Buffer Overflow
Monthly
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Out-of-bounds heap read in the Windows Desktop Window Manager (DWM) Core Library on Windows 11 26H1 enables authenticated local attackers to disclose high-confidence confidentiality data without user interaction. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms low-complexity local exploitation limited to a single authenticated session, with no integrity or availability impact. No public exploit code has been identified at time of analysis, and the vulnerability does not appear in the CISA KEV catalog.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library stems from a use-after-free condition (CWE-122) that lets an authenticated low-privileged user gain elevated rights on affected Windows systems. The flaw was reported by Microsoft (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis and no CISA KEV listing. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability once the attacker has local foothold.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unauthenticated network attacker can trigger when a victim connects to or interacts with a malicious server. Microsoft (secure@microsoft.com) is the originating reporter and has published an advisory in the MSRC update guide, with no public exploit identified at time of analysis. The CVSS 7.5 (High) rating reflects high attack complexity and required user interaction, but successful exploitation yields full confidentiality, integrity, and availability impact on the client host.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is lured into connecting to an attacker-controlled RDP server, where a heap-based buffer overflow (CWE-122) can be triggered to run arbitrary code on the client machine. The flaw was reported by Microsoft (secure@microsoft.com) and carries a CVSS 3.1 score of 7.5, reflecting high attack complexity and the requirement for user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering an integer underflow condition. With a CVSS of 7.8 and no public exploit identified at time of analysis, this issue is primarily a post-compromise escalation vector commonly chained after initial access via phishing or commodity malware. Microsoft has released a patch through MSRC, and given Windows kernel EoP bugs are frequently weaponized by ransomware and APT actors historically, prompt patching is warranted despite the absence of confirmed in-the-wild exploitation.
Out-of-bounds read in the Windows Telephony Service exposes sensitive memory contents to locally authenticated attackers across a broad range of Windows client and server versions. The flaw (CWE-125) is exploitable with only low privileges and no user interaction, yielding high confidentiality impact while leaving integrity and availability unaffected. No public exploit code or active exploitation has been identified; CISA's SSVC framework rates this as non-automatable with partial technical impact, placing it at medium operational priority.
Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Local privilege escalation in the Windows Hotpatch Monitoring Service enables an authenticated low-privileged attacker to gain elevated privileges through an out-of-bounds write (CWE-787) memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) reflects local attack vector with low complexity once a foothold is obtained, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft's own security team (secure@microsoft.com), suggesting internal discovery prior to disclosure.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows unauthenticated remote attackers to read out-of-bounds memory contents over the network, potentially leaking sensitive data from the RDP service process. The vulnerability requires no authentication or user interaction and is rated CVSS 7.5 with high confidentiality impact only. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Privilege elevation in the Windows TCP/IP networking stack allows an unauthenticated attacker on an adjacent network to gain elevated privileges by triggering a heap-based buffer overflow (CWE-122). The CVSS 9.6 score with scope change (S:C) indicates the compromise crosses security boundaries beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver allows an authenticated low-privileged user on a Windows host to escalate to higher privileges by triggering a buffer over-read in the kernel-mode driver. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.8 with low attack complexity and no user interaction makes it an attractive post-compromise target for endpoint operators.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver enables an authorized low-privileged user to elevate to higher privileges through a buffer over-read condition. The flaw affects Microsoft Windows installations where the ProjFS filter driver is present, and exploitation yields high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows DNS allows an authenticated low-privileged user to gain elevated privileges via a heap-based buffer overflow (CWE-122). The CVSS 7.0 score reflects high attack complexity and local-only access, and no public exploit is identified at time of analysis. The flaw was reported privately by Microsoft (MSRC) and is tracked under MSRC advisory CVE-2026-41108.
Local privilege escalation in the Microsoft Windows Universal Disk Format File System (UDFS) driver allows an authenticated low-privileged user to gain SYSTEM-level code execution by triggering a heap-based buffer overflow (CWE-122). The flaw affects Windows endpoints where the UDFS kernel driver parses attacker-controlled UDF-formatted media (typically optical discs or mounted disc images). No public exploit identified at time of analysis and the issue is not currently listed on CISA KEV.
Heap-based buffer overflow in NVIDIA DALI enables local authenticated attackers to achieve code execution, data tampering, denial of service, or information disclosure when a victim user interacts with attacker-supplied input. The flaw affects the Data Loading Library used in GPU-accelerated deep learning data pipelines and carries a CVSS 3.1 score of 7.3 (High). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.
Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.
Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA.
Shadow paging error paths in Xen Hypervisor 4.15+ on x86 allow 64-bit PV guests operating in shadow mode to corrupt mapcache metadata by triggering a page-table switch that does not update the currently running vCPU reference. Successful exploitation by a guest can result in privilege escalation into the hypervisor, host-wide denial of service, and information leaks affecting all co-resident guests. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; vendor-released patches are available for all supported stable branches.
Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Buffer overflow in the Linux kernel's greybus gb-beagleplay driver allows an adjacent attacker with control over the cc1352 bootloader serial data stream to overflow the fixed rx_buffer used to stage bootloader packets. The cc1352_bootloader_rx() handler appends serdev chunks without validating they fit in remaining buffer space, enabling memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.
Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.
Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.
Heap buffer overflow in OpenSSL's ASN.1 multibyte string conversion routine allows remote attackers to corrupt memory and potentially achieve code execution against applications using affected OpenSSL versions prior to 4.0.1. The flaw was disclosed via the OpenSSL 4.0.1 security patch release alongside 17 other CVEs and is classified as a high-severity issue (CVSS 8.1) with no public exploit identified at time of analysis.
Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.
Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds heap write in the Zephyr RTOS Bluetooth host allows a remote, unauthenticated BLE peer within radio range to corrupt memory during L2CAP LE Connection-oriented Channel (CoC) SDU reassembly. The flaw affects builds where the application enables SDU segmentation via chan_ops.alloc_buf and selects an RX net_buf pool whose user_data_size is smaller than 2 bytes, causing the reassembly segmentation counter in l2cap_chan_le_recv_seg() to be written past the allocated user_data region. There is no public exploit identified at time of analysis and EPSS probability is negligible (0.01%), so realistic impact is a triggered fatal error / heap corruption rather than demonstrated code execution.
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.
Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.
Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.
Out-of-bounds read in Chrome's Skia graphics engine (versions prior to 149.0.7827.103) enables cross-origin data leakage via a crafted HTML page, but only after a prior renderer process compromise. The CVSS score of 3.1 (Low) reflects the constrained impact: confidentiality loss is limited in scope, and the prerequisite renderer compromise represents a significant barrier. No public exploit identified at time of analysis, and CISA SSVC confirms exploitation status as none with non-automatable attack surface.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a heap buffer overflow in the GPU process triggered by a crafted HTML page. Rated High severity by Chromium with a CVSS 8.3 reflecting scope change and full CIA impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Chrome's Media component on ChromeOS allows an attacker who has already compromised the renderer process to exfiltrate potentially sensitive data from process memory via a crafted HTML page. Affected are all Chrome for ChromeOS releases prior to 149.0.7827.103. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained by both the ChromeOS-only scope and the mandatory prerequisite of a pre-compromised renderer, making this a chained attack scenario rather than a standalone critical threat.
Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.
Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 can be triggered by an integer overflow in the browser's UI component when a victim visits a crafted HTML page. Rated CVSS 9.6 with scope change, this issue allows a remote attacker to break out of the Chrome renderer sandbox after one click or navigation, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Sandbox escape in Google Chrome on macOS prior to version 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers an integer overflow in the Media component. Google rates the Chromium severity as High, and no public exploit has been identified at time of analysis. Because exploitation requires chaining with a separate renderer compromise plus user interaction (visiting a malicious page), the attack complexity is High despite the network attack vector.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.
Sandbox escape in Google Chrome versions prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an integer overflow in the libyuv image conversion library. Exploitation requires user interaction with a crafted HTML page and a chained renderer compromise, but Google rated the underlying issue Critical because a successful chain yields code execution outside Chrome's sandbox. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.03%.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthUserPwd parameter of the formAddWebAuthUser handler. CVSS 7.5 reflects the network-reachable, no-auth attack path with high availability impact but no confidentiality or integrity loss, and EPSS is very low (0.01%) with no public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows unauthenticated remote attackers to crash the device by sending crafted HTTP requests with oversized username or password parameters that overflow stack buffers in the R7WebsSecurityHandler function. The flaw affects the router's web management interface and carries a CVSS 7.5 (availability-only impact); no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picName parameter to the formDelwebAuthPic handler. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at just 0.02% (4th percentile), but the affected SOHO/SMB router class is a frequent target once weaponized PoCs emerge.
Denial of service in Tenda PW201A v1.0.5 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the page parameter of the SafeMacFilter function. EPSS scores exploitation probability at just 0.02% (4th percentile), and no public exploit identified at time of analysis, though a research repository on GitHub references the vulnerable function.
Remote denial of service in Tenda US_W3V1.0BR router firmware v1.0.0.3 allows unauthenticated network attackers to crash the device by sending a crafted value in the 'Go' parameter to the ask_to_reboot function, triggering a stack-based buffer overflow. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the IPMacBindIndex parameter handler of the formIPMacBindDel function. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.01%, 2nd percentile), but the network-reachable, no-auth attack surface on an edge networking device warrants attention from operators of affected hardware.
Denial of service in Tenda W15E router firmware version 15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, and EPSS scoring of 0.01% indicates very low predicted exploitation probability, though a research repository hosting analysis artifacts exists on GitHub.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers stack-based buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. CVSS 7.5 reflects the network-reachable, no-privilege availability impact, while EPSS sits at 0.01% (2nd percentile) and no public exploit identified at time of analysis indicates limited near-term opportunistic exploitation despite the easy attack profile.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.01% (2nd percentile), suggesting low near-term mass-exploitation likelihood despite the network-reachable attack surface. The flaw is not listed in CISA KEV.
Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.
Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formIPMacBindModify handler via the IPMacBindRuleIp parameter. No public exploit identified at time of analysis, EPSS is very low (0.01%), and SSVC reports no observed exploitation, though CISA's SSVC marks the attack as automatable with partial technical impact.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted MP4 file that triggers a stack buffer overflow in the filein_process function. The flaw resides in in_file.c and impacts availability only, with no confirmed code-execution path; no public exploit identified at time of analysis, though POC details may surface via the linked infosec.exchange post.
Denial-of-service via stack buffer overflow affects the Tenda O3 wireless router firmware v1.0.0.5(4180), where the fromNetToolGet handler fails to bound-check the domain parameter supplied in HTTP requests. Remote attackers can crash the router's web management service by sending a crafted request, disrupting network connectivity for downstream clients. SSVC flags the issue as proof-of-concept with automatable exploitation and partial technical impact, though EPSS remains low at 0.01% and no in-the-wild exploitation has been confirmed.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated network attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the wewifiWhiteUserInfo parameter handled by the formAddWewifiWhiteUser function. EPSS scores exploitation probability at only 0.02% (4th percentile) and no public exploit code or active exploitation has been reported, though a research repository documenting the finding exists on GitHub. The vulnerability is not listed in CISA KEV.
Denial of service in Tenda O3 Wireless Router firmware v1.0.0.5(4180) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack buffer overflows in the fromVirtualSer function. Five distinct overflow sinks (puVar2, puVar1, __s2, __s1_00, puVar3) are reachable via the same handler. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.01%, but a research repository with vulnerability artifacts is referenced.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser handler. EPSS is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, though a GitHub research repository documents the flaw. The CVSS 7.5 reflects high availability impact with no confidentiality or integrity compromise.
Denial of service in the Tenda O3 Wireless Router (firmware v1.0.0.5(4180)) allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the ip parameter of the fromNetToolGet function. Publicly available exploit code exists in a GitHub research repository, though EPSS rates exploitation probability at only 0.02% and the issue is not on CISA KEV. Impact is limited to availability (the CVSS A:H, C:N, I:N profile), making this primarily a device-crash bug rather than a code-execution vector based on the reported analysis.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing a malicious wl_radio parameter to the formWifiRadioSet function. EPSS scoring (0.01%, 2nd percentile) indicates very low real-world exploitation probability, and no public exploit identified at time of analysis beyond a research repository referencing the vulnerable function.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that overflows the portalAuth parameter handled by the formPortalAuth function. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.01%), but a public proof-of-concept research repository on GitHub references the vulnerable function.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. EPSS is extremely low at 0.02% and no public exploit identified at time of analysis beyond a research repository, though the affected component is the web administration interface of a SOHO/SMB router.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%), but the network-reachable attack surface on a customer-premises router warrants timely mitigation. The flaw is limited to availability impact per the CVSS vector, with no confidentiality or integrity consequences claimed.
Denial of service in Tenda W15E v15.11.0.10 routers can be triggered by remote unauthenticated attackers sending a crafted HTTP request that overflows the gotoUrl parameter in the formPortalAuth function. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and at the time of analysis no public exploit identified at time of analysis though a proof-of-concept research repository is referenced. EPSS is very low (0.02%, 4th percentile), suggesting limited real-world exploitation interest despite the network-reachable attack surface.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing an oversized hostname parameter to the formSetNetCheckTools handler. The classic stack buffer overflow (CWE-120) currently shows no public exploit identified at time of analysis and a very low EPSS score of 0.01%, but the network-reachable management interface makes any exposed device trivially disruptable.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that overflows a buffer in the wewifiWhiteUserInfo parameter handled by the formAddWewifiWhiteUser function. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function, and EPSS is very low (0.02%, 4th percentile).
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picCropName parameter to the formCropAndSetWewifiPic handler. The flaw is a classic stack buffer overflow in the web management interface, and while no public weaponized exploit is identified, proof-of-concept research artifacts are published on GitHub. EPSS scores exploitation probability at just 0.01%, reflecting limited attacker interest despite trivial reachability.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Denial of service in Tenda O3v3 firmware v1.0.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formSetCfm handler. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but the network-reachable, no-authentication attack surface on a CPE/router device makes this relevant for exposed deployments.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.
Local code execution in Microsoft Office is possible when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122), allowing the attacker to run arbitrary code in the context of the opened Office process. The CVSS 7.8 (AV:L/AC:L/PR:N/UI:R) reflects a user-interaction-driven local exploit rather than a remote network attack, and no public exploit identified at time of analysis. The flaw was reported through Microsoft Security Response Center (secure@microsoft.com) and is tracked in MSRC's update guide.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Out-of-bounds heap read in the Windows Desktop Window Manager (DWM) Core Library on Windows 11 26H1 enables authenticated local attackers to disclose high-confidence confidentiality data without user interaction. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) confirms low-complexity local exploitation limited to a single authenticated session, with no integrity or availability impact. No public exploit code has been identified at time of analysis, and the vulnerability does not appear in the CISA KEV catalog.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local privilege escalation in the Windows Desktop Window Manager (DWM) Core Library stems from a use-after-free condition (CWE-122) that lets an authenticated low-privileged user gain elevated rights on affected Windows systems. The flaw was reported by Microsoft (secure@microsoft.com) and tracked via MSRC, with no public exploit identified at time of analysis and no CISA KEV listing. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability once the attacker has local foothold.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled RDP server, where a heap-based buffer overflow (linked to use-after-free memory corruption per vendor tags) enables arbitrary code execution on the client machine. The CVSS 7.5 score reflects high attack complexity and required user interaction, and no public exploit identified at time of analysis. SSVC assessment from CISA rates exploitation as 'none' and automatable as 'no', though technical impact is total.
Remote code execution in Microsoft Remote Desktop Client arises from a heap-based buffer overflow (CWE-122) that an unauthenticated network attacker can trigger when a victim connects to or interacts with a malicious server. Microsoft (secure@microsoft.com) is the originating reporter and has published an advisory in the MSRC update guide, with no public exploit identified at time of analysis. The CVSS 7.5 (High) rating reflects high attack complexity and required user interaction, but successful exploitation yields full confidentiality, integrity, and availability impact on the client host.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is lured into connecting to an attacker-controlled RDP server, where a heap-based buffer overflow (CWE-122) can be triggered to run arbitrary code on the client machine. The flaw was reported by Microsoft (secure@microsoft.com) and carries a CVSS 3.1 score of 7.5, reflecting high attack complexity and the requirement for user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Remote code execution in Microsoft Remote Desktop Client is possible when a user is enticed to connect to an attacker-controlled RDP server, triggering a heap-based buffer overflow (CWE-122). The flaw scores CVSS 7.5 (AV:N/AC:H/PR:N/UI:R) and, while no public exploit is identified at time of analysis, the network-reachable nature and full CIA impact make it a meaningful client-side risk for users connecting to untrusted endpoints.
Remote code execution in Microsoft Remote Desktop Client is possible when a victim connects to an attacker-controlled or compromised RDP server, triggering a heap-based buffer overflow that runs attacker code in the client's context. The flaw (CWE-416 use-after-free / heap corruption) carries CVSS 8.8 and requires user interaction, with no public exploit identified at time of analysis. A vendor patch is available via Microsoft MSRC.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged attacker to elevate to SYSTEM by triggering an integer underflow condition. With a CVSS of 7.8 and no public exploit identified at time of analysis, this issue is primarily a post-compromise escalation vector commonly chained after initial access via phishing or commodity malware. Microsoft has released a patch through MSRC, and given Windows kernel EoP bugs are frequently weaponized by ransomware and APT actors historically, prompt patching is warranted despite the absence of confirmed in-the-wild exploitation.
Out-of-bounds read in the Windows Telephony Service exposes sensitive memory contents to locally authenticated attackers across a broad range of Windows client and server versions. The flaw (CWE-125) is exploitable with only low privileges and no user interaction, yielding high confidentiality impact while leaving integrity and availability unaffected. No public exploit code or active exploitation has been identified; CISA's SSVC framework rates this as non-automatable with partial technical impact, placing it at medium operational priority.
Windows Kerberos out-of-bounds read (CWE-125) allows a low-privilege network attacker to crash the Kerberos authentication service across all actively supported Windows client and server platforms, from Windows Server 2012 through Windows Server 2025 and Windows 11 26H1. The attack requires prior domain authentication and high-complexity triggering conditions (CVSS AC:H), limiting opportunistic mass exploitation, though a successful attack against a domain controller can deny authentication domain-wide by crashing the KDC. Vendor patches are available via the Microsoft MSRC advisory; no public exploit code exists and SSVC confirms no observed exploitation at time of analysis.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled RDP server, where a heap-based buffer overflow triggered by a race condition (CWE-362) allows arbitrary code execution on the client machine. The flaw carries a CVSS 7.5 (High) rating with high attack complexity and required user interaction, and no public exploit identified at time of analysis. Microsoft has released a patch via MSRC advisory CVE-2026-42913.
Local privilege escalation in the Windows Hotpatch Monitoring Service enables an authenticated low-privileged attacker to gain elevated privileges through an out-of-bounds write (CWE-787) memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) reflects local attack vector with low complexity once a foothold is obtained, and no public exploit identified at time of analysis. The vulnerability was reported by Microsoft's own security team (secure@microsoft.com), suggesting internal discovery prior to disclosure.
Remote code execution in Microsoft Remote Desktop Client is possible when a user connects to an attacker-controlled or compromised RDP endpoint, where a race condition (CWE-362) can be triggered to corrupt heap memory and execute arbitrary code in the client process. The flaw is unauthenticated from the network attacker's perspective but requires user interaction to initiate the connection, and no public exploit has been identified at time of analysis.
