Description
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -log_file parameters, causing strcpy to write beyond buffer boundaries in sipp.cpp.
Published: 2026-05-23
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local buffer overflow that occurs when SIPp parses command‑line arguments. Oversized values supplied to the -3pcc, -i, or -log_file options cause the unsafe strcpy call in sipp.cpp to write past the buffer's boundaries, allowing a local attacker to crash the application or execute arbitrary code.

Affected Systems

All publicly released SIPp versions 3.6 and earlier are affected, including the official releases distributed on SourceForge and the GitHub releases prior to the 3.7 update.

Risk and Exploitability

The CVSS score of 8.6 reflects a high-severity local code-execution flaw. No EPSS score is currently available, so the probability of exploitation today is uncertain. Because the vulnerability requires local access, exploitation is limited to users who can run SIPp on the affected system. The flaw is not listed in the CISA KEV catalog, indicating that no known attacks have been reported yet.

Generated by OpenCVE AI on May 23, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SIPp to version 3.7 or later, where the buffer overflow has been fixed.
  • If an immediate upgrade is not possible, run SIPp under a dedicated, least‑privileged account and restrict write permission on the incoming files to prevent local attackers from manipulating the input arguments.
  • Modify any scripts that invoke SIPp to enforce maximum length checks on the -3pcc, -i, and -log_file parameters before passing them to the executable.



Advisories

No advisories yet.

History

Sat, 23 May 2026 19:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Sipp; Sipp sipp |
| Vendors & Products | | Sipp; Sipp sipp |

Sat, 23 May 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -log_file parameters, causing strcpy to write beyond buffer boundaries in sipp.cpp. |
| Title | | SIPp 3.6 Local Buffer Overflow via Command-line Arguments |
| Weaknesses | | CWE-120 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:55.727Z

Reserved: 2026-05-23T16:26:22.154Z

Link: CVE-2018-25356

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses