Memory corruption in the Linux kernel virtual terminal (vt) subsystem allows local authenticated users to trigger kernel crashes and potentially escalate privileges. When a console switches to an alternate screen and then gets resized, the saved Unicode buffer retains stale dimensions. Upon returning to the primary screen, operations like screen clearing (csi_J) access memory out of bounds using current dimensions against the old buffer, causing kernel oops. EPSS exploitation probability is low (0.02%, 4th percentile), no active exploitation confirmed, but vendor patches are available across multiple stable kernel branches (5.x, 6.18.x, 6.19.x).
Kernel memory access and privilege escalation in PassMark DirectIo64.sys driver affect BurnInTest 11.0 Build 1011, OSForensics 11.1 Build 1007, and PerformanceTest 11.1 Build 1004. Local authenticated attackers can send crafted IOCTL 0x8011E044 calls to the vulnerable driver to read arbitrary kernel memory and elevate privileges to SYSTEM level. Public exploit code is available in the researcher's GitHub repository. EPSS data not available; no CISA KEV listing indicates no confirmed widespread exploitation, though POC availability lowers the barrier for local attacks.
Local privilege escalation in Imagination Technologies Graphics DDK allows low-privileged users to corrupt kernel memory and driver data structures through malicious GPU system calls. The vulnerability affects DDK versions 1.18 RTM, 23.2 RTM, 24.1-24.2 RTM, and 25.1-25.3 RTM. Attackers with local access can force the GPU to write to arbitrary physical memory pages, including restricted internal GPU buffers and kernel memory regions, achieving complete system compromise (CVSS 7.8). EPSS data not available; no active exploitation confirmed per CISA SSVC framework (exploitation status: none), but the local attack vector and total technical impact make this critical for systems with untrusted local users.
Local privilege escalation in Automotive Grade Linux (AGL) app-framework-binder (afb-daemon) through v19.90.0 allows authenticated users to execute arbitrary registered APIs with nullified credentials. The supervision Do command in src/afb-supervision.c explicitly zeroes request credentials before dispatching attacker-controlled API calls, causing authorization checks to fail open when encountering NULL credential contexts. This enables low-privileged users to bypass access controls and execute privileged operations. EPSS data not available; no public exploit code or active exploitation confirmed at time of analysis.
Command injection in Totolink NR1800X router firmware 9.1.0u.6279_B20210910 allows authenticated remote attackers to execute arbitrary system commands via the setUssd parameter in /cgi-bin/cstecgi.cgi. Publicly available exploit code exists (POC confirmed via GitHub). EPSS data not provided, but CVSS v4.0 base score of 7.4 with low attack complexity (AC:L) and network attack vector (AV:N) indicates moderate-to-high severity for internet-facing devices with default credentials or weak authentication.
Command injection in the Aver PTC320UV2 web management interface allows unauthenticated remote attackers to execute arbitrary system commands via crafted web requests. Version 0.1.0000.65 and potentially earlier versions are affected. The vulnerability has a CVSS score of 6.5 (medium severity) with network attack vector and no authentication required, though scope is unchanged and confidentiality/integrity impact is limited. CISA SSVC assessment indicates automation is possible but current exploitation is unconfirmed.
Resource exhaustion in Linux kernel ksmbd server allows remote unauthenticated attackers to permanently deny SMB service by consuming connection slots through forced allocation failures. The vulnerability leaks active_num_conn counter values when alloc_transport() fails during TCP connection setup on port 445, permanently consuming slots from the max_connections pool until module reload. Attackers can accelerate exhaustion by holding open connections with large RFC1002 lengths (up to 16MB) to trigger memory pressure. EPSS score of 0.11% suggests low observed exploitation probability, and no public exploit or CISA KEV listing exists. Vendor patches available for kernel versions 6.6.136, 6.12.84, 7.0.2, and 7.1-rc1.
Remote denial of service in Eprosima Micro-XRCE-DDS Agent 3.0.1 allows unauthenticated network attackers to crash the DDS agent by sending malformed packets containing invalid boolean field values. The vulnerability is automatable (per SSVC) with proof-of-concept code publicly available, requiring no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making it trivial to exploit against internet-exposed DDS deployments. EPSS data not available but SSVC classifies as automatable with partial technical impact.
