{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/proftpd-mod_sftp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-53994"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ProFTPD mod_sftp"],"_cs_severities":["high"],"_cs_tags":["vulnerability","denial-of-service","sftp","linux-server"],"_cs_type":"advisory","_cs_vendors":["ProFTPD"],"content_html":"\u003cp\u003eCVE-2026-53994 impacts ProFTPD's \u003ccode\u003emod_sftp\u003c/code\u003e module, enabling an authenticated SFTP user to trigger a heap-based buffer overflow. The vulnerability stems from the \u003ccode\u003efxp_packet_read()\u003c/code\u003e function, which accepts an attacker-controlled 32-bit big-endian SFTP packet length without adequate sanity checks. Specifically, a zero-value packet length causes an unsigned integer underflow elsewhere in the read path, leading to an attempt to allocate approximately 4 GB of memory. Due to a type conversion issue, a much smaller buffer (approximately 544 bytes) is actually allocated. Subsequent attacker-controlled data streaming then overwrites heap memory beyond this small buffer, resulting in a reliable remote denial of service by crashing the ProFTPD session child process. This flaw was published on 2026-07-18 and allows for immediate disruption of SFTP services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker establishes an SFTP connection to a vulnerable ProFTPD server running \u003ccode\u003emod_sftp\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a specially crafted SFTP packet to the server, targeting the \u003ccode\u003efxp_packet_read()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThis packet intentionally sets the 32-bit big-endian length field to a value of 0.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eread\u003c/code\u003e path, an unsigned subtraction operation with the zero length causes an integer underflow, resulting in a computed size of approximately 4 GB (0x100000000).\u003c/li\u003e\n\u003cli\u003eThe core memory allocator is requested to allocate memory for this oversized request, but due to a 32-bit integer conversion, \u003ccode\u003enew_block()\u003c/code\u003e returns an actual allocation of a significantly smaller block (approximately 544 bytes).\u003c/li\u003e\n\u003cli\u003eThe subsequent fill loop attempts to write attacker-controlled bytes into the buffer, assuming the previously reported 4 GB allocation, leading to a heap buffer overflow that writes past the end of the 544-byte allocated memory.\u003c/li\u003e\n\u003cli\u003eThis heap overflow corrupts adjacent memory, causing the ProFTPD session child process to crash.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves reliable authenticated remote denial of service for the connected user, with potential for further heap metadata corruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-53994 leads to a reliable remote denial of service (DoS) for authenticated users. An attacker can crash the per-connection ProFTPD session child process on demand, disrupting SFTP services provided by the server. While the primary observed impact is DoS, the underlying heap buffer overflow mechanism could potentially lead to heap metadata corruption, which might theoretically open avenues for more severe consequences like arbitrary code execution, though only denial of service is demonstrated by the supplied proof of concept. The number of potentially affected organizations is substantial, given ProFTPD's widespread use in Linux environments for secure file transfer services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch ProFTPD servers running \u003ccode\u003emod_sftp\u003c/code\u003e to a version that addresses CVE-2026-53994.\u003c/li\u003e\n\u003cli\u003eMonitor ProFTPD server logs for abnormal termination events or restarts of \u003ccode\u003eproftpd\u003c/code\u003e child processes, as these may indicate exploitation attempts of CVE-2026-53994.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T20:18:46Z","date_published":"2026-07-18T20:18:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-proftpd-mod-sftp-dos/","summary":"An authenticated SFTP user can trigger a heap-based buffer overflow in ProFTPD's mod_sftp module (CVE-2026-53994) by sending a malformed SFTP packet, leading to an integer underflow, an undersized buffer allocation, and subsequent heap corruption, which results in a reliable remote denial of service.","title":"ProFTPD mod_sftp Heap Overflow Allows Authenticated Denial of Service (CVE-2026-53994)","url":"https://feed.craftedsignal.io/briefs/2026-07-proftpd-mod-sftp-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - ProFTPD Mod_sftp","version":"https://jsonfeed.org/version/1.1"}