CVE-2026-2016

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-2016
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2016.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2016
Published
2026-02-06T12:16:26.073Z
Modified
2026-03-14T08:46:09.748597Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue.

References

Affected packages

Git / github.com/happyfish100/libfastcommon

Affected ranges

Type
GIT
Repo
https://github.com/happyfish100/libfastcommon
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
128e04b2ec408eb16b14052f69de9d02fd34fb73
Fixed
82f66af3e252e3e137dba0c3891570f085e79adf
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.0.84"
        }
    ]
}

Affected versions

1.*
1.0.65
V1.*
V1.0.35
V1.0.36
V1.0.37
V1.0.38
V1.0.39
V1.0.40
V1.0.41
V1.0.42
V1.0.43
V1.0.44
V1.0.45
V1.0.47
V1.0.48
V1.0.49
V1.0.50
V1.0.51
V1.0.52
V1.0.53
V1.0.54
V1.0.55
V1.0.56
V1.0.57
V1.0.58
V1.0.59
V1.0.60
V1.0.61
V1.0.62
V1.0.63
V1.0.64
V1.0.65
V1.0.66
V1.0.67
V1.0.68
V1.0.69
V1.0.7
V1.0.70
V1.0.71
V1.0.72
V1.0.73
V1.0.74
V1.0.75
V1.0.76
V1.0.77
V1.0.78
V1.0.79
V1.0.80
V1.0.81
V1.0.82
V1.0.83
V1.0.84

Database specific

vanir_signatures 
[
    {
        "signature_type": "Line",
        "deprecated": false,
        "id": "CVE-2026-2016-25c24ad8",
        "target": {
            "file": "src/base64.c"
        },
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "52792127485649528244036212812212428830",
                "244564151359647250887928497871014904392",
                "115955599080429114479581435839942501856",
                "95170179270789726670019671868863176974",
                "269103852097483132054304021673304595826",
                "312328059861139713655210597605284791393",
                "107991829929071671895191781611185296507",
                "95687358357388333917042706157950859799",
                "62932264688856123081586427316957088109",
                "257219420171226631020597467776581962138",
                "9183316775992320691999527670894350686",
                "245661019840773830542518271704366194304",
                "275403775594647015951378639441853682732",
                "295045554048778348793230885893916908448"
            ]
        },
        "signature_version": "v1",
        "source": "https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "id": "CVE-2026-2016-2b969434",
        "target": {
            "file": "src/base64.c",
            "function": "base64_decode"
        },
        "digest": {
            "length": 1128.0,
            "function_hash": "29041597499329794403442703817706983425"
        },
        "signature_version": "v1",
        "source": "https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2016.json"