Information disclosure in Microsoft Windows Remote Desktop Protocol (RDP) allows unauthenticated remote attackers to read out-of-bounds memory contents over the network, potentially leaking sensitive data from the RDP service process. The vulnerability requires no authentication or user interaction and is rated CVSS 7.5 with high confidentiality impact only. At time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
Privilege elevation in the Windows TCP/IP networking stack allows an unauthenticated attacker on an adjacent network to gain elevated privileges by triggering a heap-based buffer overflow (CWE-122). The CVSS 9.6 score with scope change (S:C) indicates the compromise crosses security boundaries beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver allows an authenticated low-privileged user on a Windows host to escalate to higher privileges by triggering a buffer over-read in the kernel-mode driver. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.8 with low attack complexity and no user interaction makes it an attractive post-compromise target for endpoint operators.
Local privilege escalation in the Windows Projected File System (ProjFS) Filter Driver enables an authorized low-privileged user to elevate to higher privileges through a buffer over-read condition. The flaw affects Microsoft Windows installations where the ProjFS filter driver is present, and exploitation yields high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows DNS allows an authenticated low-privileged user to gain elevated privileges via a heap-based buffer overflow (CWE-122). The CVSS 7.0 score reflects high attack complexity and local-only access, and no public exploit is identified at time of analysis. The flaw was reported privately by Microsoft (MSRC) and is tracked under MSRC advisory CVE-2026-41108.
Local privilege escalation in the Microsoft Windows Universal Disk Format File System (UDFS) driver allows an authenticated low-privileged user to gain SYSTEM-level code execution by triggering a heap-based buffer overflow (CWE-122). The flaw affects Windows endpoints where the UDFS kernel driver parses attacker-controlled UDF-formatted media (typically optical discs or mounted disc images). No public exploit identified at time of analysis and the issue is not currently listed on CISA KEV.
Heap-based buffer overflow in NVIDIA DALI enables local authenticated attackers to achieve code execution, data tampering, denial of service, or information disclosure when a victim user interacts with attacker-supplied input. The flaw affects the Data Loading Library used in GPU-accelerated deep learning data pipelines and carries a CVSS 3.1 score of 7.3 (High). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Heap buffer overflow in FreeSWITCH mod_verto prior to version 1.11.1 allows remote unauthenticated attackers to corrupt up to ~8 MiB of heap memory by sending a crafted HTTP POST request with an oversized Content-Length header. The flaw is triggered before HTTP basic-auth validation runs, enabling pre-authentication exploitation against any exposed mod_verto HTTP endpoint, with CVSS 9.8 reflecting potential for remote code execution; no public exploit identified at time of analysis.
Out-of-bounds memory access in FreeSWITCH versions prior to 1.11.0 allows remote unauthenticated attackers to crash the telephony stack by sending a malformed STUN packet whose declared attribute length is smaller than the structure the parser casts it to. No public exploit has been identified at time of analysis, but the network-reachable nature of STUN on media-handling deployments makes this a denial-of-service risk for any exposed FreeSWITCH instance handling WebRTC or NAT-traversal traffic.
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.
Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.
Remote command execution in NETGEAR Orbi 370 series routers (firmware before V12.1.2.7) is achievable by a network-positioned adversary who can intercept and tamper with traffic between the device and the internet. Exploitation requires the device administrator to perform specific management actions while the attacker holds a man-in-the-middle position, at which point a buffer overflow (CWE-119) is triggered allowing arbitrary command execution on the device. No public exploit exists at time of analysis and the vendor has released a patching firmware (V12.1.2.7); no KEV listing has been issued by CISA.
Shadow paging error paths in Xen Hypervisor 4.15+ on x86 allow 64-bit PV guests operating in shadow mode to corrupt mapcache metadata by triggering a page-table switch that does not update the currently running vCPU reference. Successful exploitation by a guest can result in privilege escalation into the hypervisor, host-wide denial of service, and information leaks affecting all co-resident guests. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; vendor-released patches are available for all supported stable branches.
Heap buffer overflow in Red Hat Directory Server's audit logging subsystem allows an authenticated high-privilege attacker to corrupt heap memory and tamper with audit log output. The vulnerable function create_masked_entry_string() in auditlog.c writes a fixed-length password mask into a precisely-sized heap buffer without bounds checking, overflowing when a short cleartext password is processed. Exploitation requires two non-default preconditions - audit logging must be enabled AND either CLEAR password storage must be configured or a replication peer must already be compromised - limiting real-world exposure significantly. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Heap buffer over-read in Red Hat Directory Server's ldap_utf8prev() function exposes LDAP deployments to potential confidentiality, integrity, and availability impact via crafted string filter input. The flaw affects authenticated, network-accessible LDAP servers running Red Hat Directory Server 11, 12, and 13 as well as the 389-ds component shipped across Red Hat Enterprise Linux 6 through 10. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; however, its presence in filter parsing logic - a core LDAP code path - warrants prompt patching in internet-exposed or multi-tenant directory environments.
