--- a/src/helpers/CommonCLI.h
+++ b/src/helpers/CommonCLI.h
@@ -8,6 +8,10 @@
 #define WITH_BRIDGE
 #endif
 
+// Smallest reply buffer among all callers (serial main.cpp: char reply[160]).
+// Used by snprintf() in CLI handlers to prevent stack buffer overflows.
+#define CLI_REPLY_MAX  160
+
 #define ADVERT_LOC_NONE       0
 #define ADVERT_LOC_SHARE      1
 #define ADVERT_LOC_PREFS      2
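Review bot: Nothing ties `CLI_REPLY_MAX` to the buffers it describes. The comment records that the smallest caller buffer is 160 bytes, but the handlers still receive a bare `char* reply`, so a caller that later declares a smaller buffer brings the overflow back without any diagnostic. The caller declarations are outside this diff, so this is a suggestion to verify: declare each reply buffer as `char reply[CLI_REPLY_MAX];`, or add `static_assert(sizeof(reply) >= CLI_REPLY_MAX, "reply buffer smaller than CLI_REPLY_MAX");` beside each declaration. Passing the buffer size into the handlers would remove the assumption entirely, at the cost of changing their interface.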
--- a/src/helpers/CommonCLI.cpp
+++ b/src/helpers/CommonCLI.cpp
@@ -726,7 +726,7 @@
       strcpy(reply, "Error: unsupported by this board");
     };
   } else {
-    sprintf(reply, "unknown config: %s", config);
+    snprintf(reply, CLI_REPLY_MAX, "unknown config: %.128s", config);
   }
 }
 
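Review bot: The `%.128s` precision in the new `snprintf` call is a second hard-coded length that does not follow `CLI_REPLY_MAX`. The size argument already bounds the write, so the precision only moves the truncation point, and a reader has to work out that 16 + 128 + 1 fits in 160. Either drop it, `snprintf(reply, CLI_REPLY_MAX, "unknown config: %s", config);`, or add a comment such as `// 128 = CLI_REPLY_MAX minus prefix and NUL, with margin`. The same applies to the `"??: %.128s"` call in the last hunk. The enclosing function starts outside the hunk.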
@@ -784,11 +784,13 @@
     sprintf(reply, "> %s", StrHelper::ftoa(_prefs->direct_tx_delay_factor));
   } else if (memcmp(config, "owner.info", 10) == 0) {
-    *reply++ = '>';
-    *reply++ = ' ';
+    char* reply_end = reply + CLI_REPLY_MAX - 1;  // leave room for null
+    *reply++ = '>'; *reply++ = ' ';
     const char* sp = _prefs->owner_info;
-    while (*sp) {
+    while (*sp && reply < reply_end) {
       *reply++ = (*sp == '\n') ? '|' : *sp;    // translate newline back to orig '|'
       sp++;
     }
     *reply = 0;  // set null terminator
   } else if (memcmp(config, "path.hash.mode", 14) == 0) {
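Review bot: The bounded copy of `owner_info` now truncates silently. Anything beyond `CLI_REPLY_MAX - 3` characters is dropped with no marker, so the reply to an owner.info query can look complete when the stored value is longer. The size of `_prefs->owner_info` is not visible here, so whether this can happen in practice needs checking against its declaration. If it can, document it at the loop, for example `// reply is capped at CLI_REPLY_MAX; longer owner_info is truncated`, or end a truncated reply with a marker. Also note that `reply_end` is only correct while `reply` still points at the start of the caller's buffer on entry to this branch, which is worth stating in the comment on that line because the branch sits in a function that begins outside the hunk.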
@@ -887,7 +889,7 @@
     strcpy(reply, "ERROR: Power management not supported");
 #endif
   } else {
-    sprintf(reply, "??: %s", config);
+    snprintf(reply, CLI_REPLY_MAX, "??: %.128s", config);
   }
 }
