CVE-2026-3606 is a security vulnerability identified in Ettercap version 0.8.4-Garofalo, a popular open-source network security tool used for man-in-the-middle attacks and network protocol analysis. The vulnerability resides in the add_data_segment function within the etterfilter component, specifically in the source file src/ettercap/utils/etterfilter/ef_output.c. The flaw is an out-of-bounds read, meaning the program reads memory beyond the allocated buffer boundaries. This can lead to unintended information disclosure or cause the application to behave unpredictably, potentially crashing or leaking sensitive data. Exploitation requires local access with low privileges, meaning an attacker must have some level of access to the affected system but does not need elevated permissions or user interaction. The vulnerability was responsibly disclosed early to the project maintainers, but as of the publication date, no patch or response has been provided. The CVSS v4.0 base score of 4.8 reflects a medium severity, considering the attack vector is local, the complexity is low, and no authentication or user interaction is required. No known exploits are currently active in the wild, but the public disclosure increases the risk of future exploitation attempts. Ettercap is widely used by security professionals and penetration testers, so the presence of this vulnerability could impact environments where Ettercap is installed and used.

The primary impact of CVE-2026-3606 is potential information disclosure or application instability due to out-of-bounds memory reads. While it does not allow remote exploitation or privilege escalation directly, an attacker with local access could leverage this flaw to read sensitive memory contents, which might include credentials, cryptographic keys, or other confidential data. This could undermine the confidentiality of the affected system. Additionally, the vulnerability might cause Ettercap to crash or behave erratically, impacting availability of the tool for legitimate users. Organizations relying on Ettercap for network monitoring or security testing could experience disruptions or data leaks if this vulnerability is exploited. Since Ettercap is often used in security-sensitive environments, the presence of this flaw could weaken overall security posture. The medium severity rating reflects that while the impact is limited to local attackers and does not affect system-wide integrity or availability directly, the confidentiality risks and potential for denial of service are non-negligible.

1. Restrict local access to systems running Ettercap to trusted users only, minimizing the risk of local exploitation. 2. Monitor and audit usage of Ettercap binaries to detect unauthorized or suspicious activity. 3. Consider running Ettercap in a sandboxed or containerized environment to limit the impact of potential memory corruption. 4. Until an official patch is released, review the source code of the affected function (add_data_segment in etterfilter) to identify and apply manual code fixes or bounds checking if feasible. 5. Keep Ettercap installations updated and subscribe to vendor or community advisories for patch releases. 6. Employ host-based intrusion detection systems (HIDS) to detect anomalous behavior related to Ettercap processes. 7. Limit the installation of Ettercap to systems where it is strictly necessary, avoiding its presence on general-purpose or high-value servers. 8. Educate local users about the risks of running untrusted code or commands that could exploit this vulnerability.