Buffer Overflow
Monthly
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request containing an oversized macAddr parameter to the formDelStaState handler. The flaw is a stack-based buffer overflow with high availability impact and no confidentiality/integrity loss per CVSS, and no public exploit identified at time of analysis beyond a research repository on GitHub.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. No public exploit identified at time of analysis, though a research repository documenting the flaw is referenced. The CVSS 7.5 (High) score reflects pure availability impact with no confidentiality or integrity loss.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picName parameter to the formDelwebAuthPic handler. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at just 0.02% (4th percentile), but the affected SOHO/SMB router class is a frequent target once weaponized PoCs emerge.
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 allows remote unauthenticated attackers to crash the server by submitting untrusted XML content processed by the mod_xml2enc module's xml2StartParse function. The flaw is a CWE-122 heap-based buffer overflow with a CVSS 7.5 score reflecting high availability impact only, and no public exploit has been identified at time of analysis.
Buffer over-read in Apache HTTP Server 2.4.0 through 2.4.67 allows remote attackers to trigger memory disclosure or limited integrity and availability impact via outbound OCSP requests sent to an attacker-controlled OCSP responder. The flaw stems from improper bounds handling (CWE-126) when parsing OCSP response data, and currently shows no public exploit identified at time of analysis despite a CVSS 7.3 rating reflecting unauthenticated network reachability with low complexity.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 stems from a heap buffer overflow in the mod_proxy_html output filter, where a malicious or compromised backend can return crafted HTML that corrupts memory in the proxying httpd worker. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) reflects unauthenticated network exploitation with availability-only impact, and no public exploit was identified at time of analysis.
Out-of-bounds read in Apache HTTP Server 2.4.0 through 2.4.67 arises from an interaction between mod_headers, mod_mime, and multi-language content negotiation, allowing unauthenticated remote attackers to trigger memory reads beyond allocated buffer boundaries. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) confirms low-complexity, unauthenticated network exploitation yielding limited confidentiality and integrity impact with no availability consequence. No active exploitation confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from a heap-based buffer overflow triggered when the server processes responses from a malicious backend while ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives are in use. Remote attackers controlling or compromising an upstream backend can crash the front-end Apache process, impacting availability of the reverse proxy without affecting confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Kernel heap memory corruption in Imagination Technologies Graphics DDK allows a non-privileged local user to crash or destabilize the kernel by issuing crafted GPU system calls. The flaw affects Graphics DDK 24.2 RTM, 25.1 RTM through 25.3 RTM, and 26.1 RTM, and impacts any device shipping the affected PowerVR/IMG GPU driver stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 ONT/router devices (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory by manipulating the funckey_transfer parameter sent to the /boaform/voip_other_set endpoint handled by the asp_voip_OtherSet function. Publicly available exploit code exists via a dedicated GitHub proof-of-concept repository, and the flaw scores CVSS 4.0 8.7 with full confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV at time of analysis, but exposure of the Web Management Interface to untrusted networks materially raises real-world risk.
Denial of service in Tenda AC1206 routers (firmware v15.03.06.23) is triggered by stack-based buffer overflows in the fromGstDhcpSetSer function reachable through the username and password parameters of a crafted HTTP request. Remote attackers with network reach to the device's web management interface can crash the service without authentication, and no public exploit identified at time of analysis although proof-of-concept research material is hosted on GitHub.
Denial of service in Tenda FH451 router firmware V1.0.0.9 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the list1 parameter of the fromDhcpListClient function. Publicly available exploit code exists in a GitHub research repository, though the vulnerability is not listed in CISA KEV and no EPSS score has been published at time of analysis. Impact is limited to availability - no confidentiality or integrity loss is indicated.
Remote denial of service in Comodo Internet Security's Inspect.sys firewall driver lets an unauthenticated attacker crash any Windows host running the product by sending a single crafted IPv6 packet, even when all ports are blocked at the firewall. The flaw is an integer underflow (CWE-191) in IPv6 extension-header parsing that occurs before firewall rule enforcement, producing an out-of-bounds read and an oversized memcpy at DISPATCH_LEVEL and an immediate BSOD. Publicly available exploit code exists, published alongside MalwareTech's technical writeup and a working PoC named ComoDoS.
Stack-based buffer overflow in JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 allows authenticated remote attackers to corrupt memory via the set_macfilter function in /sbin/jdcweb_rpc, potentially achieving arbitrary code execution on the router. Publicly available exploit code exists (archive hosted on cdn2.v50to.cc), increasing the likelihood of opportunistic abuse against exposed devices. The vendor did not respond to coordinated disclosure, so no fix is currently confirmed.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.
Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.
Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.
Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, which is then written up to 256 MB of attacker-controlled data. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit identified at time of analysis.
Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.
Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler `__glXDisp_ChangeDrawableAttributes()` allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds heap write in X.Org X server and Xwayland DRI2 buffer handling allows a local authenticated client to corrupt server memory by requesting multiple DRI2BufferBackLeft attachments alongside one DRI2BufferFrontLeft. Successful exploitation crashes the display server or, when the X server runs setuid root (a still-common legacy deployment), enables local privilege escalation to root. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.
Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.
Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).
Out-of-bounds memory access in Samsung Android USB Driver for Windows (all versions prior to 1.9.5.0) allows a local attacker without elevated privileges to corrupt or read memory beyond allocated bounds, resulting in high availability impact and low integrity impact on the affected Windows host. Samsung has released version 1.9.5.0 as the corrective patch, documented under EUVD-2026-34810. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis, though the CVSS 4.0 AT:P modifier signals a required target-specific condition that narrows exploitability.
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.
Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.
