Description
socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field, which can produce a negative bytes_to_read value. That value is implicitly converted to size_t, resulting in an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.
Published: 2026-06-25
Score: 9.2 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a heap-based buffer overflow triggered by a sign-extension flaw in the SOCKS5 domain name reply parser. A malicious SOCKS5 proxy can supply a domain name length that, when read into a signed char, becomes a negative value; that value is then converted to an unsigned size_t, so the subsequent write runs past the end of the 262-byte reply buffer and corrupts adjacent heap memory. The result is memory corruption that could lead to arbitrary code execution or a crash, a weakness classified as CWE-122.
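The sign-extension pattern described above, next to a bounded form, as an added example. This is not socat's source code: the function names, the `+ 2` port arithmetic and the sample headers are assumptions constructed for illustration, with the reply layout taken from RFC 1928.

```c
#include <stddef.h>
#include <stdio.h>

#define REPLY_BUF_SIZE 262      /* 4 header + 1 length + 255 name + 2 port */
#define ATYP_DOMAINNAME 0x03    /* RFC 1928 address type */

/* Constructed sample replies: VER, REP, RSV, ATYP, name-length octet. */
static const unsigned char HDR_LEN_7F[5] = {0x05, 0x00, 0x00, 0x03, 0x7f};
static const unsigned char HDR_LEN_80[5] = {0x05, 0x00, 0x00, 0x03, 0x80};
static const unsigned char HDR_LEN_FF[5] = {0x05, 0x00, 0x00, 0x03, 0xff};

/* Flawed pattern (hypothetical, modelled on the description): the length
 * octet is viewed as signed char, so values >= 0x80 turn negative and the
 * conversion to size_t wraps to a huge count. */
size_t remaining_flawed(const unsigned char *hdr)
{
    signed char len = (signed char)hdr[4];  /* 0x80 becomes -128 */
    int bytes_to_read = len + 2;            /* name + 2-byte port: -126 */
    return (size_t)bytes_to_read;           /* wraps to a value near SIZE_MAX */
}

/* Hardened form: treat the octet as unsigned (0..255) and check the total
 * against the space left in the reply buffer before any read is issued.
 * Returns the number of bytes still to read, or -1 to reject the reply. */
long remaining_checked(const unsigned char *hdr, size_t have)
{
    if (have < 5 || have > REPLY_BUF_SIZE || hdr[3] != ATYP_DOMAINNAME)
        return -1;
    size_t need = (size_t)hdr[4] + 2;       /* 2..257 */
    if (need > REPLY_BUF_SIZE - have)
        return -1;
    return (long)need;
}

int main(void)
{
    const unsigned char *samples[] = {HDR_LEN_7F, HDR_LEN_80, HDR_LEN_FF};
    for (size_t i = 0; i < 3; i++)
        printf("len octet 0x%02x: flawed=%zu checked=%ld\n",
               (unsigned)samples[i][4], remaining_flawed(samples[i]),
               remaining_checked(samples[i], 5));
    return 0;
}
```

With the unsigned reading, the largest legal DOMAINNAME reply is exactly 262 bytes, so a correctly parsed length can never exceed the buffer.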

Affected Systems

All releases of socat from 1.8.0.0 through 1.8.1.1 are affected. The vulnerability exists in the standard socat binary distributed by the socat project. Users of these versions should verify the currently installed release number.

Risk and Exploitability

The CVSS score of 9.2 indicates critical severity, and although an EPSS score is not available, the known ability to trigger the overflow via a remote SOCKS5 server makes the risk high for services that rely on socat for proxying. The vulnerability is not listed in the CISA KEV catalog, but its remote nature and high severity would make it a priority for immediate remediation. Attackers would need control over a SOCKS5 proxy that a socat user connects to, and could then send crafted replies to corrupt memory.

Generated by OpenCVE AI on June 25, 2026 at 18:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade socat to version 1.8.1.2 or later, which removes the sign‑extension bug.
  • If an upgrade is not immediately possible, disable or restrict socat’s SOCKS5 support by using alternative proxy mechanisms or by configuring the application to only use trusted proxies.
  • Employ network controls to block unsolicited SOCKS5 traffic and monitor for anomalous domain length values in socat logs.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field causing a negative bytes_to_read value that is implicitly converted to size_t, resulting in an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.
Title | | socat 1.8.0.0 - 1.8.1.1 Heap Buffer Overflow via SOCKS5 Reply Parser
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-25T15:43:19.580Z

Reserved: 2026-06-18T19:15:10.651Z

Link: CVE-2026-56123

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T18:15:04Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow