CVE-2026-43958
Description
A stack buffer overflow in rrdcached's CREATE request handler allows local attackers to crash the daemon or execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack-based buffer overflow exists in rrdcached, a component of rrdtool, specifically within the handle_request_create() function in src/rrd_daemon.c [2]. The vulnerability occurs when processing a CREATE request with an excessive number of DS: or RRA: tokens. These tokens are appended to a fixed-size stack array without bounds checking, allowing an oversized request to overwrite adjacent memory on the stack [2]. Affected versions include rrdtool-1.8.0-20.el10, and potentially others with similar parser logic [2].
Exploitation
An attacker requires local access to a system running rrdcached and permission to connect to a socket that accepts CREATE requests [2]. The default exposure is often a local UNIX socket, such as unix:/tmp/rrdcached.sock, though TCP sockets may also be exposed [2]. The attacker must send a single, oversized CREATE request containing more than 128 DS: or RRA: tokens to trigger the overflow. No user interaction is necessary once socket access is established [2].
Impact
Successful exploitation of this vulnerability can lead to a denial of service by crashing the rrdcached daemon [2]. More critically, it may allow for arbitrary code execution, potentially impacting the confidentiality and integrity of the data managed by rrdcached [2]. The scope of the compromise is within the rrdcached process itself [2].
Mitigation
A patch has been proposed, but the upstream release status and the exact version fixed are currently unknown [2]. No other mitigation or workaround details are available in the provided references. The vulnerability is listed with a CVSS score of 7.8 (HIGH) [2].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The rrdcached handle_request_create() function appends attacker-controlled tokens to a fixed-size stack array without checking bounds."
Attack vector
A local attacker with access to a rrdcached socket can send a single oversized CREATE request. This request must contain more than 128 DS: or RRA: tokens. The oversized request causes a stack-based buffer overflow by writing past the end of the `av` array. No user interaction is required once socket access is obtained [ref_id=1].
Affected code
The vulnerability exists in the `handle_request_create()` function within `src/rrd_daemon.c`. Specifically, the code iterates through tokens, adding DS: and RRA: tokens to a local array `av` without validating the count `ac` against the array's capacity of 128 [ref_id=1].
What the fix does
The proposed fix adds bounds checking to the `handle_request_create()` function. Before appending a DS: or RRA: token to the `av` array, the code now checks if the current count `ac` has reached the maximum allowed size of 128. If the limit is exceeded, an error response is sent back to the client, preventing the out-of-bounds write and subsequent crash or potential code execution [ref_id=1].
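A minimal sketch of the bounds check described above, as an added example rather than rrdtool's code or the proposed patch. `collect_ds_rra`, `demo_collect` and `AV_MAX` are hypothetical names, the request line is constructed, and the capacity of 128 is the figure given on this page.

```c
#include <stdio.h>
#include <string.h>

#define AV_MAX 128  /* capacity of av[] as stated on this page */

/* Hypothetical helper (not rrdtool code): store pointers to the DS:/RRA:
 * tokens of a space-separated argument string in av[]. Returns the number
 * stored, or -1 when the request carries more such tokens than av[] holds. */
static int collect_ds_rra(char *args, char *av[], int cap)
{
    int ac = 0;
    char *p = args;
    while (*p != '\0') {
        p += strspn(p, " ");              /* skip separators */
        if (*p == '\0')
            break;
        char *tok = p;
        p += strcspn(p, " ");             /* find the end of this token */
        if (*p != '\0')
            *p++ = '\0';                  /* terminate the token in place */
        if (strncmp(tok, "DS:", 3) != 0 && strncmp(tok, "RRA:", 4) != 0)
            continue;                     /* only DS:/RRA: tokens go into av[] */
        if (ac >= cap)
            return -1;                    /* reject before writing av[ac] */
        av[ac++] = tok;
    }
    return ac;
}

/* Build a constructed argument string with n_ds DS: tokens plus one RRA:
 * token and run it through the bounded collector. */
static int demo_collect(int n_ds)
{
    static char line[8192];
    char *av[AV_MAX];
    size_t off = 0;
    for (int i = 0; i < n_ds && off < sizeof line - 64; i++)
        off += (size_t)snprintf(line + off, sizeof line - off,
                                "DS:x%d:GAUGE:1:0:U ", i);
    snprintf(line + off, sizeof line - off, "RRA:AVERAGE:0.5:1:10");
    return collect_ds_rra(line, av, AV_MAX);
}

int main(void)
{
    printf("127 DS + 1 RRA -> %d\n", demo_collect(127));
    printf("150 DS + 1 RRA -> %d\n", demo_collect(150));
    return 0;
}
```

The check sits before the store, so a request with exactly 128 DS:/RRA: tokens is accepted and the 129th is refused with an error instead of being silently truncated.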
Preconditions
- auth: Attacker needs local access and permission to connect to a socket that accepts CREATE requests [ref_id=1].
- network: The rrdcached daemon must be running and accessible via a socket (e.g., local UNIX socket or potentially a TCP socket) [ref_id=1].
Reproduction
1. Build `rrdcached` with AddressSanitizer if available, then start the daemon in the foreground on a UNIX socket, for example: `./src/rrdcached -g -l unix:/tmp/rrdcached.sock`
2. Send one `CREATE` line with more than 128 `DS:` fields and at least one `RRA:` field using python3 and socat:

```bash
python3 - <<'PY' | socat - UNIX-CONNECT:/tmp/rrdcached.sock
ds = " ".join([f"DS:x{i}:GAUGE:1:0:U" for i in range(150)])
print(f"CREATE /tmp/poc.rrd {ds} RRA:AVERAGE:0.5:1:10")
PY
```

3. Observe the result: An ASan build reports a stack out-of-bounds write at `av[ac++]`. A non-ASan build may crash or exhibit undefined memory-corruption behavior [ref_id=1].
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.