Out-of-bounds memory access in Google Chrome's LiveCaption component prior to version 149.0.7827.53 allows a remote attacker to read beyond allocated buffers by delivering crafted network traffic to a user with the feature in use. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, though Google's Chromium tracker rated severity Low while NVD's CVSS scored it 8.8 High - a notable disparity worth weighing when prioritizing.
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.
Sandbox escape in Google Chrome's GPU process prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers an integer overflow. The flaw, tagged as a buffer overflow with information disclosure potential, requires user interaction and a chained renderer compromise, and no public exploit has been identified at time of analysis despite Chromium rating the underlying severity as Low.
Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.
Out-of-bounds memory access in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to read or corrupt memory by luring a user to a crafted HTML page. The flaw carries a CVSS 8.8 rating due to high impact on confidentiality, integrity, and availability, though Chromium rates the security severity as Medium and EPSS is very low (0.03%). No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.
Out-of-bounds write in the V8 JavaScript engine of Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to execute arbitrary code within the sandbox via a crafted HTML page. The flaw requires user interaction (visiting a malicious page) and prior renderer compromise, and no public exploit identified at time of analysis. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though Google classifies the Chromium severity as Medium.
Out-of-bounds read in the Input component of Google Chrome on Linux (all versions prior to 149.0.7827.53) exposes potentially sensitive process memory to remote attackers. Exploitation requires delivering a crafted HTML page and inducing a Linux user to visit it (CVSS UI:R), after which the browser's Input handler reads beyond allocated buffer bounds, leaking in-memory data. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (11th percentile) indicating low current exploitation probability, and there is no CISA KEV listing - though the High confidentiality impact (C:H) warrants timely patching given Chrome's broad deployment on Linux.
Out-of-bounds heap read in Google Chrome's Extensions component on Linux exposes sensitive process memory to a malicious extension author. Affected versions are Chrome on Linux prior to 149.0.7827.53; Windows and macOS are not listed as affected. Exploitation requires convincing a target user to install a crafted malicious extension, limiting exposure compared to the CVSS 6.5 score implies - no public exploit identified at time of analysis, and EPSS of 0.01% (1st percentile) reflects low current exploitation probability.
Out-of-bounds read in the Chromecast component of Google Chrome prior to version 149.0.7827.53 enables a remote attacker - who has already compromised the renderer process - to leak potentially sensitive data from process memory by delivering a crafted HTML page. This is a chained vulnerability: exploitation is conditional on a prior renderer compromise, making it a second-stage information-disclosure step rather than a standalone attack. No public exploit code has been identified and EPSS probability stands at 0.05% (15th percentile), consistent with a medium-severity, constrained attack path. Google has released a fix in stable channel 149.0.7827.53.
Heap corruption in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the Skia graphics library that can be triggered by a crafted HTML page. Remote attackers can lure a victim to a malicious web page to potentially achieve arbitrary code execution within the renderer process. No public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.03% (11th percentile), though Chrome rendering bugs historically attract exploit development.
Out-of-bounds memory read in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to leak adjacent memory contents when a victim visits a crafted HTML page. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.03%, but the CVSS 8.1 score reflects the user-interaction-only barrier combined with high confidentiality and availability impact. Google has shipped a stable-channel fix and Chromium rates the underlying severity as Medium.
Out-of-bounds read in the WebRTC component of Google Chrome prior to 149.0.7827.53 exposes potentially sensitive process memory contents to remote attackers. Exploitation requires no authentication (CVSS PR:N) but does require user interaction - a victim must visit a specially crafted HTML page (CVSS UI:R). The confidentiality impact is rated High (C:H) with no integrity or availability consequence, meaning a successful attack leaks memory contents rather than enabling code execution. No public exploit identified at time of analysis, and EPSS at 0.03% (10th percentile) reflects low observed exploitation probability.
Out-of-bounds memory read in the Dawn WebGPU implementation of Google Chrome prior to 149.0.7827.53 allows a remote attacker to access memory outside intended bounds via a crafted HTML page. Exploitation requires the victim to visit an attacker-controlled page, and no public exploit identified at time of analysis. Google rates the Chromium-internal severity as Medium, while NVD assigns CVSS 8.8 reflecting the broad impact on confidentiality, integrity, and availability if successfully triggered.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw stems from an integer overflow (CWE-472) in ANGLE and requires user interaction (visiting a malicious page) plus a prior renderer compromise to chain into full sandbox escape. No public exploit identified at time of analysis, and EPSS is very low (0.03%), but Google rates the underlying issue as Medium severity within Chromium.
Out-of-bounds memory access in Google Chrome on Android before version 149.0.7827.53 allows remote attackers to corrupt GPU process memory by luring a user to a crafted HTML page that triggers an integer overflow. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, but EPSS is only 0.03% and no public exploit identified at time of analysis, suggesting low near-term mass-exploitation likelihood despite the severity of the underlying bug class.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a bad cast in the Dawn WebGPU implementation. The flaw carries a CVSS 8.8 rating with user interaction required (visiting a malicious page), and no public exploit has been identified at time of analysis despite Google rating the underlying Chromium severity as Medium. The vendor has released a patched stable channel build addressing this issue alongside other fixes.
Out-of-bounds read in Chrome's V8 JavaScript engine (versions prior to 149.0.7827.53) exposes sensitive process memory to remote attackers who can lure a victim to a crafted HTML page. The CVSS vector (PR:N/UI:R/C:H) confirms unauthenticated remote triggering with high confidentiality impact, though exploitation requires one click of user interaction. No public exploit identified at time of analysis, and EPSS sits at the 11th percentile (0.03%), suggesting low observed exploitation pressure despite the medium-severity classification.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a type confusion bug in the ANGLE graphics translation layer that a remote attacker can trigger via a crafted HTML page. Despite a CVSS of 9.6 and a vendor-released patch, EPSS is only 0.03% and no public exploit identified at time of analysis, though Chromium-rated Medium browser bugs are routinely targeted once details are public.
