Buffer Overflow
Monthly
Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. No public exploit identified at time of analysis, though the upstream patch and commit-level root-cause disclosure provide a clear roadmap for exploit development.
Heap buffer overflow in the Ruby Oj gem (versions before 3.17.3) occurs when Oj.dump serializes Exception objects in :object mode with an extreme :indent value. The pre-allocated output buffer does not account for indent padding bytes, allowing writes past the heap region and corrupting adjacent memory. No public exploit identified at time of analysis; the issue is triggered by developer-chosen serialization options rather than typical attacker-supplied input.
Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.
Stack memory disclosure in the Oj RubyGem (all versions before 3.17.3) allows remote unauthenticated callers to recover uninitialized process stack contents by supplying a JSON object with keys of 254 bytes or longer to `Oj.load` in `:object` mode. The root cause is a copy-paste defect in `ext/oj/intern.c` where `form_attr()` allocates and fills a correct heap buffer `b` but then erroneously passes the uninitialized 256-byte stack buffer `buf` to `rb_intern3()`, causing leaked bytes to surface in the returned Symbol or an `EncodingError` message. A proof-of-concept is publicly available in the GHSA advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. No public exploit identified at time of analysis, but the issue is tracked under Red Hat and Chromium security trackers and an upstream fix commit has landed in aomedia.
Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers.
Heap out-of-bounds write in QEMU's virtio-snd paravirtualized sound device allows a malicious guest to corrupt host memory by sending oversized audio input that the `virtio_snd_pcm_in_cb` callback fails to size-check against the iov buffer. The flaw represents an incomplete fix for CVE-2024-7730 and affects hypervisor hosts exposing virtio-snd to untrusted guests. No public exploit identified at time of analysis, but the high CIA impact (C:H/I:H/A:H) and guest-to-host boundary crossing make this a meaningful VM escape candidate.
Out-of-bounds heap read in libheif's uncompressed HEIF decoder allows a remote attacker to crash any application processing crafted HEIF files. Versions prior to 1.22.1 fail to safely validate icef compressed-unit offsets because the addition of unit_offset + unit_size can integer-wrap, bypassing the range check and permitting a C++ vector to be constructed from iterators pointing outside the compressed item buffer. Exploitation requires a user or automated pipeline to open an attacker-supplied HEIF file; no public exploit or CISA KEV listing exists at time of analysis.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Remote denial of service in NI grpc-device 2.17.0 and earlier allows unauthenticated network attackers to crash the streaming API by sending a specially crafted write request that triggers an out-of-bounds read (CWE-125). The flaw was reported by NI itself and is documented in both an NI security bulletin and a GitHub security advisory (GHSA-8rjh-429j-f6gw); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap-based buffer overflow in libexpat before 2.8.2 allows heap memory corruption in applications that process externally-supplied XML with external entity parameter parsing enabled. The flaw resides in the doProlog function of xmlparse.c, where the scaffold backing array (scaffIndex) - used to index DTD content model tree nodes - is reallocated using the child parser's m_groupSize counter, which diverges from the actual allocated capacity of the shared scaffIndex inherited from the parent parser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the upstream fix PR includes a functional reproduction test case confirming exploitability.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module (versions 1.000 and prior) allows a remote unauthenticated attacker to crash the device by rapidly opening many TCP connections, which trips an integer overflow in the EtherNet/IP connection-management logic and triggers improper memory access. No public exploit identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a meaningful operational-technology (OT) concern for plants relying on the affected PLC module. Reported by the vendor and tracked in vendor PSIRT advisory 2026-002, JVN VU#97140216, and CISA ICS advisory ICSA-26-169-05.
Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Heap-buffer-overflow READ in OpenEXR 3.4.0 through 3.4.11 occurs in the HTJ2K decoder's ht_undo_impl() function when processing a crafted EXR file with mismatched codestream and channel widths, producing a deterministic crash and potential adjacent-heap memory disclosure. Any application that opens untrusted EXR files - including thumbnailers, asset pipelines, and the exrcheck utility - is reachable via the standard scanline-decode entry point. No public exploit identified at time of analysis, but the upstream fix is shipped in v3.4.12.
Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. No public exploit has been identified at time of analysis; EPSS risk is low (0.17%, 7th percentile) and CISA SSVC rates exploitation as none.
Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak heap memory or crash client applications by sending a crafted SSH_FXP_NAME response with an inflated link_len during READLINK or REALPATH operations. The library is embedded in many SSH/SFTP clients (curl, Git tooling, language bindings), so impact extends to anywhere libssh2 is used as a client. No public exploit identified at time of analysis, but a vendor patch (commit 2dae302) is available and the issue was reported by VulnCheck.
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers corrupt the server stack in all versions prior to 4.10.0. An attacker-controlled uint16_t nonce_len value (up to 65535) read from an OAuth access token is passed straight into memcpy() against a 256-byte stack buffer before any AES-GCM authentication, so no OAuth key or valid token is required to write up to 735 bytes past the buffer. Publicly available exploit code exists (SSVC: PoC) but it is not in CISA KEV, EPSS is low at 0.36% (27th percentile), and exploitation is gated on the non-default --oauth mode being enabled.
Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in `mpls_do_error` within `sys/netmpls/mpls_input.c` (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. A publicly available exploit exists per the Argus Systems advisory; this vulnerability is not confirmed as actively exploited in the CISA KEV catalog, and the CVSS 4.0 score is 6.9.
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the upstream commit 5985276 widens drl to uint32_t.
Integer overflow in tract-nnef's NNEF .dat tensor parser allows loading a crafted model archive to produce a Tensor whose reported element count (e.g. 2^61+7) vastly exceeds its 56-byte heap allocation, causing a bounded heap out-of-bounds read during model build and a reliable SIGSEGV (DoS) on any access past the mapped region. Affected are all applications using tract-nnef < 0.21.16, 0.22.0-0.22.2, or 0.23.0-0.23.1 that load attacker-controlled NNEF model archives via the public `model_for_path` / `model_for_read` API. No public exploit is available at time of analysis, though the reporter demonstrated the issue against affected crate versions; no CISA KEV entry exists.
Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8.1.2, allowing remote attackers to cause denial-of-service and potentially achieve remote code execution when a victim processes a crafted MagicYUV-encoded media file. No public exploit identified at time of analysis, but the broad deployment of FFmpeg across media players, transcoding pipelines, browsers, and server-side processing makes this a high-priority patch. EPSS and CISA KEV data were not provided in the input.
Out-of-bounds read in 8cc, a small C compiler by rui314, allows a local attacker to crash the compiler and potentially disclose compiler process memory by supplying a crafted source file containing malicious #line directives or GNU linemarkers with oversized line numbers. The vulnerability arises because attacker-controlled filename and line number metadata embedded in source files is accepted and used without bounds validation when 8cc accesses internal source line arrays. No patch is available at time of analysis; the maintainer did not respond to CERT-PL's coordinated disclosure. No public exploit identified at time of analysis, though CERT-PL confirmed the vulnerability at commit b480958.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device.
Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_read() that allows attackers to send oversized SSH packets and corrupt heap memory. The flaw was reported by VulnCheck and is fixed upstream in commit 97acf3df (PR #2052), which adds an upper-bound check against LIBSSH2_PACKET_MAXPAYLOAD. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects pre-authentication network reach with high impact on confidentiality, integrity, and availability.
Out-of-bounds write conditions in RTI Connext Professional affect three distinct components - Queueing Service, Core Libraries, and Persistence Service - enabling a locally authenticated low-privileged user to corrupt memory and produce limited integrity and availability impacts on the vulnerable system. The vulnerability spans multiple release branches (6.1.x, 7.0.x-7.3.x, and 7.4.x-7.6.x) and is resolved in versions 7.7.0 and 7.3.1.3 per vendor guidance. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog.
Out-of-bounds read in RTI Connext Micro Core Libraries (versions 4.0.0 up to but not including 4.3.0) allows remote unauthenticated attackers to read beyond allocated buffer boundaries, leading to limited information disclosure and a high availability impact (likely process crash of the DDS middleware). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. The CVSS 4.0 base score of 8.8 reflects network reachability of the DDS protocol stack with no privileges or user interaction required.
Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a classic buffer overflow (CWE-120) reachable over the network without authentication. Versions 7.4.0 before 7.x, 7.0.0 before 7.3.1.3, and 6.1.2 before 6.1.x are vulnerable, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects high availability impact with low confidentiality and integrity impact, consistent with a filter-failure overflow that crashes the service rather than yielding full code execution.
Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond intended buffer bounds, with the CVSS 4.0 vector (9.2 Critical) indicating high availability impact on both the vulnerable component and downstream systems consuming its data. The flaw affects a wide range of Connext Professional releases used as DDS middleware in defense, autonomous, and industrial deployments. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to corrupt heap memory in the DDS middleware, impacting integrity and availability of both the vulnerable component and downstream subsystems. The flaw spans a wide range of long-supported branches (5.0.x through 7.6.x) and carries a CVSS 4.0 score of 9.2, though no public exploit identified at time of analysis.
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to the `aci` attribute to silently corrupt heap memory in the directory server process by submitting a malformed Access Control Instruction string. The `__aclp__normalize_acltxt()` function in `aclparse.c` performs pointer arithmetic on the keyword portion of an ACI string without validating minimum remaining buffer length after whitespace stripping, resulting in a 1-byte out-of-bounds write followed by out-of-bounds reads (CWE-787). No public exploit or CISA KEV listing has been identified at time of analysis; an upstream fix is available via GitHub PR #7542 but a released patched version has not been independently confirmed.
Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.
Stack-based buffer overflow in rxi microtar 0.1.0 allows remote attackers to crash or potentially execute arbitrary code in applications that parse attacker-supplied TAR archives. The flaw lies in raw_to_header() (src/microtar.c:112), which uses strcpy() on fixed-width 100-byte ustar name/linkname fields that are not guaranteed to be null-terminated, enabling a 356-byte out-of-bounds read confirmed via AddressSanitizer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in Zephyr RTOS Bluetooth Classic Hands-Free Profile (HFP) parser allows an adjacent Bluetooth peer acting as an Audio Gateway to corrupt heap/static memory on devices with CONFIG_BT_HFP_HF enabled. A single malformed +CIND response sent during Service Level Connection setup can crash the Bluetooth host or corrupt adjacent connection state with no user interaction. No public exploit identified at time of analysis, and the upstream fix is available via commit cf7693a in the zephyrproject-rtos repository.
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Out-of-bounds write in snes9x 1.63's UPS patch file parser allows a crafted .ups ROM patch file to trigger memory corruption and a denial-of-service crash. The flaw resides in the ReadUPSPatch loop in memmap.cpp, where the loop iterator `relative` was not bounded against CMemory::MAX_ROM_SIZE, permitting writes past the end of the allocated ROM buffer. Impact is limited to availability (crash) per the CVSS vector, though the underlying CWE-787 out-of-bounds write class carries broader memory-safety implications. No public exploit identified at time of analysis, and CVSS rates this Low (2.9) due to local attack vector and high complexity.
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Remote code execution in the Android Modem component (per the Pixel 2026-06-01 security bulletin) is possible via an out-of-bounds write triggered without user interaction. Authenticated remote attackers (PR:L per CVSS) can corrupt memory to execute arbitrary code at the same privilege level as the Modem process. No public exploit identified at time of analysis, EPSS is low at 0.23% (13th percentile), and the issue is not listed in CISA KEV.
In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.
In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtpPacket::decodePacket, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
In NrmmMsgCodec::DecodeUPUTransparentContext of cn_NrmmDecoder.cpp, there is a possible out-of-bounds read due to memory corruption. This could lead to remote denial of service causing a communication processor crash with no additional execution privileges needed. User interaction is not needed for exploitation.
Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.
Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.
Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.
Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory when a victim opens a specially crafted Digital Negative (DNG) image file. The vulnerability is confined to information disclosure - no code execution or data modification is achievable - and requires local file delivery combined with explicit user interaction, as reflected by the CVSS AV:L/UI:R metrics. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a moderate-priority patching target, though risk scales with how broadly the SDK is embedded in applications that process untrusted DNG files.
Out-of-bounds memory read in Adobe DNG SDK 1.7.1 build 2536 and earlier enables sensitive process memory disclosure when a victim opens a specially crafted DNG raw image file. The vulnerability is local-vector, requiring attacker-controlled file delivery and victim interaction, making phishing or malicious file distribution the primary delivery mechanism. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a medium-priority information disclosure risk consistent with its CVSS 5.5 rating.
Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim opens a specially crafted DNG image file. The attacker requires no privileges of their own - the attack surface is entirely dependent on social engineering a user into opening a malicious file processed by any application embedding the vulnerable SDK. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploitation.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()` call `net_pkt_iface()` on a packet after transferring it to `net_try_send_data()`, which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. When `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale interface pointer is written through (`iface->stats.icmp.sent++`), escalating the read UAF into an attacker-influenced memory write; no public exploit has been identified at time of analysis, but the trigger is a universally available IPv6 primitive.
Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37.
Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.
Out-of-bounds write in libde265 prior to version 1.0.20 allows remote attackers to corrupt memory by tricking a user into processing a maliciously crafted H.265 bitstream. The flaw resides in the short-term reference picture set handling and can lead to denial of service or potential code execution in any application that links libde265 for HEVC decoding. No public exploit identified at time of analysis, though the upstream patch and commit-level root-cause disclosure provide a clear roadmap for exploit development.
Heap buffer overflow in the Ruby Oj gem (versions before 3.17.3) occurs when Oj.dump serializes Exception objects in :object mode with an extreme :indent value. The pre-allocated output buffer does not account for indent padding bytes, allowing writes past the heap region and corrupting adjacent memory. No public exploit identified at time of analysis; the issue is triggered by developer-chosen serialization options rather than typical attacker-supplied input.
