CWE-805

Buffer Access with Incorrect Length Value

28 CVEs, Avg CVSS 7.1, MITRE
CRITICAL: 0, HIGH: 21, MEDIUM: 7, LOW: 0, POC: 0, KEV: 0

CVE-2026-53016 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel's AMD Cryptographic Coprocessor (ccp) driver allows a local low-privileged user to overrun a caller-supplied IV buffer by 8 bytes when issuing rfc3686(ctr(aes)) requests through the AF_ALG socket interface. The ccp_aes_complete() handler unconditionally copies AES_BLOCK_SIZE (16 bytes) back into the IV buffer, but RFC3686 skciphers expose only an 8-byte IV, corrupting adjacent memory. There is no public exploit identified at time of analysis, it is not listed in CISA KEV, and the EPSS probability is low (0.18%, 7th percentile).

Information Disclosure Linux
NVD VulDB
CVSS 3.1: 7.8, EPSS: 0.2%
CVE-2026-12549 MEDIUM This Month

Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.

Buffer Overflow Red Hat Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1: 4.8, EPSS: 0.3%
CVE-2026-1767 HIGH PATCH This Week

Heap buffer overflow in GNOME localsearch (formerly tracker-miners) tracker-extract-mp3 component on Red Hat Enterprise Linux 8/9/10, Ubuntu, Debian, and SUSE allows remote attackers to trigger an out-of-bounds heap read by delivering a malformed MP3 file with crafted ID3 performer tags, leading to crashes (DoS) or disclosure of process memory contents. No public exploit identified at time of analysis, and the EPSS score of 0.19% (9th percentile) plus CISA SSVC 'Exploitation: none' indicate low real-world exploitation activity despite the 8.1 CVSS rating. Vendor patches are available across Red Hat (RHSA), Ubuntu USN-8019-1, Debian, and SUSE-SU-2026:0780/21854.

Buffer Overflow Denial Of Service Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1: 8.1, EPSS: 0.2%
CVE-2026-1766 MEDIUM PATCH This Month

Heap buffer overflow in GNOME localsearch's tracker-extract-mp3 component enables a local attacker to crash the metadata extraction daemon and potentially disclose heap memory contents by supplying a specially crafted MP3 file with malformed ID3v2.3 COMM tags. Affected platforms confirmed by Red Hat include RHEL 8, 9, and 10, where GNOME localsearch (formerly tracker-miners) runs as a background desktop search indexing service. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; exploitation is further constrained by the requirement for local access, low privileges, and user interaction.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1: 6.1, EPSS: 0.1%
CVE-2026-34002 MEDIUM PATCH This Month

Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.

Buffer Overflow Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1: 6.1, EPSS: 0.0%
CVE-2026-6245 MEDIUM PATCH This Month

A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).

Buffer Overflow Denial Of Service Red Hat Suse
NVD
CVSS 3.1: 5.5, EPSS: 0.0%
CVE-2026-20033 HIGH This Week

Cisco Nexus 9000 Series Fabric Switches in ACI mode contain a vulnerability that allows attackers to cause the device to reload unexpectedly, resulting in a DoS condition (CVSS 7.4).

Denial Of Service Cisco
NVD
CVSS 3.1: 7.4, EPSS: 0.0%
CVE-2026-20010 HIGH This Week

Cisco NX-OS devices can be forced to reload through a crafted LLDP packet sent by an adjacent, unauthenticated attacker, causing a denial of service condition. The vulnerability stems from improper frame field validation in the LLDP process, exploitable only from directly connected network segments. No patch is currently available for affected systems.

Denial Of Service Cisco
NVD
CVSS 3.1: 7.4, EPSS: 0.0%
CVE-2026-1837 HIGH PATCH This Week

A specially crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that, data from another uninitialized unallocated region is copied to pixel data.

Information Disclosure Libjxl
NVD GitHub VulDB
CVSS 4.0: 8.7, EPSS: 0.0%
CVE-2026-0716 MEDIUM PATCH This Month

Libsoup WebSocket implementations with unset maximum payload size limits are vulnerable to out-of-bounds memory reads during frame processing, potentially exposing sensitive data or causing application crashes. This vulnerability affects applications using non-default WebSocket configurations and requires no user interaction or authentication to exploit. No patch is currently available.

Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1: 4.8, EPSS: 0.1%