Buffer Overflow
Monthly
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 can be achieved by remote attackers who have already compromised the renderer process, leveraging an out-of-bounds read in the Dawn WebGPU implementation via a crafted HTML page. Google rates this as High severity and a vendor patch is available, though no public exploit has been identified at time of analysis. The bug is part of a multi-stage exploitation chain rather than a single-step RCE, but successful chaining yields full escape from Chrome's renderer sandbox.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 lets a remote attacker who has already compromised the renderer process break out of the Chromium sandbox via a crafted HTML page that triggers an out-of-bounds write in Skia. Google rates the underlying Chromium issue High severity and a vendor patch is available, though no public exploit code has been identified at time of analysis.
Sandbox escape in Google Chrome's Chromecast component prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by the Chromium project with a CVSS of 8.3, the flaw requires a prior renderer compromise and user interaction, and no public exploit identified at time of analysis. Successful exploitation gives attackers code execution outside the renderer's restricted context, dramatically expanding impact on the host.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 is possible via an integer overflow in the Dawn WebGPU implementation, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox using a crafted HTML page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Out-of-bounds write in the ANGLE graphics layer of Google Chrome versions prior to 149.0.7827.53 enables remote attackers to trigger heap corruption and potentially execute arbitrary code by luring a victim to a crafted HTML page. Chromium rates the severity as High and CVSS 8.8 reflects the network attack vector with required user interaction. No public exploit identified at time of analysis, though the bug class (memory corruption in a browser-exposed component) is historically a prime target for weaponization.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.
Sandbox escape in Google Chrome for Android versions prior to 149.0.7827.53 stems from an out-of-bounds write in the GPU process that a remote attacker can trigger via a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile). The CVSS scope-changed vector (S:C) reflects the impact of breaking out of Chrome's sandbox to affect the broader Android OS context.
Out-of-bounds read in the ANGLE graphics layer of Google Chrome before 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. Chromium rates the underlying issue Critical severity, and while no public exploit has been identified at time of analysis, the bug is in a historically targeted attack surface (GPU/ANGLE) frequently abused in renderer-to-broker escape chains.
Heap corruption in Google Chrome's ANGLE graphics translation layer prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to visit a crafted HTML page. Chromium rates the severity as Critical and the CVSS score is 8.8 (High), but no public exploit identified at time of analysis. The flaw is a type confusion issue that maps to CWE-787 (out-of-bounds write), affecting the browser's WebGL/graphics rendering path.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to trigger an out-of-bounds read and write via a crafted HTML page, with a CVSS 9.6 reflecting scope change and high impact across confidentiality, integrity, and availability. The flaw was rated Critical internally by Chromium and reported by Google's own CVE admin team; no public exploit identified at time of analysis, and CISA SSVC currently lists exploitation status as none.
Out-of-bounds write/read in Zephyr RTOS (versions ≤ 4.3) affects the TLS socket connect path when the TLS session cache is enabled, where tls_session_store() and tls_session_restore() memcpy a caller-supplied socket address into a fixed-size 24-byte stack buffer using an unvalidated, caller-controlled addrlen. Because struct net_sockaddr is opaque, an application can pass an oversized addrlen (e.g. 128 bytes), corrupting adjacent memory and causing a crash/denial of service, with potential for arbitrary code execution. Publicly available exploit code exists per the SSVC 'poc' status, but EPSS is very low (0.06%, 18th percentile) and it is not on CISA KEV.
Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.
Incorrect native memory address resolution in Netty's Oblivious HTTP (OHTTP) BoringSSL JNI bridge allows unauthenticated remote attackers to corrupt memory belonging to concurrent connections and disclose the contents of adjacent pooled direct buffers - including HPKE encryption key material - on affected OHTTP gateways. The flaw exists in versions prior to 0.0.22.Final of netty-incubator-codec-ohttp and is only reachable when the JVM is configured to deny `sun.misc.Unsafe` access, causing the vulnerable fallback address-resolution path to activate. This directly undermines the confidentiality guarantees Oblivious HTTP is designed to provide; no public exploit code exists and the vulnerability is not listed in the CISA KEV catalog (CVSS 4.0 E:U).
Mobatek MobaXterm 12.1 contains a structured exception handling (SEH) based buffer overflow vulnerability in the username field of session files that allows remote attackers to execute arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the Host IP field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Out-of-bounds write in Samsung's rlottie animation rendering library allows a crafted Lottie animation file to trigger integer truncation in the embedded FreeType rasterizer, causing memory corruption. All rlottie versions before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are affected, spanning any downstream product or platform embedding this library (including Samsung TV and appliance firmware). Exploitation requires local access and user interaction to render a malicious animation, with primary impact being high availability loss (crash/DoS) and limited integrity impact; no public exploit identified at time of analysis and no active exploitation confirmed.
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.
Out-of-bounds read in Samsung's rlottie rendering library prior to commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd allows a local attacker to crash the rendering process (high availability impact) or cause low-level integrity corruption by supplying a crafted Lottie animation file. Two distinct code paths are affected: signed integer overflow in FreeType raster bit-shift macros and a missing zero-stopCount guard in gradient color table generation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the wide embedding of rlottie in Samsung consumer devices (TVs, appliances) represents a meaningful aggregate exposure.
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 802.11ah radio range to disclose up to 9 bytes of kernel heap memory or trigger a kernel panic (DoS) by transmitting a crafted beacon or probe response frame containing a malformed Vendor Information Element. The morse.ko kernel driver function morse_vendor_find_vendor_ie() fails to validate IE body length against the expected structure size before downstream callers read at fixed offsets, requiring only that the IE length field exceed 3 bytes. No public exploit identified at time of analysis; EPSS places exploitation probability at 0.03% (8th percentile) with no CISA KEV listing, though the zero-prerequisite radio-range attack surface warrants prompt patching for HaLow-enabled deployments.
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.
Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). No public exploit identified at time of analysis, and EPSS data was not supplied for this advisory.
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE (advisory VDE-2026-039), indicating responsible disclosure rather than in-the-wild abuse.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.
Out-of-bounds write in openSeaChest v25.05.3's --showSupportedFormats command allows a high-privileged local attacker to corrupt one byte beyond an allocated buffer by presenting a maliciously crafted NVMe device with a bogus namespace FLBAS (Format LBA Size) value, forcing that byte to 1. Affected platforms include all systems supported by the toolkit. With a CVSS 4.0 score of 1.8, this is a minimal-severity issue requiring both high privileges and a specially crafted physical or emulated NVMe device; no public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds write in Seagate's openSeaChest v26.03.0 allows a high-privileged local user to write 16 bytes beyond the allocated memory buffer during a Trim/Unmap (SCSI UNMAP / ATA DSM) storage operation. The flaw is confined to the LBA range descriptor construction logic and produces limited observable impact - low confidentiality exposure to the local system and a secondary system, with no integrity or availability consequences per the CVSS 4.0 vector. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability; Seagate self-disclosed the issue, suggesting responsible internal discovery.
Out-of-bounds write and read in Seagate's openSeaChest v25.05.3 affects the --showSCSIDefects diagnostic command, allowing memory corruption when parsing abnormally large SCSI defect list responses. A high-privileged local operator running diagnostics against a physically degraded drive with an excessive defect count, or against a maliciously crafted SCSI device returning an oversized defect response, can trigger limited confidentiality, integrity, and availability impact on the diagnostic host. No public exploit and no active exploitation has been identified at time of analysis; this vulnerability was self-reported by Seagate with a CVSS 4.0 base score of 1.8, reflecting the severe exploitation constraints.
Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity.
Information disclosure in Mozilla Firefox prior to 151.0.3 allows remote attackers to read out-of-bounds memory via the Graphics: Text component when processing crafted content. The flaw stems from incorrect boundary conditions (CWE-119) in text rendering and can be triggered without user authentication, though no public exploit has been identified and EPSS scores it at just 0.02% likelihood of exploitation.
Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.
Buffer overflow in the UPnP DeletePortMapping() command of Zyxel VMG4005-B50B DSL/Ethernet CPE firmware (through 5.13(ABRL.5.4)C0) enables an unauthenticated adjacent-network attacker to crash the device's UPnP service. The impact is a temporary, recoverable denial-of-service confined to the UPnP function - availability is fully affected (A:H) while confidentiality and integrity remain unimpacted (C:N/I:N). No public exploit code or CISA KEV listing exists at time of analysis; the vulnerability was disclosed by Zyxel itself on 2026-06-02.
Buffer overflow in the UPnP AddPortMapping() command handler on Zyxel VMG4005-B50B DSL/Ethernet CPE devices allows adjacent unauthenticated attackers to crash the UPnP service, causing a temporary denial-of-service condition. Affected firmware versions run through 5.13(ABRL.5.4)C0, and the vulnerability was self-disclosed by Zyxel in a June 2026 advisory covering multiple CPE product lines. No public exploit code exists and this vulnerability has not been confirmed as actively exploited (not in CISA KEV).
Stack-based buffer overflow in Orthanc DICOM Server up to version 1.12.11 allows a local, low-privileged attacker to crash the server process, causing limited availability impact through the DCMTK parser's DcmItem::read function. The CVSS 4.0 score of 1.9 reflects heavily constrained exploitation conditions: local access only, low-privilege account required, and impact confined to availability with no confidentiality or integrity exposure. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation has been confirmed by CISA KEV.
Remote code execution in VIVOTEK FD8136 network camera (firmware VVTK-0300a) is possible via a stack-based buffer overflow in the set_getparam.cgi component, reachable over the network without authentication. CVSS 7.3 reflects partial CIA impact, but the presence of public vulnerability-research artifacts on GitHub indicates publicly available exploit code exists, while EPSS remains low at 0.05% (17th percentile) and the issue is not currently listed in CISA KEV.
Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable `motion_privacy.cgi` binary copies the `n1` parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.
Remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows authenticated attackers to gain root-level command execution by triggering a buffer overflow in the /cgi-bin/admin/eventtask.cgi admin endpoint. Publicly available exploit code exists in a GitHub research repository, though EPSS scoring (0.09%, 25th percentile) suggests low observed exploitation activity and the CVE is not listed in CISA KEV.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows unauthenticated remote attackers to disclose memory contents by sending crafted IPv4 packets with a manipulated IHL field to any monitored network interface. The parser in `src/simple_packet_parser_ng.cpp` validates only a 20-byte minimum buffer before blindly advancing a pointer by `4 * IHL` bytes, enabling a 40-byte over-read (IHL=15) or type confusion where TCP/UDP structures are parsed from raw IP header bytes (IHL 0-4). No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none, automatable: no) both signal low near-term exploitation probability.
Authenticated remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows attackers with valid admin-interface credentials to overflow a buffer in the /cgi-bin/dido/setdo.cgi endpoint and execute arbitrary code as root. No public exploit identified at time of analysis, though a vulnerability research repository on GitHub describes the issue, and EPSS estimates exploitation probability at 0.05% (17th percentile), suggesting low broad-scale exploitation interest despite the high CVSS 8.8 score.
Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer overflow that crosses a security boundary (scope changed) and compromises confidentiality, integrity, and availability of the device. The flaw is reported directly by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 8.8 with no public exploit identified at time of analysis. Strongbox is the hardware-backed keystore used to protect cryptographic material, so successful exploitation undermines a core trust component of Snapdragon-based mobile platforms.
Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox trusted execution component, where a missing bounds check enables memory corruption from a low-privileged context. A successful exploit crosses a trust boundary (CVSS scope=Changed) and yields high impact to confidentiality, integrity, and availability on the affected device. No public exploit identified at time of analysis, and EPSS data was not provided alongside this advisory.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a Time-of-Check to Time-of-Use (TOCTOU) race condition in shared buffer handling, where kernel-mode code reads user-mode input without re-validation after initial checks. A low-privileged local attacker can corrupt memory to gain full confidentiality, integrity, and availability impact on the affected device. No public exploit identified at time of analysis, and the issue is documented in the Qualcomm June 2026 security bulletin.
Local privilege escalation in Qualcomm Snapdragon platforms is possible through memory corruption when processing multiple IOCTL commands for escape operations. The flaw, reported by Qualcomm in its June 2026 security bulletin, affects Snapdragon graphics/driver components and can be triggered by a low-privileged local user to achieve high impact on confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during IOCTL escape operation processing, resulting in memory corruption. A local authenticated attacker with low privileges on an affected Snapdragon-based device can leverage the flaw to achieve high-impact compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot bootloader when processing commands that set the display mode allows a high-privileged local attacker with physical device access to corrupt memory and potentially execute code outside the bootloader's security context. The flaw, reported by Qualcomm and disclosed in their June 2026 security bulletin, affects Snapdragon platforms across the product line per the supplied CPE. No public exploit has been identified at the time of analysis, and the CVSS 7.2 score reflects the high privilege and physical access barriers that limit broad exploitation.
Memory corruption in Qualcomm Snapdragon fastboot bootloader processing allows a physically present attacker with high privileges to corrupt memory by submitting improperly formatted fastboot commands. The flaw carries a CVSS 7.2 score reflecting physical attack vector with scope change, and no public exploit identified at time of analysis. Disclosed in Qualcomm's June 2026 security bulletin, it affects Snapdragon platforms exposed during device provisioning, recovery, or firmware-flash workflows.
Memory corruption in Qualcomm Snapdragon fastboot bootloader handling allows a privileged local attacker with physical access to corrupt memory by issuing malformed fastboot commands, with scope change (CVSS S:C) indicating impact extends beyond the bootloader's security boundary. The flaw was disclosed by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 7.2 (High). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot OEM command handling allows a local attacker with high privileges and physical access to compromise device confidentiality, integrity, and availability. The CVSS 7.2 score reflects the physical attack vector (AV:P) offset by high impact and scope change, and no public exploit identified at time of analysis. Disclosure originates from Qualcomm's June 2026 security bulletin.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a stack-based memory corruption triggered while processing display command line information with an uninitialized variable. With CVSS 7.2 and a physical attack vector requiring high privileges, the flaw allows a privileged local attacker to corrupt memory and impact confidentiality, integrity, and availability across a changed security scope. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon platforms allows a locally privileged attacker to trigger an out-of-bounds write by issuing a random number generator (RNG) command paired with an undersized output buffer, yielding complete confidentiality, integrity, and availability impact. The vulnerability requires local access and high privileges (CVSS:3.1/AV:L/AC:L/PR:H), placing the base score at 6.7 (Medium) despite the high C/I/A ratings. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack-based buffer overflow in Qualcomm Snapdragon corrupts memory during a data copy operation when the output buffer is sized smaller than the input buffer, enabling a high-privileged local attacker to achieve full compromise of confidentiality, integrity, and availability on affected devices. Rooted in CWE-121, this vulnerability can allow control-flow hijacking via stack memory overwrite on Snapdragon-based platforms. No public exploit identified at time of analysis and no CISA KEV listing, but the high-impact triad (C:H/I:H/A:H) warrants prompt patching in environments where privileged access is shared or contested.