Remote denial of service in Eprosima Micro-XRCE-DDS Agent 3.0.1 allows unauthenticated network attackers to crash the agent via malformed packets targeting the MTU length field. The vulnerability is remotely exploitable with no authentication required (CVSS AV:N/AC:L/PR:N/UI:N) and is classified as automatable by SSVC analysis. No active exploitation confirmed at time of analysis, but GitHub issue and researcher documentation provide technical details. EPSS data not available; CVSS 7.5 reflects high availability impact suitable for targeting DDS middleware deployments.
Remote unauthenticated denial of service crashes Vanetza V2X v26.02 receivers via malformed GeoNetworking packets containing invalid ECC points. Uncaught OpenSSL exceptions from elliptic curve point validation (invalid compressed points, points not on curve) in the security layer escape through the Router::indicate() call chain, triggering std::terminate and process termination. No public exploit identified at time of analysis, though EPSS risk assessment unavailable. Attack requires only network access to the V2X receiver endpoint with no authentication or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making this a significant operational risk for deployed V2X infrastructure relying on continuous availability for vehicle safety communications.
Remote unauthenticated attackers can crash socketcand 0.4.2 daemon by sending a malformed CAN bus name that triggers a stack-based buffer overflow in the main function's socketcand.c implementation. The CVSS vector indicates network-accessible denial of service with no authentication required. A publicly available proof-of-concept exists (GitHub Gist reference), but CISA KEV status is not confirmed, and EPSS data is unavailable. The low attack complexity (AC:L) and network attack vector (AV:N) make this readily exploitable against exposed instances, though the impact is currently limited to availability (A:H) with no confirmed confidentiality or integrity impacts.
Remote denial of service in Open-SAE-J1939 library (commit b6caf884 and prior, November 2025) allows unauthenticated attackers to crash SAE J1939 protocol implementations by sending malformed CAN frames to the J1939 bus. Exploitation is straightforward (CVSS AC:L, SSVC automatable:yes) and requires only network access to the CAN bus. No public exploit code confirmed, but GIST reference suggests proof-of-concept research exists. EPSS data unavailable; not in CISA KEV.
Stack buffer overflow in AGL agl-service-can-low-level's uds-c library enables remote code execution on vulnerable automotive ECUs. The send_diagnostic_request function copies up to 7 bytes into a 6-byte stack buffer without bounds checking, allowing 1-4 bytes of controlled stack corruption. On 32-bit ARM ECUs without stack canaries (common in automotive deployments), attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 with network attack vector and no authentication required indicates critical exposure, though CVSS impact vector (C:N/I:N/A:H) appears inconsistent with RCE capability described - vendor assessment may undervalue confidentiality/integrity impact of code execution.
Remote denial of service in FRRouting stable/10.0 allows unauthenticated attackers to crash the BGP daemon via malformed FlowSpec NLRI messages. The off-by-one vulnerability in bgp_flowspec_op_decode() enables out-of-bounds writes when parsing crafted BGP FlowSpec components, causing process termination. EPSS exploitation probability data not available, but SSVC marks this as automatable with partial technical impact. No public exploit code identified at time of analysis, and not listed in CISA KEV, suggesting theoretical rather than actively exploited risk.
A denial-of-service vulnerability in the Linux kernel's IPv6 checksum GSO fallback logic allows remote unauthenticated attackers to trigger system instability via specially crafted tunneled IPv6 packets with extension headers. The flaw affects network packet processing when NETIF_F_IPV6_CSUM offload is enabled, causing incorrect handling of tunneled traffic that requires software checksumming. EPSS score is low (0.02%, 7th percentile), indicating minimal observed exploitation activity. Vendor-released patches are available across multiple kernel version branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0), confirmed by upstream Linux kernel commits. No public exploit identified at time of analysis, though CVSS vector indicates straightforward network-based exploitation (AV:N/AC:L/PR:N/UI:N).
Integrity verification bypass in Linux kernel crypto subsystem's Kerberos 5 encryption module allows remote unauthenticated attackers to bypass cryptographic hash checks when asynchronous decryption completes. The vulnerability stems from incorrect callback chaining that skips krb5enc_dispatch_decrypt_hash() verification entirely during async operations. Exploitation likelihood is low (EPSS 2%, percentile 4%) despite high CVSS severity, though EUVD classifies this as an authentication bypass affecting Linux 6.15+ with patches available for stable branches 6.18.25, 7.0.2, and mainline 7.1-rc1.
