CVE-2026-56123
Undergoing Analysis - In Progress
Heap Overflow in Socat via SOCKS5 Proxy

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: VulnCheck

Description
socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field, causing a negative bytes_to_read value that is implicitly converted to size_t. The result is an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-122
Description: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Executive Summary

This vulnerability exists in socat versions 1.8.0.0 through 1.8.1.1 and is a heap-based buffer overflow. It occurs because of a sign-extension flaw in the DOMAINNAME reply parser when communicating with a malicious SOCKS5 proxy server. Specifically, the domain name length byte is read as a signed char, which can result in a negative value. This negative value is then implicitly converted to an unsigned size_t type, causing an unbounded write into a 262-byte heap buffer with attacker-controlled size and content.
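
The sign-extension pattern described above, next to a bounds-checked form, as an added example that is not socat's source code. The function names, the `have` parameter and the length arithmetic are assumptions that model the description; the 262-byte limit follows from the RFC 1928 reply layout.

```c
#include <stddef.h>
#include <stdio.h>

/* RFC 1928 reply: VER REP RSV ATYP | LEN | name (<=255) | PORT(2) => max 262 bytes */
#define SOCKS5_REPLY_MAX   262
#define SOCKS5_ATYP_DOMAIN 0x03
#define SOCKS5_FIXED       7   /* 4 header + 1 length + 2 port */

/* Flawed pattern (model, not socat source): length byte viewed as signed char.
 * 'have' is the number of reply bytes already in the buffer. */
size_t bytes_to_read_flawed(const unsigned char *buf, size_t have)
{
    signed char len = (signed char)buf[4];          /* 0x80 becomes -128 */
    int bytes_to_read = SOCKS5_FIXED + len - (int)have;
    return (size_t)bytes_to_read;                   /* negative wraps to a huge count */
}

/* Hardened form: unsigned length, explicit bound against the buffer size.
 * Returns 0 and stores the remaining byte count in *out, or -1 on a bad reply. */
int bytes_to_read_checked(const unsigned char *buf, size_t have, size_t *out)
{
    if (have < 5 || buf[3] != SOCKS5_ATYP_DOMAIN)
        return -1;
    size_t total = SOCKS5_FIXED + (size_t)buf[4];   /* 7..262 */
    if (total > SOCKS5_REPLY_MAX || have > total)
        return -1;
    *out = total - have;
    return 0;
}

int main(void)
{
    /* Constructed sample: first five bytes of a DOMAINNAME reply, LEN = 0x80 */
    unsigned char reply[5] = { 0x05, 0x00, 0x00, SOCKS5_ATYP_DOMAIN, 0x80 };
    size_t n = 0;

    printf("flawed : %zu bytes requested\n", bytes_to_read_flawed(reply, 5));
    if (bytes_to_read_checked(reply, 5, &n) == 0)
        printf("checked: %zu bytes requested (fits in %d)\n", n, SOCKS5_REPLY_MAX);
    return 0;
}
```

For length bytes below 0x80 both functions return the same count; they diverge only once the byte's high bit is set.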

Compliance Impact

The provided information does not specify how the CVE-2026-56123 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory during connection setup. This can lead to memory corruption, which may be exploited to execute arbitrary code, cause a denial of service, or crash the affected application.

Detection Guidance

Detection of CVE-2026-56123 involves identifying attempts to connect to malicious SOCKS5 proxy servers that exploit the heap-based buffer overflow in affected socat versions. Since the vulnerability is triggered during connection setup by a specially crafted DOMAINNAME reply, monitoring network traffic for unusual or suspicious SOCKS5 responses may help.

There are no specific detection commands or signatures provided in the available resources. However, general approaches include:

  • Monitoring the socat versions in use to ensure none fall in the vulnerable range, 1.8.0.0 through 1.8.1.1.
  • Using network traffic analysis tools (e.g., Wireshark or tcpdump) to capture SOCKS5 negotiation packets and inspecting the DOMAINNAME reply length byte for anomalies.
  • Checking socat logs for crashes or abnormal behavior during SOCKS5 connections.

Since no explicit detection commands are provided, a practical step is to upgrade socat to version 1.8.1.2 or later, which fixes the issue.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade socat to version 1.8.1.2 or later, as versions 1.8.0.0 through 1.8.1.1 are affected by the heap-based buffer overflow.

Avoid connecting to untrusted or potentially malicious SOCKS5 proxy servers, since the vulnerability is exploited during connection setup with such servers.
