35327 – tcpflow new security issue CVE-2026-25061

Bug 35327 - tcpflow new security issue CVE-2026-25061

Summary: tcpflow new security issue CVE-2026-25061

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-32-OK MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2026-04-07 09:57 CEST by Nicolas Salguero
Modified:	2026-05-07 07:08 CEST (History)
CC List:	5 users (show)

See Also:
Source RPM:	tcpflow-1.6.1-3.mga9.src.rpm
CVE:	CVE-2026-25061
Status comment:

Flags:	mageia: test_passed_mga9_64+ mageia: test_passed_mga9_32+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-04-07 09:57:50 CEST

Fedora has issued an advisory on April 3:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWJ2HTXROZUA6IP467KMWZFIYTXEGVZK/

Nicolas Salguero 2026-04-07 09:58:31 CEST

Flags: (none) => affects_mga9+
CVE: (none) => CVS-2026-25061
Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in future version 1.6.2
Source RPM: (none) => tcpflow-1.6.1-5.mga10.src.rpm, tcpflow-1.6.1-3.mga9.src.rpm

Nicolas Salguero 2026-04-07 15:09:46 CEST

CVE: CVS-2026-25061 => CVE-2026-25061
Summary: tcpflow new security issue CVS-2026-25061 => tcpflow new security issue CVE-2026-25061

Comment 1 Nicolas Salguero 2026-04-07 15:34:24 CEST

For Cauldron, tcpflow-1.6.1-6.mga10 fixes the issue.


Suggested advisory:
========================

The updated package fixes a security vulnerability:

tcpflow has TIM Element OOB Write in wifipcap. (CVE-2026-25061)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CWJ2HTXROZUA6IP467KMWZFIYTXEGVZK/
========================

Updated package in core/updates_testing:
========================
tcpflow-1.6.1-3.1.mga9

from SRPM:
tcpflow-1.6.1-3.1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in future version 1.6.2 => (none)
Flags: affects_mga9+ => (none)
Source RPM: tcpflow-1.6.1-5.mga10.src.rpm, tcpflow-1.6.1-3.mga9.src.rpm => tcpflow-1.6.1-3.mga9.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 PC LX 2026-04-07 23:32:11 CEST

Installed and tested without issues.

Tested by capturing a bunch of HTTP connections and checking the captured data.



System: Mageia 9, x86_64, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.130-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 01:48:01 UTC 2026 x86_64 GNU/Linux
$ rpm -q tcpflow
tcpflow-1.6.1-3.mga9
$ LANGUAGE=C su -c 'tcpflow -i wg0 -a -v'
tcpflow: TCPFLOW version 1.6.1 
tcpflow: looking for handler for datalink type 12 for interface wg0
tcpflow: listening on wg0
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.3:40546->10.0.0.2:80]. path:  next seq num (nsn):936462348
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.2:80->10.0.0.3:40546]. path:  next seq num (nsn):-39782712
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.003.40546-010.000.000.002.00080,oflag=xc2,mask:x1b6)=6
tcpflow: 010.000.000.003.40546-010.000.000.002.00080: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.40546,oflag=xc2,mask:x1b6)=7
tcpflow: 010.000.000.002.00080-010.000.000.003.40546: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: 010.000.000.003.40546-010.000.000.002.00080: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.40546-HTTPBODY-001.html,oflag=x241,mask:x1a4)=6
tcpflow: 010.000.000.002.00080-010.000.000.003.40546: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.3:39026->10.0.0.2:80]. path:  next seq num (nsn):-1758984071
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.2:80->10.0.0.3:39026]. path:  next seq num (nsn):523917573
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.003.39026-010.000.000.002.00080,oflag=xc2,mask:x1b6)=6
tcpflow: 010.000.000.003.39026-010.000.000.002.00080: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.39026,oflag=xc2,mask:x1b6)=7
tcpflow: 010.000.000.002.00080-010.000.000.003.39026: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: 010.000.000.003.39026-010.000.000.002.00080: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.39026-HTTPBODY-001.html,oflag=x241,mask:x1a4)=6
tcpflow: 010.000.000.002.00080-010.000.000.003.39026: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.3:34132->10.0.0.2:80]. path:  next seq num (nsn):663349452
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[10.0.0.2:80->10.0.0.3:34132]. path:  next seq num (nsn):1739951114
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.003.34132-010.000.000.002.00080,oflag=xc2,mask:x1b6)=6
tcpflow: 010.000.000.003.34132-010.000.000.002.00080: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.34132,oflag=xc2,mask:x1b6)=7
tcpflow: 010.000.000.002.00080-010.000.000.003.34132: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: 010.000.000.003.34132-010.000.000.002.00080: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=010.000.000.002.00080-010.000.000.003.34132-HTTPBODY-001.html,oflag=x241,mask:x1a4)=6
tcpflow: 010.000.000.002.00080-010.000.000.003.34132: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
^Ctcpflow: terminating orderly
tcpflow: Open FDs at end of processing:      0
tcpflow: demux.max_open_flows:               2
tcpflow: Flow map size at end of processing: 0
tcpflow: Flows seen:                         6
tcpflow: Cleaning up flows
tcpflow: Total flows processed: 6
tcpflow: Total packets processed: 27

