaknesses          |                | CWE-120
CPEs                |                | cpe:2.3:a:freedownloadmanager:free_download_manager:2.0:*:*:*:*:*:*:*
Vendors & Products  |                | Freedownloadmanager; Freedownloadmanager free Download Manager
References          |                | (none)
Metrics             |                | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                    |                | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T12:40:48.181Z

Reserved: 2026-04-29T12:07:57.580Z

Link: CVE-2018-25304

Vulnrichment

Updated: 2026-04-30T12:40:43.781Z

NVD

Status : Deferred

Published: 2026-04-29T20:16:25.760

Modified: 2026-04-30T15:44:48.290

Link: CVE-2018-25304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:00:22Z

Weaknesses