CVE-2026-25061

tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past tim.bitmap[251]. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in handle_beacon() and related handlers. As of time of publication, no known patches are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-787"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25061.json"
}

References

Affected packages

Git / github.com/simsong/tcpflow

Affected ranges

Type

GIT

Repo

https://github.com/simsong/tcpflow

Events

Introduced

Last affected

c98938b320f5aba5e40312e1ad6db9fe55733909

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.6.1"
        }
    ]
}

Affected versions

Other

push

tcpflow-1.*

tcpflow-1.2.5

tcpflow-1.2.7

tcpflow-1.2.9

tcpflow-1.3.0

tcpflow-1.4.0

tcpflow-1.4.0beta1

tcpflow-1.4.1

tcpflow-1.4.2

tcpflow-1.4.3

tcpflow-1.4.4

tcpflow-1.4.5

tcpflow-1.5.0

tcpflow-1.5.1

tcpflow-1.5.2

tcpflow-1.6.1

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25061.json"