CC: (none) => mageia

katnatek 2026-04-08 02:46:37 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2026-04-08 16:43:18 CEST

MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Problem on trying to capture from wifi connection, ethernet present but not physically connected.
# tcpflow -i wlo1 -v -a
reportfilename: ./report.xml
tcpflow: TCPFLOW version 1.6.1
tcpflow: looking for handler for datalink type 1 for interface wlo1
tcpflow: listening on wlo1
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: warning: received ethernet frame with unknown type 0x88e1
tcpflow: warning: received ethernet frame with unknown type 0x8912
tcpflow: warning: received ethernet frame with unknown type 0x88e1
etc.....
Did "Remove interface" in MCC for the ethernet device, but same result..

CC: (none) => herman.viaene

Comment 4 PC LX 2026-04-23 12:26:36 CEST

I tested this update again, including ethernet and wifi (using a USB wifi thingy). I works without issues.

Herman Viaene, can you try to capture some HTTP (not HTTPS) requests and check if the captured files look correct?
If the look correct, then I think those warnings can be ignored, and this update can be pushed forward.



$ uname -a
Linux jupiter 6.6.130-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Thu Mar 26 01:48:01 UTC 2026 x86_64 GNU/Linux
$ lsusb | grep WLAN
Bus 001 Device 007: ID 0bda:818b Realtek Semiconductor Corp. RTL8192EU 802.11b/g/n WLAN Adapter
$ LANGUAGE=C su -c 'tcpflow -i wlan0 -a -v'
Password: 
reportfilename: ./report.xml
tcpflow: TCPFLOW version 1.6.1 
tcpflow: looking for handler for datalink type 1 for interface wlan0
tcpflow: listening on wlan0
tcpflow: process_pkt..............................................................................
<SNIP repeated lines>
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[192.168.1.166:57464->192.168.1.2:443]. path:  next seq num (nsn):-1241451045
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[192.168.1.2:443->192.168.1.166:57464]. path:  next seq num (nsn):-205396016
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.166.57464-192.168.001.002.00443,oflag=xc2,mask:x1b6)=6
tcpflow: 192.168.001.166.57464-192.168.001.002.00443: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.002.00443-192.168.001.166.57464,oflag=xc2,mask:x1b6)=7
tcpflow: 192.168.001.002.00443-192.168.001.166.57464: created new file
tcpflow: process_pkt..............................................................................
<SNIP repeated lines>
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[192.168.1.3:993->192.168.1.2:47698]. path:  next seq num (nsn):-1561433550
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.003.00993-192.168.001.002.47698,oflag=xc2,mask:x1b6)=8
tcpflow: 192.168.001.003.00993-192.168.001.002.47698: created new file
tcpflow: process_pkt..............................................................................
<SNIP repeated lines>
tcpflow: process_pkt..............................................................................
tcpflow: 192.168.001.003.00993-192.168.001.002.47698: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
<SNIP repeated lines>
tcpflow: process_pkt..............................................................................
tcpflow: 192.168.001.002.00443-192.168.001.166.57464: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: 192.168.001.166.57464-192.168.001.002.00443: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
<SNIP repeated lines>
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[192.168.1.166:40884->192.168.1.2:80]. path:  next seq num (nsn):1811447043
tcpflow: process_pkt..............................................................................
tcpflow: new flow flow[192.168.1.2:80->192.168.1.166:40884]. path:  next seq num (nsn):1694025868
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.166.40884-192.168.001.002.00080,oflag=xc2,mask:x1b6)=6
tcpflow: 192.168.001.166.40884-192.168.001.002.00080: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.002.00080-192.168.001.166.40884,oflag=xc2,mask:x1b6)=7
tcpflow: 192.168.001.002.00080-192.168.001.166.40884: created new file
tcpflow: process_pkt..............................................................................
tcpflow: process_pkt..............................................................................
tcpflow: 192.168.001.166.40884-192.168.001.002.00080: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
tcpflow: retrying_open ::open(fn=192.168.001.002.00080-192.168.001.166.40884-HTTPBODY-001.html,oflag=x241,mask:x1a4)=6
tcpflow: 192.168.001.002.00080-192.168.001.166.40884: closing file in tcpip::close_file
tcpflow: process_pkt..............................................................................
^Ctcpflow: terminating orderly
tcpflow: Open FDs at end of processing:      0
tcpflow: demux.max_open_flows:               3
tcpflow: Flow map size at end of processing: 0
tcpflow: Flows seen:                         5
tcpflow: Cleaning up flows
tcpflow: Total flows processed: 5
tcpflow: Total packets processed: 51