Out-of-bounds read in ANGLE (Google's graphics abstraction layer) within Chrome on Linux exposes sensitive process memory to remote attackers via a crafted HTML page. All Chrome for Linux versions prior to 149.0.7827.53 are affected; Windows and macOS are not in scope. The CVSS vector confirms unauthenticated remote exploitability at low complexity, though user interaction is required, and no public exploit has been identified at time of analysis - EPSS at 0.03% (11th percentile) signals minimal current exploitation pressure.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds write in ANGLE triggered by a crafted HTML page. The flaw carries a high CVSS of 9.6 due to scope change and full CIA impact, though no public exploit has been identified and EPSS exploitation probability remains very low at 0.03%.
Out-of-bounds write in Google Chrome's media Codecs component prior to version 149.0.7827.53 allows a remote attacker to potentially escape the renderer sandbox via a crafted video file. Successful exploitation requires the victim to load attacker-controlled video content, but the resulting scope change (S:C) means the attacker can break out of Chrome's renderer sandbox and impact resources beyond it. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but the high CVSS reflects the severe impact of a successful sandbox escape.
Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.
Out-of-bounds memory read in the WebGPU component of Google Chrome before 149.0.7827.53 allows a remote attacker to read memory outside intended buffer boundaries when a victim visits a crafted HTML page. The flaw carries a CVSS 8.1 score due to network reachability and high confidentiality/availability impact, but EPSS sits at 0.03% and SSVC reports no observed exploitation, so the practical risk is currently low despite the high CVSS. No public exploit identified at time of analysis.
Out-of-bounds read in Chrome's Dawn WebGPU subsystem (versions prior to 149.0.7827.53) allows unauthenticated remote attackers to read arbitrary memory contents by tricking a user into visiting a crafted HTML page. The vulnerability carries a CVSS 6.5 (Medium) with high confidentiality impact and no integrity or availability impact, indicating targeted data-disclosure potential rather than code execution. EPSS is 0.03% (11th percentile) and the vulnerability is not listed in the CISA KEV catalog - no public exploit has been identified at time of analysis.
Out-of-bounds read in Chrome's ANGLE graphics layer on Windows exposes sensitive process memory to an attacker who has already achieved renderer compromise. Affected are all Chrome for Windows installations prior to 149.0.7827.53; macOS, Linux, Android, and iOS are not in scope per available data. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' jointly indicate this is a low-priority real-world threat, functioning primarily as a post-exploitation information-disclosure step in a multi-stage browser attack chain rather than a standalone critical vulnerability.
Out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome prior to 149.0.7827.53 enables an attacker who has already compromised the renderer process to leak potentially sensitive data from process memory via a crafted HTML page. The CVSS vector (AC:H, UI:R) reflects a two-stage exploitation requirement: the attacker must first achieve renderer compromise through a separate vulnerability, then chain this ANGLE flaw as a second-stage information disclosure primitive. No public exploit code has been identified and EPSS sits at 0.03% (11th percentile), indicating low real-world exploitation probability at time of analysis.
Out-of-bounds memory read in Chrome's Media component allows a local-network-adjacent attacker to leak partial memory contents via specially crafted network traffic. Affects all Chrome releases prior to 149.0.7827.53 on desktop platforms, as confirmed by Google's stable channel advisory. No public exploit code exists and no active exploitation has been identified; SSVC assessment rates technical impact as partial with exploitation status none, placing this in a lower-priority remediation tier despite the unauthenticated vector.
Heap corruption in Google Chrome's TabStrip component before 149.0.7827.53 lets a remote attacker who can lure a user into specific UI interactions on a malicious HTML page trigger memory corruption with high impact to confidentiality, integrity, and availability. The flaw carries a CVSS 8.8 due to network reachability and lack of authentication, though user interaction is required; there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Heap-based buffer overflow in the Skia graphics rendering library within Google Chrome versions prior to 149.0.7827.53 enables remote attackers to read sensitive data from renderer process memory. Exploitation requires no authentication (PR:N) but does require user interaction - a victim must visit a specially crafted HTML page - and yields high confidentiality impact (C:H) with no integrity or availability impact per the CVSS vector. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates very low current exploitation probability; CISA KEV active exploitation status is not confirmed.
Heap corruption in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a user visits a crafted HTML page and performs specific UI interactions. The flaw is rated High severity by Chromium and CVSS 8.8, though no public exploit identified at time of analysis and EPSS scoring places near-term mass exploitation probability at 0.03%. A vendor patch is already available through the Stable Channel update.
Cross-origin data leakage in Google Chrome's Skia graphics library prior to version 149.0.7827.53 enables unauthenticated remote attackers to read out-of-bounds memory and exfiltrate data from foreign origins via a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no privileges required, though a victim must visit an attacker-controlled page to trigger the read. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) suggests limited exploitation activity; however, same-origin policy bypass in a mainstream browser is a meaningful web security concern warranting prompt patching.
Out-of-bounds read in ANGLE (Chrome's graphics abstraction layer) affects all Google Chrome versions prior to 149.0.7827.53, enabling remote information disclosure from process memory. An unauthenticated remote attacker can trigger the memory leak by inducing a victim to visit a crafted HTML page - no privileges are required on the attacker's side, though user interaction is necessary. No public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile), indicating low current exploitation probability despite Google's 'High' Chromium severity rating.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a heap buffer overflow in the Video component, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.3 score reflects the scope change (S:C) that occurs when sandbox boundaries are crossed, though the attack requires high complexity and user interaction.
