CWE-126

Buffer Over-read

149 CVEs | Avg CVSS 6.8 | MITRE
CRITICAL: 1 | HIGH: 81 | MEDIUM: 60 | LOW: 7 | POC: 5 | KEV: 0

CVE-2026-58013 HIGH PATCH This Week

Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.

Tags: Buffer Overflow, Denial Of Service, Information Disclosure, Enterprise Linux, Glib
References: NVD, VulDB
CVSS 3.1: 8.2 | EPSS: 0.3%

CVE-2026-58012 HIGH PATCH This Week

Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.

Tags: Buffer Overflow, Denial Of Service, Information Disclosure, Enterprise Linux, Glib
References: NVD, VulDB
CVSS 3.1: 8.2 | EPSS: 0.3%

CVE-2026-58010 HIGH PATCH This Week

Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.

Tags: Buffer Overflow, Denial Of Service, Information Disclosure, Enterprise Linux, Glib
References: NVD, VulDB
CVSS 3.1: 8.2 | EPSS: 0.3%

CVE-2026-41992 MEDIUM This Month

Out-of-bounds read in GNU gzip's LZH decompression logic allows an unprivileged local attacker to disclose memory contents by supplying two specially crafted archives - an LZW file followed by an LZH file - in a single gzip -d invocation. The shared global decompression array, never reinitialized between files in the same process invocation, is poisoned by the LZW pass and subsequently causes the LZH decoder to read past the end of the allocated buffer, yielding high confidentiality impact per the CVSS 4.0 vector (VC:H). No public exploit or CISA KEV listing has been identified at time of analysis; the fix exists as an upstream source commit only, with no confirmed packaged release.

Tags: Buffer Overflow, Gzip
References: NVD, VulDB
CVSS 4.0: 6.9 | EPSS: 0.1%

CVE-2026-40210 MEDIUM PATCH This Month

dnsdist's SetMacAddrAction handler exposes operators to uninitialized memory leakage in DNS responses and potential service crashes when the action is configured in the ruleset. The flaw is reachable over the network without authentication (AV:N/PR:N), but the high attack complexity (AC:H) constrains real-world impact to deployments that have explicitly enabled SetMacAddrAction - a non-default configuration. No public exploit code exists and no CISA KEV listing is present at time of analysis; the PowerDNS security team (Open-Xchange) reported this internally, suggesting responsible disclosure rather than observed active exploitation.

Tags: Buffer Overflow, Suse
References: NVD, VulDB
CVSS 3.1: 4.8 | EPSS: 0.3%

CVE-2026-49854 PyPI LOW PATCH GHSA Monitor

Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.

Tags: Buffer Overflow, Python
References: NVD, GitHub
CVSS 3.1: 3.7 | EPSS: 0.0%

CVE-2026-45460 MEDIUM PATCH NEWS This Month

Out-of-bounds read (buffer over-read) in Microsoft Office exposes sensitive memory contents to a local attacker who can induce a user to open a specially crafted file. Affecting a broad surface including Microsoft 365 Apps for Enterprise, Office LTSC 2021/2024, Office 2019, and mobile/Mac variants, the vulnerability carries a CVSS 4.7 (Medium) with high confidentiality impact but no integrity or availability consequence. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the wide deployment footprint of Microsoft Office makes even targeted information disclosure attacks operationally significant.

Tags: Buffer Overflow, Microsoft 365 Apps, 365 Copilot, Microsoft 365, +3
References: NVD, VulDB
CVSS 3.1: 4.7 | EPSS: 0.1%

CVE-2026-42828 HIGH PATCH Exploit Unlikely This Week

Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver enables an authorized low-privileged user to elevate to higher privileges through a buffer over-read condition. The flaw affects Microsoft Windows installations where the ProjFS filter driver is present, and exploitation yields high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Tags: Buffer Overflow, Microsoft
References: NVD, VulDB
CVSS 3.1: 7.8 | EPSS: 0.1%

CVE-2026-11787 MEDIUM This Month

Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.

Tags: Buffer Overflow, Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, +4
References: NVD, VulDB
CVSS 3.1: 6.3 | EPSS: 0.0%

CVE-2026-44185 HIGH PATCH This Week

Buffer over-read in Apache HTTP Server 2.4.0 through 2.4.67 allows remote attackers to trigger memory disclosure or limited integrity and availability impact via outbound OCSP requests sent to an attacker-controlled OCSP responder. The flaw stems from improper bounds handling (CWE-126) when parsing OCSP response data, and currently shows no public exploit identified at time of analysis despite a CVSS 7.3 rating reflecting unauthenticated network reachability with low complexity.

Tags: Buffer Overflow, Apache, Apache Http Server
References: NVD, VulDB
CVSS 3.1: 7.3 | EPSS: 0.0%
