Description
NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Attackers can trigger a denial of service by pasting a 5000-byte payload into the name input field within the Geom browser pod addition interface.
Published: 2026-05-25
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NASA OpenVSP 3.16.1 contains a buffer overflow in the geometry name field that allows a local attacker to crash the application. By entering an exceptionally long string—such as a 5,000‑byte payload—into the name input on the Geom browser pod addition interface, the attacker can trigger a denial of service. The impact is a loss of availability of the OpenVSP process for the user.

Affected Systems

The vulnerability affects the NASA OpenVSP application at version 3.16.1.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. As the exploit requires local access and manipulation of the geometry name field, it is suitable for attackers who have the ability to run arbitrary input locally. The lack of a publicly available patch suggests that the risk relies on an organization's chance to patch or mitigate the flaw before an attacker can leverage it.

Generated by OpenCVE AI on May 25, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patched or newer release of OpenVSP that addresses the buffer overflow, following NASA’s official release notes or security advisories.
  • If an upgrade is not immediately possible, restrict local access to the geometry input functionality or disable the Geom browser pod addition interface to prevent the payload from being processed.
  • Monitor OpenVSP logs for abnormal crashes or input anomalies and consider isolating the application in a sandboxed environment until a fix is applied.

Generated by OpenCVE AI on May 25, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Attackers can trigger a denial of service by pasting a 5000-byte payload into the name input field within the Geom browser pod addition interface.
Title NASA openVSP 3.16.1 Denial of Service via Buffer Overflow
Weaknesses CWE-120
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:13.261Z

Reserved: 2026-05-25T13:29:39.251Z

Link: CVE-2018-25367

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-25T15:30:06Z

Weaknesses