Heap buffer overflow in the Media component of Google Chrome before 149.0.7827.53 enables remote attackers to achieve arbitrary code execution within the renderer sandbox after luring a user to a crafted HTML page and tricking them into performing specific UI gestures. Google rates the underlying Chromium issue as High severity, and while publicly available exploit code exists is not confirmed, vendor patches have been released through the Stable channel update. No active exploitation has been reported via CISA KEV at time of analysis.
Out-of-bounds memory access in the Skia graphics library shipped with Google Chrome before 149.0.7827.53 allows a remote attacker to execute arbitrary code within Chrome's renderer sandbox when a victim visits a malicious page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Out-of-bounds memory read in Google Chrome's ANGLE graphics layer on macOS versions prior to 149.0.7827.53 allows remote attackers to disclose memory contents or crash the renderer by enticing a user to visit a crafted HTML page. Google rates the underlying Chromium issue as High severity, and while no public exploit is identified at time of analysis, the EPSS score of 0.03% suggests low near-term mass exploitation likelihood. The flaw requires user interaction (visiting a page) but no authentication, making drive-by web attacks the realistic threat model.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request containing an oversized macAddr parameter to the formDelStaState handler. The flaw is a stack-based buffer overflow with high availability impact and no confidentiality/integrity loss per CVSS, and no public exploit identified at time of analysis beyond a research repository on GitHub.
An issue was discovered in Malwarebytes 4.x and 5.x (and Nebula 2020-10-21 and later). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. No public exploit identified at time of analysis, though a research repository documenting the flaw is referenced. The CVSS 7.5 (High) score reflects pure availability impact with no confidentiality or integrity loss.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request with an oversized picName parameter to the formDelwebAuthPic handler. No public exploit identified at time of analysis, and EPSS rates real-world exploitation probability at just 0.02% (4th percentile), but the affected SOHO/SMB router class is a frequent target once weaponized PoCs emerge.
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Out-of-bounds array write in the Linux kernel's ath5k wireless driver allows a stray write of a -1 sentinel value into adjacent struct memory when ts_final_idx reaches 3 on Atheros 5212 chipsets. The kernel maintainers and the original reporter explicitly describe the impact as negligible, as the only field overwritten is info->status.ack_signal, with no public exploit identified at time of analysis and an EPSS score of 0.02% (7th percentile).
Out-of-bounds kernel memory write in the Linux kernel device-mapper ioctl subsystem (dm-ioctl) affects the retrieve_status function, where an unchecked align_ptr() call on the output pointer can advance it past the end of the caller-supplied buffer, causing a wrapped-around 'remaining' length calculation and subsequent overflow writes. Exploitation requires local privileges to issue device-mapper ioctls (root/CAP_SYS_ADMIN), and there is no public exploit identified at time of analysis; EPSS is negligible at 0.03% (9th percentile). The upstream maintainers explicitly note the flaw has no practical security impact because only root can trigger it and standard libraries (libdevmapper, devicemapper-rs) use 8-byte-aligned buffers that never overshoot.
Out-of-bounds memory access in the Linux kernel's Microchip PolarFire SoC clock conditioning circuit driver (clk-mpfs-ccc) occurs during registration of the final clock outputs, because the driver's hws array is sized only for two PLLs and their four dividers while the defined clock IDs also enumerate two unsupported DLLs and their outputs. On affected Microchip PolarFire SoC hardware this leads to reads past the allocated array (flagged by UBSAN), enabling information disclosure or a kernel crash. There is no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%).
Array out-of-bounds read in the Linux kernel's Qualcomm Light Pulse Generator (qcom-lpg) LED driver allows a local low-privileged user to crash the kernel via denial of service on affected Qualcomm SoC-based systems. The flaw stems from using FIELD_GET() to extract a 3-bit register value (range 0-7) as an index into an array with only 5 elements, enabling reads beyond array bounds and subsequent hardware misconfiguration or kernel panic. No public exploit has been identified and EPSS stands at the 5th percentile, placing this firmly in lower-priority triage despite the technically High availability impact per CVSS.
Out-of-bounds write in the Linux kernel's vmalloc subsystem (vrealloc_node_align()) lets a local low-privileged actor trigger heap memory corruption when a vmalloc-backed object is shrunk while also forcing reallocation for NUMA-node or alignment reasons. Introduced by commit 4c5d3365882d in the 6.18 development series and carried into stable trees, the flaw causes the code to memcpy the old (larger) size into a smaller new buffer. There is no public exploit identified at time of analysis and EPSS is very low (0.02%), reflecting a subsystem-internal bug rather than a broadly reachable network attack surface.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 allows remote unauthenticated attackers to crash the server by submitting untrusted XML content processed by the mod_xml2enc module's xml2StartParse function. The flaw is a CWE-122 heap-based buffer overflow with a CVSS 7.5 score reflecting high availability impact only, and no public exploit has been identified at time of analysis.
Buffer over-read in Apache HTTP Server 2.4.0 through 2.4.67 allows remote attackers to trigger memory disclosure or limited integrity and availability impact via outbound OCSP requests sent to an attacker-controlled OCSP responder. The flaw stems from improper bounds handling (CWE-126) when parsing OCSP response data, and currently shows no public exploit identified at time of analysis despite a CVSS 7.3 rating reflecting unauthenticated network reachability with low complexity.
Denial of service in Apache HTTP Server 2.4.0 through 2.4.67 stems from a heap buffer overflow in the mod_proxy_html output filter, where a malicious or compromised backend can return crafted HTML that corrupts memory in the proxying httpd worker. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) reflects unauthenticated network exploitation with availability-only impact, and no public exploit was identified at time of analysis.
Out-of-bounds read in Apache HTTP Server 2.4.0 through 2.4.67 arises from an interaction between mod_headers, mod_mime, and multi-language content negotiation, allowing unauthenticated remote attackers to trigger memory reads beyond allocated buffer boundaries. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) confirms low-complexity, unauthenticated network exploitation yielding limited confidentiality and integrity impact with no availability consequence. No active exploitation confirmed in CISA KEV, and no public exploit code has been identified at time of analysis.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Denial of service in Apache HTTP Server versions 2.4.0 through 2.4.67 stems from a heap-based buffer overflow triggered when the server processes responses from a malicious backend while ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directives are in use. Remote attackers controlling or compromising an upstream backend can crash the front-end Apache process, impacting availability of the reverse proxy without affecting confidentiality or integrity. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Kernel heap memory corruption in Imagination Technologies Graphics DDK allows a non-privileged local user to crash or destabilize the kernel by issuing crafted GPU system calls. The flaw affects Graphics DDK 24.2 RTM, 25.1 RTM through 25.3 RTM, and 26.1 RTM, and impacts any device shipping the affected PowerVR/IMG GPU driver stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Stack buffer overflow in UTT HiPER 2610G routers (firmware through 3.0.0-171107) allows authenticated remote attackers to corrupt memory by submitting an oversized GroupName parameter to the /goform/formConfigDnsFilterGlobal endpoint, which passes the input to an unsafe strcpy call. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), and successful exploitation can compromise confidentiality, integrity, and availability of the device - typically meaning router takeover or denial of service. The issue is not listed in CISA KEV, so it is not confirmed actively exploited at this time.
Buffer overflow in UTT HiPER 2610G firmware (up to 3.0.0-171107) enables an authenticated, adjacent-network attacker to corrupt memory via an unsafe strcpy call in the web management NAT static mapping form handler. By supplying an oversized NatBinds argument to /goform/formNatStaticMap, an attacker can achieve low-level impacts across confidentiality, integrity, and availability on the targeted device. No KEV listing is present, but a public proof-of-concept is confirmed on GitHub, materially lowering the exploitation barrier for any attacker already on the local network.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 ONT/router devices (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory by manipulating the funckey_transfer parameter sent to the /boaform/voip_other_set endpoint handled by the asp_voip_OtherSet function. Publicly available exploit code exists via a dedicated GitHub proof-of-concept repository, and the flaw scores CVSS 4.0 8.7 with full confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV at time of analysis, but exposure of the Web Management Interface to untrusted networks materially raises real-world risk.
Denial of service in Tenda AC1206 routers (firmware v15.03.06.23) is triggered by stack-based buffer overflows in the fromGstDhcpSetSer function reachable through the username and password parameters of a crafted HTTP request. Remote attackers with network reach to the device's web management interface can crash the service without authentication, and no public exploit identified at time of analysis although proof-of-concept research material is hosted on GitHub.
Denial of service in Tenda FH451 router firmware V1.0.0.9 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the list1 parameter of the fromDhcpListClient function. Publicly available exploit code exists in a GitHub research repository, though the vulnerability is not listed in CISA KEV and no EPSS score has been published at time of analysis. Impact is limited to availability - no confidentiality or integrity loss is indicated.
Remote denial of service in Comodo Internet Security's Inspect.sys firewall driver lets an unauthenticated attacker crash any Windows host running the product by sending a single crafted IPv6 packet, even when all ports are blocked at the firewall. The flaw is an integer underflow (CWE-191) in IPv6 extension-header parsing that occurs before firewall rule enforcement, producing an out-of-bounds read and an oversized memcpy at DISPATCH_LEVEL and an immediate BSOD. Publicly available exploit code exists, published alongside MalwareTech's technical writeup and a working PoC named ComoDoS.
Stack-based buffer overflow in JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 allows authenticated remote attackers to corrupt memory via the set_macfilter function in /sbin/jdcweb_rpc, potentially achieving arbitrary code execution on the router. Publicly available exploit code exists (archive hosted on cdn2.v50to.cc), increasing the likelihood of opportunistic abuse against exposed devices. The vendor did not respond to coordinated disclosure, so no fix is currently confirmed.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.
Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.
Heap buffer overflow in the Perl DBI module versions before 1.648 occurs when the preparse() function processes SQL statements containing 10 or more placeholder binders. The fixed-size buffer allocation (three characters per binder) is insufficient for multi-digit binder names like :p10 through :p99 (four chars) or :p100+ (five chars), enabling memory corruption. EPSS rates exploitation probability at only 0.02% (5th percentile) and no public exploit identified at time of analysis, but the upstream maintainer has shipped a fix expanding the allocation.
Remote code execution in 7-Zip versions 26.00 and earlier is achievable via a crafted NTFS image that triggers a heap buffer overflow in the archive handler, overwriting an adjacent C++ object's vtable pointer to hijack control flow. The flaw stems from an undefined-behavior shift in CInStream::GetCuSize() that under-allocates a buffer to just one byte, which is then written up to 256 MB of attacker-controlled data. Exploitation requires the victim to open or extract a malicious archive (UI:R), but the NTFS handler is enabled by default and is selected via signature matching regardless of file extension; no public exploit identified at time of analysis.
Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.
Out-of-bounds read in X.Org X server and Xwayland's GLX extension handler `__glXDisp_ChangeDrawableAttributes()` allows a local low-privileged user to disclose sensitive memory contents from the X server process. Faulty size validation permits reading a client-controlled number of bytes beyond the request buffer boundary, resulting in high confidentiality impact per CVSS. A secondary write path exists in the same function but is gated behind byte-swapped client support, which is disabled by default, substantially limiting its practical exposure. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds heap write in X.Org X server and Xwayland DRI2 buffer handling allows a local authenticated client to corrupt server memory by requesting multiple DRI2BufferBackLeft attachments alongside one DRI2BufferFrontLeft. Successful exploitation crashes the display server or, when the X server runs setuid root (a still-common legacy deployment), enables local privilege escalation to root. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.
Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.
Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).
Out-of-bounds memory access in Samsung Android USB Driver for Windows (all versions prior to 1.9.5.0) allows a local attacker without elevated privileges to corrupt or read memory beyond allocated bounds, resulting in high availability impact and low integrity impact on the affected Windows host. Samsung has released version 1.9.5.0 as the corrective patch, documented under EUVD-2026-34810. No public exploit code exists and the vulnerability is not listed in CISA KEV at time of analysis, though the CVSS 4.0 AT:P modifier signals a required target-specific condition that narrows exploitability.
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Remote unauthenticated code execution and denial-of-service in Morse Micro HaLowLink 2 (versions prior to 2.11.13) allows attackers within radio range to corrupt kernel memory via a malformed 802.11ah beacon frame. The flaw resides in the morse.ko HaLow Wi-Fi kernel driver, which processes broadcast beacons during passive scanning, requiring no authentication or user interaction. No public exploit identified at time of analysis, but SSVC rates the technical impact as total and the issue as automatable, and a vendor patch is available.
Remote code execution and kernel-level denial of service in Morse Micro HaLowLink 2 devices running software prior to 2.11.13 allows any attacker within 802.11ah radio range to corrupt kernel heap memory by broadcasting a malformed S1G Capabilities IE in a beacon or probe response frame. The flaw sits in the dot11ah.ko HaLow Wi-Fi driver and triggers during normal passive scanning, requiring no authentication, association, or user interaction. A vendor patch exists, but no public exploit identified at time of analysis and EPSS sits at 0.05% despite the CVSS 9.8 rating.
Out-of-bounds memory access in Google Chrome's LiveCaption component prior to version 149.0.7827.53 allows a remote attacker to read beyond allocated buffers by delivering crafted network traffic to a user with the feature in use. EPSS is very low (0.03%, 11th percentile) and there is no public exploit identified at time of analysis, though Google's Chromium tracker rated severity Low while NVD's CVSS scored it 8.8 High - a notable disparity worth weighing when prioritizing.
Integer overflow in Google Chrome's Fonts component (versions prior to 149.0.7827.53) enables remote attackers to read out-of-bounds process memory, potentially leaking sensitive in-memory data such as credentials or tokens. Exploitation is constrained by a mandatory user-interaction requirement - a victim must visit a specially crafted HTML page - and Chromium's own severity rating of Low tempers urgency relative to the NVD CVSS Medium score. No public exploit identified at time of analysis, and EPSS stands at 0.03% (11th percentile), indicating very low near-term exploitation probability.
Remote code execution in Google Chrome's DevTools component prior to version 149.0.7827.53 allows a remote attacker to execute arbitrary code within the browser sandbox by luring a user to a crafted HTML page. The flaw stems from an out-of-bounds read (CWE-125) and carries a CVSS 8.8 rating, though no public exploit has been identified at time of analysis and CISA SSVC marks exploitation status as 'none'. Code execution is confined to the renderer sandbox, requiring chaining with a sandbox escape for full system compromise.
Sandbox escape in Google Chrome's GPU process prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers an integer overflow. The flaw, tagged as a buffer overflow with information disclosure potential, requires user interaction and a chained renderer compromise, and no public exploit has been identified at time of analysis despite Chromium rating the underlying severity as Low.
Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.
Out-of-bounds memory access in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to read or corrupt memory by luring a user to a crafted HTML page. The flaw carries a CVSS 8.8 rating due to high impact on confidentiality, integrity, and availability, though Chromium rates the security severity as Medium and EPSS is very low (0.03%). No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Out-of-bounds read in Chrome's GWP-ASan memory safety subsystem (versions prior to 149.0.7827.53) enables a local attacker to disclose potentially sensitive contents from process memory by delivering a malicious file to the target. The vulnerability carries a CVSS 6.5 Medium score with high confidentiality impact but no integrity or availability impact, consistent with a pure information-disclosure class. No public exploit code has been identified at time of analysis, EPSS exploitation probability is extremely low at 0.01% (1st percentile), and SSVC assessment confirms no known active exploitation, collectively indicating a low near-term threat priority despite the notable confidentiality impact rating.
Out-of-bounds write in the V8 JavaScript engine of Google Chrome prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to execute arbitrary code within the sandbox via a crafted HTML page. The flaw requires user interaction (visiting a malicious page) and prior renderer compromise, and no public exploit identified at time of analysis. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though Google classifies the Chromium severity as Medium.
Out-of-bounds read in the Input component of Google Chrome on Linux (all versions prior to 149.0.7827.53) exposes potentially sensitive process memory to remote attackers. Exploitation requires delivering a crafted HTML page and inducing a Linux user to visit it (CVSS UI:R), after which the browser's Input handler reads beyond allocated buffer bounds, leaking in-memory data. No public exploit has been identified at time of analysis, EPSS sits at 0.03% (11th percentile) indicating low current exploitation probability, and there is no CISA KEV listing - though the High confidentiality impact (C:H) warrants timely patching given Chrome's broad deployment on Linux.
Out-of-bounds heap read in Google Chrome's Extensions component on Linux exposes sensitive process memory to a malicious extension author. Affected versions are Chrome on Linux prior to 149.0.7827.53; Windows and macOS are not listed as affected. Exploitation requires convincing a target user to install a crafted malicious extension, limiting exposure compared to the CVSS 6.5 score implies - no public exploit identified at time of analysis, and EPSS of 0.01% (1st percentile) reflects low current exploitation probability.
