{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25220", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-28T11:46:46.215Z", "datePublished": "2026-03-28T11:58:13.268Z", "dateUpdated": "2026-03-30T14:53:23.576Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-28T11:58:13.268Z"}, "title": "Bochs 2.6-5 Buffer Overflow Remote Code Execution", "descriptions": [{"lang": "en", "value": "Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized input string to the application. Attackers can craft a malicious payload with 1200 bytes of padding followed by a return-oriented programming chain to overwrite the instruction pointer and execute shell commands with application privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Out-of-bounds Write", "cweId": "CWE-787", "type": "CWE"}]}], "affected": [{"vendor": "bochs", "product": "BOCHS", "versions": [{"version": "2.6-5", "status": "affected"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bochs_project:bochs:2.6-5:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/43979", "name": "ExploitDB-43979", "tags": ["exploit"]}, {"url": "http://bochs.sourceforge.net/", "name": "Official Product Homepage", "tags": ["product"]}, {"name": "VulnCheck Advisory: Bochs 2.6-5 Buffer Overflow Remote Code Execution", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/bochs-5-buffer-overflow-remote-code-execution"}], "credits": [{"lang": "en", "value": "Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2018-02-05T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T12:46:25.542647Z", "id": "CVE-2018-25220", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:53:23.576Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25220", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-30T12:46:25.542647Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T12:50:53.466Z"}}], "cna": {"title": "Bochs 2.6-5 Buffer Overflow Remote Code Execution", "credits": [{"lang": "en", "type": "finder", "value": "Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "bochs", "product": "BOCHS", "versions": [{"status": "affected", "version": "2.6-5"}]}], "datePublic": "2018-02-05T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/43979", "name": "ExploitDB-43979", "tags": ["exploit"]}, {"url": "http://bochs.sourceforge.net/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/bochs-5-buffer-overflow-remote-code-execution", "name": "VulnCheck Advisory: Bochs 2.6-5 Buffer Overflow Remote Code Execution", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized input string to the application. Attackers can craft a malicious payload with 1200 bytes of padding followed by a return-oriented programming chain to overwrite the instruction pointer and execute shell commands with application privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bochs_project:bochs:2.6-5:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-28T11:58:13.268Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25220", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:53:23.576Z", "dateReserved": "2026-03-28T11:46:46.215Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-28T11:58:13.268Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bochs_project:bochs:2.6.5:*:*:*:*:*:*:*", "matchCriteriaId": "C690E514-C352-4BD3-8946-41D47D684552", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized input string to the application. Attackers can craft a malicious payload with 1200 bytes of padding followed by a return-oriented programming chain to overwrite the instruction pointer and execute shell commands with application privileges."}, {"lang": "es", "value": "Bochs 2.6-5 contiene una vulnerabilidad de desbordamiento de b\u00fafer basado en pila que permite a los atacantes ejecutar c\u00f3digo arbitrario al proporcionar una cadena de entrada sobredimensionada a la aplicaci\u00f3n. Los atacantes pueden crear una carga \u00fatil maliciosa con 1200 bytes de relleno seguidos de una cadena de programaci\u00f3n orientada a retorno para sobrescribir el puntero de instrucci\u00f3n y ejecutar comandos de shell con privilegios de aplicaci\u00f3n."}], "id": "CVE-2018-25220", "lastModified": "2026-04-02T19:18:20.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-28T12:16:02.600", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "http://bochs.sourceforge.net/"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/43979"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/bochs-5-buffer-overflow-remote-code-execution"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.6-5"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "BOCHS", "source": "cna", "vendor": "bochs"}, "product": "bochs", "vendor": "bochs"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.6-5"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "bochs", "vendor": "bochs_project"}], "analysis": {"en": {"generated_at": "2026-04-02T21:21:20.617281+00:00", "value": {"mitigation_remediation": ["Upgrade Bochs to a version newer than 2.6\u20115 that contains the buffer overflow fix", "If a timely upgrade is not possible, restrict Bochs from receiving untrusted input, for example by disabling network or file readers that provide data to the emulator", "Monitor logs for abnormal input lengths or crashes that could indicate an attempted buffer overflow"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are the Bochs emulator distributed by the Bochs Project. The vulnerability exists in version 2.6\u20115 (also listed as 2.6.5). No other product versions are listed as affected. Applications that run this version of Bochs are at risk if they accept user\u2011supplied input without proper bounds checking.", "description_and_impact": "The vulnerability is a stack\u2011based buffer overflow in the Bochs 2.6\u20115 emulator. An attacker can supply an oversized input string, 1200 bytes of padding followed by a return\u2011oriented\u2011programming chain, that overwrites the instruction pointer and causes arbitrary shell commands to execute with the privileges of the running Bochs process. This provides the attacker with the ability to read, modify, or delete files and execute any program under the emulator\u2019s user account. The weakness is a classic buffer overflow and is classified as CWE\u2011787.", "risk_and_exploitability": "The CVSS score of 9.3 marks this issue as critical. However, the EPSS score of less than 1% indicates a very low likelihood of current exploitation in the wild, and the vulnerability is not included in CISA\u2019s KEV catalog. The attack vector is inferred to be remote or local depending on how the emulator receives input; if the Bochs process is exposed to network traffic or processes untrusted files, an attacker could deliver the malicious payload. The exploit requires only the ability to supply a crafted string to Bochs, making it potentially exploitable in environments where the emulator is run with elevated privileges."}}}}, "created": "2026-03-29T20:32:18.059098+00:00", "updated": "2026-04-03T09:38:32.599544+00:00", "vendors": ["bochs", "bochs$PRODUCT$bochs", "bochs_project", "bochs_project$PRODUCT$bochs"]}