CVE-2016-2563
NONE EPSS 98.2%
Published Apr 7, 201610y ago · Modified Jun 17, 20262w ago
Published Apr 7, 2016 10y ago
Last Modified Jun 17, 2026 2w ago
Description
Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 and KiTTY 0.66.6.3 and earlier allows remote servers to cause a denial of service (stack memory corruption) or execute arbitrary code via a crafted SCP-SINK file-size response to an SCP download request.
Threat Intelligence
EPSS Exploit Probability
98.2% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Memory Safety
Affected Products 2
| Vendor | Product | Version | Range |
|---|---|---|---|
| 9bis | kitty | * | ≤0.66.6.3 |
| simon_tatham | putty | * | ≤0.66 |
References 7
- lists.opensuse.org http://lists.opensuse.org/opensuse-updates/2016-05/msg00131.html
- seclists.org http://seclists.org/fulldisclosure/2016/Mar/22
- chiark.greenend.org.uk http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html
- securityfocus.com http://www.securityfocus.com/bid/84296
- securitytracker.com http://www.securitytracker.com/id/1035257
- github.com https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563
- security.gentoo.org https://security.gentoo.org/glsa/201606-01
Remediation
- chiark.greenend.org.uk http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.html