Denial of service in the Oj Ruby JSON parser (versions <3.17.3) allows remote unauthenticated attackers to crash any process that parses untrusted JSON via Oj::Doc.open followed by a recursive each_child call. A deeply nested JSON document drives doc->where past the 100-element where_path array, causing a subsequent memcpy to overflow an 800-byte stack buffer and trigger the stack canary (SIGABRT). No public exploit identified at time of analysis beyond the vendor-published PoC, and EPSS data was not supplied; the issue is not listed in CISA KEV.
Stack memory disclosure in the Oj RubyGem (all versions before 3.17.3) allows remote unauthenticated callers to recover uninitialized process stack contents by supplying a JSON object with keys of 254 bytes or longer to `Oj.load` in `:object` mode. The root cause is a copy-paste defect in `ext/oj/intern.c` where `form_attr()` allocates and fills a correct heap buffer `b` but then erroneously passes the uninitialized 256-byte stack buffer `buf` to `rb_intern3()`, causing leaked bytes to surface in the returned Symbol or an `EncodingError` message. A proof-of-concept is publicly available in the GHSA advisory; no confirmed active exploitation (CISA KEV) has been identified at time of analysis.
Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.
Pre-authentication heap memory corruption in ProxySQL 2.0.18 through 3.0.8 allows remote unauthenticated attackers to corrupt heap memory by sending a crafted first packet declaring an oversized length, which is passed directly to recv() into a fixed 32 KB input queue on both MySQL and PostgreSQL protocol listeners. The flaw carries a CVSS 9.8 rating and is fixed in 3.0.9; no public exploit identified at time of analysis, but the trivial trigger condition and out-of-bounds write primitive create strong potential for weaponization.
Remote code execution in libaom (reference AV1 codec) is possible when services use the SVC encoder with attacker-supplied frames, allowing crafted pixel data to overlap encoder layer context structures and hijack the cyclic refresh map pointer. The flaw chains a heap out-of-bounds write (CWE-787) with a crash-oracle ASLR bypass to redirect control flow in fork-based video processing services. No public exploit identified at time of analysis, but the issue is tracked under Red Hat and Chromium security trackers and an upstream fix commit has landed in aomedia.
Out-of-bounds heap read in libaom's SVC layer ID control function allows remote attackers to leak approximately 40,728 bytes of heap memory or crash AV1 encoder processes by supplying a spatial_layer_id value exceeding the configured number of scalable video coding layers. The flaw affects network-facing services that pass attacker-influenced SVC encoder parameters into the reference AV1 codec, enabling information disclosure or denial of service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary address write in libaom, the reference AV1 video codec implementation, allows remote attackers to corrupt memory by supplying crafted pixel values to an encoder that has Scalable Video Coding (SVC) enabled, leading to denial of service or potential code execution. The flaw stems from a missing bounds check in the SVC layer ID control function that lets pixel data inject an attacker-controlled pointer into the cyclic refresh map, after which ~1,200 bytes are written deterministically to the chosen address. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap buffer overflow in libaom's AV1 encoder allows attackers who influence encoder configuration to trigger a 232-byte out-of-bounds heap write on every frame after the second, when Look-Ahead Processing (LAP) mode is active with g_lag_in_frames >= 1. Affected deployments include transcoding pipelines and WebRTC servers that pass user-controlled encoder parameters to libaom. No public exploit identified at time of analysis, and the flaw primarily yields a reliable denial of service with a theoretical path to remote code execution via heap corruption.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers.
Heap out-of-bounds write in QEMU's virtio-snd paravirtualized sound device allows a malicious guest to corrupt host memory by sending oversized audio input that the `virtio_snd_pcm_in_cb` callback fails to size-check against the iov buffer. The flaw represents an incomplete fix for CVE-2024-7730 and affects hypervisor hosts exposing virtio-snd to untrusted guests. No public exploit identified at time of analysis, but the high CIA impact (C:H/I:H/A:H) and guest-to-host boundary crossing make this a meaningful VM escape candidate.
Out-of-bounds heap read in libheif's uncompressed HEIF decoder allows a remote attacker to crash any application processing crafted HEIF files. Versions prior to 1.22.1 fail to safely validate icef compressed-unit offsets because the addition of unit_offset + unit_size can integer-wrap, bypassing the range check and permitting a C++ vector to be constructed from iterators pointing outside the compressed item buffer. Exploitation requires a user or automated pipeline to open an attacker-supplied HEIF file; no public exploit or CISA KEV listing exists at time of analysis.
Local privilege escalation / memory corruption in the Linux kernel's SO_REUSEPORT BPF handling allows a local user to trigger a use-after-free (vmalloc out-of-bounds read) by replacing a classic BPF (cBPF) reuseport program via setsockopt() while another thread routes UDP traffic through the same reuseport group. Because the cBPF program is freed immediately by sk_reuseport_prog_free() without waiting for an RCU grace period, in-flight readers in reuseport_select_sock() dereference freed memory; the fix defers freeing until after one RCU grace period. No public exploit identified at time of analysis and EPSS probability is low (0.17%), but the bug is confirmed and fixed upstream.
