Heap out-of-bounds read in wolfSSL versions prior to 5.9.1 allows unauthenticated attackers on an adjacent network to trigger information disclosure via a crafted PKCS7 message that bypasses bounds checking in the indefinite-length end-of-content verification loop. The vulnerability has a low CVSS score of 2.3 due to restricted attack vector (adjacent network only) and limited integrity impact, with no public exploit code identified at time of analysis.
Out-of-bounds read in wolfSSL's dual-algorithm CertificateVerify processing allows remote attackers to trigger information disclosure and data integrity violations through crafted input, but only when the library is compiled with both --enable-experimental and --enable-dual-alg-certs flags. The vulnerability affects wolfSSL versions before 5.9.1 and requires network access with low attack complexity, though the attack triggering mechanism involves a passive timing or state condition (AT:P). No public exploit code or active exploitation has been identified.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allows authenticated remote attackers to escape WebAssembly sandbox restrictions. The Cranelift compilation backend on aarch64 architecture miscompiles specific heap access patterns, creating divergent address computations where bounds checks validate one address while loads access another, enabling sandbox escape through unrestricted host memory access. Exploitation requires 64-bit WebAssembly linear memories with Spectre mitigations and signals-based-traps disabled. No public exploit identified at time of analysis.
Wasmtime runtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 incorrectly validate UTF-16 string byte lengths during component-model encoding transcoding, causing out-of-bounds memory reads that trigger process termination via segfault in default configurations or potentially expose host memory when guard pages are disabled. Authenticated users with UI interaction can trigger this denial-of-service vulnerability; reading beyond linear memory requires non-standard Wasmtime configuration without guard pages. No public exploit code has been identified at time of analysis.
Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Out of bounds read in Blink in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Low)