ProFTPD Heap-Based Buffer Overflow Vulnerability in SFTP Module Allowing Denial-of-Service

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the ProFTPD SFTP module (mod_sftp) versions prior to 1.3.10. This vulnerability is accessible to authenticated SFTP users and is caused by the fxp_packet_read() function, which improperly handles the 32-bit big-endian SFTP packet length. The lack of a minimum sanity check allows an attacker to craft a packet that triggers an unsigned integer underflow, leading to a request size of approximately 4 GB. This oversized request is mismanaged by the memory allocator, causing a small block to be allocated while the caller is misled into believing a much larger size was received. Exploitation involves sending a malformed SFTP packet with a length of 0, followed by a body exceeding 544 bytes, which results in a controlled buffer overflow on the heap.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the affected ProFTPD session. However, there is potential for heap metadata corruption, which could lead to more severe consequences, although such impacts have not been demonstrated.

Reproduction

To reproduce this vulnerability, an authenticated SFTP user can send a SFTP packet with a length of 0, followed by a payload that exceeds approximately 544 bytes. This can be done using an SFTP client that allows for packet manipulation or by scripting the SFTP protocol to include the crafted packet. The vulnerability can be verified by observing the crash of the ProFTPD session handling the request.

Remediation

Users can upgrade to ProFTPD version 1.3.10 or later, where this vulnerability has been addressed.

Added: Jul 18, 2026, 8:23 PM
Updated: Jul 18, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
1.3
exploitability
6.4
remediation
7.7
relevance
9.9
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.