CRITICAL | CVE-2026-56123 | CNA: VulnCheck

CVE-2026-56123: socat 1.8.0.0 - 1.8.1.1 Heap Buffer Overflow via SOCKS5 Reply Parser

socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read through a signed char field, which yields a negative bytes_to_read value that is implicitly converted to size_t. The result is an unbounded heap write into the 262-byte reply buffer with attacker-controlled size and content.

Metrics

CVSS v4.0: 9.2
Severity: CRITICAL
Fixed in: 1.8.1.2
Affected Products: 1


HarborGuard Analysis

Synopsis

A heap-based buffer overflow affects socat versions 1.8.0.0 through 1.8.1.1 in the SOCKS5 reply parser. The vulnerability is reachable over the network without any authentication, triggered when socat connects through a malicious SOCKS5 proxy server that returns a crafted DOMAINNAME reply. A sign-extension flaw converts a negative domain name length byte into a massive size_t value, causing an unbounded write of attacker-controlled data into heap memory, enabling remote code execution or service disruption. A patched-image rebuild at version 1.8.1.2 is available on HarborGuard for affected environments.
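The sign-extension flaw described above, shown as an added example that is not socat source code or HarborGuard's: a simplified model of the length handling next to a bounded form. Only `bytes_to_read` and the 262-byte buffer size come from the advisory; the function names, macros and sample header bytes are hypothetical and constructed for illustration.

```c
/* Added example: simplified model of the length handling, not socat source. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLY_BUF_SIZE 262u /* 4 header + 1 length + 255 name + 2 port */
#define REPLY_FIXED    5u   /* VER REP RSV ATYP LEN */
#define PORT_LEN       2u

/* Flawed pattern: the length byte is viewed as a signed char, so values
 * 0x80..0xff become -128..-1 before they are used as a byte count. */
size_t remaining_flawed(const unsigned char *reply)
{
    signed char namelen = (signed char)reply[4];
    int bytes_to_read = namelen;   /* model: name bytes still to read */
    return (size_t)bytes_to_read;  /* a negative int wraps to a huge size_t */
}

/* Hardened pattern: take the length as unsigned and bound the whole reply
 * against the buffer capacity. Returns 0 and stores the name length in
 * *out, or -1 when the reply would not fit. */
int remaining_checked(const unsigned char *reply, size_t cap, size_t *out)
{
    size_t namelen = reply[4];     /* always 0..255 */
    if (cap < REPLY_FIXED + PORT_LEN ||
        namelen > cap - REPLY_FIXED - PORT_LEN)
        return -1;
    *out = namelen;
    return 0;
}

int main(void)
{
    /* Constructed sample headers: VER=5, REP=0, RSV=0, ATYP=3, LEN varies. */
    const unsigned char lens[] = { 0x10, 0x7f, 0x80, 0xff };
    for (size_t i = 0; i < sizeof lens; i++) {
        unsigned char hdr[5] = { 0x05, 0x00, 0x00, 0x03, lens[i] };
        size_t safe = 0;
        int rc = remaining_checked(hdr, REPLY_BUF_SIZE, &safe);
        printf("len=0x%02x flawed=%zu checked=%s%zu\n", lens[i],
               remaining_flawed(hdr), rc ? "reject:" : "", safe);
    }
    return 0;
}
```

With the length taken as an unsigned byte, the largest possible reply is exactly 262 bytes, so the bound only rejects when the caller's buffer is smaller than that.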

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-56123 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including VulnCheck, NVD, and OS vendor advisories. Coverage extends to custom-built images that bundle socat, not just images sourced from public registries.

Triage: Available

Triage is available using the CVSS v4.0 score of 9.2 (Critical), weighted against each customer environment's compliance policy to determine priority and escalation path. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Available

A patched-image rebuild at socat 1.8.1.2 is available for any image found to include an affected version of socat. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must operate or control a SOCKS5 proxy server that socat connects to over the network, making network-level access to the proxy path a prerequisite.

  • Authentication: Not required

    No authentication credentials are required; the malicious proxy server can trigger the overflow during the unauthenticated SOCKS5 connection handshake.

  • Victim interaction: Not required

    No user or operator action beyond the normal operation of socat is needed; the overflow occurs automatically during connection setup.

  • Attack complexity: Detail

    Attack complexity is rated High, meaning the attacker must position a malicious SOCKS5 server in the connection path and craft a precise reply payload to control heap layout and overflow size.

Blast Radius

  • An attacker writes arbitrary data of attacker-controlled size into heap memory adjacent to socat's 262-byte reply buffer, overwriting internal heap structures or other allocations.
  • Successful heap corruption enables remote code execution in the context of the socat process, which may run with elevated privileges depending on how the host uses it.
  • Confidential data passing through the socat relay, including proxied network streams, becomes readable or modifiable by the attacker.
  • The socat process can be crashed, interrupting any tunnels, port forwards, or relay connections it is managing.

How HarborGuard Handles This

Available on HarborGuard: detection of this Critical-severity issue is active for all images scanned in customer pipelines and registries, with results available within minutes of CVE publication. For environments running socat 1.8.0.0 through 1.8.1.1, a rebuilt image at version 1.8.1.2 is available as soon as the base image or package layer is updated. Where compliance policy permits auto-remediation, HarborGuard triggers a rebuild, executes a regression test run against the updated image, and opens a pull request against affected workloads. For environments where auto-remediation is not enabled, the finding appears in the dashboard with severity 9.2 Critical and fix-version guidance so engineering teams can act manually. Given the network-reachable nature of this flaw, teams using socat as a SOCKS5 client should treat remediation as urgent and consider network-policy controls that restrict which proxy endpoints socat is permitted to reach as a compensating measure until the patched image is deployed.


Fix available: 1.8.1.2

Affected packages
  • socat / socat: < 1.8.1.2 (from 1.8.0.0)

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N