Buffer-Over-Read

IP Total Length over-read via Ethernet frame padding is not a solved problem. CVE-2003-0001 (2003), CVE-2021-3031 (Palo Alto, 2021), and multiple 2026 findings prove the mechanism survives across architectures and vendors. This post breaks down the math, the invisibility cloak, and the PoC.

ArubaOS 8.13.2.0 reads 18 bytes past packet boundaries via inflated IP Total Length. TTL=0 packets — which RFC 791 mandates must be destroyed — are processed and replied to, making the attack invisible. 27/27 crafted packets confirmed. Bugcrowd said zeroed bytes mean no vulnerability. CVE-2003-0001 and CVE-2021-3031 were accepted on the identical mechanism.