Stack-based buffer overflow in Qualcomm Snapdragon Windows drivers allows a locally authenticated high-privilege attacker to cause memory corruption by sending a malformed trusted application request. The vulnerability affects Snapdragon-based systems running Windows drivers and can result in complete compromise of confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Memory corruption via out-of-bounds write in Qualcomm Snapdragon diagnostic services allows a local, highly-privileged attacker to achieve high-impact compromise of confidentiality, integrity, and availability. The root cause is absent input validation in the diagnostic services component, enabling a crafted payload to corrupt memory. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon affects the IOCTL request processing path, exploitable by a local attacker with high privileges who can win a race condition between API version validation and user-space buffer consumption. Successful exploitation yields high-impact confidentiality, integrity, and availability compromise despite the moderate overall CVSS score of 6.4, which is suppressed by the high attack complexity and privilege requirements. No public exploit code and no CISA KEV listing have been identified at time of analysis, limiting immediate widespread risk.
Qualcomm Snapdragon chipsets improperly parse 802.11 advertisement frames containing malformed MBSSID (Multiple BSSID) elements of insufficient length, triggering a buffer over-read that discloses memory contents to an attacker. The CVSS vector (AV:N/AC:H/PR:L/UI:R/S:C) indicates network-reachable exploitation with changed scope, meaning the impact crosses beyond the Wi-Fi subsystem into adjacent components. No public exploit identified at time of analysis, and no CISA KEV listing exists; Qualcomm addressed this in their June 2026 Security Bulletin.
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged local access to corrupt memory during secure data initialization, leading to high impact on confidentiality, integrity, and availability. The flaw is traceable to a NULL pointer dereference (CWE-476) reachable when heap memory is exhausted, and is addressed in the Qualcomm June 2026 security bulletin. No public exploit identified at time of analysis, and EPSS data was not provided.
Local privilege escalation via memory corruption in Qualcomm Snapdragon platform components allows an authenticated low-privileged local attacker to corrupt memory by supplying device identifier strings exceeding the expected maximum length. The CVSS 7.8 (AV:L/AC:L/PR:L) profile combined with CWE-787 out-of-bounds write indicates a classic stack/heap overflow path that can be leveraged for code execution with full confidentiality, integrity, and availability impact on affected devices. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local memory corruption in Qualcomm Snapdragon platforms (CVE-2025-59604) allows a low-privileged local attacker to trigger invalid memory writes via a null pointer condition during a memory copy operation, resulting in high confidentiality, integrity, and availability impact (CVSS 7.8). The flaw is disclosed in the Qualcomm June 2026 security bulletin with no public exploit identified at time of analysis and no CISA KEV listing. While CWE-476 (null pointer dereference) typically yields denial of service, the vendor's CIA:H scoring indicates the invalid writes may be steerable into broader corruption beyond a simple crash.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware up to 2.5.3-170306) allows authenticated remote attackers to corrupt memory via the Profile parameter in the /goform/formFireWall endpoint, where unsafe strcpy usage processes the input. Publicly available exploit code exists, increasing the realistic risk of attempted compromise against exposed management interfaces. No CISA KEV listing has been published, so exploitation is not yet confirmed active in the wild.
Local privilege escalation in Google Android 16 and 16-qpr2 allows an attacker with low-privilege code execution on the device to gain elevated privileges by exploiting an incorrect bounds check that causes a desync in persistence logic across multiple functions. Categorized as CWE-120 buffer overflow with high confidentiality, integrity, and availability impact, the flaw requires no user interaction and has no public exploit identified at time of analysis. CISA SSVC scoring indicates no observed exploitation but rates technical impact as total.
Local privilege escalation in Android (versions 14, 15, 16, and 16-qpr2) stems from a heap buffer overflow in the LoadedArsc.cpp resource table loader, allowing a low-privileged local process to write out of bounds and gain elevated execution privileges without user interaction. No public exploit identified at time of analysis, and SSVC scoring indicates exploitation has not been observed despite a 'total' technical impact rating. Patches are tracked in the June 2026 Android Security Bulletin.
Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.
Proximity-based remote code execution in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a heap buffer overflow in multiple functions of sdp_discovery.cc, the Bluetooth Service Discovery Protocol component. An adjacent attacker within Bluetooth range can trigger memory corruption without any user interaction, with no public exploit identified at time of analysis. The flaw resides in the native Bluetooth stack and could yield code execution at the privilege level of the Bluetooth process.
Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or domain field. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware versions up to 2.5.3-170306) allows remote authenticated attackers to corrupt memory via the strcpy function in the /goform/formTaskEdit endpoint. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges. No KEV listing or EPSS data is provided in the input, so widespread automated exploitation has not been confirmed.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.
Stack-based buffer overflow in rrdcached (the caching daemon for rrdtool) allows a local attacker with socket access to crash the daemon or potentially execute arbitrary code by sending an oversized CREATE request. The flaw is tracked under CWE-121 with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L), reported by Red Hat against RHEL 6 through 10, and there is no public exploit identified at time of analysis.
