Description
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Published: 2026-01-29
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (DoS) with potential code execution
Action: Monitor
AI Analysis

Impact

tcpflow's wifipcap parser performs a single-byte out‑of‑bounds write when it processes the TIM (Traffic Indication Map) element of an 802.11 management frame. The vulnerable code checks a length against the wrong field, so an element whose length byte claims more bitmap bytes than the 251‑byte stack‑allocated `tim.bitmap` array can hold is copied anyway, and the final byte lands just past the array in `handle_beacon()` and the related handlers. Because the overrun is one byte into whatever the compiler placed next to the struct on the stack, a crash and denial of service is the likely outcome; code execution has not been demonstrated and would depend on stack layout and the build's hardening (stack protector, ASLR). The weakness is CWE‑787 (Out‑of‑bounds Write).
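As an added illustration (not tcpflow's source, which this page does not reproduce), the C program below contrasts the bug class with a hardened parser. The vulnerable routine checks only that the frame still has enough bytes to read and never compares the element's claimed bitmap length with the 251‑byte destination; since the IE length byte tops out at 255 and three of those bytes are fixed fields, the largest possible copy is 252 bytes, which is why the overrun is exactly one byte. The struct layout (modelled on the classic tcpdump‑style `tim_t`), the names `tim_copy_vulnerable`, `tim_parse`, `build_tim` and `demo`, and the precise form of the wrong check are assumptions for the demonstration; wifipcap's actual check may differ in detail while producing the same one‑byte overrun. The demo copies into a guarded buffer with one spare byte so the overrun is observable without corrupting anything.

```c
/* Illustrative reconstruction of the TIM parsing bug class behind
 * CVE-2026-25061. Not tcpflow's code; layout and names are assumptions.
 * Build: cc -std=c11 -Wall -Wextra tim_demo.c -o tim_demo */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define E_TIM            5    /* 802.11 element ID of the TIM element */
#define TIM_FIXED_LEN    3    /* DTIM count, DTIM period, bitmap control */
#define TIM_BITMAP_MAX 251    /* size of tim.bitmap[] named in the advisory */

/* Parsed TIM element; bitmap has valid indices 0..250 (assumed layout). */
struct tim_t {
    uint8_t element_id;
    uint8_t length;                  /* bytes following this field */
    uint8_t count;
    uint8_t period;
    uint8_t bitmap_control;
    uint8_t bitmap[TIM_BITMAP_MAX];
};

/* Vulnerable pattern: the only length check is against the bytes still
 * available in the frame (the source). Nothing compares the claimed bitmap
 * length with the destination, so a length byte of 255 copies 252 bytes.
 * dst is a raw pointer so the demo can hand it a guarded buffer; in the
 * real parser it would be tim.bitmap on the stack.
 * Returns bytes copied, or -1 if the element is rejected. */
int tim_copy_vulnerable(const uint8_t *ie, size_t avail, uint8_t *dst)
{
    if (avail < 2 || ie[0] != E_TIM) return -1;
    size_t length = ie[1];
    if (length <= TIM_FIXED_LEN) return -1;
    if (avail < 2 + length) return -1;          /* checks the frame, not the struct */
    size_t n = length - TIM_FIXED_LEN;          /* up to 255 - 3 = 252 > 251 */
    memcpy(dst, ie + 2 + TIM_FIXED_LEN, n);
    return (int)n;
}

/* Hardened parser: bounds the copy by the destination as well as the source. */
int tim_parse(const uint8_t *ie, size_t avail, struct tim_t *out)
{
    if (avail < 2 || ie[0] != E_TIM) return -1;
    size_t length = ie[1];
    if (length <= TIM_FIXED_LEN) return -1;
    if (avail < 2 + length) return -1;          /* source bound: no OOB read */
    size_t n = length - TIM_FIXED_LEN;
    if (n > sizeof out->bitmap) return -1;      /* destination bound: no OOB write */
    memset(out, 0, sizeof *out);
    out->element_id = ie[0];
    out->length = ie[1];
    out->count = ie[2];
    out->period = ie[3];
    out->bitmap_control = ie[4];
    memcpy(out->bitmap, ie + 2 + TIM_FIXED_LEN, n);
    return (int)n;
}

/* Constructed sample: a TIM element with an arbitrary length byte and a body
 * of 0xAA. buf must hold 2 + length bytes. Returns the element's total size. */
size_t build_tim(uint8_t *buf, uint8_t length)
{
    buf[0] = E_TIM;
    buf[1] = length;
    memset(buf + 2, 0xAA, length);
    return 2 + (size_t)length;
}

/* Runs a maximal-length element through both routines. Returns 1 when the
 * vulnerable path wrote the byte one past index 250 and the hardened path
 * refused the element. */
int demo(void)
{
    uint8_t frame[2 + 255];
    size_t n = build_tim(frame, 255);

    /* Guarded stand-in for tim.bitmap: 251 real slots plus one canary byte. */
    uint8_t guarded[TIM_BITMAP_MAX + 1];
    memset(guarded, 0, sizeof guarded);
    int copied = tim_copy_vulnerable(frame, n, guarded);
    int overflowed = (copied == 252 && guarded[TIM_BITMAP_MAX] == 0xAA);

    struct tim_t tim;
    int rc = tim_parse(frame, n, &tim);

    printf("vulnerable copied %d bytes, canary=0x%02x; hardened rc=%d\n",
           copied, guarded[TIM_BITMAP_MAX], rc);
    return overflowed && rc == -1;
}

int main(void) { return demo() ? 0 : 1; }
```

The hardened version keeps both checks because they guard different things: the `avail` test prevents reading past the end of a truncated frame, the `sizeof out->bitmap` test prevents writing past the end of the struct. A parser that has only one of them is still exploitable from the other side.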

Affected Systems

The vulnerability affects tcpflow by Simson Garfinkel (GitHub user simsong; this page also tracks it under the Digitalcorpora vendor entry) up to and including version 1.61. The defect is in the bundled wifipcap module, which tcpflow uses to parse 802.11 link‑layer frames, so any input with a Wi‑Fi link type reaches it, whether from a monitor‑mode interface or from a capture file. Debian packages built from 1.61 or earlier ship the same code; Debian has since issued DLA-4478-1 for tcpflow (listed under Advisories below). No upstream release after 1.61 with a confirmed fix is recorded on this page.

Risk and Exploitability

The CVSS 4.0 score of 5.5 (vector on this page: network‑reachable, low complexity, no privileges or user interaction, low availability impact, exploit maturity proof‑of‑concept) rates the issue Medium, while NVD's CVSS 3.1 assessment of the same bug in the History below is 7.5 High (A:H), so treat the severity as contested between the two scorers rather than settled at Medium. The EPSS score below 1% indicates a very low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker needs to get a crafted 802.11 management frame, such as a beacon carrying a TIM element whose length byte claims more bitmap bytes than the 251‑byte array holds, in front of the parser. Two paths exist: transmitting it over the air to a wireless interface that tcpflow is monitoring, which requires only radio proximity because management frames are neither authenticated nor encrypted, or supplying a capture file with an 802.11 link type that someone later reads with tcpflow. Neither path requires credentials on the network or a prior compromise of the host, which is consistent with the PR:N/AV:N vectors on this page; "network" here means the trigger arrives over a network medium, not that any host on the Internet can reach the parser, so the practical exposure is limited to wireless monitoring points and to analysts who process untrusted captures.

Generated by OpenCVE AI on April 18, 2026 at 01:18 UTC.

Remediation

No upstream (tcpflow) fix or workaround is recorded here; Debian has published DLA-4478-1 for its tcpflow packages (see Advisories).

OpenCVE Recommended Actions

  • Update tcpflow to a release that addresses the TIM element parsing defect once one is available. Debian has already published DLA-4478-1 for tcpflow (see Advisories), so Debian users should install that update; on other distributions, confirm from the package changelog that the build references CVE-2026-25061 before treating it as fixed.
  • If no fix is available, keep unpatched builds away from 802.11 input: do not run them against monitor‑mode wireless interfaces, and treat capture files with an 802.11 link type from untrusted sources as hostile. Absent a build‑time or command‑line switch to disable wifipcap or TIM parsing, the practical control is a BPF capture filter given on the tcpflow command line, for example `not type mgt`, which drops 802.11 management frames in libpcap before wifipcap ever sees them; verify that the filter is honoured for the input mode you use (live capture, and saved files read with -r) before relying on it.
  • Run tcpflow under an unprivileged account or in a container/sandbox with only the capture capability it needs, feed it only trusted traffic or files, and alert on crashes: a SIGSEGV, or a "stack smashing detected" abort from a stack‑protector build, while processing 802.11 input is the expected symptom of this bug being hit.


Advisories
Source       ID           Title
Debian DLA   DLA-4478-1   tcpflow security update
History

Wed, 25 Feb 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Debian
                                       Debian debian Linux
                                       Digitalcorpora
                                       Digitalcorpora tcpflow
CPEs                  -                cpe:2.3:a:digitalcorpora:tcpflow:*:*:*:*:*:*:*:*
                                       cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Vendors & Products    -                Debian
                                       Debian debian Linux
                                       Digitalcorpora
                                       Digitalcorpora tcpflow
Metrics               -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 10 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 02 Feb 2026 17:15:00 +0000

Type                  Values Removed   Values Added
Metrics               -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 30 Jan 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Simsong
                                       Simsong tcpflow
Vendors & Products    -                Simsong
                                       Simsong tcpflow

Thu, 29 Jan 2026 22:00:00 +0000

Type                  Values Removed   Values Added
Description           -                tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Title                 -                tcpflow has TIM Element OOB Write in wifipcap
Weaknesses            -                CWE-787
References            -                (values not shown)
Metrics               -                cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T20:14:00.298Z

Reserved: 2026-01-28T14:50:47.889Z

Link: CVE-2026-25061

Vulnrichment

Updated: 2026-01-30T14:48:03.234Z

NVD

Status : Analyzed

Published: 2026-01-29T22:15:55.797

Modified: 2026-02-25T15:24:30.993

Link: CVE-2026-25061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:30:16Z

Weaknesses