Out-of-bounds read in 389 Directory Server's LDIF parser exposes limited heap memory to a highly privileged local attacker during database import operations. Exploitation requires local system access, high attack complexity, and high privileges (administrator-level), producing only minor confidentiality impact with no integrity or availability consequences. No public exploit identified at time of analysis and no KEV listing; the CVSS score of 1.9 reflects the extremely constrained exploitation conditions, making this a low operational priority absent specific threat model considerations.
Buffer overflow in the Linux kernel's greybus gb-beagleplay driver allows an adjacent attacker with control over the cc1352 bootloader serial data stream to overflow the fixed rx_buffer used to stage bootloader packets. The cc1352_bootloader_rx() handler appends serdev chunks without validating they fit in remaining buffer space, enabling memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.02%.
Out-of-bounds read in OpenSSL 4.0.0's `X509_VERIFY_PARAM_set1_email()` function can crash applications performing email-based X.509 certificate verification when processing attacker-influenced email input, resulting in a denial-of-service condition. The vulnerability is scoped to OpenSSL 4.0.0 only and was patched in the June 9, 2026 security release (4.0.1), which bundled fixes for 18 CVEs. No public exploit identified at time of analysis and no CISA KEV listing.
Denial-of-service in OpenSSL's ASN.1 content parser allows remote unauthenticated attackers to trigger a heap buffer over-read that can crash applications relying on the library for cryptographic parsing. Disclosed via the OpenSSL 4.0.1 security release on 2026-06-09 alongside more than a dozen other fixes, this issue affects every supported branch from 1.0.2 through 3.6 and 4.0. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but the broad install base of OpenSSL across servers, clients, and embedded devices makes patching a priority.
Out-of-bounds read in OpenSSL's CMS password-based decryption code (CVE-2026-9076) allows remote attackers to cause denial of service against applications that decrypt attacker-supplied CMS messages. The flaw is fixed in OpenSSL 4.0.1 alongside a batch of other cryptographic vulnerabilities, with no public exploit identified at time of analysis and no CISA KEV listing. Multiple OpenSSL branches (1.0.2, 1.1.1, 3.0, 3.4, 3.5, 3.6, and 4.0.0) require updates per the upstream advisory.
Heap buffer overflow in OpenSSL's ASN.1 multibyte string conversion routine allows remote attackers to corrupt memory and potentially achieve code execution against applications using affected OpenSSL versions prior to 4.0.1. The flaw was disclosed via the OpenSSL 4.0.1 security patch release alongside 17 other CVEs and is classified as a high-severity issue (CVSS 8.1) with no public exploit identified at time of analysis.
Stack-based buffer overflow in Perl DBI module versions prior to 1.648 allows attackers who can influence database error message content to corrupt memory via a fixed 200-byte stack buffer used during error formatting. The flaw is triggered when applications enable RaiseError, PrintError, or HandleError handlers - a near-universal configuration in production Perl database code. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02% despite the CVSS 9.8 rating.
Heap-based buffer overflow in the HarmonyOS IPC (Inter-Process Communication) module allows a local low-privileged attacker to impact confidentiality, integrity, and availability of the affected system. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) confirms exploitation requires local authenticated access with low complexity, limiting but not eliminating real-world risk on consumer and wearable Huawei devices. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds heap write in the Zephyr RTOS Bluetooth host allows a remote, unauthenticated BLE peer within radio range to corrupt memory during L2CAP LE Connection-oriented Channel (CoC) SDU reassembly. The flaw affects builds where the application enables SDU segmentation via chan_ops.alloc_buf and selects an RX net_buf pool whose user_data_size is smaller than 2 bytes, causing the reassembly segmentation counter in l2cap_chan_le_recv_seg() to be written past the allocated user_data region. There is no public exploit identified at time of analysis and EPSS probability is negligible (0.01%), so realistic impact is a triggered fatal error / heap corruption rather than demonstrated code execution.
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Remote code execution and denial of service in Zephyr RTOS HTTP server (versions 3.7.0 through 4.3.0) allow unauthenticated network attackers to corrupt stack memory by sending a crafted Sec-WebSocket-Key header during WebSocket upgrade. The flaw is a CWE-170 improper NUL-termination issue where a bounded copy fails to terminate the header buffer, causing strlen() and subsequent concatenation to read and write past stack bounds. No public exploit identified at time of analysis, but the CVSS 9.8 rating and trivially reachable attack surface make this a high-priority issue for any Zephyr deployment with CONFIG_HTTP_SERVER_WEBSOCKET enabled.
Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.
Sandbox-confined arbitrary code execution in Google Chrome on macOS versions prior to 149.0.7827.103 stems from an out-of-bounds read and write in the Media component, exploitable by a remote attacker who has already compromised the renderer process and lures a user to a crafted HTML page. Google rates the Chromium severity as High and has released a patched stable channel update; no public exploit identified at time of analysis, and SSVC reports no observed exploitation.