Uninitialized memory in the Linux kernel SCSI target subsystem (target_core_file) causes write operations to fail unpredictably when bogus ki_write_stream values trigger block device validation checks. Affected versions span Linux kernel 6.16 through development branches, with stable patches released for 6.18.22, 6.19.12, and 7.0. While CVSS scores this as 7.5 High with network vector (AV:N), the description indicates a local kernel subsystem issue affecting SCSI target configurations, suggesting a vector/impact mismatch. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation or public POC, indicating minimal real-world targeting despite the high CVSS score.
Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.
Denial of service via soft lockup in Linux kernel MPTCP (Multipath TCP) receive function allows remote unauthenticated attackers to lock up a CPU core indefinitely when applications use MSG_PEEK with MSG_WAITALL flags. The vulnerability stems from improper handling of peeked socket buffers that remain in the receive queue, causing sk_wait_data() to never actually wait and spinning in an infinite loop. EPSS score is low (0.02%, 4th percentile) indicating minimal observed exploitation probability. Vendor patches available for kernel versions 6.18.x and 6.19.x series.
Algorithmic complexity denial of service in Apache Neethi allows remote unauthenticated attackers to exhaust JVM heap memory via malicious WS-Policy documents. Specially crafted policy documents trigger exponential Cartesian cross-product expansion during normalization, generating unbounded policy alternatives that consume all available memory. Apache has released version 3.2.2 with normalization limits to prevent exploitation. EPSS data not available; no CISA KEV listing identified at time of analysis.
Denial of Service in Apache Neethi WS-Policy processor allows remote unauthenticated attackers to crash applications or cause resource exhaustion by sending crafted policy documents with circular references. The vulnerability (CVSS 7.5) triggers infinite loops or stack overflow during policy normalization when Policy A references Policy B which references Policy A. Apache released version 3.2.2 to address this flaw. With network vector, low complexity, and no authentication required (AV:N/AC:L/PR:N), this represents a readily exploitable attack surface for applications parsing untrusted WS-Policy documents, though no public exploit or active exploitation (KEV) has been identified at time of analysis.
Stack buffer overflow in AGL agl-service-can-low-level through version 17.1.12 enables remote code execution on automotive ECUs. The vulnerability exists in the uds-c library's send_diagnostic_request function, where a miscalculation between buffer size (6 bytes) and copy length (7 bytes) allows 1-4 bytes of controlled stack overflow. On 32-bit ARM automotive systems without stack protection, attackers can overwrite return addresses to achieve arbitrary code execution. CVSS 7.5 High severity with network attack vector and no authentication required, though CVSS impact ratings (C:N/I:N/A:H) appear inconsistent with the RCE capability described. No public exploit identified at time of analysis, EPSS data unavailable.
Arbitrary code execution in OpenStack ironic-python-agent (IPA) versions 1.0.0 through 11.5.0 occurs because IPA runs grub-install from inside a chroot of the partition image it is deploying, so binaries supplied by a malicious image execute on the provisioning ramdisk. An attacker able to have a crafted partition image deployed can run code in the IPA context (typically root on the bare-metal node being provisioned). No public exploit identified at time of analysis; EPSS is negligible (0.01%) and CISA SSVC records exploitation status as none, but the technical impact is rated total.
Denial of service in Open CASCADE Technology (OCCT) V8_0_0_rc5 occurs when a crafted VRML V2.0 file triggers null pointer dereference during shape construction in the VrmlData_IndexedFaceSet::TShape parser. Remote unauthenticated attackers can crash applications using libTKDEVRML.so by delivering malformed VRML files, requiring no user interaction (CVSS AV:N/AC:L/PR:N/UI:N). EPSS score not available; no public exploit identified at time of analysis. Affects 3D CAD/visualization applications integrating OCCT for VRML import.
Buffer overflow in UTT HiPER 1200GW routers (versions up to 2.5.3-170306) allows authenticated remote attackers to execute arbitrary code or cause denial of service through the strcpy function in the /goform/formRemoteControl endpoint. Public exploit code exists (CVSS 7.4, E:P modifier). EPSS data not available, but low-privilege authenticated requirement and IoT router context suggest targeted attacks against exposed management interfaces rather than mass exploitation.
