From 892ba78ee814ca50ff57aead02911d96c8ae29d5 Mon Sep 17 00:00:00 2001
From: TristanInSec <tristan.mtn@gmail.com>
Date: Thu, 18 Jun 2026 19:31:31 -0400
Subject: [PATCH] netstat: add cycle detection to Next pointer walk

The enumerate_structures_by_port method walks a singly-linked list
of TCP_LISTENER/UDP_ENDPOINT objects via the Next field without
checking for cycles. A memory dump with a self-referential Next
pointer causes an infinite loop.

Add a seen_addresses set to detect and break cycles, consistent
with cycle detection in LIST_ENTRY.to_list, pidhashtable._walk_upid,
and pagecache._walk_dentry.
---
 volatility3/framework/plugins/windows/netstat.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/volatility3/framework/plugins/windows/netstat.py b/volatility3/framework/plugins/windows/netstat.py
index cf7f5272ac..c7ba61fefc 100644
--- a/volatility3/framework/plugins/windows/netstat.py
+++ b/volatility3/framework/plugins/windows/netstat.py
@@ -220,7 +220,16 @@ def enumerate_structures_by_port(
 
             # if the same port is used on different interfaces multiple objects are created
             # those can be found by following the pointer within the object's `Next` field until it is empty
+            seen_addresses = set()
             while next_obj_address:
+                if next_obj_address in seen_addresses:
+                    vollog.warning(
+                        "Cycle detected in Next pointer at %#x, stopping walk",
+                        next_obj_address,
+                    )
+                    return
+                seen_addresses.add(next_obj_address)
+
                 try:
                     curr_obj = context.object(
                         obj_name,