Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-670
Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
CVE-2026-6608 (GCVE-0-2026-6608)
Vulnerability from cvelistv5 – Published: 2026-04-20 05:15 – Updated: 2026-04-20 14:57
VLAI
EPSS
VEX
Title
lm-sys fastchat Arena Side-by-Side View add_text control flow
Summary
A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was fixed in commit 34eca62 for gradio_block_arena_named.py, but three other files were missed.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-670 - Incorrect Control Flow
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/358243 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/358243/cti | signaturepermissions-required |
| https://vuldb.com/submit/792228 | third-party-advisory |
| https://github.com/lm-sys/FastChat/issues/3834 | issue-tracking |
| https://gist.github.com/YLChen-007/e45039d23e6982… | exploit |
| https://github.com/lm-sys/FastChat/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| lm-sys | fastchat |
Affected:
0.2.0
Affected: 0.2.1 Affected: 0.2.2 Affected: 0.2.3 Affected: 0.2.4 Affected: 0.2.5 Affected: 0.2.6 Affected: 0.2.7 Affected: 0.2.8 Affected: 0.2.9 Affected: 0.2.10 Affected: 0.2.11 Affected: 0.2.12 Affected: 0.2.13 Affected: 0.2.14 Affected: 0.2.15 Affected: 0.2.16 Affected: 0.2.17 Affected: 0.2.18 Affected: 0.2.19 Affected: 0.2.20 Affected: 0.2.21 Affected: 0.2.22 Affected: 0.2.23 Affected: 0.2.24 Affected: 0.2.25 Affected: 0.2.26 Affected: 0.2.27 Affected: 0.2.28 Affected: 0.2.29 Affected: 0.2.30 Affected: 0.2.31 Affected: 0.2.32 Affected: 0.2.33 Affected: 0.2.34 Affected: 0.2.35 Affected: 0.2.36 cpe:2.3:a:lm-sys:fastchat:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6608",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-20T14:57:43.886595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:57:55.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:lm-sys:fastchat:*:*:*:*:*:*:*:*"
],
"modules": [
"Arena Side-by-Side View Handler"
],
"product": "fastchat",
"vendor": "lm-sys",
"versions": [
{
"status": "affected",
"version": "0.2.0"
},
{
"status": "affected",
"version": "0.2.1"
},
{
"status": "affected",
"version": "0.2.2"
},
{
"status": "affected",
"version": "0.2.3"
},
{
"status": "affected",
"version": "0.2.4"
},
{
"status": "affected",
"version": "0.2.5"
},
{
"status": "affected",
"version": "0.2.6"
},
{
"status": "affected",
"version": "0.2.7"
},
{
"status": "affected",
"version": "0.2.8"
},
{
"status": "affected",
"version": "0.2.9"
},
{
"status": "affected",
"version": "0.2.10"
},
{
"status": "affected",
"version": "0.2.11"
},
{
"status": "affected",
"version": "0.2.12"
},
{
"status": "affected",
"version": "0.2.13"
},
{
"status": "affected",
"version": "0.2.14"
},
{
"status": "affected",
"version": "0.2.15"
},
{
"status": "affected",
"version": "0.2.16"
},
{
"status": "affected",
"version": "0.2.17"
},
{
"status": "affected",
"version": "0.2.18"
},
{
"status": "affected",
"version": "0.2.19"
},
{
"status": "affected",
"version": "0.2.20"
},
{
"status": "affected",
"version": "0.2.21"
},
{
"status": "affected",
"version": "0.2.22"
},
{
"status": "affected",
"version": "0.2.23"
},
{
"status": "affected",
"version": "0.2.24"
},
{
"status": "affected",
"version": "0.2.25"
},
{
"status": "affected",
"version": "0.2.26"
},
{
"status": "affected",
"version": "0.2.27"
},
{
"status": "affected",
"version": "0.2.28"
},
{
"status": "affected",
"version": "0.2.29"
},
{
"status": "affected",
"version": "0.2.30"
},
{
"status": "affected",
"version": "0.2.31"
},
{
"status": "affected",
"version": "0.2.32"
},
{
"status": "affected",
"version": "0.2.33"
},
{
"status": "affected",
"version": "0.2.34"
},
{
"status": "affected",
"version": "0.2.35"
},
{
"status": "affected",
"version": "0.2.36"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Eric-f (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The manipulation results in incorrect control flow. The attack can be launched remotely. The exploit is now public and may be used. The root cause was fixed in commit 34eca62 for gradio_block_arena_named.py, but three other files were missed."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "Incorrect Control Flow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T05:15:12.337Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-358243 | lm-sys fastchat Arena Side-by-Side View add_text control flow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/358243"
},
{
"name": "VDB-358243 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/358243/cti"
},
{
"name": "Submit #792228 | LM-Sys FastChat \u003c= 0.2.36 Content Moderation Bypass (CWE-670)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/792228"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/lm-sys/FastChat/issues/3834"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/YLChen-007/e45039d23e698222d887ee09735d9d36"
},
{
"tags": [
"product"
],
"url": "https://github.com/lm-sys/FastChat/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-19T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-19T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-19T18:04:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "lm-sys fastchat Arena Side-by-Side View add_text control flow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6608",
"datePublished": "2026-04-20T05:15:12.337Z",
"dateReserved": "2026-04-19T15:59:43.122Z",
"dateUpdated": "2026-04-20T14:57:55.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7656 (GCVE-0-2026-7656)
