CVE-2017-3158
Description
A race condition in Guacamole's terminal emulator in versions 0.9.5 through 0.9.10-incubating could allow writes of blocks of printed data to overlap. Such overlapping writes could cause packet data to be misread as the packet length, resulting in the remaining data being written beyond the end of a statically-allocated buffer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Guacamole's terminal emulator (0.9.5–0.9.10-incubating) can cause overlapping writes leading to heap buffer overflow.
Vulnerability
A race condition exists in the terminal emulator of Apache Guacamole versions 0.9.5 through 0.9.10-incubating [1]. When blocks of printed data are written concurrently, the writes can overlap, causing packet data to be misread as the packet length. This results in the remaining data being written beyond the end of a statically-allocated buffer, leading to a heap-based buffer overflow [1].
Exploitation
An attacker needs to be able to send crafted input to the Guacamole terminal emulator, which is reachable during normal usage of the client [1]. Exploitation requires precise timing to trigger the race window, as two or more writes must overlap. No authentication is strictly required if the attacker can inject data into the terminal session; the vulnerability is triggered by the terminal emulator's handling of concurrent writes [1].
Impact
Successful exploitation allows the attacker to write controlled data beyond the bounds of the statically-allocated buffer. This can lead to a denial of service (crash) or potentially arbitrary code execution depending on the memory layout [1]. The compromise occurs within the context of the Guacamole application, potentially allowing further attacks on the server.
Mitigation
Apache Guacamole versions 0.9.11-incubating (released in 2017) and later fix this race condition [1]. Users should upgrade to 0.9.11-incubating or newer. If upgrading is not immediately possible, consider limiting exposure by restricting network access to the Guacamole service and monitoring for unusual terminal behavior. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.guacamole:guacamole-commonMaven | >= 0.9.5, < 0.9.11-incubating | 0.9.11-incubating |
Affected products
3- Apache Software Foundation/Apache Guacamolev5Range: Apache Guacamole 0.9.5 to 0.9.10-incubating
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-3vv3-585q-wv6xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-3158ghsaADVISORY
- lists.apache.org/thread.html/b218d36bfdaf655d27382daec4dcd02ec717631f4aee8b7e4300ad65%40%3Cuser.guacamole.apache.org%3Emitrex_refsource_MISC
- lists.apache.org/thread.html/b218d36bfdaf655d27382daec4dcd02ec717631f4aee8b7e4300ad65@%3Cuser.guacamole.apache.org%3EghsaWEB
News mentions
0No linked articles in our index yet.