Comment 5 Herman Viaene 2026-04-23 17:04:22 CEST

Do you know of any site that still uses http. I can for some still use the http command, but it switches immediately to https. I guess I should see dstport=80 in the file, but none seen.

Comment 6 PC LX 2026-04-23 18:40:02 CEST

(In reply to Herman Viaene from comment #5)
> Do you know of any site that still uses http. I can for some still use the
> http command, but it switches immediately to https. I guess I should see
> dstport=80 in the file, but none seen.

Instead of a browser, use curl with a http URL to generate the traffic to be captured.
For example:

$ curl -i http://example.com/
HTTP/1.1 200 OK
Date: Thu, 23 Apr 2026 16:36:29 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Server: cloudflare
Last-Modified: Sat, 18 Apr 2026 00:49:31 GMT
Allow: GET, HEAD
Accept-Ranges: bytes
Age: 9458
cf-cache-status: HIT
CF-RAY: 9f0e49950a1e34fe-LIS

<!doctype html><html lang="en"><head><title>Example Domain</title><meta name="viewport" content="width=device-width, initial-scale=1"><style>body{background:#eee;width:60vw;margin:15vh auto;font-family:system-ui,sans-serif}h1{font-size:1.5em}div{opacity:0.8}a:link,a:visited{color:#348}</style></head><body><div><h1>Example Domain</h1><p>This domain is for use in documentation examples without needing permission. Avoid use in operations.</p><p><a href="https://iana.org/domains/example">Learn more</a></p></div></body></html>

Comment 7 Brian Rockwell 2026-05-02 16:02:52 CEST

(In reply to Herman Viaene from comment #5)
> Do you know of any site that still uses http. I can for some still use the
> http command, but it switches immediately to https. I guess I should see
> dstport=80 in the file, but none seen.

You can hit the http://mageia-highland.us mirror.

CC: (none) => brtians1

Comment 8 Brian Rockwell 2026-05-03 23:09:06 CEST

MGA9-32

Tested with 32 bit.

Ran against curl command.


--- giving this the go.

Whiteboard: (none) => MGA9-32-OK

Comment 9 PC LX 2026-05-05 19:21:19 CEST

Following comment 2 and comment 4, I'm giving this the OK for x86_64.
Also adding the flag for x86 on account of comment 8.

Whiteboard: MGA9-32-OK => MGA9-32-OK MGA9-64-OK
Flags: (none) => test_passed_mga9_64+, test_passed_mga9_32+

Comment 10 Thomas Andrews 2026-05-06 14:29:40 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 11 Mageia Robot 2026-05-07 07:08:30 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0113.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.