CVE-2026-2016
Stack-Based Buffer Overflow in libfastcommon base64_decode Function

Publication date: 2026-02-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue.
Meta Information
Published: 2026-02-06
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: happyfish100
Product: libfastcommon
Version / Range: up to 1.0.84 (inclusive)
CWE
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119: The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2016 is a buffer overflow vulnerability in the libfastcommon library's base64_decode function located in src/base64.c. The issue arises from incorrect handling of Base64 input containing invalid characters and padding during decoding. Specifically, the function miscounts padding characters and invalid characters, leading to an erroneous calculation of the decoded output length.

This miscalculation causes the function to write a null terminator outside the allocated buffer bounds, resulting in a heap buffer overflow. This overflow can corrupt memory and potentially crash the program.

The vulnerability requires local access to exploit and has been publicly disclosed with a proof-of-concept available. The recommended fix involves validating the decoded length before writing to the buffer to prevent out-of-bounds writes. [1, 5]


How can this vulnerability impact me?

This vulnerability can lead to memory corruption through a heap buffer overflow, which may cause the affected application to crash or behave unpredictably.

Because the overflow occurs in a local context, an attacker with local access could exploit this flaw to compromise the confidentiality, integrity, and availability of the system running libfastcommon.

Potential impacts include denial of service due to crashes and possibly escalation of privileges or execution of arbitrary code if combined with other vulnerabilities or conditions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability occurs in the base64_decode function of the libfastcommon library when decoding specially crafted Base64 input containing invalid characters and excessive padding, leading to a heap buffer overflow.

Detection can be performed by monitoring for crashes or memory corruption related to the libfastcommon library, especially those triggered by Base64 decoding operations.

A practical detection method is to use AddressSanitizer (ASAN) with a test harness that feeds crafted Base64 inputs to the vulnerable base64_decode function. ASAN will report heap buffer overflows if the vulnerability is triggered.

Example command to compile and run a test harness with ASAN on Linux (assuming you have the source and test harness):

  • clang -fsanitize=address -g -o test_base64_decode test_base64_decode.c
  • ./test_base64_decode crafted_input_file

Additionally, you can check your system for the presence of vulnerable versions of libfastcommon (up to 1.0.84) by querying package versions or scanning binaries.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate mitigation is to apply the official patch identified by commit 82f66af3e252e3e137dba0c3891570f085e79adf, which fixes the vulnerability by adding proper validation of padding characters and bounds checking in the base64_decode function.

If patching is not immediately possible, avoid processing untrusted or malformed Base64 input with the vulnerable libfastcommon versions.

Monitor your systems for crashes or abnormal behavior related to Base64 decoding and consider restricting local access to systems running vulnerable versions, as exploitation requires local access.

Upgrading libfastcommon to a version that includes the patch or later is the most effective long-term mitigation.
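As an added illustration (written for this page; it is not libfastcommon's base64_decode and not the referenced patch), the decoder below applies the two checks the detection and mitigation answers describe: it rejects invalid characters and misplaced padding before computing the decoded length, and verifies that the output plus its terminating NUL fits the destination before writing anything. The function names and the 16-byte scratch buffer in the helper are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical hardened decoder, not libfastcommon's code. Invalid bytes and
 * malformed padding are rejected up front, the exact decoded length is
 * computed, and that length plus the NUL is checked against dst_size before
 * any write. Returns the decoded length, or -1 on bad input or no space. */
static int b64_val(unsigned char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;                                   /* covers '=' and junk */
}

int safe_base64_decode(const char *src, size_t src_len, char *dst, size_t dst_size) {
    if (src_len % 4 != 0) return -1;             /* only whole 4-char quanta */
    size_t pad = 0;                              /* at most two trailing '=' */
    if (src_len >= 1 && src[src_len - 1] == '=') pad++;
    if (src_len >= 2 && src[src_len - 2] == '=') pad++;
    /* Any '=' before the trailing padding, or any non-alphabet byte, fails. */
    for (size_t i = 0; i + pad < src_len; i++)
        if (b64_val((unsigned char)src[i]) < 0) return -1;
    size_t out_len = src_len / 4 * 3 - pad;
    if (out_len + 1 > dst_size) return -1;       /* bounds check BEFORE writing */
    size_t o = 0;
    for (size_t i = 0; i < src_len; i += 4) {
        uint32_t v = 0;
        for (int k = 0; k < 4; k++) {            /* '=' contributes zero bits */
            int d = src[i + k] == '=' ? 0 : b64_val((unsigned char)src[i + k]);
            v = (v << 6) | (uint32_t)d;
        }
        if (o < out_len) dst[o++] = (char)((v >> 16) & 0xFF);
        if (o < out_len) dst[o++] = (char)((v >> 8) & 0xFF);
        if (o < out_len) dst[o++] = (char)(v & 0xFF);
    }
    dst[o] = '\0';                               /* guaranteed in bounds */
    return (int)o;
}

/* Self-check helper: decode into a 16-byte scratch buffer capped at dst_size
 * and report whether the result equals `expected`. */
int decodes_to(const char *src, size_t dst_size, const char *expected) {
    char buf[16];
    int n = safe_base64_decode(src, strlen(src), buf, dst_size > 16 ? 16 : dst_size);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```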

