CVE-2026-25061

7.5 HIGH

📋 TL;DR

This vulnerability in tcpflow's wifipcap component allows a 1-byte out-of-bounds write when parsing specially crafted 802.11 management frames with large TIM elements. Attackers could potentially cause denial of service or execute arbitrary code by sending malicious wireless packets. Users running tcpflow versions up to 1.61 for wireless packet analysis are affected.

💻 Affected Systems

Products:
  • tcpflow
Versions: Up to and including version 1.61
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using tcpflow's wifipcap functionality for wireless packet analysis

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if the 1-byte overflow can be leveraged for memory corruption attacks

🟠 Likely Case: Denial of service through application crash or instability when processing malicious wireless frames

🟢 If Mitigated: No impact if tcpflow is not used for wireless packet capture or if network filtering blocks malicious 802.11 frames

🌐 Internet-Facing: LOW - Requires local wireless network access or specific wireless packet injection capabilities
🏢 Internal Only: MEDIUM - Internal attackers with wireless access could exploit this against systems running tcpflow

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires wireless packet injection capabilities and specific knowledge of 802.11 frame crafting

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6

Restart Required: No

Instructions:

No official patch available. Monitor the GitHub advisory for updates and apply patches when released.

🔧 Temporary Workarounds

Disable wireless packet capture (applies to: all): Avoid using tcpflow for wireless packet analysis until a patch is available

Network segmentation (applies to: all): Isolate systems running tcpflow from untrusted wireless networks

🧯 If You Can't Patch

  • Remove tcpflow from production systems if wireless analysis is not required
  • Implement strict network access controls to prevent wireless packet injection attacks

🔍 How to Verify

Check if Vulnerable:

Check tcpflow version: tcpflow --version | grep -i version

Check Version:

tcpflow --version

Verify Fix Applied:

Verify version is greater than 1.61 when patch becomes available

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults in tcpflow processes
  • Unexpected termination of tcpflow daemons

Network Indicators:

  • Malformed 802.11 management frames with unusually large TIM elements
  • Wireless packet injection attempts
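The first network indicator above can be checked mechanically. The following is an added example, not code from this advisory or from the tcpflow project: a small Python inspector that walks the information elements of an 802.11 beacon frame and reports a TIM element (element ID 5) whose declared length overruns the frame, falls outside the 4..254 byte range the 802.11 standard allows, or exceeds a caller-supplied size threshold. It assumes input is a raw 802.11 frame with no radiotap header; the default threshold of 128 bytes is an assumption for tuning, since the advisory does not state the size that triggers the overflow in tcpflow. The build_beacon helper only constructs test fixtures for the check.

```python
"""Flag 802.11 beacon frames carrying malformed or unusually large TIM elements (added example)."""
import struct
from dataclasses import dataclass

MGMT_HEADER_LEN = 24      # frame control(2) + duration(2) + 3 addresses(18) + sequence control(2)
BEACON_FIXED_LEN = 12     # timestamp(8) + beacon interval(2) + capability info(2)
TIM_ELEMENT_ID = 5
TIM_MIN_LEN = 4           # DTIM count, DTIM period, bitmap control, at least 1 bitmap byte
TIM_MAX_LEN = 254         # 3 fixed bytes + at most 251 partial-virtual-bitmap bytes (802.11)


@dataclass
class Finding:
    reason: str
    tim_len: int


def is_beacon(frame: bytes) -> bool:
    """Frame control byte 0: bits 2-3 = type (0 = management), bits 4-7 = subtype (8 = beacon)."""
    if not frame:
        return False
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3 == 0 and (fc0 >> 4) & 0xF == 8


def inspect_beacon(frame: bytes, large_threshold: int = 128) -> list:
    """Return a list of Findings for every suspicious TIM element in a beacon frame.

    large_threshold is an assumed tuning value; the advisory gives no trigger size.
    """
    findings = []
    if not is_beacon(frame):
        return findings                      # only beacons carry a TIM element
    offset = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    if len(frame) < offset:
        return [Finding("beacon shorter than header plus fixed parameters", -1)]
    # Information elements are a sequence of (element id, length, body) triples.
    while offset + 2 <= len(frame):
        eid, elen = frame[offset], frame[offset + 1]
        end = offset + 2 + elen
        if eid == TIM_ELEMENT_ID:
            if end > len(frame):
                findings.append(Finding("TIM length overruns frame", elen))
            elif elen < TIM_MIN_LEN:
                findings.append(Finding("TIM shorter than minimum", elen))
            elif elen > TIM_MAX_LEN:
                findings.append(Finding("TIM exceeds 802.11 maximum", elen))
            elif elen >= large_threshold:
                findings.append(Finding("unusually large TIM", elen))
        if end > len(frame):
            break                            # declared length runs past the capture; stop walking
        offset = end
    return findings


def build_beacon(ies) -> bytes:
    """Constructed test fixture: a minimal beacon (broadcast dst, zeroed src/bssid) with the given IEs."""
    fc = bytes([0x80, 0x00])                 # management type, beacon subtype
    header = fc + b"\x00\x00" + b"\xff" * 6 + b"\x00" * 12 + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0401)   # timestamp, interval 100 TU, ESS + short preamble
    body = b"".join(bytes([eid, len(data)]) + data for eid, data in ies)
    return header + fixed + body


if __name__ == "__main__":
    normal = build_beacon([(0, b"lab-ssid"), (TIM_ELEMENT_ID, bytes([0, 1, 0, 0]))])
    oversized = build_beacon([(0, b"lab-ssid"), (TIM_ELEMENT_ID, bytes(200))])
    for label, frame in (("normal", normal), ("oversized", oversized)):
        print(label, inspect_beacon(frame))
```

Feed the function frames from a monitor-mode capture (strip the radiotap header first) and forward any non-empty result to the SIEM alongside the crash indicators listed below; the threshold should be lowered or raised to match the TIM sizes normally seen on your own access points.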

SIEM Query:

process_name:"tcpflow" AND (event_type:"crash" OR exit_code:139)