Out-of-bounds read in the Chromecast component of Google Chrome prior to version 149.0.7827.53 enables a remote attacker - who has already compromised the renderer process - to leak potentially sensitive data from process memory by delivering a crafted HTML page. This is a chained vulnerability: exploitation is conditional on a prior renderer compromise, making it a second-stage information-disclosure step rather than a standalone attack. No public exploit code has been identified and EPSS probability stands at 0.05% (15th percentile), consistent with a medium-severity, constrained attack path. Google has released a fix in stable channel 149.0.7827.53.
Heap corruption in Google Chrome versions prior to 149.0.7827.53 stems from an integer overflow in the Skia graphics library that can be triggered by a crafted HTML page. Remote attackers can lure a victim to a malicious web page to potentially achieve arbitrary code execution within the renderer process. No public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.03% (11th percentile), though Chrome rendering bugs historically attract exploit development.
Out-of-bounds memory read in the ANGLE graphics translation layer of Google Chrome before 149.0.7827.53 allows a remote attacker to leak adjacent memory contents when a victim visits a crafted HTML page. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.03%, but the CVSS 8.1 score reflects the user-interaction-only barrier combined with high confidentiality and availability impact. Google has shipped a stable-channel fix and Chromium rates the underlying severity as Medium.
Out-of-bounds read in the WebRTC component of Google Chrome prior to 149.0.7827.53 exposes potentially sensitive process memory contents to remote attackers. Exploitation requires no authentication (CVSS PR:N) but does require user interaction - a victim must visit a specially crafted HTML page (CVSS UI:R). The confidentiality impact is rated High (C:H) with no integrity or availability consequence, meaning a successful attack leaks memory contents rather than enabling code execution. No public exploit identified at time of analysis, and EPSS at 0.03% (10th percentile) reflects low observed exploitation probability.
Out-of-bounds memory read in the Dawn WebGPU implementation of Google Chrome prior to 149.0.7827.53 allows a remote attacker to access memory outside intended bounds via a crafted HTML page. Exploitation requires the victim to visit an attacker-controlled page, and no public exploit identified at time of analysis. Google rates the Chromium-internal severity as Medium, while NVD assigns CVSS 8.8 reflecting the broad impact on confidentiality, integrity, and availability if successfully triggered.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page. The flaw stems from an integer overflow (CWE-472) in ANGLE and requires user interaction (visiting a malicious page) plus a prior renderer compromise to chain into full sandbox escape. No public exploit identified at time of analysis, and EPSS is very low (0.03%), but Google rates the underlying issue as Medium severity within Chromium.
Out-of-bounds memory access in Google Chrome on Android before version 149.0.7827.53 allows remote attackers to corrupt GPU process memory by luring a user to a crafted HTML page that triggers an integer overflow. The flaw carries a CVSS 8.8 (high) rating with high confidentiality, integrity, and availability impact, but EPSS is only 0.03% and no public exploit identified at time of analysis, suggesting low near-term mass-exploitation likelihood despite the severity of the underlying bug class.
Remote code execution in Google Chrome versions prior to 149.0.7827.53 allows a remote attacker to execute arbitrary code within the renderer sandbox by serving a crafted HTML page that triggers a bad cast in the Dawn WebGPU implementation. The flaw carries a CVSS 8.8 rating with user interaction required (visiting a malicious page), and no public exploit has been identified at time of analysis despite Google rating the underlying Chromium severity as Medium. The vendor has released a patched stable channel build addressing this issue alongside other fixes.
Out-of-bounds read in Chrome's V8 JavaScript engine (versions prior to 149.0.7827.53) exposes sensitive process memory to remote attackers who can lure a victim to a crafted HTML page. The CVSS vector (PR:N/UI:R/C:H) confirms unauthenticated remote triggering with high confidentiality impact, though exploitation requires one click of user interaction. No public exploit identified at time of analysis, and EPSS sits at the 11th percentile (0.03%), suggesting low observed exploitation pressure despite the medium-severity classification.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a type confusion bug in the ANGLE graphics translation layer that a remote attacker can trigger via a crafted HTML page. Despite a CVSS of 9.6 and a vendor-released patch, EPSS is only 0.03% and no public exploit identified at time of analysis, though Chromium-rated Medium browser bugs are routinely targeted once details are public.
Out-of-bounds read in ANGLE (Google's graphics abstraction layer) within Chrome on Linux exposes sensitive process memory to remote attackers via a crafted HTML page. All Chrome for Linux versions prior to 149.0.7827.53 are affected; Windows and macOS are not in scope. The CVSS vector confirms unauthenticated remote exploitability at low complexity, though user interaction is required, and no public exploit has been identified at time of analysis - EPSS at 0.03% (11th percentile) signals minimal current exploitation pressure.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via an out-of-bounds write in ANGLE triggered by a crafted HTML page. The flaw carries a high CVSS of 9.6 due to scope change and full CIA impact, though no public exploit has been identified and EPSS exploitation probability remains very low at 0.03%.
Out-of-bounds write in Google Chrome's media Codecs component prior to version 149.0.7827.53 allows a remote attacker to potentially escape the renderer sandbox via a crafted video file. Successful exploitation requires the victim to load attacker-controlled video content, but the resulting scope change (S:C) means the attacker can break out of Chrome's renderer sandbox and impact resources beyond it. No public exploit has been identified at time of analysis and EPSS is very low (0.03%), but the high CVSS reflects the severe impact of a successful sandbox escape.
Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.
Out-of-bounds memory read in the WebGPU component of Google Chrome before 149.0.7827.53 allows a remote attacker to read memory outside intended buffer boundaries when a victim visits a crafted HTML page. The flaw carries a CVSS 8.1 score due to network reachability and high confidentiality/availability impact, but EPSS sits at 0.03% and SSVC reports no observed exploitation, so the practical risk is currently low despite the high CVSS. No public exploit identified at time of analysis.
