Stack-Based Buffer Overflow in JS8Call by JS8Call-improved
CVE-2026-42996

10 CRITICAL

Key Information:

Vendor: Js8call
CVE Published: 1 May 2026

What is CVE-2026-42996?

A stack-based buffer overflow exists in JS8Call versions up to 2.3.1 and in JS8Call-improved prior to 3.0. It is triggered when the application processes a radio transmission containing @APRSIS GRID followed by an excessively long Maidenhead locator string. The flaw is in the grid2deg function in APRSISClient.cpp. An attacker can exploit it by crafting malicious radio messages, potentially leading to unexpected behavior and system crashes.
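
The class of check that prevents this kind of overflow, as an added example (not code from JS8Call or JS8Call-improved, and not the project's actual fix): a Maidenhead locator converter that rejects the input by length before anything reaches its fixed-size stack buffer. The function name locator_to_degrees, the 4- or 6-character limit, and the sample inputs are assumptions made for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: only 4- and 6-character locators are valid. */
#define MAX_LOCATOR_LEN 6

/* Hypothetical helper (not JS8Call code): converts a locator to the south-west
 * corner of its cell. Returns false and leaves outputs untouched on bad input. */
bool locator_to_degrees(const char *grid, size_t len, double *lon, double *lat)
{
    if (grid == NULL || lon == NULL || lat == NULL) return false;
    /* Reject by length before any byte is copied into the fixed stack buffer. */
    if (len != 4 && len != MAX_LOCATOR_LEN) return false;

    char g[MAX_LOCATOR_LEN];
    for (size_t i = 0; i < len; i++)
        g[i] = (char)toupper((unsigned char)grid[i]);

    /* Field letters A-R, then square digits 0-9. */
    if (g[0] < 'A' || g[0] > 'R' || g[1] < 'A' || g[1] > 'R') return false;
    if (!isdigit((unsigned char)g[2]) || !isdigit((unsigned char)g[3])) return false;
    double x = (g[0] - 'A') * 20.0 - 180.0 + (g[2] - '0') * 2.0;
    double y = (g[1] - 'A') * 10.0 - 90.0 + (g[3] - '0') * 1.0;
    if (len == MAX_LOCATOR_LEN) {
        /* Subsquare letters A-X: 5 arc-minutes of longitude, 2.5 of latitude. */
        if (g[4] < 'A' || g[4] > 'X' || g[5] < 'A' || g[5] > 'X') return false;
        x += (g[4] - 'A') * (2.0 / 24.0);
        y += (g[5] - 'A') * (1.0 / 24.0);
    }
    *lon = x; *lat = y;
    return true;
}

int main(void)
{
    /* Constructed sample inputs; the last one is deliberately over-long. */
    const char *samples[] = { "FN31", "fn31pr", "FN3", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double lon, lat;
        if (locator_to_degrees(samples[i], strlen(samples[i]), &lon, &lat))
            printf("%-8.8s -> lon %.4f, lat %.4f\n", samples[i], lon, lat);
        else
            printf("rejected input of length %zu\n", strlen(samples[i]));
    }
    return 0;
}
```

The length passed in should be the length of the received field itself, so an over-long locator is refused before any per-character work begins.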

Affected Version(s)

JS8Call 0 <= 2.3.1

JS8Call-improved 0 < 3.0

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
