Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a segfault when an application accesses an XML attribute's child node and subsequently replaces that attribute's value via `Attr#value=` or `#content=`. The underlying libxml2 wrapper frees the native child node while a Ruby object in the document node cache retains a stale pointer, which a later GC mark pass or direct access can dereference. With a CVSS 4.0 score of 1.7, no KEV listing, and no public exploit identified at time of analysis, real-world risk is low and constrained to application availability.
Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.allocate` directly on a native-backed class inheriting from `Nokogiri::XML::Node` and then invokes methods on the resulting uninitialized object. Only CRuby is affected - JRuby is explicitly not vulnerable. No public exploit has been identified; the CVSS 4.0 base score of 1.7 with E:U accurately reflects that this defect requires a developer programming error rather than any crafted external input, placing it firmly in the low-priority category.
Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. No public exploit has been identified and this vulnerability is not listed in CISA KEV; the CVSS 4.0 score of 1.7 accurately reflects the low real-world priority.
Buffer overflow in wolfSSL's PKCS#7 decoder (versions 5.9.0 and earlier) allows attackers with low-privilege account access on an adjacent network to corrupt memory by providing crafted encrypted messages to applications using undersized output buffers in wc_PKCS7_DecodeEncryptedData. Real-world exploitation is severely constrained by requirements for adjacent network access, low privilege, user interaction, and specific attack target conditions, resulting in minimal integrity impact with no availability or confidentiality effects. No public exploit code or active exploitation is known at the time of analysis.
Certificate Revocation List processing in wolfSSL silently accepts CRLs containing unrecognized critical extensions rather than rejecting them as mandated by RFC 5280, constituting an improper certificate validation flaw (CWE-295). Affected are only wolfSSL builds explicitly compiled with CRL support (HAVE_CRL preprocessor flag) where the attacker can present a crafted CRL carrying a trusted CA signature - conditions that substantially limit the attack surface. An adversary satisfying these prerequisites could cause a revoked certificate to be treated as valid, enabling an authentication bypass. No public exploit has been identified and this CVE is absent from CISA KEV; the CVSS 4.0 score of 1.0 accurately reflects the extreme exploitation constraints.
Integer underflow in wolfSSL's PKCS#7 ORI decryption path allows a local low-privileged attacker to cause incorrect length computation during EnvelopedData parsing, resulting in low-severity availability impact. Specifically, when the OID embedded inside an implicit `[4] CONSTRUCTED` Other Recipient Info sequence consumes more bytes than the field's declared length, the `word32` subtraction for `oriValueSz` wraps around to a near-maximal unsigned value, feeding corrupted length data to downstream decryption logic. No public exploit has been identified and no CISA KEV listing exists; exploitation requires local access, high complexity, and passive processing of crafted input by the target application.
OAuth2/OIDC token forgery in OpenIdentity Platform's OpenAM Community Edition (through 16.0.6) lets an attacker mint OAuth2 bearer tokens and OIDC ID tokens with arbitrary subject (userName), clientID, realm, and scope by abusing the stateful token-read path's failure to namespace and type-check Core Token Store (CTS) rows. The flaw is an Authorization Bypass Through User-Controlled Key (CWE-639): any CTS row whose BLOB merely claims to be an OAuth token is trusted on read with no integrity check, so an attacker who can write attacker-controlled JSON to CTS under a known identifier can impersonate any user or client. No public exploit has been identified at time of analysis, and the issue is fixed in version 16.1.1; it does not by itself grant an OpenAM SSO session or admin-console access.
Unsafe Java deserialization (CWE-502) in OpenAM Community Edition through 16.0.6 lets attackers abuse the anonymous Push Notification SNS callback REST route to force the server to load an attacker-named class and construct it from attacker-controlled JSON via Jackson. A low-privileged user who starts Push Registration can plant a malicious CTS predicate blob, then drive anonymous callbacks that yield a reliable class-loading and Jackson-construction primitive with classpath-dependent impacts ranging from token-record corruption and DoS to potential process execution and file writes. No public exploit is identified at time of analysis and confirmed arbitrary command execution was not demonstrated on stock classpaths; the issue is fixed in 16.1.1.