Buffer overflow in UTT HiPER 1200GW router (versions up to 2.5.3-1703) allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted input to the strcpy function in the /goform/formUser endpoint. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (CVSS PR:L), the vulnerability enables full system compromise (VC:H/VI:H/VA:H) and has been assigned an E:P (Proof-of-concept) exploit maturity rating, indicating working demonstration code is available.
A buffer overflow in the Linux kernel netfilter ctnetlink subsystem allows authenticated local attackers to read arbitrary kernel memory. The vulnerability arises when userspace provides a helper name for a new expectation that differs from the master conntrack helper, causing the kernel to read 4 bytes beyond the expectation boundary. Vendor-released patches are available across multiple stable kernel branches (6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Despite a CVSS base score of 7.3, the EPSS score is exceptionally low (0.02%, 7th percentile), indicating minimal observed exploitation attempts, and the vulnerability is not listed in CISA KEV, suggesting no confirmed active exploitation.
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ndisc: fix ndisc_ra_useropt to initialize nduseropt_padX fields to zero to prevent an info-leak When processing Router Advertisements with user options the kernel builds an RTM_NEWNDUSEROPT netlink message. The nduseroptmsg struct has three padding fields that are never zeroed and can leak kernel data The fix is simple, just zeroes the padding fields.
Local privilege escalation and information disclosure in Linux kernel netfilter x_tables subsystem allows authenticated local users to leak memory contents or crash the system due to improper null-termination validation of string names passed to c-string functions. CVSS 7.1 (High/Confidentiality, High/Availability impact) but low real-world priority: EPSS 0.02% (7th percentile) indicates minimal observed exploitation likelihood. Patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). No active exploitation confirmed, no POC identified, requires local authenticated access with low privileges.
Stack buffer out-of-bounds read in Linux kernel ALSA snd_usb_caiaq driver allows local authenticated users to disclose kernel stack memory and potentially trigger denial of service. The vulnerability affects systems with USB audio devices using the caiaq driver when product names contain many non-ASCII characters. Present since kernel v2.6.31-rc1 (June 2009), this 16-year-old off-by-one error lacks null terminator validation during whitespace stripping. EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability. Vendor patches available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0).
Integer overflow in Linux kernel's ksmbd (SMB server) allows local authenticated attackers to bypass size validation and trigger memory corruption via crafted daemon responses. The vulnerability affects three IPC message handlers that fail to detect arithmetic overflow when computing expected message sizes from attacker-controlled fields (payload_sz, ngroups), enabling out-of-bounds memcpy operations. Vendor patches available for affected 5.15+ kernels. EPSS score 0.02% (5th percentile) indicates low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis.
Buffer overflow in Linux kernel's AMD CCP (Cryptographic Coprocessor) driver leaks kernel memory to userspace when retrieving PEK CSR (Platform Endorsement Key Certificate Signing Request). Affecting Linux kernel 4.16+ through 7.0.x, the vulnerability allows local authenticated users to read arbitrary kernel memory due to improper error handling when firmware returns invalid buffer length requirements. Patches available across stable branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1). EPSS score of 0.02% indicates minimal observed exploitation probability, though the CVSS 7.1 reflects significant confidentiality impact. No CISA KEV listing or public exploit identified at time of analysis.
Information disclosure in Linux kernel's AMD Cryptographic Coprocessor (CCP) driver allows local authenticated attackers to leak kernel memory to userspace via out-of-bounds read. When retrieving PDH certificates through SEV ioctl, the driver incorrectly copies data to userspace even after firmware command failures, potentially reading 2084+ bytes beyond allocated buffer boundaries. EPSS score of 0.02% (5th percentile) indicates minimal observed exploitation probability. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1) per upstream commits.
