CVE-2026-2016
Unknown Unknown - Not Provided
Stack-Based Buffer Overflow in libfastcommon base64_decode Function

Publication date: 2026-02-06

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-06
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2016
EUVD
EUVD-2026-5685
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
happyfish100 libfastcommon to 1.0.84 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2016 is a buffer overflow vulnerability in the libfastcommon library's base64_decode function located in src/base64.c. The issue arises from incorrect handling of Base64 input containing invalid characters and padding during decoding. Specifically, the function miscounts padding characters and invalid characters, leading to an erroneous calculation of the decoded output length."}, {'type': 'paragraph', 'content': 'This miscalculation causes the function to write a null terminator outside the allocated buffer bounds, resulting in a heap buffer overflow. This overflow can corrupt memory and potentially crash the program.'}, {'type': 'paragraph', 'content': 'The vulnerability requires local access to exploit and has been publicly disclosed with a proof-of-concept available. The recommended fix involves validating the decoded length before writing to the buffer to prevent out-of-bounds writes.'}] [1, 5]

Impact Analysis

This vulnerability can lead to memory corruption through a heap buffer overflow, which may cause the affected application to crash or behave unpredictably.

Because the overflow occurs in a local context, an attacker with local access could exploit this flaw to compromise the confidentiality, integrity, and availability of the system running libfastcommon.

Potential impacts include denial of service due to crashes and possibly escalation of privileges or execution of arbitrary code if combined with other vulnerabilities or conditions.

Compliance Impact

I don't know

Detection Guidance

This vulnerability occurs in the base64_decode function of the libfastcommon library when decoding specially crafted Base64 input containing invalid characters and excessive padding, leading to a heap buffer overflow.

Detection can be performed by monitoring for crashes or memory corruption related to the libfastcommon library, especially those triggered by Base64 decoding operations.

A practical detection method is to use AddressSanitizer (ASAN) with a test harness that feeds crafted Base64 inputs to the vulnerable base64_decode function. ASAN will report heap buffer overflows if the vulnerability is triggered.

Example command to compile and run a test harness with ASAN on Linux (assuming you have the source and test harness):

  • clang -fsanitize=address -g -o test_base64_decode test_base64_decode.c
  • ./test_base64_decode crafted_input_file

Additionally, you can check your system for the presence of vulnerable versions of libfastcommon (up to 1.0.84) by querying package versions or scanning binaries.

Mitigation Strategies

The recommended immediate mitigation is to apply the official patch identified by commit 82f66af3e252e3e137dba0c3891570f085e79adf, which fixes the vulnerability by adding proper validation of padding characters and bounds checking in the base64_decode function.

If patching is not immediately possible, avoid processing untrusted or malformed Base64 input with the vulnerable libfastcommon versions.

Monitor your systems for crashes or abnormal behavior related to Base64 decoding and consider restricting local access to systems running vulnerable versions, as exploitation requires local access.

Upgrading libfastcommon to a version that includes the patch or later is the most effective long-term mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2016. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart