CVE-2006-5647 in Sophos
Summary
by MITRE
Sophos Anti-Virus and Endpoint Security before 6.0.5, Anti-Virus for Linux before 5.0.10, and other platforms before 4.11 allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via a malformed CHM file with a large name length in the CHM chunk header, aka "CHM name length memory consumption vulnerability."
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/26/2026
The vulnerability described in CVE-2006-5647 represents a critical memory corruption issue affecting multiple Sophos security products including Anti-Virus and Endpoint Security versions prior to 6.0.5, Anti-Virus for Linux versions before 5.0.10, and other platforms before 4.11. This vulnerability specifically targets the handling of Compiled HTML Help (.chm) files, which are commonly used documentation formats that can be embedded within various software applications. The flaw occurs when the software processes CHM files containing malformed chunk headers with excessively long name fields, creating a condition where memory allocation becomes unpredictable and potentially exploitable.
The technical implementation of this vulnerability stems from inadequate input validation within Sophos's CHM file parsing engine. When processing a specially crafted CHM file, the software fails to properly validate the length of name fields within the CHM chunk headers, allowing attackers to specify name lengths that exceed normal boundaries. This leads to memory corruption through buffer overflow conditions or heap corruption, as the application attempts to allocate memory based on the malformed length values provided in the CHM file structure. The vulnerability operates at the binary parsing level where the software's file format handlers do not adequately sanitize input parameters before processing them, creating a pathway for malicious memory manipulation.
The operational impact of this vulnerability extends beyond simple denial of service to potentially enabling remote code execution, making it particularly dangerous in enterprise environments where security solutions are often targeted by attackers seeking to compromise endpoint protection. Attackers can leverage this vulnerability by delivering malicious CHM files through various attack vectors including email attachments, web downloads, or removable media, without requiring any special privileges or authentication. The memory corruption can manifest as application crashes, system instability, or more critically, provide attackers with opportunities to inject and execute arbitrary code within the context of the affected security software, effectively compromising the very protection mechanisms designed to defend against such threats.
This vulnerability aligns with CWE-122, which describes "Heap-based Buffer Overflow," and demonstrates characteristics consistent with ATT&CK technique T1203, "Exploitation for Client Execution," where attackers exploit vulnerabilities in software to execute malicious code. The attack surface is particularly concerning given that CHM files are commonly encountered in legitimate software installations and documentation, making detection and prevention challenging. Organizations using affected Sophos products face significant risk of exploitation, as the vulnerability can be triggered through routine file processing activities without user interaction, potentially allowing attackers to escalate privileges or establish persistent access points within network environments.
Mitigation strategies should prioritize immediate patching of all affected Sophos products to version 6.0.5 or later for Endpoint Security, 5.0.10 for Linux Anti-Virus, and 4.11 for other platforms. Network administrators should implement strict file filtering policies to block CHM files from untrusted sources and consider deploying additional security controls such as application whitelisting to prevent execution of potentially malicious CHM files. Regular vulnerability assessments and security monitoring should be conducted to identify any remaining instances of affected software within the organization, while incident response procedures should be updated to address potential exploitation attempts targeting this specific vulnerability.