Message-ID: <akUXwLl3OwYufXkb@zedat.fu-berlin.de>
Date: Wed, 1 Jul 2026 15:36:00 +0200
From: Holger Weiß <holger.weiss@...berlin.de>
To: OSS Security <oss-security@...ts.openwall.com>
Subject: check_icmp (Monitoring Plugins): host-count overflow leads to heap buffer overflow in setuid-root binary

We released Monitoring Plugins 3.0.1, which fixes a security issue in 
the check_icmp plugin.

Product:   Monitoring Plugins (check_icmp)
Date:      2026-07-01
Severity:  High (CVSS 3.1: 7.0, CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE:       requested, not yet assigned
CWE:       CWE-190 (Integer Overflow or Wraparound),
            CWE-787 (Out-of-bounds Write)
Affected:  check_icmp 3.0.0 (introduced in v3.0.0-rc1)
Fixed in:  Monitoring Plugins 3.0.1


Summary
-------

A local user can trigger a heap buffer overflow in check_icmp by 
supplying more than 65535 target hosts, which overflows an internal 
counter. This happens before check_icmp drops its privileges, so the 
corruption occurs while still running as root on setuid-root 
installations.


Description
-----------

The number of hosts is counted into an unsigned short, which is then 
used as the allocation size for the hosts array (calloc(3)). Because 
nothing bounds the increment, more than 65535 -H/--Host entries (whether 
passed directly on argv or via an --extra-opts ini file using Host= 
entries) wrap the counter, so the array is allocated far smaller than 
the number of entries actually written into it by the subsequent parsing 
loop, causing a heap buffer overflow.

This happens inside process_arguments(), before check_icmp drops its 
elevated privileges.


Impact
------

On installations where check_icmp is installed setuid-root (confirmed on 
Arch Linux's monitoring-plugins package), this is a local 
memory-corruption primitive triggered while the process is still running 
as root, with an attacker-controlled overflow length and partially 
attacker-influenced content. Reliable privilege escalation has not been 
demonstrated but appears plausible.

Installations that grant cap_net_raw via file capabilities instead of 
the setuid bit are not exposed to the privilege-escalation concern; the 
underlying memory corruption is still reachable in that configuration.

No special access is required beyond the ability to invoke check_icmp 
with attacker-chosen arguments.


Fixes
-----

The host count is now explicitly bounded, rejecting more than 65535 
hosts with a usage error instead of letting the counter overflow 
silently. Users should upgrade to Monitoring Plugins 3.0.1 or later.
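To make the mechanism in the Description and the bound in the Fixes
concrete, the following is an added example in C; it is not check_icmp's
source. It models the counter the advisory describes (an unsigned short
tallied once per -H, then used as the calloc(3) element count) beside a
bounded form that rejects more than 65535 hosts with a usage error. The
function and type names (count_hosts_wrapping, vulnerable_plan,
parse_hosts_bounded, run_scenario, make_argv) and the constructed argv are
assumptions of the example, and the vulnerable path only computes the
sizing mismatch; it never performs the out-of-bounds write.

```c
/* Added example modelling the host-count wraparound (CWE-190 leading to
 * CWE-787). Not check_icmp's code: names and structures are hypothetical,
 * only the counter type and calloc sizing follow the advisory. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HOSTS 65535u        /* the most an unsigned short can represent */

typedef struct {
    const char *name;
} host_entry;

/* Vulnerable pattern: tally -H options into a 16-bit counter. Nothing bounds
 * the increment, so 65536 hosts wrap to 0 and 65537 wrap to 1. */
static unsigned short count_hosts_wrapping(int argc, char *const argv[])
{
    unsigned short hosts = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-H") == 0 && i + 1 < argc) {
            hosts++;            /* silent wraparound modulo 65536 */
            i++;
        }
    }
    return hosts;
}

/* Size the array as the vulnerable code would (calloc(wrapped, sizeof)) and
 * count the entries the later parsing loop would store. Returns 1 when the
 * writes exceed the allocation, i.e. the heap overflow. The array is never
 * written here; this only reports the mismatch. */
static int vulnerable_plan(int argc, char *const argv[],
                           size_t *alloc_elems, size_t *writes)
{
    *alloc_elems = count_hosts_wrapping(argc, argv);
    *writes = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-H") == 0 && i + 1 < argc) {
            (*writes)++;        /* the loop stores every -H it sees */
            i++;
        }
    }
    return *writes > *alloc_elems;
}

/* Hardened form matching the fix description: count in a wide type and
 * reject more than MAX_HOSTS before allocating. Returns 0 and fills
 * *out/*count on success, -1 on rejection (usage error) or OOM. */
static int parse_hosts_bounded(int argc, char *const argv[],
                               host_entry **out, size_t *count)
{
    size_t n = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-H") == 0 && i + 1 < argc) {
            if (n >= MAX_HOSTS)
                return -1;      /* usage error instead of a wrapped counter */
            n++;
            i++;
        }
    }
    host_entry *hosts = calloc(n ? n : 1, sizeof *hosts);
    if (hosts == NULL)
        return -1;
    size_t k = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-H") == 0 && i + 1 < argc)
            hosts[k++].name = argv[++i];   /* k < n holds by construction */
    }
    *out = hosts;
    *count = n;
    return 0;
}

/* Constructed input: an argv with nhosts "-H 10.0.0.1" pairs (test data). */
static char **make_argv(size_t nhosts, int *argc_out)
{
    size_t argc = 1 + 2 * nhosts;
    char **argv = calloc(argc + 1, sizeof *argv);
    if (argv == NULL)
        return NULL;
    argv[0] = "check_icmp";
    for (size_t i = 0; i < nhosts; i++) {
        argv[1 + 2 * i] = "-H";
        argv[2 + 2 * i] = "10.0.0.1";
    }
    *argc_out = (int)argc;
    return argv;
}

/* Run both paths on nhosts entries. Returns -1 on OOM, else a bitmask:
 * bit 0 = vulnerable sizing would overflow, bit 1 = hardened parser rejected. */
static int run_scenario(size_t nhosts, unsigned short *wrapped_count)
{
    int argc, result = 0;
    char **argv = make_argv(nhosts, &argc);
    if (argv == NULL)
        return -1;
    size_t alloc_elems, writes, n = 0;
    host_entry *hosts = NULL;
    *wrapped_count = count_hosts_wrapping(argc, argv);
    if (vulnerable_plan(argc, argv, &alloc_elems, &writes))
        result |= 1;
    if (parse_hosts_bounded(argc, argv, &hosts, &n) != 0)
        result |= 2;
    free(hosts);
    free(argv);
    return result;
}

int main(void)
{
    static const size_t cases[] = { 3, 65535, 65536, 65537 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned short w;
        int r = run_scenario(cases[i], &w);
        printf("%zu hosts: counter=%u overflow=%d rejected=%d\n",
               cases[i], w, r & 1, (r >> 1) & 1);
    }
    return 0;
}
```

With 65535 hosts both paths agree (counter 65535, no overflow, accepted);
at 65536 the 16-bit counter reads 0, so the vulnerable sizing would calloc
zero elements while the parsing loop stores 65536, and the bounded parser
returns the usage error before any allocation happens. The same argv could
come from an --extra-opts ini file with Host= entries, which the example
does not model.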


Attribution
-----------

The issue was initially identified with an AI coding agent and then 
manually validated and reproduced by Christopher Kreft (GitHub: c-kr) 
using an ASan build, including verification against the installed 
setuid-root binary.


References
----------

   https://github.com/monitoring-plugins/monitoring-plugins/security/advisories/GHSA-xvvw-4j77-rp7q
   https://github.com/monitoring-plugins/monitoring-plugins/releases/tag/v3.0.1
   https://github.com/monitoring-plugins/monitoring-plugins/commit/c35c12e58d326ffbd6cfb3c9097653f9f3fb2f4a

-- 
Holger Weiß
Monitoring Plugins