Buffer overflow in Linux kernel CCP SEV driver allows local authenticated users to leak kernel memory to userspace. When the PSP firmware command to retrieve SEV CPU ID fails due to insufficient buffer size, the driver attempts to copy data beyond the allocated kernel buffer boundary, exposing up to 64 bytes of kernel memory. Exploitation requires local access with low privileges (CVSS PR:L) to invoke the SEV ioctl interface. EPSS score is very low (0.02%, 5th percentile) indicating minimal real-world exploitation observed. No public exploit identified at time of analysis, though the KASAN stack trace in the CVE description provides a clear exploitation path. Patches available across multiple stable kernel branches (6.6.136, 6.12.84, 6.18.25, 7.0.2, 7.1-rc1).
Logic error in Linux kernel mac80211 TDLS handling allows local authenticated users to modify wireless channel context and HT protection settings by invoking NL80211_TDLS_ENABLE_LINK on non-TDLS stations. Missing validation causes the kernel to apply TDLS-specific operations to regular Wi-Fi stations, potentially disrupting wireless connectivity and creating integrity/availability impacts. Vendor patches available for kernel 6.12.81, 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (5th percentile) indicates very low probability of exploitation despite CVSS 7.1 rating. No evidence of active exploitation or public POC identified at time of analysis.
Race condition in Linux kernel MPLS subsystem allows local authenticated users to trigger out-of-bounds memory access via concurrent label table resizing. The vulnerability affects RCU-protected codepaths (mpls_forward, mpls_dump_routes) that can obtain inconsistent snapshots of platform_labels array metadata during resize operations, potentially leading to information disclosure or denial of service. Vendor patch available addressing the issue through seqcount-based synchronization. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability, and no active exploitation or public POC identified.
Integer overflow in Linux kernel io_uring subsystem allows local authenticated users to trigger slab-out-of-bounds memory reads and denial of service. The vulnerability stems from improper type casting of user-supplied length values in network bundled receive/send operations, where values exceeding INT_MAX cause negative overflow leading to infinite loops and out-of-bounds array access. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. Vendor patches available for affected stable kernel branches (6.12.81, 6.18.22, 6.19.12, 7.0), making this a straightforward patching priority for systems running vulnerable versions with io_uring enabled.
Out-of-bounds memory read in Linux kernel io_uring subsystem allows local authenticated users to leak kernel memory or trigger denial of service. The vulnerability exists in io_uring's fixed buffer import logic when registering zero-length buffer regions, causing the bvec skip logic to read beyond allocated slab memory. Patches available across stable kernel branches (6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (4th percentile) indicates low likelihood of widespread exploitation. No active exploitation confirmed (not in CISA KEV), no public POC identified at time of analysis.
In the Linux kernel, the following vulnerability has been resolved: hwmon: (tps53679) Fix array access with zero-length block read i2c_smbus_read_block_data() can return 0, indicating a zero-length read. When this happens, tps53679_identify_chip() accesses buf[ret - 1] which is buf[-1], reading one byte before the buffer on the stack. Fix by changing the check from "ret < 0" to "ret <= 0", treating a zero-length read as an error (-EIO), which prevents the out-of-bounds array access. Also fix a typo in the adjacent comment: "if present" instead of duplicate "if".
Integer overflow in AMD GPU driver's user queue doorbell handling allows local authenticated users to corrupt kernel memory and potentially escalate privileges. The amdgpu driver fails to validate user-supplied doorbell_offset values before calculating buffer offsets, enabling out-of-bounds writes to kernel doorbell space. Patches available in Linux 6.18.22, 6.19.12, and 7.0. EPSS score of 0.02% (4th percentile) indicates low probability of mass exploitation, though CVSS 7.1 reflects serious local privilege escalation potential. No active exploitation confirmed; attack requires local authenticated access to systems with AMD GPU hardware.
Out-of-bounds memory read in openxc/isotp-c ISO-TP Single Frame handler allows adjacent network attackers to trigger denial of service or extract sensitive information via malicious CAN frames. The vulnerability exists in all versions through commit 5a5d19245f65 (August 2021) and stems from unchecked use of a 4-bit payload length field directly as memcpy buffer size. EPSS data unavailable; no CISA KEV listing indicates no confirmed widespread exploitation, though publicly available technical analysis exists (GitHub Gist reference).
Heap-based out-of-bounds read in Open CASCADE Technology V8_0_0_rc5 OBJ file parser allows local attackers to cause denial of service or leak sensitive memory contents when victims open malicious OBJ files. The vulnerability stems from missing buffer length validation in RWObj_Reader::read() after Standard_ReadLineBuffer::ReadLine() returns minimal 1-byte buffers, leading to unsafe memory access at aLine + 2. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis. Requires user interaction, limiting automated exploitation potential.