Buffer overflow in OpenSC's pkcs11-tool component (versions up to and including 0.26.1) exposes users of the key generation functionality to memory corruption when processing maliciously oversized PKCS#11 URI object IDs. An unauthenticated remote attacker can trigger the flaw in the test_kpgen_certwrite function, but exploitation requires passive user interaction and high attack complexity, reflected in the extremely low CVSS 4.0 score of 1.3 with impact limited to the vulnerable component only. Publicly available exploit code exists (E:P confirmed in CVSS vector), but no public exploit identified at time of analysis in CISA KEV, and real-world mass exploitation is significantly constrained by the required user participation and attack complexity.
Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.
Stack-based buffer overflow in D-Link DI-7001 MINI routers (firmware up to 19.09.19A1) allows authenticated remote attackers to corrupt memory via the Time parameter passed to the sprintf function in /httpd_debug.asp. Publicly available exploit code exists on GitHub, and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privilege requirement and no user interaction. The vulnerability targets an embedded networking appliance commonly deployed at SMB and branch-office perimeters, increasing exposure risk where the management interface is reachable.
Out-of-bounds read in janet-lang/janet up to version 1.41.0 allows a local low-privileged attacker to read memory beyond allocated bounds via the doframe debug introspection function in src/core/debug.c. The root cause is missing bounds validation when using symbolmap entries (specifically jsm.death_pc and jsm.slot_index) as array indices into function environments and stack data. No public exploit identified at time of analysis, but publicly available exploit code exists per the POC reference; real-world impact is limited to low-confidence local reads with no availability or integrity consequence (CVSS:4.0 score 1.9).
Stack-based buffer overflow in H3C Magic B0 routers (versions up to 100R002) allows remote authenticated attackers to corrupt memory via the SetMobileAPInfoById function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists (disclosed on GitHub and VulDB), and the vendor did not respond to disclosure outreach, leaving devices without an official fix. CVSS 4.0 score of 7.4 reflects high impact to confidentiality, integrity, and availability with low attack complexity.
Remote code execution in Poly Voice products on Linux is possible through a stack-based buffer overflow reachable when administrators enable Interactive Connectivity Establishment (ICE). Unauthenticated network attackers can trigger the flaw without user interaction, and no public exploit has been identified at time of analysis. HP rates the issue at CVSS 4.0 9.2 (Critical), driven by network reachability and full confidentiality, integrity, and availability impact.
Heap buffer overflow in GPAC MP4Box v2.4's MPEG-2 TS demuxer crashes the application when processing a specially crafted MP4 file, resulting in a Denial of Service. The vulnerable function `m2tsdmx_send_packet` in `filters/dmx_m2ts.c` lacked a minimum packet-length guard before performing heap operations on M2TS packet data. No active exploitation has been identified (not in CISA KEV), and impact is limited to availability - no code execution or data exposure is achievable via this path.
Integer overflow in the Janet scripting language's fiber unmarshaling routine (versions up to 1.41.0) allows a local authenticated attacker to cause a denial-of-service condition. The vulnerable function `unmarshal_one_fiber` in `src/core/marsh.c` performs an unchecked addition when computing fiber stack capacity - if `fiber_stacktop` is near INT32_MAX, adding 10 wraps the value, resulting in a dangerously small capacity allocation that crashes the interpreter. No public exploitation in production environments has been confirmed (not listed in CISA KEV), but a public proof-of-concept exploit exists, and the upstream patch has been released as commit d9b1d711.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 can be achieved by remote attackers who have already compromised the renderer process, leveraging an out-of-bounds read in the Dawn WebGPU implementation via a crafted HTML page. Google rates this as High severity and a vendor patch is available, though no public exploit has been identified at time of analysis. The bug is part of a multi-stage exploitation chain rather than a single-step RCE, but successful chaining yields full escape from Chrome's renderer sandbox.
Sandbox escape in Google Chrome on macOS prior to 149.0.7827.53 lets a remote attacker who has already compromised the renderer process break out of the Chromium sandbox via a crafted HTML page that triggers an out-of-bounds write in Skia. Google rates the underlying Chromium issue High severity and a vendor patch is available, though no public exploit code has been identified at time of analysis.
Sandbox escape in Google Chrome's Chromecast component prior to 149.0.7827.53 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by the Chromium project with a CVSS of 8.3, the flaw requires a prior renderer compromise and user interaction, and no public exploit identified at time of analysis. Successful exploitation gives attackers code execution outside the renderer's restricted context, dramatically expanding impact on the host.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 is possible via an integer overflow in the Dawn WebGPU implementation, allowing a remote attacker who has already compromised the renderer process to break out of the browser sandbox using a crafted HTML page. Google rates the Chromium severity as High and a vendor patch is available; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Out-of-bounds write in the ANGLE graphics layer of Google Chrome versions prior to 149.0.7827.53 enables remote attackers to trigger heap corruption and potentially execute arbitrary code by luring a victim to a crafted HTML page. Chromium rates the severity as High and CVSS 8.8 reflects the network attack vector with required user interaction. No public exploit identified at time of analysis, though the bug class (memory corruption in a browser-exposed component) is historically a prime target for weaponization.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Sandbox escape in Google Chrome's GPU component prior to version 149.0.7827.53 allows remote attackers to break out of the renderer sandbox via a crafted HTML page when a user visits a malicious site. Google's Chromium team rated the underlying issue Critical severity, and while a patch is available, no public exploit identified at time of analysis and EPSS estimates exploitation probability at only 0.03%.
