Maliciously crafted evidence packet may cause denial of service
Description
Akashi is an open source server implementation of the Attorney Online video game based on the Ace Attorney universe. Affected versions of Akashi are subject to a denial of service attack. An attacker can use a specially crafted evidence packet to make an illegal modification, causing a server crash. This can be used to mount a denial-of-service exploit. Users are advised to upgrade. There is no known workaround for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Akashi server vulnerable to denial of service via specially crafted evidence packet causing out-of-bounds access and crash.
Vulnerability
Akashi, an open-source server implementation of Attorney Online, is vulnerable to a denial of service attack in versions that predate the patch, which has not yet been released. The vulnerability resides in the pktRemoveEvidence and pktEditEvidence functions within AOClient [2]. The bounds check is off by one: it tests idx <= area->evidence().size() instead of idx < area->evidence().size(), so an index equal to the current size of the evidence list passes the check, resulting in an out-of-bounds memory access that crashes the server [1][2].
Exploitation
An attacker can send a specially crafted evidence packet (either remove or edit) with an index value set to the size of the evidence list in a target area. No authentication or special privileges are required beyond the ability to send evidence packets; however, the advisory notes that restricting evidence to moderators can serve as a workaround [1]. The malformed packet triggers the off-by-one condition, causing the server to attempt an illegal memory modification and crash.
Impact
Successful exploitation results in a denial of service (DoS). The server crashes, disrupting gameplay for all connected clients. The vulnerability does not appear to allow data corruption or remote code execution based on available references.
Mitigation
A fix has been developed in commit 5566cdfedd which changes the bound checks to use strict less-than (<) [2]. This patch has not yet been released in a new version. As a workaround, server administrators can restrict evidence creation and modification to moderator roles only [1]. No other workaround is known.
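The bound check before and after the fix, as an added example that is not Akashi's own code. It assumes a std::vector in place of the server's evidence list, and the names Area, parse_index, index_ok_before, index_ok_after, edit_evidence and remove_evidence are hypothetical; the idx >= 0 test is also an assumption of this model.

```cpp
#include <cerrno>
#include <cstdlib>
#include <string>
#include <vector>

// Hypothetical stand-in for one area's evidence list (constructed for this example).
struct Area { std::vector<std::string> evidence; };

// Parse the index field of an evidence packet; rejects empty, non-numeric or trailing junk.
bool parse_index(const std::string& field, long& out) {
    if (field.empty()) return false;
    char* end = nullptr;
    errno = 0;
    long v = std::strtol(field.c_str(), &end, 10);
    if (errno != 0 || *end != '\0') return false;
    out = v;
    return true;
}

// Check as the page describes it before the fix: idx == size() is accepted.
bool index_ok_before(long idx, const Area& a) {
    return idx >= 0 && idx <= static_cast<long>(a.evidence.size());
}

// Check after the fix: strict less-than, so only existing slots pass.
bool index_ok_after(long idx, const Area& a) {
    return idx >= 0 && idx < static_cast<long>(a.evidence.size());
}

// Edit handler using the fixed check; returns false when the packet is dropped.
bool edit_evidence(Area& a, const std::string& idx_field, const std::string& value) {
    long idx = 0;
    if (!parse_index(idx_field, idx) || !index_ok_after(idx, a)) return false;
    a.evidence[static_cast<std::size_t>(idx)] = value;
    return true;
}

// Remove handler using the fixed check.
bool remove_evidence(Area& a, const std::string& idx_field) {
    long idx = 0;
    if (!parse_index(idx_field, idx) || !index_ok_after(idx, a)) return false;
    a.evidence.erase(a.evidence.begin() + idx);
    return true;
}

int main() {
    Area a{{"knife", "photo"}};   // constructed sample data
    // idx 2 == size(): the old check passes it, the handlers reject it.
    return (index_ok_before(2, a) && !edit_evidence(a, "2", "x")) ? 0 : 1;
}
```

A regression test for the fix should exercise idx == size() on both the edit and the remove path, since both handlers carried the same check.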
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: < 1.4
Patches
No patches discovered yet.
References
- github.com/AttorneyOnline/akashi/commit/5566cdfedddef1f219aee33477d9c9690bf2f78b (mitre, x_refsource_MISC)
- github.com/AttorneyOnline/akashi/security/advisories/GHSA-vj86-vfmg-q68v (mitre, x_refsource_CONFIRM)