MEDIUM 6.2

CVE-2018-25423: Buffer Overflow Denial of Service in Arm Whois 3.11

Arm Whois version 3.11 has a buffer overflow flaw that allows local users to crash the application by entering an extremely long string into IP address or domain input fields. An attacker with local access can supply a malicious 700-byte input to trigger a denial of service, making the tool temporarily unavailable but without risking data theft or system compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-120
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Attackers can paste a malicious buffer of 700 bytes into the IP address or domain input field to trigger a denial of service condition.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25423 is a classic stack-based or heap-based buffer overflow (CWE-120) in Arm Whois 3.11. The vulnerability exists in input validation for IP address and domain fields, where the application fails to enforce length restrictions on user-supplied strings. When input exceeding the allocated buffer size is provided, it overwrites adjacent memory, causing uncontrolled application termination. The attack vector is local with no privileges required and no user interaction, meaning any account on the system can trigger the crash.

Business impact

Organizations relying on Arm Whois 3.11 as part of their infrastructure reconnaissance or network troubleshooting workflows face intermittent service disruption. While the vulnerability does not enable data exfiltration or privilege escalation, repeated crashes can disrupt operational continuity and frustrate incident response or administrative tasks. For environments where Whois lookups are automated or integrated into larger workflows, denial of service could cascade into dependent systems.

Affected systems

Arm Whois version 3.11 is affected. Users of this specific version should assess their deployment footprint. Verify whether your organization uses Arm Whois in production, test, or development environments, and document which systems or accounts have local access to trigger input fields.

Exploitability

Exploitability is straightforward for local attackers. No special privileges, complex exploitation techniques, or user interaction are required. An attacker with shell or interactive access to the system running Arm Whois can immediately reproduce the crash by pasting a 700-byte payload into the affected input field. The attack is reliable and repeatable, though impact is limited to availability rather than confidentiality or integrity.

Remediation

Upgrade Arm Whois to a version released after the vulnerability was identified. Consult the vendor advisory to confirm the patched version number and any compatibility considerations. As an interim control, restrict local access to systems running Arm Whois 3.11 to trusted users only, and monitor for unexpected process crashes or restarts of the Whois service.

Patch guidance

Contact the Arm Whois vendor or check their official release notes to identify the fixed version. Apply the patch in a controlled manner by testing in a non-production environment first, verifying functionality with your integration workflows, and then rolling out to production systems. Document the patched version in your asset inventory.

Detection guidance

Monitor system logs for repeated crashes or abnormal termination of Arm Whois processes. Implement application-level logging if available to capture oversized input attempts. Network intrusion detection may be ineffective since the attack is local; focus on endpoint and process monitoring. Consider integrity checks on the Whois binary to detect tampering or exploitation artifacts.

Why prioritize this

Although CVSS 6.2 (MEDIUM) reflects the lack of confidentiality and integrity impact, the ease of exploitation and local-access requirement warrant prompt remediation in environments where Whois is operationally critical. Organizations should prioritize this update for internet-facing or DMZ-deployed instances, but overall urgency is moderate since the attack requires pre-existing system access and causes only temporary disruption.

Risk score, explained

The CVSS 3.1 score of 6.2 reflects: Attack Vector Local (no remote exploitation), Access Complexity Low (no special conditions), Privileges Required None (any local user can trigger it), User Interaction None (no clicking or social engineering), and Availability Impact High (crash = complete denial of that service). Confidentiality and Integrity remain unaffected, preventing a higher score. The lack of CISA KEV listing confirms this is not yet weaponized in the wild at scale.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local access to the system running Arm Whois. An attacker must be able to interact with the input fields directly or through a local process. Remote exploitation is not possible.

Does this vulnerability lead to data breach or unauthorized access?

No. The buffer overflow causes only a denial of service (crash). It does not allow an attacker to read, modify, or exfiltrate data, nor does it escalate privileges or enable unauthorized system access.

How urgent is patching for my organization?

Priority depends on your use of Arm Whois. If it is non-critical or rarely used, defer patching to the next maintenance window. If it is part of an automated workflow or frequently accessed by staff, upgrade sooner to minimize disruption risk.

What should I do if I cannot patch immediately?

Restrict local system access to trusted administrators and service accounts. Disable or isolate Whois if it is not essential. Monitor process logs for crashes. These interim measures reduce the window of exposure while you plan for patching.

This analysis is provided for educational and risk assessment purposes. Patch version numbers, vendor contact details, and release dates must be verified directly with Arm or official vendor advisories before deployment. No exploit code or proof-of-concept is provided. Organizations should conduct their own testing and validation before applying patches to production systems. CVSS scores and severity ratings are derived from publicly available data and may be revised by vendors or NIST without notice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).