Vulnerability from cvelistv5 – Published: 2026-06-29 22:09 – Updated: 2026-06-30 13:11
VLAI
EPSS
VEX
Title
Broken IPv6 Neighbor Discovery input validation allows spoofed RA/NS/NA acceptance in Zephyr net stack
Summary
The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was '((length/hop/source/target checks) && (icmp_hdr-code != 0))'. Because every legitimate ND message carries ICMPv6 code 0, an attacker setting code == 0 (the normal value) caused the entire predicate to evaluate false, so the packet was never dropped and all of the other checks were silently skipped. The bypassed checks include the mandatory Hop Limit == 255 verification (which proves an ND packet originated on-link and was not forwarded) and, for Router Advertisements, the requirement that the source be a link-local address, as well as multicast-target sanity checks. As a result, an adjacent on-link attacker — and, because the Hop-Limit-255 guard is bypassed, potentially a remote/off-link attacker whose packets would otherwise be rejected — can have forged Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages accepted. A forged RA lets the attacker reconfigure the victim's default router, on-link prefixes (SLAAC), MTU, reachable/retransmit timers, and (with CONFIG_NET_IPV6_RA_RDNSS) DNS servers, while forged NS/NA enable neighbor-cache poisoning, enabling man-in-the-middle, traffic redirection, and denial of service. The flaw is an input-validation/authentication weakness rather than a memory-safety issue: the underlying packet-parsing primitives (net_pkt_get_data, net_pkt_read, net_pkt_skip) are independently bounds-safe and the validated 'length' is the true buffer length, so skipping the length check causes no out-of-bounds access. The defect has existed since the logic was introduced in 2018 and shipped in all releases through v4.4.0; it is fixed by splitting the condition so any failing check drops the packet.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| zephyrproject | zephyr |
Affected:
1.14.0 , < 4.5.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7656",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T13:10:33.227842Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T13:11:01.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-cpjw-rvwx-ph9f"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/zephyrproject-rtos/zephyr",
"defaultStatus": "unaffected",
"packageName": "zephyr",
"product": "zephyr",
"vendor": "zephyrproject",
"versions": [
{
"lessThan": "4.5.0",
"status": "affected",
"version": "1.14.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The IPv6 Neighbor Discovery handlers in subsys/net/ip/ipv6_nbr.c (handle_ra_input, handle_ns_input, handle_na_input) used an incorrect boolean expression that combined the RFC 4861 validity checks with the ICMPv6 code check using the wrong operator precedence: the form was \u0027((length/hop/source/target checks) \u0026\u0026 (icmp_hdr-code != 0))\u0027. Because every legitimate ND message carries ICMPv6 code 0, an attacker setting code == 0 (the normal value) caused the entire predicate to evaluate false, so the packet was never dropped and all of the other checks were silently skipped. The bypassed checks include the mandatory Hop Limit == 255 verification (which proves an ND packet originated on-link and was not forwarded) and, for Router Advertisements, the requirement that the source be a link-local address, as well as multicast-target sanity checks. As a result, an adjacent on-link attacker \u2014 and, because the Hop-Limit-255 guard is bypassed, potentially a remote/off-link attacker whose packets would otherwise be rejected \u2014 can have forged Router Advertisement, Neighbor Solicitation, and Neighbor Advertisement messages accepted. A forged RA lets the attacker reconfigure the victim\u0027s default router, on-link prefixes (SLAAC), MTU, reachable/retransmit timers, and (with CONFIG_NET_IPV6_RA_RDNSS) DNS servers, while forged NS/NA enable neighbor-cache poisoning, enabling man-in-the-middle, traffic redirection, and denial of service. The flaw is an input-validation/authentication weakness rather than a memory-safety issue: the underlying packet-parsing primitives (net_pkt_get_data, net_pkt_read, net_pkt_skip) are independently bounds-safe and the validated \u0027length\u0027 is the true buffer length, so skipping the length check causes no out-of-bounds access. The defect has existed since the logic was introduced in 2018 and shipped in all releases through v4.4.0; it is fixed by splitting the condition so any failing check drops the packet."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-290",
"description": "Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T22:09:10.460Z",
"orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"shortName": "zephyr"
},
"references": [
{
"name": "Fix commit",
"tags": [
"patch"
],
"url": "https://github.com/zephyrproject-rtos/zephyr/commit/095f064c94b95f9c35e05602e693dc268f0cb865"
},
{
"name": "GHSA-cpjw-rvwx-ph9f",
"url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-cpjw-rvwx-ph9f"
}
],
"title": "Broken IPv6 Neighbor Discovery input validation allows spoofed RA/NS/NA acceptance in Zephyr net stack",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
"assignerShortName": "zephyr",
"cveId": "CVE-2026-7656",
"datePublished": "2026-06-29T22:09:10.460Z",
"dateReserved": "2026-05-01T18:40:20.792Z",
"dateUpdated": "2026-06-30T13:11:01.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.