Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc() to allocate an undersized buffer. Attackers can trigger heap buffer overflow by providing crafted dimensions that cause the multiplication to exceed INT_MAX, allowing writes beyond the allocated buffer region when kiss_fftndr() processes the data.
AnalysisAI
Heap buffer overflow in KissFFT library (all versions before commit 8a8e66e) enables remote code execution when applications process attacker-controlled FFT dimensions. Integer overflow in kiss_fftndr_alloc() causes malloc() to allocate undersized buffers, allowing heap memory corruption during multidimensional FFT operations. CVSS 8.8 (network vector, no authentication, user interaction required). EPSS and KEV data not provided; no public exploit confirmed at time of analysis. Upstream fix available via GitHub commit, but released patched version number not independently confirmed.
Technical ContextAI
KissFFT is a widely-used Fast Fourier Transform library (cpe:2.3:a:mborgerding:kissfft) designed for embedded systems and signal processing applications. The vulnerability resides in kiss_fftndr.c's allocation function for N-dimensional real FFTs. The function calculates buffer size as dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) using signed 32-bit arithmetic. When dimOther and dimReal are sufficiently large, their multiplication exceeds INT_MAX (2,147,483,647), causing integer wraparound before the result is widened to size_t for malloc(). This CWE-190 (Integer Overflow to Buffer Overflow) root cause results in a heap buffer that is orders of magnitude smaller than required. Subsequent kiss_fftndr() processing writes FFT coefficient data based on the original (large) dimensions into the undersized buffer, corrupting adjacent heap metadata and objects.
RemediationAI
Upstream fix available via GitHub commit 8a8e66e33d692bad1376fe7904d87d767730537f (https://github.com/mborgerding/kissfft/commit/8a8e66e33d692bad1376fe7904d87d767730537f), which adds overflow checks before size_t conversion. Applications statically linking KissFFT must rebuild against the patched source. Since KissFFT does not publish versioned releases (development occurs via Git commits), integrators should verify their embedded copy is at or beyond commit 8a8e66e by checking git log or source file checksums. For systems unable to update immediately, implement input validation on FFT dimension parameters: reject dimOther and dimReal values where dimOther * (dimReal + 2) * sizeof(kiss_fft_scalar) would exceed INT_MAX on the target platform (typically dimOther * dimReal > 500 million on 32-bit systems with 4-byte scalars). This workaround reduces functionality for legitimate large-scale FFT operations. Additionally, deploy heap corruption mitigations (ASLR, heap allocator hardening) to raise exploitation cost, though these do not prevent the vulnerability. Applications using only 1D FFTs (kiss_fft_alloc) or complex FFTs (kiss_fftnd_alloc) are not affected by this specific issue in kiss_fftndr.c.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23905
GHSA-xpr7-5899-f5vj