Remote denial of service in NI grpc-device 2.17.0 and earlier allows unauthenticated network attackers to crash the streaming API by sending a specially crafted write request that triggers an out-of-bounds read (CWE-125). The flaw was reported by NI itself and is documented in both an NI security bulletin and a GitHub security advisory (GHSA-8rjh-429j-f6gw); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Eclipse ThreadX NetX Duo HTTP server arises from a flawed remediation of CVE-2025-0728, where the refactored shared cleanup label invokes fx_file_close() on an uninitialized file handle whenever an error occurs before file open. Remote attackers can reach the vulnerable PUT path over the network without authentication, triggering undefined behavior, double-close conditions, or memory corruption that can crash the embedded HTTP service. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap-based buffer overflow in libexpat before 2.8.2 allows heap memory corruption in applications that process externally-supplied XML with external entity parameter parsing enabled. The flaw resides in the doProlog function of xmlparse.c, where the scaffold backing array (scaffIndex) - used to index DTD content model tree nodes - is reallocated using the child parser's m_groupSize counter, which diverges from the actual allocated capacity of the shared scaffIndex inherited from the parent parser. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis, but the upstream fix PR includes a functional reproduction test case confirming exploitability.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module (versions 1.000 and prior) allows a remote unauthenticated attacker to crash the device by rapidly opening many TCP connections, which trips an integer overflow in the EtherNet/IP connection-management logic and triggers improper memory access. No public exploit identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a meaningful operational-technology (OT) concern for plants relying on the affected PLC module. Reported by the vendor and tracked in vendor PSIRT advisory 2026-002, JVN VU#97140216, and CISA ICS advisory ICSA-26-169-05.
Out-of-bounds read in Microsoft HEIF Image Extensions 1.2.22.0 allows remote attackers to disclose memory contents and crash the process by serving a crafted HEIF image. The flaw stems from CHEIFItemInfoEntry_GetDataSize returning success with a reported data size of zero, leading to a 1-byte allocation that is later overrun by a memmove in CopyPixels. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Heap-buffer-overflow READ in OpenEXR 3.4.0 through 3.4.11 occurs in the HTJ2K decoder's ht_undo_impl() function when processing a crafted EXR file with mismatched codestream and channel widths, producing a deterministic crash and potential adjacent-heap memory disclosure. Any application that opens untrusted EXR files - including thumbnailers, asset pipelines, and the exrcheck utility - is reachable via the standard scanline-decode entry point. No public exploit identified at time of analysis, but the upstream fix is shipped in v3.4.12.
Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. No public exploit has been identified at time of analysis; EPSS risk is low (0.17%, 7th percentile) and CISA SSVC rates exploitation as none.
Out-of-bounds heap read in libssh2 through 1.11.1 enables a malicious SFTP server or man-in-the-middle attacker to leak heap memory or crash client applications by sending a crafted SSH_FXP_NAME response with an inflated link_len during READLINK or REALPATH operations. The library is embedded in many SSH/SFTP clients (curl, Git tooling, language bindings), so impact extends to anywhere libssh2 is used as a client. No public exploit identified at time of analysis, but a vendor patch (commit 2dae302) is available and the issue was reported by VulnCheck.
Stack buffer overflow in Coturn's OAuth token decoder (decode_oauth_token_gcm()) lets remote unauthenticated attackers corrupt the server stack in all versions prior to 4.10.0. An attacker-controlled uint16_t nonce_len value (up to 65535) read from an OAuth access token is passed straight into memcpy() against a 256-byte stack buffer before any AES-GCM authentication, so no OAuth key or valid token is required to write up to 735 bytes past the buffer. Publicly available exploit code exists (SSVC: PoC) but it is not in CISA KEV, EPSS is low at 0.36% (27th percentile), and exploitation is gated on the non-default --oauth mode being enabled.
Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in `mpls_do_error` within `sys/netmpls/mpls_input.c` (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. A publicly available exploit exists per the Argus Systems advisory; this vulnerability is not confirmed as actively exploited in the CISA KEV catalog, and the CVSS 4.0 score is 6.9.
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the upstream commit 5985276 widens drl to uint32_t.
Integer overflow in tract-nnef's NNEF .dat tensor parser allows loading a crafted model archive to produce a Tensor whose reported element count (e.g. 2^61+7) vastly exceeds its 56-byte heap allocation, causing a bounded heap out-of-bounds read during model build and a reliable SIGSEGV (DoS) on any access past the mapped region. Affected are all applications using tract-nnef < 0.21.16, 0.22.0-0.22.2, or 0.23.0-0.23.1 that load attacker-controlled NNEF model archives via the public `model_for_path` / `model_for_read` API. No public exploit is available at time of analysis, though the reporter demonstrated the issue against affected crate versions; no CISA KEV entry exists.
