NetHack: NetHack Call command buffer overflow

Severity: High
Affected versions: 3.6.2 through 3.6.6
First Patched Version: 3.6.7

Basic Information:
Using the Call (C) command with a very long string can cause a buffer overflow.

This vulnerability may be a security issue for systems that have NetHack installed suid/sgid and for shared systems. For all systems, it may result in a process crash.

Users are encouraged to upgrade as soon as possible.

Additional information related to this advisory, if any, will be made available at

16-Feb-2023 Fixed version 3.6.7 released.
01-Jan-2023 Bug reported.

The NetHack Development Team gratefully acknowledges Keith Simpson for discovering this issue and for responsibly reporting it.
Revision History:
16-Feb-2023 Initial Version.

Known Bug List
Version 3.6.7
Known Bug Search
Site Map
Old News
Security Issues
Developer Resources
Old Versions
Contact Us

Hosted courtesy of

NetHack is Copyright 1985-2023 by Stichting Mathematisch Centrum and M. Stephenson. See our license for details.
This site is Copyright 1999-2023 by Kenneth Lorber, Kensington, Maryland.