PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-2233 Hexchat Project CVE debrief

CVE-2016-2233 is a stack-based buffer overflow in HexChat 2.10.2’s inbound_cap_ls function while handling CAP LS messages. A remote IRC server can trigger a crash by sending a CAP LS message with a large number of options. The NVD records the issue as CVSS 3.0 7.5 (High) with CWE-119, and the impact is denial of service rather than confidentiality or integrity loss.

Vendor: Hexchat Project
Product: CVE-2016-2233
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-18
Original CVE updated: 2026-05-13
Advisory published: 2017-01-18
Advisory updated: 2026-05-13

Who should care

Anyone running HexChat 2.10.2, especially users or administrators who connect to untrusted IRC servers or rely on HexChat in environments where a client crash would be disruptive.

Technical summary

The vulnerable code path is in common/inbound.c, function inbound_cap_ls, where parsing of CAP LS options can overflow a stack buffer. The attack is network-reachable over IRC, requires no privileges, and no user interaction is listed in the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The vulnerability is categorized as CWE-119 and the reported effect is client crash/denial of service.
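To make the summary concrete, the following is an added, hypothetical C illustration (not HexChat's own inbound_cap_ls code) of a CAP LS capability collector that checks the remaining room before every append, which is the bound a stack buffer overflow of this kind lacks. The function name cap_ls_collect, the demo helpers, the capability names and the 600-byte oversized list are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded CAP LS collector, added here as an illustration (not
 * HexChat's code). The overflow pattern in this kind of handler is a fixed
 * char[] on the stack plus strcat() of each server-supplied capability with
 * no room check; here each append is checked and an oversized list is refused.
 * Returns the number of capabilities copied into out, or -1 if they don't fit. */
int cap_ls_collect(const char *caps, char *out, size_t outsz)
{
    size_t used = 0;
    int count = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (const char *p = caps; *p; ) {
        while (*p == ' ') p++;              /* skip separators */
        if (*p == '\0') break;
        const char *start = p;
        while (*p && *p != ' ') p++;        /* measure one capability token */
        size_t len = (size_t)(p - start);
        if (used + len + 2 > outsz) {       /* token + ' ' + NUL must fit */
            out[0] = '\0';                  /* refuse the list, do not truncate */
            return -1;
        }
        memcpy(out + used, start, len);
        used += len;
        out[used++] = ' ';
        out[used] = '\0';
        count++;
    }
    return count;
}

/* Constructed inputs: an ordinary CAP LS reply, and a 600-byte list of
 * 9-character capabilities of the kind an untrusted server could send. */
int demo_normal(void)
{
    char buf[64];
    return cap_ls_collect("multi-prefix sasl away-notify", buf, sizeof buf);
}

int demo_oversized(void)
{
    char buf[64], big[600];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    for (size_t i = 9; i < sizeof big - 1; i += 10) big[i] = ' ';
    return cap_ls_collect(big, buf, sizeof buf);    /* -1: buf is never overrun */
}

int main(void) { printf("normal: %d, oversized: %d\n", demo_normal(), demo_oversized()); return 0; }
```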

Defensive priority

High. This is a network-reachable memory-safety flaw in a client-facing parser that processes untrusted server input. Prioritize remediation anywhere HexChat 2.10.2 is still in use.

Recommended defensive actions

  • Identify systems and user endpoints running HexChat 2.10.2.
  • Upgrade to a vendor-fixed HexChat release as soon as one is available in your environment.
  • If immediate upgrading is not possible, reduce exposure by limiting connections to trusted IRC servers only.
  • Monitor for unexpected HexChat crashes or repeated restarts that may indicate triggering traffic.
  • Remove or replace unsupported deployments that cannot be patched promptly.

Evidence notes

Source corpus evidence ties the issue to HexChat 2.10.2 via the NVD CPE entry and describes a stack-based buffer overflow in inbound_cap_ls in common/inbound.c. NVD lists CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and CWE-119. The provided references include a Packet Storm advisory, SecurityFocus BID 95920, and Exploit-DB entry 39657; their presence confirms public third-party discussion, but this debrief does not summarize exploit details.

Official resources

CVE published on 2017-01-18 and last modified on 2026-05-13.