Out-of-bounds write in FFmpeg's libavcodec MagicYUV decoder (libavcodec/magicyuv.c) affects all FFmpeg versions before 8.1.2, allowing remote attackers to cause denial-of-service and potentially achieve remote code execution when a victim processes a crafted MagicYUV-encoded media file. No public exploit identified at time of analysis, but the broad deployment of FFmpeg across media players, transcoding pipelines, browsers, and server-side processing makes this a high-priority patch. EPSS and CISA KEV data were not provided in the input.
Out-of-bounds read in 8cc, a small C compiler by rui314, allows a local attacker to crash the compiler and potentially disclose compiler process memory by supplying a crafted source file containing malicious #line directives or GNU linemarkers with oversized line numbers. The vulnerability arises because attacker-controlled filename and line number metadata embedded in source files is accepted and used without bounds validation when 8cc accesses internal source line arrays. No patch is available at time of analysis; the maintainer did not respond to CERT-PL's coordinated disclosure. No public exploit identified at time of analysis, though CERT-PL confirmed the vulnerability at commit b480958.
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device.
Remote code execution in libssh2 through version 1.11.1 stems from an unchecked packet_length field in ssh2_transport_read() that allows attackers to send oversized SSH packets and corrupt heap memory. The flaw was reported by VulnCheck and is fixed upstream in commit 97acf3df (PR #2052), which adds an upper-bound check against LIBSSH2_PACKET_MAXPAYLOAD. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects pre-authentication network reach with high impact on confidentiality, integrity, and availability.
Out-of-bounds write conditions in RTI Connext Professional affect three distinct components - Queueing Service, Core Libraries, and Persistence Service - enabling a locally authenticated low-privileged user to corrupt memory and produce limited integrity and availability impacts on the vulnerable system. The vulnerability spans multiple release branches (6.1.x, 7.0.x-7.3.x, and 7.4.x-7.6.x) and is resolved in versions 7.7.0 and 7.3.1.3 per vendor guidance. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA Known Exploited Vulnerabilities catalog.
Out-of-bounds read in RTI Connext Micro Core Libraries (versions 4.0.0 up to but not including 4.3.0) allows remote unauthenticated attackers to read beyond allocated buffer boundaries, leading to limited information disclosure and a high availability impact (likely process crash of the DDS middleware). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. The CVSS 4.0 base score of 8.8 reflects network reachability of the DDS protocol stack with no privileges or user interaction required.
Remote denial of service and partial data exposure in RTI Connext Professional's Web Integration Service results from a classic buffer overflow (CWE-120) reachable over the network without authentication. Versions 7.4.0 before 7.x, 7.0.0 before 7.3.1.3, and 6.1.2 before 6.1.x are vulnerable, and no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects high availability impact with low confidentiality and integrity impact, consistent with a filter-failure overflow that crashes the service rather than yielding full code execution.
Out-of-bounds read in RTI Connext Professional Core Libraries allows remote unauthenticated attackers to read beyond intended buffer bounds, with the CVSS 4.0 vector (9.2 Critical) indicating high availability impact on both the vulnerable component and downstream systems consuming its data. The flaw affects a wide range of Connext Professional releases used as DDS middleware in defense, autonomous, and industrial deployments. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Remote heap-based buffer overflow in RTI Connext Professional Core Libraries allows unauthenticated network attackers to corrupt heap memory in the DDS middleware, impacting integrity and availability of both the vulnerable component and downstream subsystems. The flaw spans a wide range of long-supported branches (5.0.x through 7.6.x) and carries a CVSS 4.0 score of 9.2, though no public exploit identified at time of analysis.
Heap buffer overflow in 389 Directory Server's ACI parsing layer allows an authenticated LDAP user with write access to the `aci` attribute to silently corrupt heap memory in the directory server process by submitting a malformed Access Control Instruction string. The `__aclp__normalize_acltxt()` function in `aclparse.c` performs pointer arithmetic on the keyword portion of an ACI string without validating minimum remaining buffer length after whitespace stripping, resulting in a 1-byte out-of-bounds write followed by out-of-bounds reads (CWE-787). No public exploit or CISA KEV listing has been identified at time of analysis; an upstream fix is available via GitHub PR #7542 but a released patched version has not been independently confirmed.
Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.