Out-of-bounds read in Chrome's Dawn WebGPU subsystem (versions prior to 149.0.7827.53) allows unauthenticated remote attackers to read arbitrary memory contents by tricking a user into visiting a crafted HTML page. The vulnerability carries a CVSS 6.5 (Medium) with high confidentiality impact and no integrity or availability impact, indicating targeted data-disclosure potential rather than code execution. EPSS is 0.03% (11th percentile) and the vulnerability is not listed in the CISA KEV catalog - no public exploit has been identified at time of analysis.
Out-of-bounds read in Chrome's ANGLE graphics layer on Windows exposes sensitive process memory to an attacker who has already achieved renderer compromise. Affected are all Chrome for Windows installations prior to 149.0.7827.53; macOS, Linux, Android, and iOS are not in scope per available data. No public exploit code exists and no active exploitation is confirmed - EPSS at 0.03% (11th percentile) and SSVC exploitation status of 'none' jointly indicate this is a low-priority real-world threat, functioning primarily as a post-exploitation information-disclosure step in a multi-stage browser attack chain rather than a standalone critical vulnerability.
Out-of-bounds read in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome prior to 149.0.7827.53 enables an attacker who has already compromised the renderer process to leak potentially sensitive data from process memory via a crafted HTML page. The CVSS vector (AC:H, UI:R) reflects a two-stage exploitation requirement: the attacker must first achieve renderer compromise through a separate vulnerability, then chain this ANGLE flaw as a second-stage information disclosure primitive. No public exploit code has been identified and EPSS sits at 0.03% (11th percentile), indicating low real-world exploitation probability at time of analysis.
Out-of-bounds memory read in Chrome's Media component allows a local-network-adjacent attacker to leak partial memory contents via specially crafted network traffic. Affects all Chrome releases prior to 149.0.7827.53 on desktop platforms, as confirmed by Google's stable channel advisory. No public exploit code exists and no active exploitation has been identified; SSVC assessment rates technical impact as partial with exploitation status none, placing this in a lower-priority remediation tier despite the unauthenticated vector.
Heap corruption in Google Chrome's TabStrip component before 149.0.7827.53 lets a remote attacker who can lure a user into specific UI interactions on a malicious HTML page trigger memory corruption with high impact to confidentiality, integrity, and availability. The flaw carries a CVSS 8.8 due to network reachability and lack of authentication, though user interaction is required; there is no public exploit identified at time of analysis and EPSS is very low at 0.03%.
Heap-based buffer overflow in the Skia graphics rendering library within Google Chrome versions prior to 149.0.7827.53 enables remote attackers to read sensitive data from renderer process memory. Exploitation requires no authentication (PR:N) but does require user interaction - a victim must visit a specially crafted HTML page - and yields high confidentiality impact (C:H) with no integrity or availability impact per the CVSS vector. No public exploit has been identified at time of analysis, and the EPSS score of 0.03% (10th percentile) indicates very low current exploitation probability; CISA KEV active exploitation status is not confirmed.
Heap corruption in Google Chrome's V8 JavaScript engine prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution when a user visits a crafted HTML page and performs specific UI interactions. The flaw is rated High severity by Chromium and CVSS 8.8, though no public exploit identified at time of analysis and EPSS scoring places near-term mass exploitation probability at 0.03%. A vendor patch is already available through the Stable Channel update.
Cross-origin data leakage in Google Chrome's Skia graphics library prior to version 149.0.7827.53 enables unauthenticated remote attackers to read out-of-bounds memory and exfiltrate data from foreign origins via a crafted HTML page. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms high confidentiality impact with no privileges required, though a victim must visit an attacker-controlled page to trigger the read. No public exploit code has been identified at time of analysis, and the EPSS score of 0.03% (11th percentile) suggests limited exploitation activity; however, same-origin policy bypass in a mainstream browser is a meaningful web security concern warranting prompt patching.
Out-of-bounds read in ANGLE (Chrome's graphics abstraction layer) affects all Google Chrome versions prior to 149.0.7827.53, enabling remote information disclosure from process memory. An unauthenticated remote attacker can trigger the memory leak by inducing a victim to visit a crafted HTML page - no privileges are required on the attacker's side, though user interaction is necessary. No public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile), indicating low current exploitation probability despite Google's 'High' Chromium severity rating.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 stems from a heap buffer overflow in the Video component, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Chromium rates the severity as High and a vendor patch is available; no public exploit identified at time of analysis. The CVSS 8.3 score reflects the scope change (S:C) that occurs when sandbox boundaries are crossed, though the attack requires high complexity and user interaction.
Heap buffer overflow in the Media component of Google Chrome before 149.0.7827.53 enables remote attackers to achieve arbitrary code execution within the renderer sandbox after luring a user to a crafted HTML page and tricking them into performing specific UI gestures. Google rates the underlying Chromium issue as High severity, and while publicly available exploit code exists is not confirmed, vendor patches have been released through the Stable channel update. No active exploitation has been reported via CISA KEV at time of analysis.
Out-of-bounds memory access in the Skia graphics library shipped with Google Chrome before 149.0.7827.53 allows a remote attacker to execute arbitrary code within Chrome's renderer sandbox when a victim visits a malicious page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Out-of-bounds memory read in Google Chrome's ANGLE graphics layer on macOS versions prior to 149.0.7827.53 allows remote attackers to disclose memory contents or crash the renderer by enticing a user to visit a crafted HTML page. Google rates the underlying Chromium issue as High severity, and while no public exploit is identified at time of analysis, the EPSS score of 0.03% suggests low near-term mass exploitation likelihood. The flaw requires user interaction (visiting a page) but no authentication, making drive-by web attacks the realistic threat model.