CVE-2006-5646 in Sophosinfo

Summary

by MITRE

Heap-based buffer overflow in Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for Linux before 5.0.10, and other platforms before 4.11, when archive scanning is enabled, allows remote attackers to trigger a denial of service (memory corruption) via a CHM file with an LZX decompression header that specifies a Window_size of 0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/26/2026

The vulnerability identified as CVE-2006-5646 represents a critical heap-based buffer overflow affecting multiple Sophos security products including Anti-Virus and Endpoint Security versions prior to 6.0.5, Anti-Virus for Linux versions before 5.0.10, and other platforms before 4.11. This flaw specifically manifests when the software performs archive scanning operations, creating a pathway for remote attackers to exploit memory corruption issues through carefully crafted CHM (Compiled HTML Help) files. The vulnerability stems from inadequate input validation within the LZX decompression header processing mechanism, where the Window_size parameter is set to zero, triggering unexpected behavior in the memory allocation routines.

The technical exploitation of this vulnerability occurs during the processing of CHM files that contain malicious LZX decompression headers with a Window_size value of zero. When Sophos Anti-Virus software attempts to decompress such files, the zero window size parameter causes the decompression algorithm to allocate insufficient memory or attempt invalid memory operations, resulting in heap corruption. This heap-based buffer overflow directly violates the principles of memory safety and can lead to arbitrary code execution or system instability. The vulnerability aligns with CWE-121, which describes heap-based buffer overflow conditions, and demonstrates how improper validation of decompression parameters can create dangerous memory corruption scenarios. The attack vector is particularly concerning as it requires no local privileges and can be executed remotely through the archive scanning functionality that is commonly enabled in enterprise security solutions.

The operational impact of this vulnerability extends beyond simple denial of service conditions to potentially enable more sophisticated attacks within compromised environments. When successfully exploited, the memory corruption can cause the targeted security software to crash or behave unpredictably, creating potential gaps in system protection. Organizations relying on Sophos products for endpoint security may experience service interruptions, false positive detections, or complete software failure during scanning operations. The vulnerability affects not only the primary anti-virus functionality but also the broader security infrastructure since endpoint security solutions often serve as critical components in enterprise defense stacks. This weakness can be leveraged by attackers to bypass security controls or create conditions that allow further exploitation of the compromised systems. The attack model aligns with ATT&CK technique T1059.007 for command and script interpreter execution, as the memory corruption may enable execution of malicious code within the compromised software environment.

Mitigation strategies for this vulnerability require immediate patching of affected Sophos products to versions 6.0.5 or later for Endpoint Security, 5.0.10 or later for Linux Anti-Virus, and 4.11 or later for other platforms. Organizations should disable archive scanning functionality where possible until patches are applied, particularly in environments where CHM files might be encountered in untrusted contexts. Network administrators should implement monitoring for suspicious CHM file transfers and consider implementing file type restrictions to prevent the delivery of potentially malicious archive files. Security teams should also review their incident response procedures to account for potential memory corruption events that could affect security software integrity. The vulnerability demonstrates the critical importance of input validation in decompression algorithms and highlights the need for comprehensive security testing of file processing components within enterprise security solutions. Additionally, organizations should consider implementing multiple layers of defense including network segmentation, application whitelisting, and regular security assessments to reduce the attack surface and prevent exploitation of similar vulnerabilities in the future.

Reservation

11/01/2006

Disclosure

11/01/2006

Moderation

accepted

Entry

VDB-33069

CPE

ready

Exploit

Download

EPSS

0.17430

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!