CVE-2012-4409
published 2012-11-21


Priority: P344 · medium · CVSS 2.0 base score 6.8
Vector: AV:N / AC:M / Au:N / C:P / I:P / A:P
Exploit: public exploit available
EPSS: 15.02% (96.3rd percentile)
Stack-based buffer overflow in the check_file_head function in extra.c in mcrypt 2.6.8 and earlier allows user-assisted remote attackers to execute arbitrary code via an encrypted file with a crafted header containing long salt data that is not properly handled during decryption.

Affected (10 ranges)

Vendor   Product   Version range             Fixed in
debian   mcrypt    < 2.6.8-1.1 (bookworm)    2.6.8-1.1 (bookworm)
mcrypt   mcrypt    <= 2.6.8                  (no fix listed)
mcrypt   mcrypt    (no range given)
mcrypt   mcrypt    (no range given)
mcrypt   mcrypt    (no range given)
mcrypt   mcrypt    (no range given)
mcrypt   mcrypt    >= 0, < 2.6.8-1.1         2.6.8-1.1
mcrypt   mcrypt    >= 0, < 2.6.8-1.1         2.6.8-1.1
mcrypt   mcrypt    >= 0, < 2.6.8-1.1         2.6.8-1.1
mcrypt   mcrypt    >= 0, < 2.6.8-1.1         2.6.8-1.1

Detection & IOCs (extracted from sources)

filename: cyberpunk.nc
command: mcrypt -d cyberpunk.nc
path: src/extra.c
bytes: \x00\x6d\x03\x40\x73\x65\x72\x70\x65\x6e\x74\x00\x20\x00\x63\x62\x63\x00\x6d\x63\x72\x79\x70\x74\x2d\x73\x68\x61\x31\x00
  • The exploit triggers a stack-based buffer overflow in check_file_head() when mcrypt decrypts a .nc file with a crafted header containing an oversized salt field (105+ bytes). Monitor for mcrypt -d invocations on .nc files, especially those with unusually large salt data in the header.
  • The malicious .nc file header begins with the magic bytes \x00\x6d\x03 followed by crafted algorithm/mode strings and a salt length byte (0x69 = 105) with 105 'A' bytes of padding. Scan .nc files for headers where the salt length field exceeds expected bounds.
  • If FORTIFY_SOURCE is enabled (e.g., on Fedora/RHEL builds), exploitation is reduced to a crash. Monitor for abnormal mcrypt process terminations (SIGABRT/SIGSEGV) as an indicator of attempted exploitation.
  • Vulnerable function is check_file_head() in extra.c. Audit or instrument this function for salt buffer length checks when processing encrypted file headers.
  • The vulnerability affects mcrypt 2.6.8 and earlier (command-line tool, not the library). The attack requires user interaction: the victim must attempt to decrypt the crafted .nc file.
  • Debian fixed this in package version 2.6.8-1.1 across bookworm, bullseye, forky, sid, and trixie. Fedora/EPEL fixed it in mcrypt-2.6.8-9. Ensure patched versions are deployed.
  • A separate but related CVE (CVE-2012-4527) covers a stack overflow triggered by overly long filenames (~128 bytes) passed to mcrypt, distinct from the crafted .nc header salt overflow of CVE-2012-4409.
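A header scanner for the "scan .nc files for oversized salt length" rule above, as an added example: this is not code from the page, from the PoC, or from mcrypt itself. It parses the header in the field order the IOC bytes show (magic, one flag byte, NUL-terminated algorithm, two bytes, NUL-terminated mode and key-generation strings, then a salt-length byte and the salt) and flags any declared salt length above an expected bound. Assumptions made here and not stated on the page: the flag byte 0x40 means "salt present", the two bytes after the algorithm name are a little-endian key size, and 20 bytes is the alert threshold. The constructed crafted sample is the page's IOC bytes followed by a 0x69 length byte and 105 'A' bytes, per the page's description of the PoC header; the benign sample is made up.

```python
import struct

# Constants taken from the IOC bytes on this page. Reading byte 3 (0x40 in the
# IOC) as a "salt present" flag is an assumption of this example.
MCRYPT_MAGIC = b"\x00\x6d\x03"
FLAG_SALT_PRESENT = 0x40
# Assumed upper bound for a legitimate salt length; the PoC declares 105.
MAX_EXPECTED_SALT = 20


def _read_cstring(buf: bytes, off: int):
    """Return (field, new_offset) for a NUL-terminated field starting at off."""
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string field in header")
    return buf[off:end], end + 1


def parse_nc_header(data: bytes) -> dict:
    """Parse the header fields in the order shown by the IOC bytes. Treating
    the two bytes after the algorithm as a little-endian key size is an
    assumption of this example."""
    if len(data) < 4 or data[:3] != MCRYPT_MAGIC:
        raise ValueError("not an mcrypt header")
    flags = data[3]
    off = 4
    algorithm, off = _read_cstring(data, off)
    if off + 2 > len(data):
        raise ValueError("truncated key size field")
    keysize = struct.unpack_from("<H", data, off)[0]
    off += 2
    mode, off = _read_cstring(data, off)
    keygen, off = _read_cstring(data, off)
    salt_len = 0
    salt = b""
    if flags & FLAG_SALT_PRESENT:
        if off >= len(data):
            raise ValueError("truncated salt length field")
        salt_len = data[off]
        off += 1
        # The declared length is what the detection keys on; slice only what
        # is actually present so a truncated file does not raise here.
        salt = data[off:off + salt_len]
        off += len(salt)
    return {
        "flags": flags,
        "algorithm": algorithm.decode("ascii", "replace"),
        "keysize": keysize,
        "mode": mode.decode("ascii", "replace"),
        "keygen": keygen.decode("ascii", "replace"),
        "salt_len": salt_len,
        "salt": salt,
        "header_len": off,
    }


def is_suspicious(header: dict, max_salt: int = MAX_EXPECTED_SALT) -> bool:
    """True when the declared salt length exceeds the expected bound."""
    return header["salt_len"] > max_salt


def scan_bytes(data: bytes, max_salt: int = MAX_EXPECTED_SALT):
    """Return (verdict, detail); malformed headers are reported, not raised,
    so a sweep over many files keeps going."""
    try:
        hdr = parse_nc_header(data)
    except ValueError as exc:
        return "malformed", str(exc)
    if is_suspicious(hdr, max_salt):
        return "suspicious", f"salt length {hdr['salt_len']} > {max_salt}"
    return "ok", f"salt length {hdr['salt_len']}"


def scan_file(path: str, max_salt: int = MAX_EXPECTED_SALT):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(4096), max_salt)


# Constructed samples: IOC_PREFIX is the byte sequence listed on this page;
# CRAFTED appends the 0x69 salt-length byte and 105 'A' bytes described for
# the PoC; BENIGN is a made-up header declaring a 20-byte salt.
IOC_PREFIX = b"\x00\x6d\x03\x40serpent\x00\x20\x00cbc\x00mcrypt-sha1\x00"
CRAFTED = IOC_PREFIX + bytes([0x69]) + b"A" * 0x69
BENIGN = IOC_PREFIX + bytes([20]) + bytes(range(20))

if __name__ == "__main__":
    for name, blob in (("crafted", CRAFTED), ("benign", BENIGN)):
        print(name, *scan_bytes(blob))
```

Run it over a directory of .nc files with scan_file(); anything reported as "suspicious" or "malformed" is worth quarantining before a user runs mcrypt -d on it, and the threshold can be lowered if your environment only ever produces a fixed salt size.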

CVSS provenance

nvd             v2.0   6.8   MEDIUM   AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                    6.8   MEDIUM
vendor_debian          6.8   MEDIUM