Out-of-bounds read in Chrome's Skia graphics engine (versions prior to 149.0.7827.103) enables cross-origin data leakage via a crafted HTML page, but only after a prior renderer process compromise. The CVSS score of 3.1 (Low) reflects the constrained impact: confidentiality loss is limited in scope, and the prerequisite renderer compromise represents a significant barrier. No public exploit identified at time of analysis, and CISA SSVC confirms exploitation status as none with non-automatable attack surface.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.103 allows a remote attacker who has already compromised the renderer process to break out of Chrome's sandbox via a heap buffer overflow in the GPU process triggered by a crafted HTML page. Rated High severity by Chromium with a CVSS 8.3 reflecting scope change and full CIA impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds read in Chrome's Media component on ChromeOS allows an attacker who has already compromised the renderer process to exfiltrate potentially sensitive data from process memory via a crafted HTML page. Affected are all Chrome for ChromeOS releases prior to 149.0.7827.103. No public exploit code or CISA KEV listing has been identified at time of analysis, and exploitation is constrained by both the ChromeOS-only scope and the mandatory prerequisite of a pre-compromised renderer, making this a chained attack scenario rather than a standalone critical threat.
Out-of-bounds read in the WebRTC component of Google Chrome before 149.0.7827.103 enables a remote attacker who has already compromised the GPU process to escalate into heap corruption via a crafted HTML page. Google rates this High severity and a vendor patch is available; no public exploit identified at time of analysis. The flaw is a chained-exploitation primitive rather than a standalone RCE, requiring a prior sandbox-adjacent foothold plus user interaction.
Out-of-bounds read in Dawn, Chrome's WebGPU graphics API layer, on Windows enables unauthenticated remote attackers to leak cross-origin data by serving a crafted HTML page. Affected versions of Google Chrome on Windows are all releases prior to 149.0.7827.103. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) confirms this is a network-exploitable, low-complexity information disclosure with no authentication requirement - limited only by the need for a user to visit the attacker-controlled page. No public exploit code or CISA KEV listing has been identified at time of analysis.
Sandbox escape in Google Chrome on Linux prior to 149.0.7827.103 can be triggered by an integer overflow in the browser's UI component when a victim visits a crafted HTML page. Rated CVSS 9.6 with scope change, this issue allows a remote attacker to break out of the Chrome renderer sandbox after one click or navigation, though no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Sandbox escape in Google Chrome on macOS prior to version 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that triggers an integer overflow in the Media component. Google rates the Chromium severity as High, and no public exploit has been identified at time of analysis. Because exploitation requires chaining with a separate renderer compromise plus user interaction (visiting a malicious page), the attack complexity is High despite the network attack vector.
Remote code execution in Google Chrome's V8 JavaScript engine prior to 149.0.7827.103 allows a remote attacker to execute arbitrary code inside the renderer sandbox by enticing a victim to visit a crafted HTML page. The flaw is an out-of-bounds read and write (CWE-125) rated High severity by Chromium with a CVSS 8.8, and no public exploit identified at time of analysis, though V8 memory-corruption issues historically attract exploit development.
Sandbox escape in Google Chrome versions prior to 149.0.7827.103 enables a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an integer overflow in the libyuv image conversion library. Exploitation requires user interaction with a crafted HTML page and a chained renderer compromise, but Google rated the underlying issue Critical because a successful chain yields code execution outside Chrome's sandbox. There is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.03%.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthUserPwd parameter of the formAddWebAuthUser handler. CVSS 7.5 reflects the network-reachable, no-auth attack path with high availability impact but no confidentiality or integrity loss, and EPSS is very low (0.01%) with no public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows unauthenticated remote attackers to crash the device by sending crafted HTTP requests with oversized username or password parameters that overflow stack buffers in the R7WebsSecurityHandler function. The flaw affects the router's web management interface and carries a CVSS 7.5 (availability-only impact); no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picName parameter to the formDelwebAuthPic handler. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at just 0.02% (4th percentile), but the affected SOHO/SMB router class is a frequent target once weaponized PoCs emerge.
Denial of service in Tenda PW201A v1.0.5 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the page parameter of the SafeMacFilter function. EPSS scores exploitation probability at just 0.02% (4th percentile), and no public exploit identified at time of analysis, though a research repository on GitHub references the vulnerable function.
Remote denial of service in Tenda US_W3V1.0BR router firmware v1.0.0.3 allows unauthenticated network attackers to crash the device by sending a crafted value in the 'Go' parameter to the ask_to_reboot function, triggering a stack-based buffer overflow. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the IPMacBindIndex parameter handler of the formIPMacBindDel function. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.01%, 2nd percentile), but the network-reachable, no-auth attack surface on an edge networking device warrants attention from operators of affected hardware.
Denial of service in Tenda W15E router firmware version 15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, and EPSS scoring of 0.01% indicates very low predicted exploitation probability, though a research repository hosting analysis artifacts exists on GitHub.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers stack-based buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. CVSS 7.5 reflects the network-reachable, no-privilege availability impact, while EPSS sits at 0.01% (2nd percentile) and no public exploit identified at time of analysis indicates limited near-term opportunistic exploitation despite the easy attack profile.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.01% (2nd percentile), suggesting low near-term mass-exploitation likelihood despite the network-reachable attack surface. The flaw is not listed in CISA KEV.