Stack-based buffer overflow in rxi microtar 0.1.0 allows remote attackers to crash or potentially execute arbitrary code in applications that parse attacker-supplied TAR archives. The flaw lies in raw_to_header() (src/microtar.c:112), which uses strcpy() on fixed-width 100-byte ustar name/linkname fields that are not guaranteed to be null-terminated, enabling a 356-byte out-of-bounds read confirmed via AddressSanitizer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in Zephyr RTOS Bluetooth Classic Hands-Free Profile (HFP) parser allows an adjacent Bluetooth peer acting as an Audio Gateway to corrupt heap/static memory on devices with CONFIG_BT_HFP_HF enabled. A single malformed +CIND response sent during Service Level Connection setup can crash the Bluetooth host or corrupt adjacent connection state with no user interaction. No public exploit identified at time of analysis, and the upstream fix is available via commit cf7693a in the zephyrproject-rtos repository.
Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
Out-of-bounds write in snes9x 1.63's UPS patch file parser allows a crafted .ups ROM patch file to trigger memory corruption and a denial-of-service crash. The flaw resides in the ReadUPSPatch loop in memmap.cpp, where the loop iterator `relative` was not bounded against CMemory::MAX_ROM_SIZE, permitting writes past the end of the allocated ROM buffer. Impact is limited to availability (crash) per the CVSS vector, though the underlying CWE-787 out-of-bounds write class carries broader memory-safety implications. No public exploit identified at time of analysis, and CVSS rates this Low (2.9) due to local attack vector and high complexity.
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
In several functions of the RTCP packet decoder, there is a possible out-of-bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Remote code execution in the Android Modem component (per the Pixel 2026-06-01 security bulletin) is possible via an out-of-bounds write triggered without user interaction. Authenticated remote attackers (PR:L per CVSS) can corrupt memory to execute arbitrary code at the same privilege level as the Modem process. No public exploit identified at time of analysis, EPSS is low at 0.23% (13th percentile), and the issue is not listed in CISA KEV.
In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In numberOfReportBlocks of RtpSession.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In TextRtpPayloadDecoderNode::DecodeT140 of TextRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Write of msg_to_host_buffer.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
In IntfGraphCreate of intfgraph.c, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In ExecuteGraph command handler of EdgeTPU firmware, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with root privileges needed. User interaction is not needed for exploitation.
In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In multiple functions of VideoRtpPayloadDecoderNode.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In __mfc_core_nal_q_get_dec_metadata_sei_nal of mfc_core_nal_q.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In mfc_core_get_dec_metadata_sei_nal of mfc_core_reg_api.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_device_external_event_emit of lwis_event.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In iavb_parse_key_data of avb_rsa.c, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtpPacket::decodePacket, there is a possible out-of-bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In lwis_io_buffer_write of lwis_io_buffer.c, there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds read due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
In RtcpChunk::decodeRtcpChunk, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
In NrmmMsgCodec::DecodeUPUTransparentContext of cn_NrmmDecoder.cpp, there is a possible out-of-bounds read due to memory corruption. This could lead to remote denial of service causing a communication processor crash with no additional execution privileges needed. User interaction is not needed for exploitation.
Remote code execution in the WC-Radio component on Google Android (Pixel) devices allows network-adjacent attackers to corrupt memory via an out-of-bounds write with no authentication or user interaction. The flaw carries a CVSS 9.8 rating and is addressed in the Pixel security bulletin dated 2026-06-01; no public exploit identified at time of analysis and EPSS is low at 0.15%.
Heap-based buffer overflow in stable-diffusion.cpp's pickle .ckpt parser allows attackers to corrupt memory and likely achieve code execution when a victim loads a maliciously crafted checkpoint file. The flaw stems from sign confusion in the BINUNICODE opcode length field, causing memcpy to be called with an attacker-controlled, effectively gigantic size derived from a negative signed integer. No public exploit identified at time of analysis, and the issue is fixed in master-584-0a7ae07.
Heap buffer overflow in the leejet stable-diffusion.cpp pickle .ckpt parser allows arbitrary code execution when a user or host application loads a maliciously crafted checkpoint file. The flaw resides in the GLOBAL opcode handler within src/model.cpp, where missing newline validation lets a -1 length value drive a heap memory copy, corrupting the heap of the diffusion inference process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the attack surface (community model-sharing sites) makes weaponization plausible.
Heap buffer overflow in stable-diffusion.cpp versions prior to master-584-0a7ae07 allows attackers to corrupt memory and potentially achieve code execution when a victim loads a malicious PyTorch .ckpt checkpoint file. The flaw resides in the SHORT_BINUNICODE opcode handler of the pickle parser in src/model.cpp, where a signed length field is mishandled and passed to memcpy. No public exploit identified at time of analysis, but the upstream fix is committed and the attack surface (untrusted model files from sharing sites) is realistic for AI/ML workloads.
