CVE-2026-43671

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

SwiftNIO: Out-of-bounds write via ByteBuffer index and length UInt32 overflow

Summary

A program using swift-nio is vulnerable to a potential out-of-bounds write when attacker-controlled index or length values exceeding UInt32.max are passed to some ByteBuffer methods. This affects all swift-nio versions from 1.0.0 to 2.99.0. It is fixed in 2.100.0 and later releases.

Details

ByteBuffer internally stores indices and capacities as UInt32 values. The internal helper functions _toIndex and _toCapacity, which convert from Int to UInt32, used UInt32(truncatingIfNeeded:). On 64-bit platforms, this silently discards the upper 32 bits of the value rather than trapping on overflow. For example, a value of UInt32.max + 1 (0x100000000) would be truncated to 0.

This truncation can cause safety preconditions to pass when they should fail. Subsequent operations would then use the incorrect truncated value, potentially leading to out-of-bounds memory writes or reads.

The affected ByteBuffer methods that may lead to out-of-bounds writes are:

  • copyBytes(at:to:length:) — a crafted destination index exceeding UInt32.max could copy bytes to an incorrect offset.
  • writeWithUnsafeMutableBytes(minimumWritableBytes:) — a crafted minimumWritableBytes exceeding UInt32.max could provide the caller with a buffer pointer of incorrect length, which can easily be subsequently overflowed.

The affected ByteBuffer methods that have logic errors but do neither expose out-of-bounds reads nor out-of-bounds writes:

  • moveReaderIndex(forwardBy:) / moveWriterIndex(forwardBy:) — a crafted offset exceeding UInt32.max could move indices to incorrect positions, bypassing bounds checks. These indices cannot be out of the bounds of the buffer, so they do not expose access to uninitialized memory or produce wild pointers.
  • The ByteBuffer(takingOwnershipOf:allocator:) initialiser — passing a buffer larger than UInt32.max bytes could create a ByteBuffer with an incorrect capacity.

Outside of these methods, there are still impacts, but they are simply logical bugs. In these cases applications can be forced to read from or write to unexpected parts of the buffer. This does not cause memory-safety issues, but it can cause logical issues or corruption of outbound packets.

Impact

Exploitation requires an attacker to influence the index, offset, or length parameter of the affected ByteBuffer methods with a value exceeding UInt32.max (approximately 4 GiB). This is a high bar for most applications: attacker-controlled length parameters to ByteBuffer are typically used on the read path, and the above methods are typically not used on the read paths. However, applications that calculate buffer positions arithmetically from untrusted input when attempting to do writes, or that process very large payloads, may be at risk of memory safety issues.

Other applications may encounter logical issues due to reading unexpected bytes, or writing to unexpected parts of the buffer.

When the memory-safety issue is exploitable, the consequences are severe. Because truncatingIfNeeded silently produces an incorrect but valid UInt32 value, subsequent operations may write to or read from memory outside the valid buffer region. In optimised (release) builds where preconditions are not checked, this could lead to out-of-bounds memory writes, potentially corrupting adjacent heap memory.

In debug builds, some of these conditions are caught by assertions, but truncatingIfNeeded occurs before the assertion checks the (already-truncated) value, so even assertions may not reliably catch the issue.

Patches

The issue is fixed by replacing UInt32(truncatingIfNeeded:) with UInt32(_:) in the _toIndex and _toCapacity helper functions. The UInt32(_:) initialiser traps on overflow in both debug and release builds, converting a potential silent memory corruption into a deterministic crash.

One call site in getSlice(at:length:) retains truncatingIfNeeded because prior bounds checks against the non-truncated Int values mathematically guarantee the values fit within UInt32.

Workarounds

Applications can mitigate this issue by validating that all index and length values passed to ByteBuffer methods do not exceed UInt32.max (4,294,967,295). In practice, most applications are not affected because buffer indices are derived from protocol parsing rather than raw untrusted input.

CVSS v3
EG Score
0.0(none)
EPSS
13.3%
KEV
Not listed

Published

June 12, 2026

Last Modified

June 12, 2026

Vendor Advisories for CVE-2026-43671(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 0× in last 7d / 4× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-15 12:25 UTCEG score recompute
  2. 2026-06-14 23:18 UTCEPSS rescore
  3. 2026-06-13 23:00 UTCEPSS rescore
  4. 2026-06-12 15:11 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-43671?
CVE-2026-43671 is a high vulnerability published on June 12, 2026. SwiftNIO: Out-of-bounds write via ByteBuffer index and length UInt32 overflow Summary A program using swift-nio is vulnerable to a potential out-of-bounds write when attacker-controlled index or length values exceeding UInt32.max are passed to some ByteBuffer methods. This affects all swift-nio…
When was CVE-2026-43671 disclosed?
CVE-2026-43671 was first published in the National Vulnerability Database on June 12, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-43671 actively exploited?
CVE-2026-43671 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 13.3% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-43671?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-43671, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-43671

Explore →

Is Your Infrastructure Affected by CVE-2026-43671?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.