Remote code execution and denial-of-service in bitbank2 AnimatedGIF v2.2.0 arises from a buffer overflow in the DecodeLZW function when processing a crafted GIF file. SSVC data indicates a proof-of-concept exists and exploitation is automatable, though it is not listed in CISA KEV; with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) the vulnerability is network-reachable wherever this library decodes attacker-supplied GIFs.
Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formIPMacBindModify handler via the IPMacBindRuleIp parameter. No public exploit identified at time of analysis, EPSS is very low (0.01%), and SSVC reports no observed exploitation, though CISA's SSVC marks the attack as automatable with partial technical impact.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted MP4 file that triggers a stack buffer overflow in the filein_process function. The flaw resides in in_file.c and impacts availability only, with no confirmed code-execution path; no public exploit identified at time of analysis, though POC details may surface via the linked infosec.exchange post.
Denial-of-service via stack buffer overflow affects the Tenda O3 wireless router firmware v1.0.0.5(4180), where the fromNetToolGet handler fails to bound-check the domain parameter supplied in HTTP requests. Remote attackers can crash the router's web management service by sending a crafted request, disrupting network connectivity for downstream clients. SSVC flags the issue as proof-of-concept with automatable exploitation and partial technical impact, though EPSS remains low at 0.01% and no in-the-wild exploitation has been confirmed.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Remote denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated network attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the wewifiWhiteUserInfo parameter handled by the formAddWewifiWhiteUser function. EPSS scores exploitation probability at only 0.02% (4th percentile) and no public exploit code or active exploitation has been reported, though a research repository documenting the finding exists on GitHub. The vulnerability is not listed in CISA KEV.
Denial of service in Tenda O3 Wireless Router firmware v1.0.0.5(4180) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack buffer overflows in the fromVirtualSer function. Five distinct overflow sinks (puVar2, puVar1, __s2, __s1_00, puVar3) are reachable via the same handler. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.01%, but a research repository with vulnerability artifacts is referenced.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser handler. EPSS is very low (0.02%, 4th percentile) and no public exploit identified at time of analysis, though a GitHub research repository documents the flaw. The CVSS 7.5 reflects high availability impact with no confidentiality or integrity compromise.
Denial of service in the Tenda O3 Wireless Router (firmware v1.0.0.5(4180)) allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the ip parameter of the fromNetToolGet function. Publicly available exploit code exists in a GitHub research repository, though EPSS rates exploitation probability at only 0.02% and the issue is not on CISA KEV. Impact is limited to availability (the CVSS A:H, C:N, I:N profile), making this primarily a device-crash bug rather than a code-execution vector based on the reported analysis.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing a malicious wl_radio parameter to the formWifiRadioSet function. EPSS scoring (0.01%, 2nd percentile) indicates very low real-world exploitation probability, and no public exploit identified at time of analysis beyond a research repository referencing the vulnerable function.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that overflows the portalAuth parameter handled by the formPortalAuth function. No public exploit is identified at time of analysis and EPSS exploitation probability is very low (0.01%), but a public proof-of-concept research repository on GitHub references the vulnerable function.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. EPSS is extremely low at 0.02% and no public exploit identified at time of analysis beyond a research repository, though the affected component is the web administration interface of a SOHO/SMB router.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote attackers to crash the device by sending a crafted HTTP request that triggers a buffer overflow in the webAuthWhiteID parameter of the formModifyWebAuthWhiteUser function. No public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%), but the network-reachable attack surface on a customer-premises router warrants timely mitigation. The flaw is limited to availability impact per the CVSS vector, with no confidentiality or integrity consequences claimed.
Denial of service in Tenda W15E v15.11.0.10 routers can be triggered by remote unauthenticated attackers sending a crafted HTTP request that overflows the gotoUrl parameter in the formPortalAuth function. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and at the time of analysis no public exploit identified at time of analysis though a proof-of-concept research repository is referenced. EPSS is very low (0.02%, 4th percentile), suggesting limited real-world exploitation interest despite the network-reachable attack surface.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing an oversized hostname parameter to the formSetNetCheckTools handler. The classic stack buffer overflow (CWE-120) currently shows no public exploit identified at time of analysis and a very low EPSS score of 0.01%, but the network-reachable management interface makes any exposed device trivially disruptable.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that overflows a buffer in the wewifiWhiteUserInfo parameter handled by the formAddWewifiWhiteUser function. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function, and EPSS is very low (0.02%, 4th percentile).
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picCropName parameter to the formCropAndSetWewifiPic handler. The flaw is a classic stack buffer overflow in the web management interface, and while no public weaponized exploit is identified, proof-of-concept research artifacts are published on GitHub. EPSS scores exploitation probability at just 0.01%, reflecting limited attacker interest despite trivial reachability.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Denial of service in Tenda O3v3 firmware v1.0.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formSetCfm handler. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but the network-reachable, no-authentication attack surface on a CPE/router device makes this relevant for exposed deployments.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.