Sandbox escape in Google Chrome for Android versions prior to 149.0.7827.53 stems from an out-of-bounds write in the GPU process that a remote attacker can trigger via a crafted HTML page. Google rates the underlying Chromium issue as Critical severity, and while a vendor patch is available, no public exploit identified at time of analysis and EPSS sits at 0.03% (11th percentile). The CVSS scope-changed vector (S:C) reflects the impact of breaking out of Chrome's sandbox to affect the broader Android OS context.
Out-of-bounds read in the ANGLE graphics layer of Google Chrome before 149.0.7827.53 enables a remote attacker who has already compromised the renderer process to potentially escape the browser sandbox via a crafted HTML page. Chromium rates the underlying issue Critical severity, and while no public exploit has been identified at time of analysis, the bug is in a historically targeted attack surface (GPU/ANGLE) frequently abused in renderer-to-broker escape chains.
Heap corruption in Google Chrome's ANGLE graphics translation layer prior to version 149.0.7827.53 allows remote attackers to potentially achieve code execution by enticing a user to visit a crafted HTML page. Chromium rates the severity as Critical and the CVSS score is 8.8 (High), but no public exploit identified at time of analysis. The flaw is a type confusion issue that maps to CWE-787 (out-of-bounds write), affecting the browser's WebGL/graphics rendering path.
Sandbox escape in Google Chrome's ANGLE graphics layer prior to version 149.0.7827.53 allows a remote attacker to trigger an out-of-bounds read and write via a crafted HTML page, with a CVSS 9.6 reflecting scope change and high impact across confidentiality, integrity, and availability. The flaw was rated Critical internally by Chromium and reported by Google's own CVE admin team; no public exploit identified at time of analysis, and CISA SSVC currently lists exploitation status as none.
Out-of-bounds write/read in Zephyr RTOS (versions ≤ 4.3) affects the TLS socket connect path when the TLS session cache is enabled, where tls_session_store() and tls_session_restore() memcpy a caller-supplied socket address into a fixed-size 24-byte stack buffer using an unvalidated, caller-controlled addrlen. Because struct net_sockaddr is opaque, an application can pass an oversized addrlen (e.g. 128 bytes), corrupting adjacent memory and causing a crash/denial of service, with potential for arbitrary code execution. Publicly available exploit code exists per the SSVC 'poc' status, but EPSS is very low (0.06%, 18th percentile) and it is not on CISA KEV.
Integer underflow in Zephyr RTOS Bluetooth Mesh solicitation handling (versions ≤ 4.3.0) allows any physically proximate, unauthenticated BLE device to corrupt memory via a crafted advertising PDU, potentially causing denial of service or arbitrary code execution on the target device. The flaw resides in bt_mesh_sol_recv() within the OD Private Proxy Server feature and requires no prior pairing or device association to trigger. No public exploit has been identified at time of analysis and EPSS probability is low at 0.02%, but the combination of zero-interaction exploitation and RCE impact on embedded IoT devices warrants prioritization where this configuration is deployed.
Incorrect native memory address resolution in Netty's Oblivious HTTP (OHTTP) BoringSSL JNI bridge allows unauthenticated remote attackers to corrupt memory belonging to concurrent connections and disclose the contents of adjacent pooled direct buffers - including HPKE encryption key material - on affected OHTTP gateways. The flaw exists in versions prior to 0.0.22.Final of netty-incubator-codec-ohttp and is only reachable when the JVM is configured to deny `sun.misc.Unsafe` access, causing the vulnerable fallback address-resolution path to activate. This directly undermines the confidentiality guarantees Oblivious HTTP is designed to provide; no public exploit code exists and the vulnerability is not listed in the CISA KEV catalog (CVSS 4.0 E:U).
Mobatek MobaXterm 12.1 contains a structured exception handling (SEH) based buffer overflow vulnerability in the username field of session files that allows remote attackers to execute arbitrary. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LabF nfsAxe 3.7 Ping Client contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in the Host IP field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AllPlayer 7.4 contains a local buffer overflow vulnerability in URL handling that allows attackers to overwrite structured exception handling pointers by supplying an excessively long URL string. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NetShareWatcher 1.5.8.0 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Out-of-bounds write in Samsung's rlottie animation rendering library allows a crafted Lottie animation file to trigger integer truncation in the embedded FreeType rasterizer, causing memory corruption. All rlottie versions before commit dcfde72eae1b0464dc0dd760aec00ada6a148635 are affected, spanning any downstream product or platform embedding this library (including Samsung TV and appliance firmware). Exploitation requires local access and user interaction to render a malicious animation, with primary impact being high availability loss (crash/DoS) and limited integrity impact; no public exploit identified at time of analysis and no active exploitation confirmed.
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.
Out-of-bounds read in Samsung's rlottie rendering library prior to commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd allows a local attacker to crash the rendering process (high availability impact) or cause low-level integrity corruption by supplying a crafted Lottie animation file. Two distinct code paths are affected: signed integer overflow in FreeType raster bit-shift macros and a missing zero-stopCount guard in gradient color table generation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV, but the wide embedding of rlottie in Samsung consumer devices (TVs, appliances) represents a meaningful aggregate exposure.
Heap out-of-bounds read in Morse Micro HaLowLink 2 prior to version 2.11.12 allows an unauthenticated attacker within 802.11ah radio range to disclose up to 9 bytes of kernel heap memory or trigger a kernel panic (DoS) by transmitting a crafted beacon or probe response frame containing a malformed Vendor Information Element. The morse.ko kernel driver function morse_vendor_find_vendor_ie() fails to validate IE body length against the expected structure size before downstream callers read at fixed offsets, requiring only that the IE length field exceed 3 bytes. No public exploit identified at time of analysis; EPSS places exploitation probability at 0.03% (8th percentile) with no CISA KEV listing, though the zero-prerequisite radio-range attack surface warrants prompt patching for HaLow-enabled deployments.
Denial of service in BACnet Stack 1.3.1 occurs through an out-of-bounds read in the bacnet_tag_number_decode function, allowing remote attackers to crash affected building automation systems by sending crafted BACnet protocol messages. No public exploit identified at time of analysis, and EPSS scores the exploitation probability at a very low 0.02%, though the network-reachable nature of BACnet deployments in critical infrastructure warrants attention.
Out-of-bounds array access in the Linux kernel's AMD GPU display driver (drm/amd/display) allows local privileged users to trigger memory corruption via the dcn35_stream_encoder_create() function when eng_id equals ENGINE_ID_DIGF (value 5) or is negative, indexing past the 5-element stream_enc_regs[] array. The flaw stems from a faulty boundary check using <= instead of <, and no public exploit has been identified at time of analysis with an EPSS score of 0.02% (5th percentile) indicating very low exploitation probability.
Out-of-bounds read in the Linux kernel's IPv6 routing subsystem (fib6_add_rt2node) allows a local user with network configuration privileges to trigger memory corruption when adding routes that use the RTA_NH_ID nexthop attribute. The flaw was discovered by syzkaller and confirmed via KASAN slab-out-of-bounds reports. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but the bug is in mainline kernel code paths reachable through netlink and is fixed across multiple stable trees.
Denial-of-service via recursion deadlock in the Linux kernel's NFS LOCALIO subsystem when direct memory reclaim occurs on systems using loopback NFS mounts. The LOCALIO optimization - which bypasses network I/O when NFS client and server share the same host - fails to restrict its page cache allocations to GFP_NOFS context, allowing the kernel memory allocator to re-enter NFS via nfs_writepages during reclaim (path: NFS LOCALIO → XFS → NFS), producing a deadlock and kernel hang. No public exploit exists and EPSS stands at 0.02% (4th percentile), consistent with a kernel subsystem defect that requires a specific local configuration rather than a broadly exploitable condition. Vendor-released patches are available across stable kernel branches.
Heap buffer overflow in the Linux kernel's pstore/ram subsystem (persistent_ram_save_old function) allows local attackers with low privileges to trigger out-of-bounds writes and reads when the ramoops buffer size grows across boot cycles. The flaw affects Linux kernel versions from 3.5 onward and carries a CVSS 7.8 (High) rating, though exploitation requires a highly improbable chain of conditions across reboots. No public exploit identified at time of analysis, and EPSS is very low at 0.03%.
Out-of-bounds read in lwext4 1.0.0's ext4_ext_binsearch_idx function (src/ext4_extent.c) exposes applications to memory disclosure or process crashes when parsing a specially crafted ext4 filesystem image. Insufficient validation of extent header fields before binary search traversal of the extent index tree allows invalid pointer arithmetic, resulting in reads beyond the allocated buffer boundary. A publicly available exploit exists on GitHub; no CISA KEV listing has been confirmed, but the combination of a network-deliverable attack vector and public POC elevates practical urgency for lwext4 consumers.
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). No public exploit identified at time of analysis, and EPSS data was not supplied for this advisory.
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE (advisory VDE-2026-039), indicating responsible disclosure rather than in-the-wild abuse.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Uninitialized memory disclosure in the Mercusys AC12G (EU) V1 router exposes 128 bytes of internal server buffer contents to unauthenticated adjacent-network attackers. The device's HTTP server fails to sanitize responses for POST requests sent to undefined paths, returning raw internal buffer data instead of a clean error. No active exploitation is confirmed (not in CISA KEV), but a public researcher advisory exists on GitHub; the CVSS score of 4.3 (Medium) reflects the adjacent-network-only attack vector and limited confidentiality impact.
