External risk intelligence

JS8Call could allow external attacker to compromise the system

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2026-42996

JS8Call and JS8Call-improved have a flaw where an external attacker can use a crafted radio signal to run unauthorized code on a connected workstation. This could allow the attacker to take full control of the system or disrupt communication services.

1Halo Surface Signal

Buffer Overflow

External exposure likelihood

Halo Surface Signal score for CVE-2026-42996

The vulnerability is triggered over the air via amateur radio frequencies, requiring an attacker to be physically within transmission range of the radio equipment. This relies on non-internet-based radio propagation rather than public-facing network services, making it effectively isolated from the public internet.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in JS8Call allows for a critical remote code execution by sending a specifically crafted radio transmission. It's important to pay attention because this issue could let an attacker take control of affected devices without needing any prior access.

  • Remote attackers can exploit this.
  • Affects devices using JS8Call versions before 3.0.
  • Can lead to full system compromise.

Attack Path

How an attacker could exploit the issue

An attacker could trigger this vulnerability by sending a specially crafted radio transmission to a vulnerable JS8Call instance. This would likely involve an attacker being in radio range and sending a malformed `@APRSIS GRID` command with an excessively long locator string. Successful exploitation could lead to a stack-based buffer overflow, potentially allowing for remote code execution.

  • Target is radio transmission.
  • Requires no authentication.
  • Needs vulnerable software version.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability involves a stack-based buffer overflow in JS8Call, a software used in amateur radio. While theoretically exploitable remotely via radio transmission, its practical weaponization is unlikely due to the significant physical and technical barriers. Attackers would need to be in radio range and possess specialized knowledge of amateur radio protocols to leverage this flaw, which significantly limits its appeal compared to more accessible internet-facing vulnerabilities.

  • Exploitation requires proximity.
  • No public exploit code is known.
  • The vulnerability affects niche amateur radio software.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating affected services due to the critical severity and buffer overflow vulnerability. Investigate logs for unusual radio transmission patterns or locator data that could indicate exploitation.

  • Block malformed @APRSIS GRID transmissions.
  • Monitor for abnormal locator data.
  • Update JS8Call to version 3.0 or later.

Frequently asked questions

What is JS8Call and its primary use in amateur radio communications?

JS8Call is a digital communication software for amateur radio operators, enabling message exchange for coordination, especially during emergencies. It excels in weak-signal communication, extending reach beyond typical voice capabilities.

What type of vulnerability does CVE-2026-42996 describe and where is it located?

CVE-2026-42996 details a stack-based buffer overflow vulnerability within JS8Call. This weakness is found in the grid2deg function in the APRSISClient.cpp file, affecting versions up to 2.3.1 and JS8Call-improved before 3.0.

How can an attacker exploit the CVE-2026-42996 vulnerability?

Exploitation of CVE-2026-42996 is triggered by a radio transmission of '@APRSIS GRID' followed by a long Maidenhead locator. This specific input can cause a buffer overflow in the affected function, potentially allowing an attacker to execute arbitrary code.

What is the practical relevance of CVE-2026-42996 for external attackers?

The practical relevance of CVE-2026-42996 for external attackers is very unlikely. Exploitation requires an attacker to be within radio transmission range and possess specialized knowledge, making it less appealing than internet-facing vulnerabilities.

What steps should be taken to address the JS8Call vulnerability?

To mitigate the JS8Call vulnerability, update the software to version 3.0 or later. Additionally, monitor logs for unusual '@APRSIS GRID' transmissions or malformed locator data, and consider isolating affected services as a precautionary measure.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished