CVE-2026-9365 Overview
CVE-2026-9365 is a heap-based buffer overflow vulnerability in Ettercap versions up to and including 0.8.3. The flaw resides in the FUNC_DECODER function within src/dissectors/ec_gg.c, which is part of the Gadu-Gadu (GG) Dissector component. An attacker can trigger the overflow remotely by manipulating the gg argument processed by the dissector. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). A public exploit disclosure exists, but exploitation is described as difficult due to high attack complexity. Upgrading to Ettercap version 0.8.4 resolves the issue.
Critical Impact
Remote attackers can corrupt heap memory in Ettercap by sending crafted GG protocol traffic, potentially affecting confidentiality, integrity, and availability of the analyzer process.
Affected Products
- Ettercap versions up to and including 0.8.3
- Ettercap GG Dissector component (src/dissectors/ec_gg.c)
- Fixed in Ettercap 0.8.4
Discovery Timeline
- 2026-05-24 - CVE-2026-9365 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9365
Vulnerability Analysis
The vulnerability exists in the FUNC_DECODER function of the Gadu-Gadu protocol dissector in Ettercap. Ettercap is a widely used network security tool for man-in-the-middle attacks and protocol analysis on local area networks. When the GG dissector processes traffic, the manipulation of the gg argument leads to a heap-based buffer overflow [CWE-119]. The dissector writes attacker-controlled data past the bounds of a heap-allocated buffer, corrupting adjacent heap memory structures. Because Ettercap actively captures and dissects passing network traffic, an attacker positioned on the same network segment can introduce crafted GG protocol packets that the tool will parse automatically.
Root Cause
The root cause is improper validation of the length or contents of the gg argument before it is copied into a heap-allocated buffer inside FUNC_DECODER. The dissector trusts attacker-supplied protocol fields without enforcing strict bounds checking. The upstream patch identified by commit feeae6fa366e01a3dd9f1857ec6aae847b2ae00c corrects the boundary handling within the GG dissector code path.
Attack Vector
The attack vector is network-based. An attacker sends malformed GG protocol traffic across a network segment where Ettercap is actively dissecting traffic. The attack complexity is high, and exploitation is described as difficult, which limits practical mass abuse. A public disclosure of the issue exists and may be leveraged by motivated attackers with deep knowledge of the dissector internals. Successful exploitation can corrupt heap memory in the Ettercap process and disrupt analyzer operations.
No verified proof-of-concept code is provided. Refer to the GitHub Commit Details and the GitHub Issue Tracker for the technical specifics of the flaw and its fix.
Detection Methods for CVE-2026-9365
Indicators of Compromise
- Unexpected crashes or abnormal termination of the ettercap process during live traffic dissection.
- Heap corruption signatures in core dumps generated by Ettercap on analyst workstations.
- Presence of Gadu-Gadu (GG) protocol traffic on segments where it is not expected as part of normal operations.
Detection Strategies
- Inventory hosts running Ettercap and verify installed versions against 0.8.4 using package managers or binary version checks.
- Monitor analyst and red-team workstations for repeated Ettercap process crashes correlated with packet capture activity.
- Inspect network traffic for malformed GG protocol frames targeting hosts running Ettercap.
Monitoring Recommendations
- Enable system crash and core dump collection on hosts where Ettercap is used so that heap corruption events can be triaged.
- Forward host telemetry and process crash events to a central SIEM or data lake for correlation with packet-capture activities.
- Track installed Ettercap versions via configuration management and flag any version at or below 0.8.3.
How to Mitigate CVE-2026-9365
Immediate Actions Required
- Upgrade Ettercap to version 0.8.4 or later on all workstations and appliances where it is installed.
- Restrict the use of Ettercap to controlled lab or authorized engagement networks until the upgrade is applied.
- Remove Ettercap from systems where it is not required for active security testing.
Patch Information
The issue is fixed in Ettercap 0.8.4. The upstream fix is tracked by commit feeae6fa366e01a3dd9f1857ec6aae847b2ae00c and pull request GitHub Pull Request #1307. Issue tracking details are available in GitHub Issue #1306. Source code and release artifacts are published in the GitHub Ettercap Repository.
Workarounds
- Disable the GG dissector at runtime if a patched version cannot be deployed immediately.
- Avoid running Ettercap on untrusted network segments where attacker-controlled GG traffic may be present.
- Operate Ettercap inside an isolated virtual machine or container to limit the impact of process-level memory corruption.
# Configuration example: upgrade and verify Ettercap version
sudo apt-get update
sudo apt-get install --only-upgrade ettercap-common ettercap-graphical
ettercap -v
# Expected: ettercap 0.8.4 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
