VYPR
Unrated severity · OSV Advisory · Published Jun 5, 2018 · Updated Aug 5, 2024

CVE-2018-10058

Description

Cgminer 4.10.0 and bfgminer 5.5.0 remote management interface contains a stack-based buffer overflow allowing authenticated remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The remote management interface in cgminer 4.10.0 and bfgminer 5.5.0 (and earlier versions) contains a stack-based buffer overflow (CWE-121) in the handlers for the addpool, failover-only, poolquota, and save commands. The vulnerability arises because user-supplied input is copied into fixed-size stack buffers without proper bounds checking. Both miners share a common code base, so both are affected [1][2].

Exploitation

An attacker must first authenticate to the remote management interface. Once authenticated, they can send crafted requests to the vulnerable command handlers. The PoC demonstrates sending an oversized argument to the addpool command, which overflows the stack buffer and overwrites the return address. No user interaction beyond authentication is required; the attack is network-based [1].

Impact

Successful exploitation allows an authenticated remote attacker to execute arbitrary code with the privileges of the miner process. This can lead to full compromise of the mining system, including data exfiltration, installation of malware, or disruption of mining operations. The impact is high as it provides code execution on the target [1][2].

Mitigation

As of the publication date (2018-06-05), no official patches have been released for either cgminer or bfgminer. The latest versions (4.10.0 and 5.5.0) remain vulnerable. Users are advised to restrict access to the remote management interface to trusted networks only, or disable it if not required. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

  • Ckolivas/Cgminer (OSV), 2 versions: bfgminer-2.10.0, bfgminer-2.10.1, bfgminer-2.10.2, …+ 1 more
    • (no CPE) range: bfgminer-2.10.0, bfgminer-2.10.1, bfgminer-2.10.2, …
    • (no CPE) range: =4.10.0
  • Range: =5.5.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds checking on attacker-supplied input in the addpool, failover-only, poolquota, and save command handlers allows a stack-based buffer overflow."

Attack vector

An attacker must first authenticate to the remote management API interface, which accepts either plaintext or JSON-encoded commands [ref_id=1]. After authentication, the attacker sends a crafted command to one of the vulnerable handlers (`addpool`, `failover-only`, `poolquota`, or `save`) with an oversized payload that overflows a stack buffer [ref_id=1][ref_id=2]. This overflow corrupts the stack and can be leveraged to achieve arbitrary code execution on the miner host [CWE-121].

Affected code

The vulnerability resides in the API command handlers defined in `api.c` for both cgminer (≤4.10.0) and bfgminer (≤5.5.0). The `addpool`, `failover-only`, `poolquota`, and `save` command handlers lack proper bounds checking on attacker-supplied input, leading to a stack-based buffer overflow [ref_id=1][ref_id=2].

What the fix does

No patch is published in the supplied bundle. The advisory does not specify a fix; both cgminer 4.10.0 and bfgminer 5.5.0 are listed as the latest affected versions with no mention of a subsequent release [ref_id=1][ref_id=2]. Remediation would require the vendor to add bounds checking on input lengths in the `addpool`, `failover-only`, `poolquota`, and `save` command handlers before copying data into fixed-size stack buffers.
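To make the remediation described above concrete, the following C snippet is an added illustration (not code from cgminer, bfgminer or the advisory) of the CWE-121 pattern and of the bounds check a fix would add. The buffer sizes, the `url,user,pass` field layout, the argument cap and all function names are assumptions chosen for this example; they are not taken from either project's `api.c`.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed sizes for this illustration only (not cgminer's or bfgminer's values). */
#define POOL_FIELD_MAX 64     /* fixed-size stack buffer for one field */
#define API_ARG_MAX    1024   /* cap on one command argument */

struct pool_args {
    char url[POOL_FIELD_MAX];
    char user[POOL_FIELD_MAX];
    char pass[POOL_FIELD_MAX];
};

/* "Before": the length of arg is never compared with the buffer it lands in.
 * Any argument of POOL_FIELD_MAX bytes or more writes past url[] on the stack
 * (undefined behaviour), which is the class of bug the advisory describes.
 * Kept here only to show the pattern; call it only with short input. */
int addpool_unsafe(const char *arg)
{
    char url[POOL_FIELD_MAX];
    strcpy(url, arg);                     /* CWE-121: unbounded copy */
    return (int)strlen(url);
}

/* Length of s, never reading more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copies src[0..len) plus a terminator into dst[cap]; -1 if it would not fit. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* "After": parse "url,user,pass" into fixed-size stack buffers, checking every
 * length before any byte is copied. Returns 0 on success, -1 if the argument
 * is too long overall, is missing a field, or has a field too long for its buffer. */
int parse_addpool_checked(const char *arg, struct pool_args *out)
{
    if (arg == NULL || out == NULL)
        return -1;
    size_t total = bounded_len(arg, API_ARG_MAX);
    if (total >= API_ARG_MAX)             /* reject before touching any field */
        return -1;

    char *dsts[3] = { out->url, out->user, out->pass };
    const char *p = arg;
    for (int i = 0; i < 3; i++) {
        size_t remaining = (size_t)(arg + total - p);
        const char *end = memchr(p, ',', remaining);
        size_t len = end ? (size_t)(end - p) : remaining;
        if (i < 2 && end == NULL)
            return -1;                    /* fewer than three fields */
        if (copy_field(dsts[i], POOL_FIELD_MAX, p, len) != 0)
            return -1;                    /* field would overflow its buffer */
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* Constructed input: returns 1 if a well-formed argument parses into the expected fields. */
int demo_good_input(void)
{
    struct pool_args pa;
    if (parse_addpool_checked("stratum+tcp://pool.example:3333,worker1,x", &pa) != 0)
        return 0;
    return strcmp(pa.url, "stratum+tcp://pool.example:3333") == 0 &&
           strcmp(pa.user, "worker1") == 0 && strcmp(pa.pass, "x") == 0;
}

/* Constructed input: a url field of n bytes followed by ",u,p"; returns the parse result. */
int demo_url_of_length(size_t n)
{
    char buf[API_ARG_MAX + 16];
    if (n > API_ARG_MAX)
        n = API_ARG_MAX;
    memset(buf, 'A', n);
    memcpy(buf + n, ",u,p", 5);          /* includes the terminator */
    struct pool_args pa;
    return parse_addpool_checked(buf, &pa);
}

int main(void)
{
    printf("well-formed argument accepted: %d\n", demo_good_input());
    printf("63-byte url -> %d\n", demo_url_of_length(63));   /* fits, accepted */
    printf("64-byte url -> %d\n", demo_url_of_length(64));   /* no room for NUL, rejected */
    printf("300-byte url -> %d\n", demo_url_of_length(300)); /* rejected */
    return 0;
}
```

The hardened parser rejects an oversized field before the first byte is copied, so no input length can reach past a stack buffer; the same check is what the advisory says is missing in the `addpool`, `failover-only`, `poolquota` and `save` handlers.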

Preconditions

  • auth: Attacker must have valid credentials to authenticate to the remote management API
  • network: Network access to the API port (typically port 4028) on the miner host
  • config: The vulnerable command handlers (addpool, failover-only, poolquota, save) must be enabled in the API

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.