External risk intelligence

socat Heap Buffer Overflow Vulnerability in SOCKS5 Parser.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-56123

Socat is a command-line networking utility typically used for local data routing, bridging, or testing by administrators. While it can be configured to listen on a network, it is not a common internet-facing service or appliance by design, and its use as a SOCKS5 client or proxy in an internet-exposed capacity is non-standard and highly circumstantial.

Buffer Overflow

Dest Unreach Socat

1.8.0.0 to before 1.8.1.2

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in socat, a utility for data transfer and redirection, that could allow a malicious SOCKS5 proxy server to cause a heap-based buffer overflow. This flaw stems from how domain name lengths are handled during connection setup, potentially enabling an attacker to write arbitrary data into adjacent memory. The main concern is confirming relevance and exposure due to the specific technical nature and typical use of the affected technology.

  • Flaw in handling network connection data.
  • Attackers could impact adjacent memory.
  • Confirm relevance and exposure of this tool.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by setting up a malicious SOCKS5 proxy server that manipulates the domain name length during connection setup. This manipulation causes a flaw in how socat parses the reply, allowing the attacker to overwrite adjacent memory on the heap, potentially leading to code execution.

  • Network access required.
  • Malicious SOCKS5 proxy reply.
  • Heap corruption and code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in socat could allow a malicious SOCKS5 proxy server to cause a heap-based buffer overflow. This occurs when a crafted DOMAINNAME reply is sent, exploiting a sign-extension flaw during connection setup. The flaw leads to an unbounded write into adjacent heap memory, potentially impacting service availability and integrity.

  • Network-accessible heap memory.
  • Exploiting a crafted SOCKS5 reply.
  • Denial of service or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability, a heap-based buffer overflow in socat's SOCKS5 reply parser, could be exploited by a malicious SOCKS5 proxy. Identifying where socat is deployed, determining its network exposure and criticality, and locating the accountable owner are the immediate first steps to managing this risk before planning remediation.

  • Application owners and infrastructure teams.
  • Confirm socat's network reachability and business criticality.
  • Plan remediation based on confirmed exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is socat?

Socat is a versatile command-line utility used by administrators and developers to transfer data and establish bidirectional byte streams between two locations. It functions as a multipurpose relay, often used for tasks like data redirection, bridging network connections, or testing complex networking scenarios across various protocols.

How does the CVE-2026-56123 vulnerability work?

This is a heap-based buffer overflow, classified as CWE-122. It occurs in the SOCKS5 reply parser when a negative domain name length is misinterpreted due to a sign-extension flaw. This error causes the software to write data beyond its allocated 262-byte reply buffer, potentially overwriting adjacent memory with attacker-controlled content.

What triggers this overflow in socat?

The vulnerability is triggered during connection setup when a client interacts with a malicious SOCKS5 proxy server that provides a crafted DOMAINNAME reply. Normal, well-formed proxy traffic does not trigger this flaw; the overflow specifically requires the proxy to manipulate the length byte to induce the memory write error.

Is my socat instance at risk?

Halo Surface Signal indicates that risk is unlikely for most users, as socat is typically a local utility for routing or testing rather than an internet-facing appliance. You should focus on instances where socat is explicitly configured to operate as a SOCKS5 client or proxy for untrusted external connections.

How should I respond to this threat?

First, identify all systems running socat versions 1.8.0.0 through 1.8.1.1. Determine if any of these deployments are configured to connect to external, untrusted SOCKS5 proxies. Once identified, evaluate the criticality of those specific connections and plan for updates to a patched version to eliminate the underlying memory handling defect.

References