
OpenS100 can be tricked into running attacker commands when importing a chart

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-22208

A critical flaw in OpenS100 allows remote attackers to run commands by tricking users into importing a malicious chart, potentially compromising the application.

Halo Surface Signal: 1

Remote Code Execution

External exposure likelihood


OpenS100 is a client-side Electronic Navigational Chart viewer application. Exploiting this vulnerability requires a local user to manually import a malicious chart file or portrayal catalogue containing Lua scripts. Because the software is run locally on a client machine and has no typical public internet network exposure, the likelihood of public-facing exposure is very low.

Horizon Alert

Summary of the vulnerability and why it matters

The OpenS100 viewer has a vulnerability that allows remote code execution if a user imports a malicious chart file. This happens because the software improperly handles Lua scripts within these files, enabling them to run standard system commands. Attention is warranted because an attacker could potentially take control of the affected application.

  • Can execute arbitrary commands.
  • Requires user interaction to import files.
  • Affects the OpenS100 viewer application.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by crafting a malicious S-100 portrayal catalogue with embedded Lua scripts. When a user imports this catalogue and loads a chart within OpenS100, the unrestricted Lua interpreter executes these untrusted scripts, allowing arbitrary command execution with the privileges of the OpenS100 process. This bypasses security controls by leveraging the standard Lua libraries.

  • Requires user to import catalogue.
  • Targets the portrayal engine.
  • Uses standard Lua libraries.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in OpenS100 allows for remote code execution through an unrestricted Lua interpreter when a user imports a malicious chart. Attackers might find this less appealing due to the required user interaction and the niche nature of the software, limiting widespread impact. The vulnerability is present in the reference implementation before a specific commit.

  • Requires user interaction for exploitation.
  • Limited public exploit availability observed.
  • Vendor implementation status is deferred.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing logs for any signs of untrusted S-100 chart imports or unusual process activity, especially on systems that handle chart data. Isolate any affected systems immediately if malicious activity is detected, given the critical nature of remote code execution.

  • Monitor for unauthorized Lua execution.
  • Block S-100 chart imports from untrusted sources.
  • Isolate systems processing untrusted charts.
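One way to act on the "block imports from untrusted sources" step above, as an added example that is not part of OpenS100 or of this advisory: a pre-import triage pass over the Lua files of an unpacked portrayal catalogue that flags references to the `os` and `io` libraries named here. The `INDIRECT` name list, the `*.lua` file layout and the sample script are assumptions made for the example.

```python
import re
from pathlib import Path

HOST_LIBS = {"os", "io"}  # libraries the advisory names
# Assumption (not from the advisory): other standard Lua globals that reach the
# host or load code indirectly, so a script can get to os/io without naming them.
INDIRECT = {"_G", "_ENV", "package", "debug", "require",
            "load", "loadstring", "loadfile", "dofile"}

# Comments and string literals are blanked first so text inside them is ignored.
_SKIP = re.compile(
    r"--\[(=*)\[.*?\]\1\]"          # block comment  --[[ ... ]]
    r"|--[^\n]*"                    # line comment
    r"|\[(=*)\[.*?\]\2\]"           # long string    [[ ... ]]
    r"|\"(?:\\.|[^\"\\\n])*\""      # "double quoted"
    r"|'(?:\\.|[^'\\\n])*'",        # 'single quoted'
    re.S,
)
# A bare global reference: not a field (x.os), a method (x:load) or part of a word.
_NAME = re.compile(r"(?<![\w.:])(%s)\b" % "|".join(sorted(HOST_LIBS | INDIRECT)))

# Constructed sample rule file, not taken from any real catalogue.
SAMPLE = '''-- uses os.time in a comment only
local label = "io.open is just text here"
local depth = feature.os            -- field access, not the os library
local home = os.getenv("HOME")
local f = io.open(home .. "/x")
local env = _G
'''

def scan_source(text):
    """Return [(line_no, name, kind)] for risky global references in Lua source."""
    code = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), text)
    code = code.replace("..", "  ")   # the concat operator is not field access
    findings = []
    for m in _NAME.finditer(code):
        kind = "host-library" if m.group(1) in HOST_LIBS else "indirect"
        findings.append((code.count("\n", 0, m.start()) + 1, m.group(1), kind))
    return findings

def scan_catalogue(root):
    """Scan every *.lua file under an unpacked catalogue directory (assumed layout)."""
    report = {}
    for path in sorted(Path(root).rglob("*.lua")):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report
```

A finding is a lead for manual review before import, and a clean result does not prove a catalogue safe, since this is a textual heuristic rather than a sandbox.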

Frequently asked questions

What is OpenS100 and its purpose?

OpenS100 is the reference implementation for an S-100 viewer, specialized software designed for displaying electronic navigational charts. It enables users to import and visualize digital maritime chart data.

How does the OpenS100 vulnerability manifest?

The vulnerability stems from an unrestricted Lua interpreter (CWE-829). OpenS100 initializes Lua without adequate security restrictions. This allows malicious S-100 chart files to execute arbitrary commands by accessing standard Lua libraries like 'os' and 'io'.

What is needed for an attacker to exploit this CVE?

An attacker must provide a malicious S-100 portrayal catalogue containing Lua scripts. Exploitation requires a user to import this catalogue and load a chart within OpenS100, which then executes the embedded scripts with the application's privileges.

What is the relevance of the OpenS100 vulnerability?

The OpenS100 viewer contains a critical remote code execution flaw. While requiring user interaction to import malicious charts, an attacker could potentially gain control of the application, impacting the display and handling of navigational data.

How can OpenS100 security be practically addressed?

Focus on monitoring system logs for unusual process activity or signs of untrusted S-100 chart imports. If malicious activity is suspected, isolate affected systems immediately. Blocking chart imports from unknown sources is also a key preventative measure.
