Skip to main content

CWE-125

Out-of-bounds Read

6972 CVEs Avg CVSS 6.7 MITRE
553
CRITICAL
2961
HIGH
3145
MEDIUM
293
LOW
1134
POC
18
KEV

Monthly

CVE-2026-44452 MEDIUM This Month

Denial-of-service via malformed TLS/QUIC ClientHello in h2o HTTP server allows remote unauthenticated attackers to crash the server process by sending a zero-length SNI extension. The hostname-copy routine assumes NULL-termination on the empty SNI buffer (CWE-125 out-of-bounds read), reading beyond the allocation boundary and triggering a segmentation fault. No public exploit or active exploitation (CISA KEV) has been identified; the fix is available as an upstream commit but no confirmed tagged release exists at time of analysis.

Information Disclosure Buffer Overflow
NVD GitHub
CVSS 3.1
5.9
CVE-2026-57077 PATCH This Week

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover. Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.

Information Disclosure Buffer Overflow Yaml
NVD GitHub
CVE-2026-57075 PATCH This Week

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.

Information Disclosure Buffer Overflow Yaml
NVD GitHub
CVE-2026-60073 MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and system stability to a physically-present, low-privileged attacker via manipulated USB data length values. Exploitation can result in disclosure of sensitive kernel memory contents or a full system crash - both significant outcomes in an OT/ICS environment where availability and data integrity are critical. Reported by ICS-CERT under advisory ICSA-26-197-04, with no public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 4.0
5.2
CVE-2026-57896 MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite enables a local low-privileged attacker to corrupt kernel memory by submitting a crafted IOCTL request, resulting in high availability impact (system or application disruption) and limited kernel memory disclosure. The vulnerability affects all documented versions per the CPE wildcard and was reported by ICS-CERT, placing it squarely in the operational technology threat landscape where availability is mission-critical. No public exploit code and no CISA KEV listing exist at time of analysis, placing current exploitation risk as low but warranting prompt patching in industrial environments.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 4.0
6.9
CVE-2026-54542 Cargo LOW PATCH GHSA Monitor

Crash-inducing out-of-bounds panic in core-rs-albatross 1.5.1 and earlier allows a malicious state-sync peer to repeatedly restart a syncing Nimiq node without supplying a valid cryptographic proof. The panic fires in `KeyNibbles::Add` before `proof.verify()` is reached, meaning an unauthenticated network peer positioned as the victim's sync source can trigger the denial-of-service with a single crafted `TrieChunk` message. No CISA KEV listing exists and no public exploit code has been identified at time of analysis.

Deserialization Information Disclosure Buffer Overflow
NVD GitHub
CVSS 3.1
3.7
CVE-2026-60140 MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and enables denial-of-service on engineering workstations via a crafted IOCTL request sent by a local low-privileged attacker. Affecting all versions per CPE wildcard, the CWE-125 flaw causes the vulnerable kernel-mode driver to read memory outside intended buffer bounds, leaking sensitive kernel contents or triggering a kernel panic (BSOD). Reported by ICS-CERT under advisory ICSA-26-197-04, no public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 4.0
6.9
CVE-2026-45612 MEDIUM PATCH This Month

Out-of-bounds read in rz-libdemangle's Rust v0 demangler leaks process memory when a caller invokes the demangling routine before the internal rust_v0_t structure is properly initialized. All builds of the library prior to commit 6bf56d3 are affected, putting security analysts and reverse engineers who process untrusted Rust binaries through the Rizin framework at risk of memory disclosure. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis; the fix is available as an upstream commit but a versioned release is not independently confirmed.

Buffer Overflow Information Disclosure Rz Libdemangle
NVD GitHub
CVSS 3.1
5.5
CVE-2026-57074 PATCH This Week

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Buffer Overflow Information Disclosure Xml
NVD GitHub
CVE-2026-57073 PATCH This Week

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Buffer Overflow Information Disclosure Html
NVD GitHub
CVSS 5.9
MEDIUM This Month

Denial-of-service via malformed TLS/QUIC ClientHello in h2o HTTP server allows remote unauthenticated attackers to crash the server process by sending a zero-length SNI extension. The hostname-copy routine assumes NULL-termination on the empty SNI buffer (CWE-125 out-of-bounds read), reading beyond the allocation boundary and triggering a segmentation fault. No public exploit or active exploitation (CISA KEV) has been identified; the fix is available as an upstream commit but no confirmed tagged release exists at time of analysis.

Information Disclosure Buffer Overflow
NVD GitHub
PATCH This Week

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover. Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.

Information Disclosure Buffer Overflow Yaml
NVD GitHub
PATCH This Week

YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.

Information Disclosure Buffer Overflow Yaml
NVD GitHub
CVSS 5.2
MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and system stability to a physically-present, low-privileged attacker via manipulated USB data length values. Exploitation can result in disclosure of sensitive kernel memory contents or a full system crash - both significant outcomes in an OT/ICS environment where availability and data integrity are critical. Reported by ICS-CERT under advisory ICSA-26-197-04, with no public exploit code or CISA KEV listing identified at time of analysis.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 6.9
MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite enables a local low-privileged attacker to corrupt kernel memory by submitting a crafted IOCTL request, resulting in high availability impact (system or application disruption) and limited kernel memory disclosure. The vulnerability affects all documented versions per the CPE wildcard and was reported by ICS-CERT, placing it squarely in the operational technology threat landscape where availability is mission-critical. No public exploit code and no CISA KEV listing exist at time of analysis, placing current exploitation risk as low but warranting prompt patching in industrial environments.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 3.7
LOW PATCH Monitor

Crash-inducing out-of-bounds panic in core-rs-albatross 1.5.1 and earlier allows a malicious state-sync peer to repeatedly restart a syncing Nimiq node without supplying a valid cryptographic proof. The panic fires in `KeyNibbles::Add` before `proof.verify()` is reached, meaning an unauthenticated network peer positioned as the victim's sync source can trigger the denial-of-service with a single crafted `TrieChunk` message. No CISA KEV listing exists and no public exploit code has been identified at time of analysis.

Deserialization Information Disclosure Buffer Overflow
NVD GitHub
CVSS 6.9
MEDIUM This Month

Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and enables denial-of-service on engineering workstations via a crafted IOCTL request sent by a local low-privileged attacker. Affecting all versions per CPE wildcard, the CWE-125 flaw causes the vulnerable kernel-mode driver to read memory outside intended buffer bounds, leaking sensitive kernel contents or triggering a kernel panic (BSOD). Reported by ICS-CERT under advisory ICSA-26-197-04, no public exploit code or active exploitation has been identified at time of analysis.

Information Disclosure Buffer Overflow Productivity Suite
NVD GitHub
CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds read in rz-libdemangle's Rust v0 demangler leaks process memory when a caller invokes the demangling routine before the internal rust_v0_t structure is properly initialized. All builds of the library prior to commit 6bf56d3 are affected, putting security analysts and reverse engineers who process untrusted Rust binaries through the Rizin framework at risk of memory disclosure. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis; the fix is available as an upstream commit but a versioned release is not independently confirmed.

Buffer Overflow Information Disclosure Rz Libdemangle
NVD GitHub
PATCH This Week

XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.

Buffer Overflow Information Disclosure Xml
NVD GitHub
PATCH This Week

HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.

Buffer Overflow Information Disclosure Html
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy