Description
FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Attackers can craft a malicious text file with carefully aligned shellcode and SEH chain pointers, paste the contents into the Stream Name dialog, and execute arbitrary commands like calc.exe when the exception handler is triggered.
Published: 2026-03-24
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Arbitrary Code Execution
Action: Patch
AI Analysis

Impact

A local buffer overflow exists in FlexHEX version 2.71 within the Stream Name dialog. By copying crafted text containing shellcode and SEH chain pointers into the field, a local attacker can trigger the structured exception handler and execute arbitrary commands such as launching calc.exe.

Affected Systems

The vulnerability affects the FlexHEX application, version 2.71, from the vendor Flexhex. No other versions or vendors are listed as affected.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity. The attack requires local access and user interaction with the application, and a malicious file can be easily constructed to trigger the overflow. While no EPSS data or KEV listing is available, the high score and straightforward local execution path imply a significant risk to machines running the vulnerable software.

Generated by OpenCVE AI on March 24, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest FlexHEX version that contains the buffer‑overflow fix from the vendor’s website.
  • If a patch is not yet available, uninstall or disable FlexHEX to prevent exploitation.
  • Run FlexHEX with the lowest privilege level possible, using a dedicated low‑privilege account.
  • Monitor systems for unexpected local code execution or abnormal usage of the application.

Generated by OpenCVE AI on March 24, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:flexhex:flexhex:2.71:*:*:*:*:*:*:*

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Flexhex
Flexhex flexhex
Vendors & Products Flexhex
Flexhex flexhex

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description FlexHEX 2.71 contains a local buffer overflow vulnerability in the Stream Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overflow. Attackers can craft a malicious text file with carefully aligned shellcode and SEH chain pointers, paste the contents into the Stream Name dialog, and execute arbitrary commands like calc.exe when the exception handler is triggered.
Title FlexHEX 2.71 Local Buffer Overflow via SEH Unicode
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Flexhex Flexhex
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T13:15:20.448Z

Reserved: 2026-03-24T10:59:43.113Z

Link: CVE-2019-25627

cve-icon Vulnrichment

Updated: 2026-03-24T13:15:16.254Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T12:16:02.560

Modified: 2026-04-15T16:10:01.797

Link: CVE-2019-25627

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:39:43Z

Weaknesses