Heap buffer over-read in AGL agl-service-can-low-level through version 17.1.12 allows adjacent network attackers to disclose memory contents and cause denial of service without authentication. The vulnerability stems from improper bounds checking in the isotp-c library's Single Frame handling, where a 4-bit payload length field (0-15) is trusted without validating against the 7-byte CAN frame payload capacity, enabling reads up to 8 bytes beyond the buffer. CVSS 7.1 (High) reflects adjacent network attack vector with low confidentiality and high availability impact. No public exploit code or active exploitation confirmed at time of analysis, though the specific line numbers and technical details in the description lower exploitation barriers.
Heap-based out-of-bounds reads in Open CASCADE Technology (OCCT) V8_0_0_rc5 STL ASCII parser allow local attackers to trigger denial of service or disclose process memory by convincing users to open maliciously crafted STL files with extremely short lines. The vulnerability stems from improper length validation of buffers returned by Standard_ReadLineBuffer::ReadLine() before strncasecmp operations or direct byte access in RWStl_Reader::ReadAscii. CVSS score of 7.1 reflects high confidentiality and availability impact requiring user interaction. No public exploit code, active exploitation (CISA KEV), or vendor patch information identified at time of analysis, though technical details are publicly available via GitHub Gist.
Race condition in Linux kernel ATM LEC driver allows local attackers with low privileges to trigger use-after-free memory corruption in sock_def_readable(), potentially achieving arbitrary code execution, privilege escalation, or denial of service. The flaw affects systems using ATM (Asynchronous Transfer Mode) LAN Emulation Client functionality, present since Linux kernel version 2.4 (commit 1da177e4c3f4). EPSS score of 0.02% (7th percentile) suggests low probability of mass exploitation. Vendor patches available across all maintained stable branches (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). Not listed in CISA KEV; no public exploit code identified at time of analysis.
Integer overflow in libssh2 up to version 1.11.1 allows remote unauthenticated attackers to cause memory corruption during SSH password authentication. The vulnerability exists in the userauth_password function where inadequate bounds checking on username_len and password_len parameters can trigger integer overflow when calculating buffer sizes, potentially leading to confidentiality breach, integrity compromise, and service disruption. Upstream fix available via GitHub commit 256d04b60d80bf1190e96b0ad1e91b2174d744b1. No active exploitation confirmed (not in CISA KEV), but publicly accessible patch reveals exact exploitation technique.
Weak password recovery in D-Link M60 up to version 1.20B02 allows remote attackers to compromise device authentication through manipulation of the /usr/bin/httpd binary, requiring high attack complexity but with publicly disclosed exploit code available. The vulnerability enables information disclosure and potential unauthorized access to device management functions despite the low CVSS score of 2.9 reflecting limited confidentiality impact.
Stored cross-site scripting in V2Board through version 1.7.4 allows authenticated administrators to inject arbitrary JavaScript into the custom_html theme configuration field via the saveThemeConfig API, which is rendered unescaped in the dashboard.blade.php template and executed in the browsers of all site visitors, enabling cookie theft, session hijacking, and phishing attacks.
Denial of service in mtrudel bandit via HTTP/2 frame deserialization allows unauthenticated remote attackers to exhaust server memory by sending oversized frames. The vulnerability exists because the HTTP/2 frame parser in 'Elixir.Bandit.HTTP2.Frame':deserialize/2 performs the max frame size check after pattern-matching the entire payload into memory, rather than before, allowing attackers to force buffering of up to 16 MiB frames regardless of negotiated limits. Confirmed actively exploited (CISA KEV status unknown but vendor advisory confirms vulnerability). Patch available in version 1.11.0.
SQL injection in MixPHP Framework versions 2.0 through 2.2.17 allows unauthenticated remote attackers to execute arbitrary SQL queries by supplying crafted array parameters to the joinOn function in BuildHelper.php. The vulnerability has a CVSS score of 6.5 with network-accessible exploitation requiring no authentication or user interaction. SSVC signals indicate exploitation is automatable, though no active exploitation in the wild has been reported at time of analysis.