CVE-2018-25220 CRITICAL

CVE-2018-25220: Bochs 2.6-5 Buffer Overflow Remote Code Execution

Vendor Bochs

Product BOCHS

Weakness CWE-787

Published March 28, 2026

Last update March 30, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Bochs 2.6-5 contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized input string to the application. Attackers can craft a malicious payload with 1200 bytes of padding followed by a return-oriented programming chain to overwrite the instruction pointer and execute shell commands with application privileges.

Key dates

02Disclosure timeline

March 28, 2026 CVE published

March 30, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2018-25220 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/787.html

Related vulnerabilities

CVE-2018-25220: Bochs 2.6-5 Buffer Overflow Remote Code Execution

01Description

02Disclosure timeline

03References

04Related CVE