CVE-2026-13589
Received Received - Intake

Heap-based Buffer Overflow in PcapPlusPlus

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulDB

Description
A vulnerability was identified in seladb PcapPlusPlus 25.05. This affects the function pcpp::TelnetLayer::getSubCommand of the file Packet++/src/TelnetLayer.cpp of the component Telnet Subnegotiation Packet Handler. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit is publicly available and might be used. The identifier of the patch is 98e671010bc7c87b95898c22ae289220ae92542b. It is recommended to apply a patch to fix this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-29
Last Modified
2026-06-29
Generated
2026-06-29
AI Q&A
2026-06-29
EPSS Evaluated
N/A
NVD
CVE-2026-13589
EUVD
EUVD-2026-40150

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
seladb pcapplusplus to 25.05 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-13589 is a heap-based buffer overflow vulnerability in the seladb PcapPlusPlus library, specifically in the Telnet protocol parsing module within the function pcpp::TelnetLayer::getSubCommand. The vulnerability arises because the function attempts to read memory beyond the allocated buffer when processing truncated or malformed Telnet subnegotiation packets. This happens due to improper validation of the buffer length before accessing certain bytes, leading to out-of-bounds reads.

The issue occurs when the function expects at least 3 bytes but still reads the third byte even if the buffer is smaller, causing heap corruption. The vulnerability can be triggered remotely by sending specially crafted Telnet packets. The problem was identified through fuzz testing and is related to incorrect assumptions about the presence of optional bytes after minimal message headers.

The vulnerability was fixed by adding short-buffer guards that prevent reading past the available data, ensuring truncated inputs return fallback values instead of causing memory corruption.

Compliance Impact

The provided information does not include any details on how the CVE-2026-13589 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to heap-based buffer overflow, which may cause program crashes or denial of service (DoS) conditions when the vulnerable software processes malformed Telnet packets.

Because the overflow corrupts memory, it could potentially be exploited to execute arbitrary code or disrupt normal operation, although the attack complexity is high and exploitability is considered difficult.

Since the exploit is publicly available, attackers might use it to target systems running vulnerable versions of PcapPlusPlus, potentially impacting network monitoring or packet processing applications that rely on this library.

Applying the provided patch is recommended to mitigate these risks.

Detection Guidance

This vulnerability can be detected by monitoring for malformed or truncated Telnet subnegotiation packets that trigger out-of-bounds reads in the TelnetLayer::getSubCommand() function. Fuzz testing was used to identify the issue, and a proof-of-concept exploit is available.

To detect exploitation attempts on your system, you can capture Telnet traffic and analyze packets for abnormal subnegotiation commands or truncated packets that might cause the buffer overflow.

Using packet capture tools like tcpdump or Wireshark, you can filter Telnet traffic with commands such as:

  • tcpdump -i <interface> tcp port 23 -w telnet_traffic.pcap
  • wireshark telnet_traffic.pcap (then inspect Telnet subnegotiation packets for anomalies)

Additionally, running the provided fuzzer target with malicious input (as referenced in the proof-of-concept) can help verify if your version of PcapPlusPlus is vulnerable.

Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit 98e671010bc7c87b95898c22ae289220ae92542b, which fixes the buffer overflow by adding proper buffer length validation and handling truncated Telnet and TLS packets safely.

If immediate patching is not possible, consider restricting or monitoring Telnet traffic to prevent remote exploitation, as the attack can be initiated remotely but requires high complexity.

Also, update to the latest version of PcapPlusPlus where this fix has been merged (after June 24, 2026) to ensure the vulnerability is resolved.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13589. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart