CVE-2026-33250

EUVD-2026-14642

24.03.2026, 00:16

Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

freeciv

bookworm	vulnerable
bookworm (security)	3.0.6-1+deb12u1 fixed
bullseye	vulnerable
forky	vulnerable
sid	3.2.4+ds-1 fixed
trixie	vulnerable
trixie (security)	3.1.4+ds-2+deb13u1 fixed

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/longturn/freeciv21/commit/ad8e18ca22595529599782b2984bf44df8d69ed6

https://github.com/longturn/freeciv21/releases/tag/v3.1.1

https://github.com/longturn/freeciv21/security/advisories/GHSA-f76g-6w3f-f6r3

https://redmine.freeciv.org/issues/1955