Buffer underflow in vorbis-tools 1.4.3's ogg123 utility allows remote attackers to crash the application or potentially execute code through malformed remote control input. The vulnerability has an EPSS score indicating moderate exploitation likelihood, and proof-of-concept code is available according to the SSVC assessment, though it has not been added to CISA's KEV catalog, indicating no confirmed active exploitation.
Buffer underflow in YAML::Syck for Perl versions before 1.38 allows remote unauthenticated attackers to trigger out-of-bounds memory reads when parsing specially crafted base60 (sexagesimal) YAML values. The vulnerability affects both the integer and floating-point base60 handlers in perl_syck.h, where processing the leftmost colon-separated segment causes a pointer to decrement past the start of the allocated buffer. EPSS exploitation probability is minimal (0.01%, 3rd percentile), with no active exploitation or public weaponized exploit identified. A vendor patch is available in version 1.38, confirmed by CPANSec and the upstream commit.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon processes via malformed GSSAPI authentication OID payloads. The vulnerability affects the ssh_get_hexa() API function when it processes zero-length input, and is exploitable remotely when GSSAPI authentication is enabled and logging verbosity is set to SSH_LOG_PACKET (level 3) or higher. Red Hat, Ubuntu, SUSE, and Debian have released patches (libssh 0.11.4 and 0.12.0). An EPSS score of 0.09% and the SSVC assessment indicate low real-world exploitation likelihood despite the network attack vector, with no active exploitation confirmed. Ubuntu classified this as low priority, and CISA SSVC notes exploitation as 'none' but 'automatable' with partial impact.
This vulnerability in Cisco IOS XE Software bootloader affects Catalyst 9200, ESS9300, IE9310/9320, and IE3500/3505 series switches, allowing authenticated local attackers with level-15 privileges or unauthenticated attackers with physical access to execute arbitrary code at boot time and bypass the chain of trust. An attacker can manipulate loaded binaries to circumvent integrity checks during boot, enabling execution of non-Cisco-signed images. While the CVSS score is 6.1 (Medium), Cisco assigned it a High Security Impact Rating due to the critical nature of breaking the secure boot mechanism, a foundational security control.
Vim versions prior to 9.2.0075 contain a heap buffer underflow in the tags file parser that triggers when processing malformed tag files with delimiters at line starts, potentially allowing local attackers with user interaction to read out-of-bounds memory and cause information disclosure or crashes. The vulnerability requires local file system access and user interaction to exploit, with a CVSS score of 5.3 indicating medium severity. A patch is available in Vim 9.2.0075 and later versions.
Improper input validation in the SMM communications buffer could allow a privileged attacker to perform an out-of-bounds read or write to SMRAM, potentially resulting in loss of confidentiality or integrity.
A flaw was found in GLib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. [CVSS 2.8 LOW]
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Rated medium severity (CVSS 6.0), this vulnerability has low attack complexity. Public exploit code is available.