CVE-2026-13588
Received Received - Intake

Heap-based Buffer Overflow in PcapPlusPlus TLS Hello Handler

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description
A vulnerability was determined in seladb PcapPlusPlus 25.05. The impacted element is the function pcpp::SSLClientHelloMessage::getHandshakeVersion of the file Packet++/src/SSLHandshake.cpp of the component TLS Hello Handler. Executing a manipulation of the argument handshakeVersion can lead to heap-based buffer overflow. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. This patch is called 98e671010bc7c87b95898c22ae289220ae92542b. It is best practice to apply a patch to resolve this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-13588
EUVD
EUVD-2026-40148

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
seladb pcapplusplus to 25.05 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap-based buffer overflow in the seladb PcapPlusPlus library, specifically in the function pcpp::SSLClientHelloMessage::getHandshakeVersion located in the TLS Hello Handler component. The issue occurs because the function accesses the handshakeVersion field of a TLS Client Hello packet without verifying if the packet data is complete and valid. This can cause the function to read beyond the allocated memory boundary when processing a truncated or malformed TLS Client Hello packet.

An attacker can exploit this vulnerability remotely by sending a specially crafted TLS Client Hello packet that triggers the buffer overflow. The attack is considered to have high complexity and is difficult to exploit, but the exploit has been publicly disclosed.

Impact Analysis

Exploiting this vulnerability can lead to a heap-based buffer overflow, which may allow an attacker to cause a denial of service (application crash) or potentially execute arbitrary code on the affected system.

Since the vulnerability can be triggered remotely without user interaction, it poses a risk to systems using the vulnerable PcapPlusPlus library version up to 25.05 that process TLS Client Hello packets.

Detection Guidance

This vulnerability can be detected by monitoring for specially crafted TLS Client Hello packets that trigger a heap-buffer-overflow in the function pcpp::SSLClientHelloMessage::getHandshakeVersion(). Detection involves identifying malformed or truncated TLS Client Hello packets that cause out-of-bounds reads.

Using fuzz testing tools with AddressSanitizer can help identify this vulnerability by detecting heap-buffer-overflow errors when processing network traffic.

While no specific commands are provided, network administrators can use packet capture tools like tcpdump or Wireshark to capture TLS Client Hello packets and analyze them for abnormalities or truncation.

  • Use tcpdump to capture TLS Client Hello packets: tcpdump -i <interface> 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -w capture.pcap
  • Analyze captured packets with Wireshark to inspect TLS Client Hello messages for truncation or malformed handshakeVersion fields.
  • Run fuzz testing with AddressSanitizer enabled on the PcapPlusPlus library to detect heap-buffer-overflow issues.
Mitigation Strategies

The best immediate step to mitigate this vulnerability is to apply the patch identified as commit 98e671010bc7c87b95898c22ae289220ae92542b to the PcapPlusPlus library.

Since the vulnerability is exploitable remotely and involves processing malicious TLS Client Hello packets, it is also advisable to monitor and filter suspicious network traffic to reduce exposure.

Avoid using vulnerable versions of PcapPlusPlus (up to v25.05) until patched.

Compliance Impact

The provided context and resources do not contain any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13588. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart