JS8Call through 2.3.1 and JS8Call-improved before 3.0 have a stack-based buffer overflow via a radio transmission of @APRSIS GRID followed by a long Maidenhead locator. This occurs in grid2deg in APRSISClient.cpp.
The vulnerability lies in the grid2deg function in APRSISClient.cpp. When the application receives an APRS-IS message via radio with the @APRSIS GRID command, it passes the Maidenhead locator to the aforementioned function without proper data length verification. An excessively long string causes a stack-based buffer overflow (CWE-121). An attacker can deliver a malicious payload via radio transmission — without any authentication and without interaction from the victim.
Successful exploitation of the vulnerability may enable an attacker to execute arbitrary code remotely (RCE) on the machine running JS8Call. In the worst case, this could lead to complete takeover of the victim's system.
JS8Call-improved should be updated to version 3.0 or later, where the vulnerability has been patched (commit a6c7a19b82bbd7c2c0c892576f84d7449e8c7088). For the original JS8Call (up to version 2.3.1), manufacturer references should be monitored to obtain available patches. Until updating, it is recommended to limit exposure to untrusted APRS-IS radio transmissions.
JS8Call version 2.3.1 and earlier, and JS8Call-improved versions before 3.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:D/RE:M/U:Green