Out-of-bounds reads in stable-diffusion.cpp's PyTorch pickle checkpoint parser (versions prior to master-584-0a7ae07) allow a crafted or truncated .ckpt file to crash the loading application or leak process memory contents. The pickle opcode handlers in src/model.cpp advanced the buffer pointer without verifying remaining bytes before each read, meaning any application using this library to load untrusted .ckpt model files is exposed to denial-of-service and potential memory disclosure. No public exploit has been identified at time of analysis, though LibFuzzer triggered crashing inputs in under one second, indicating an extremely low barrier for generating working crash payloads.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory when a victim opens a specially crafted Digital Negative (DNG) image file. The vulnerability is confined to information disclosure - no code execution or data modification is achievable - and requires local file delivery combined with explicit user interaction, as reflected by the CVSS AV:L/UI:R metrics. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a moderate-priority patching target, though risk scales with how broadly the SDK is embedded in applications that process untrusted DNG files.
Out-of-bounds memory read in Adobe DNG SDK 1.7.1 build 2536 and earlier enables sensitive process memory disclosure when a victim opens a specially crafted DNG raw image file. The vulnerability is local-vector, requiring attacker-controlled file delivery and victim interaction, making phishing or malicious file distribution the primary delivery mechanism. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this as a medium-priority information disclosure risk consistent with its CVSS 5.5 rating.
Heap-based buffer overflow in Adobe DNG SDK versions 1.7.1 (build 2536) and earlier enables arbitrary code execution in the context of the current user when a victim opens a maliciously crafted DNG file. The flaw affects any application or workflow that links the DNG SDK for parsing Digital Negative raw image files, and no public exploit identified at time of analysis. With a CVSS 7.8 (AV:L/UI:R) and user-interaction requirement, exploitation is realistic via social-engineered file delivery rather than remote network attack.
Out-of-bounds read in Adobe DNG SDK 1.7.1 build 2536 and earlier exposes sensitive process memory contents when a victim opens a specially crafted DNG image file. The attacker requires no privileges of their own - the attack surface is entirely dependent on social engineering a user into opening a malicious file processed by any application embedding the vulnerable SDK. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploitation.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Denial of service (and potential limited memory corruption) in the Zephyr RTOS IPv6 networking stack (versions 3.3.0 through 4.4.0) stems from a use-after-free in the IPv6 Neighbor Discovery send paths, where per-interface ICMP statistics are updated by reading from a network packet after the stack has already freed it. Any unauthenticated on-link node can trigger the Neighbor Advertisement path simply by sending ICMPv6 Neighbor Solicitations to a Zephyr node with native IPv6 and CONFIG_NET_STATISTICS_PER_INTERFACE enabled, causing a freed slab block to be dereferenced. There is no public exploit identified at time of analysis and EPSS is low (0.14%, 4th percentile); a vendor patch is available, and impact is largely limited to crashes/DoS with only theoretical limited memory corruption.
Use-after-free in Zephyr RTOS's ICMPv6 stack (v4.2.0-v4.4.0) allows an unauthenticated remote attacker to crash the networking stack and potentially corrupt memory by sending a standard ICMPv6 Echo Request or any IPv6 packet that elicits an ICMPv6 error response. Both `icmpv6_handle_echo_request()` and `net_icmpv6_send_error()` call `net_pkt_iface()` on a packet after transferring it to `net_try_send_data()`, which may synchronously or asynchronously free the packet's memory slab before the statistics update executes. When `CONFIG_NET_STATISTICS_PER_INTERFACE` is enabled, the stale interface pointer is written through (`iface->stats.icmp.sent++`), escalating the read UAF into an attacker-influenced memory write; no public exploit has been identified at time of analysis, but the trigger is a universally available IPv6 primitive.
Remotely triggerable denial of service in the Zephyr RTOS networking stack (versions 1.12.0 through 4.4.x) arises from a use-after-free in the IPv6 MLD code path, where mld_send() reads net_pkt_iface(pkt) after net_send_data() has already transferred packet ownership and the L2 driver freed it back to its memory slab. An unauthenticated attacker on the local link can elicit the vulnerable path by sending a crafted MLDv2 General Query, causing a NULL-pointer dereference crash or, in a narrow race, memory corruption via a stray statistics increment. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and the issue is not in CISA KEV; a vendor patch is available.
Incorrect boundary conditions in the Internationalization component. This vulnerability was fixed in Firefox ESR 140.12 and Firefox ESR 115.37.
Memory safety bug fixed in Firefox ESR 140.12. This vulnerability was fixed in Firefox ESR 140.12.
Memory corruption vulnerabilities in Mozilla Firefox 151, Firefox ESR 115.36/140.11, and Thunderbird 151/ESR 140.11 allow remote attackers to potentially execute arbitrary code by serving crafted web content that triggers internal memory safety bugs. Mozilla developers observed evidence of memory corruption in several of these bugs and assess that sufficient effort could yield arbitrary code execution in the browser process. No public exploit identified at time of analysis, and SSVC reports no observed exploitation, but the high CVSS (8.1) and total technical impact warrant prompt patching.
Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.