### Vulnerability Summary

**Vulnerability Overview**

* **CVE ID**: CVE-2026-26738
* **Affected Software**: Uderzo Software SpaceSniffer
* **Affected Version**: 2.0.5.18
* **Vulnerability Type**: Stack-based Buffer Overflow
* **Detailed Description**: SpaceSniffer uses an attacker-controlled length value as the size argument for `fread()` when parsing proprietary snapshot files (.sns), writing to a fixed-size 8192-byte stack buffer without performing boundary checks. A crafted .sns file can trigger stack memory corruption and enable arbitrary code execution when a user opens the snapshot.

**Scope of Impact**

* **Affected Functionality**: Snapshot open/import (.sns) functionality within the SpaceSniffer GUI.
* **Attack Vector**: A remote attacker can distribute malicious .sns files and use social engineering to induce victims to open or import the file.
* **Security Impact**:
  * **Confirmed Impact**: Stack memory corruption and application crash occur when opening a crafted .sns file.
  * **Proof of Concept (PoC) Impact**: Arbitrary code execution is achieved within the context of the user running SpaceSniffer. (The PoC uses `MessageBoxW` as benign evidence of execution and demonstrates bypassing Data Execution Prevention (DEP) via Return-Oriented Programming (ROP)).

**Remediation**

* This issue has been resolved in version **2.1.0.21**.

**PoC Code**

* The provided screenshots do not display the complete PoC source code; they only show a screenshot of "PoC generator execution using Python."
* **Exploit Payload Description**: A crafted .sns snapshot file containing an oversized length value that causes a stack overflow during parsing.
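
**Added example: bounds-checked record read**

The boundary check that the Detailed Description reports as missing, shown as an added example; this is not SpaceSniffer's code or its actual fix. The record layout (a 4-byte little-endian length prefix followed by the payload), the function names and the sample records are assumptions constructed for illustration; only the 8192-byte buffer size comes from the summary.

```c
#include <stdint.h>
#include <stdio.h>

#define REC_BUF_SIZE 8192 /* fixed stack buffer size given in the summary */

enum { REC_TRUNCATED = -1, REC_TOO_LARGE = -2, REC_IO_ERROR = -3 };

/* Assumed record layout (the real .sns format is not described here):
 * a 4-byte little-endian length followed by that many payload bytes.
 * Returns the payload length, or a negative REC_* status. */
static long read_record_checked(FILE *fp, unsigned char *out, size_t out_cap)
{
    unsigned char hdr[4];
    if (fread(hdr, 1, sizeof hdr, fp) != sizeof hdr)
        return REC_TRUNCATED;
    uint32_t len = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                   ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
    /* The flawed pattern is fread(out, 1, len, fp) with no check here.
     * Reject the file-supplied length before any byte is copied. */
    if (len > out_cap)
        return REC_TOO_LARGE;
    if (fread(out, 1, len, fp) != len)
        return REC_TRUNCATED; /* header promised more than the file holds */
    return (long)len;
}

/* Builds a constructed record in a temp file and parses it.
 * declared: length written in the header; actual: payload bytes present. */
static long parse_sample(uint32_t declared, size_t actual)
{
    unsigned char buf[REC_BUF_SIZE];
    FILE *fp = tmpfile();
    if (!fp)
        return REC_IO_ERROR;
    for (int i = 0; i < 4; i++)
        fputc((int)((declared >> (8 * i)) & 0xff), fp);
    for (size_t i = 0; i < actual; i++)
        fputc(0, fp);
    rewind(fp);
    long n = read_record_checked(fp, buf, sizeof buf);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("in bounds: %ld\n", parse_sample(16, 16));
    printf("oversized: %ld\n", parse_sample(20000, 16));
    printf("truncated: %ld\n", parse_sample(100, 10));
    return 0;
}
```

Passing the destination capacity alongside the pointer keeps the check next to the copy, so a later change to the buffer size cannot silently desynchronise the two.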