Monthly
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.
NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.
Out-of-bounds read in Apple macOS (all versions prior to macOS Tahoe 26) allows a locally authenticated, low-privileged application to trigger unexpected system termination, constituting a local denial-of-service condition. The root cause is insufficient bounds checking in a macOS component, addressed by Apple in macOS Tahoe 26. No public exploit code exists and this vulnerability is not listed in CISA KEV, though a vendor-confirmed patch is available.
Out-of-bounds read in libheif versions 1.21.2 and prior crashes any application that parses attacker-controlled HEIF sequence files, resulting in denial of service. The defect lives in the SampleAuxInfoReader constructor, which enters its processing loop when saiz.sample_count > 0 even though stco.entry_count == 0 left the chunks vector empty; dereferencing chunks[0] then triggers the crash. No public exploit code has been identified at time of analysis, but the attack requires only that a user open or process a specially crafted HEIF file, making it relevant wherever libheif is embedded in image-handling applications (browsers, media libraries, operating-system image stacks). Vendor-released patch v1.22.0 is available.
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.
Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.
Out-of-bounds heap read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 stems from AppArmor SAUCE patches miscomputing an internal buffer size during notification handling, allowing an unprivileged local user to feed invalid data into the AppArmor DFA policy engine. The flaw carries a CVSS 7.8 (high) and currently has no public exploit identified at time of analysis, though Canonical has shipped an upstream kernel fix. Impact is limited to local attackers but high-severity given full CIA impact in the CVSS vector.
Out-of-bounds read in Ubuntu Linux kernels 6.8, 6.17, and 7.0 exposes adjacent slab allocator memory to any local low-privileged user. The flaw originates in Canonical's Ubuntu-specific AppArmor SAUCE patches, which incorrectly validate the size of an internal structure during notification handling, enabling controlled reads past the intended memory boundary. No public exploit identified at time of analysis, and exploitation is strictly local; however, C:H in the CVSS vector confirms that successful exploitation can yield high-sensitivity kernel or cross-process data from slab neighbors.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Out-of-bounds read in libusb's parse_iad_array() function (descriptor.c) affects all releases before 1.0.30, enabling local attackers in virtualized environments with USB passthrough to crash libusb-dependent processes via a crafted USB descriptor. The off-by-one error causes the bounds check to evaluate against the original total buffer size rather than the remaining unparsed size, allowing a one-byte read past the end of the malloc allocation when a descriptor's bLength is set to exactly (total_size - 1). No public exploit code exists and the vulnerability is absent from CISA KEV; a vendor-released patch is confirmed in v1.0.30.
NULL pointer dereference in libusb's USB descriptor parser allows any attacker who can supply a crafted configuration descriptor to crash any application that uses libusb for USB device enumeration. Affected versions are all libusb releases before 1.0.30; the flaw resides in parse_interface() within descriptor.c and is reachable through the public APIs libusb_get_active_config_descriptor and libusb_get_config_descriptor. No public exploit code is identified at time of analysis and this CVE does not appear in the CISA KEV catalog, but the availability impact is confirmed high (CVSS 4.0 VA:H) and regression corpus files in the fix commit demonstrate reliable crash reproduction.
Out-of-bounds read in Apple macOS (all versions prior to macOS Tahoe 26) allows a locally authenticated, low-privileged application to trigger unexpected system termination, constituting a local denial-of-service condition. The root cause is insufficient bounds checking in a macOS component, addressed by Apple in macOS Tahoe 26. No public exploit code exists and this vulnerability is not listed in CISA KEV, though a vendor-confirmed patch is available.
Out-of-bounds read in libheif versions 1.21.2 and prior crashes any application that parses attacker-controlled HEIF sequence files, resulting in denial of service. The defect lives in the SampleAuxInfoReader constructor, which enters its processing loop when saiz.sample_count > 0 even though stco.entry_count == 0 left the chunks vector empty; dereferencing chunks[0] then triggers the crash. No public exploit code has been identified at time of analysis, but the attack requires only that a user open or process a specially crafted HEIF file, making it relevant wherever libheif is embedded in image-handling applications (browsers, media libraries, operating-system image stacks). Vendor-released patch v1.22.0 is available.
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.
Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.