Description
Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file name field that allows local attackers to execute arbitrary code by supplying an excessively long filename. Attackers can overflow the buffer at offset 214 bytes to overwrite the instruction pointer and execute shellcode with system privileges.
Published: 2026-03-22
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Immediate Patching
AI Analysis

Impact

The vulnerability is a stack‑based buffer overflow in the log file name field of Axessh 4.2. By supplying a filename longer than the allocated buffer, an attacker can overwrite the return pointer at an offset of 214 bytes. This allows execution of attacker‑controlled shellcode with system privileges, giving full control of the host the application runs on. The weakness is identified as CWE‑787 and rated high severity.

Affected Systems

Affected product is Axessh 4.2 from the vendor Labf. No further sub‑versions are listed, so all releases identified as 4.2 are susceptible unless a patch has been applied.

Risk and Exploitability

With a CVSS score of 8.6, this flaw is considered significant. The exploit requires local access; EPSS data is not available, and the vulnerability is not currently included in the CISA KEV catalog, suggesting no known widespread exploitation. Nevertheless, local attackers with the ability to create log file names can immediately trigger the buffer overflow, making the risk high for unattended systems.

Generated by OpenCVE AI on March 22, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately reinstall or upgrade to a patched version of Axessh (if vendor releases an update).
  • Restrict write access to the directory holding Axessh’s log files, ensuring only trusted users can write there.
  • If an upgrade is unavailable, avoid creating log files with excessively long names or disable logging that allows arbitrary filenames.
  • Keep the system’s other security controls up to date, such as SELinux or AppArmor profiles.
  • Monitor the application logs for anomalous activity and seek vendor notification.

Generated by OpenCVE AI on March 22, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Labf
Labf axessh
Vendors & Products Labf
Labf axessh

Sun, 22 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file name field that allows local attackers to execute arbitrary code by supplying an excessively long filename. Attackers can overflow the buffer at offset 214 bytes to overwrite the instruction pointer and execute shellcode with system privileges.
Title Axessh 4.2 Local Stack-based Buffer Overflow via Log File Name
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Labf Axessh
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:16:24.289Z

Reserved: 2026-03-22T13:14:15.419Z

Link: CVE-2019-25607

cve-icon Vulnrichment

Updated: 2026-03-23T16:16:20.826Z

cve-icon NVD

Status : Deferred

Published: 2026-03-22T14:16:28.620

Modified: 2026-04-16T16:19:50.757

Link: CVE-2019-25607

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:46:09Z

Weaknesses