CVE-2026-33250

March 24, 2026, 3:53 p.m.

7.5
High

Description

Freeciv21 is a free open source, turn-based, empire-building strategy game. Versions prior to 3.1.1 crash with a stack overflow when receiving specially-crafted packets. A remote attacker can use this to take down any public server. A malicious server can use this to crash the game on the player's machine. Authentication is not needed and, by default, logs do not contain any useful information. All users should upgrade to Freeciv21 version 3.1.1. Running the server behind a firewall can help mitigate the issue for non-public servers. For local games, Freeciv21 restricts connections to the current user and is therefore not affected.

Product(s) Impacted

Vendor Product Versions
Freeciv
  • Freeciv
  • 3.1.1, <3.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a freeciv freeciv 3.1.1 / / / / / / /
a freeciv freeciv <3.1.1 / / / / / / /

References

https://github.com/longturn/freeciv21/commit/ad8e18ca22595529599782b2984bf44df8d69ed6
https://github.com/longturn/freeciv21/releases/tag/v3.1.1
https://github.com/longturn/freeciv21/security/advisories/GHSA-f76g-6w3f-f6r3
https://redmine.freeciv.org/issues/1955

Tags

CWE-20
[email protected]
2026-03-24
CVE-2026-33250

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: March 24, 2026, 12:16 a.m.
Last Modified: March 24, 2026, 3:53 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.