Critical severity9.8NVD Advisory· Published Apr 7, 2016· Updated May 6, 2026

CVE-2016-2563

Description

Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 and KiTTY 0.66.6.3 and earlier allows remote servers to cause a denial of service (stack memory corruption) or execute arbitrary code via a crafted SCP-SINK file-size response to an SCP download request.

Affected products

Putty/Putty
cpe:2.3:a:simon_tatham:putty:*:*:*:*:*:*:*:*
Range: <=0.66

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-pscp-sink-sscanf.htmlnvdPatch
github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563nvdVendor Advisory
lists.opensuse.org/opensuse-updates/2016-05/msg00131.htmlnvd
seclists.org/fulldisclosure/2016/Mar/22nvd
www.securityfocus.com/bid/84296nvd
www.securitytracker.com/id/1035257nvd
security.gentoo.org/glsa/201606-01nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.023
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000