Out-of-bounds write in openSeaChest v25.05.3's --showSupportedFormats command allows a high-privileged local attacker to corrupt one byte beyond an allocated buffer by presenting a maliciously crafted NVMe device with a bogus namespace FLBAS (Format LBA Size) value, forcing that byte to 1. Affected platforms include all systems supported by the toolkit. With a CVSS 4.0 score of 1.8, this is a minimal-severity issue requiring both high privileges and a specially crafted physical or emulated NVMe device; no public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds write in Seagate's openSeaChest v26.03.0 allows a high-privileged local user to write 16 bytes beyond the allocated memory buffer during a Trim/Unmap (SCSI UNMAP / ATA DSM) storage operation. The flaw is confined to the LBA range descriptor construction logic and produces limited observable impact - low confidentiality exposure to the local system and a secondary system, with no integrity or availability consequences per the CVSS 4.0 vector. No public exploit identified at time of analysis, and CISA KEV does not list this vulnerability; Seagate self-disclosed the issue, suggesting responsible internal discovery.
Out-of-bounds write and read in Seagate's openSeaChest v25.05.3 affects the --showSCSIDefects diagnostic command, allowing memory corruption when parsing abnormally large SCSI defect list responses. A high-privileged local operator running diagnostics against a physically degraded drive with an excessive defect count, or against a maliciously crafted SCSI device returning an oversized defect response, can trigger limited confidentiality, integrity, and availability impact on the diagnostic host. No public exploit and no active exploitation has been identified at time of analysis; this vulnerability was self-reported by Seagate with a CVSS 4.0 base score of 1.8, reflecting the severe exploitation constraints.
Dräger CC-Vision Basic before 7.5.3 and Dräger CC-Vision E-Cal before 7.2.5.0 contain an out-of-bounds write vulnerability when loading .gdt files. Rated high severity (CVSS 8.3), this vulnerability is no authentication required, low attack complexity.
Information disclosure in Mozilla Firefox prior to 151.0.3 allows remote attackers to read out-of-bounds memory via the Graphics: Text component when processing crafted content. The flaw stems from incorrect boundary conditions (CWE-119) in text rendering and can be triggered without user authentication, though no public exploit has been identified and EPSS scores it at just 0.02% likelihood of exploitation.
Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Out-of-bounds write in the Bitdefender Napoca bare-metal hypervisor allows a low-privileged guest to corrupt hypervisor heap memory via crafted SS:SP register values processed by the real-mode hook handler. The flaw, tracked as EUVD-2026-33944 and reported by Bitdefender itself, affects an end-of-life product with no public exploit identified at time of analysis. Successful exploitation breaks the guest-to-hypervisor boundary, yielding total compromise of confidentiality, integrity, and availability of the host hypervisor.
Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.
Out-of-bounds heap write in the Bitdefender Napoca bare-metal hypervisor lets a malicious guest VM operating in real mode corrupt hypervisor memory through a crafted INT 0x15/E820 BIOS call, potentially enabling guest-to-host escape. The flaw resides in napoca/guests/bios_handlers.c, which computes a write offset from attacker-controlled ES:EDI register values without bounds checking against the 1MB RealModeMemory buffer. No public exploit identified at time of analysis, and CISA SSVC classifies exploitation status as 'none' - but the product is end-of-life and unsupported, raising the long-term risk profile.
Buffer overflow in the UPnP DeletePortMapping() command of Zyxel VMG4005-B50B DSL/Ethernet CPE firmware (through 5.13(ABRL.5.4)C0) enables an unauthenticated adjacent-network attacker to crash the device's UPnP service. The impact is a temporary, recoverable denial-of-service confined to the UPnP function - availability is fully affected (A:H) while confidentiality and integrity remain unimpacted (C:N/I:N). No public exploit code or CISA KEV listing exists at time of analysis; the vulnerability was disclosed by Zyxel itself on 2026-06-02.
Buffer overflow in the UPnP AddPortMapping() command handler on Zyxel VMG4005-B50B DSL/Ethernet CPE devices allows adjacent unauthenticated attackers to crash the UPnP service, causing a temporary denial-of-service condition. Affected firmware versions run through 5.13(ABRL.5.4)C0, and the vulnerability was self-disclosed by Zyxel in a June 2026 advisory covering multiple CPE product lines. No public exploit code exists and this vulnerability has not been confirmed as actively exploited (not in CISA KEV).
Stack-based buffer overflow in Orthanc DICOM Server up to version 1.12.11 allows a local, low-privileged attacker to crash the server process, causing limited availability impact through the DCMTK parser's DcmItem::read function. The CVSS 4.0 score of 1.9 reflects heavily constrained exploitation conditions: local access only, low-privilege account required, and impact confined to availability with no confidentiality or integrity exposure. Publicly available exploit code exists (confirmed by CVSS 4.0 E:P modifier and CVE description), though no active exploitation has been confirmed by CISA KEV.
Remote code execution in VIVOTEK FD8136 network camera (firmware VVTK-0300a) is possible via a stack-based buffer overflow in the set_getparam.cgi component, reachable over the network without authentication. CVSS 7.3 reflects partial CIA impact, but the presence of public vulnerability-research artifacts on GitHub indicates publicly available exploit code exists, while EPSS remains low at 0.05% (17th percentile) and the issue is not currently listed in CISA KEV.
Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable `motion_privacy.cgi` binary copies the `n1` parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.
Remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows authenticated attackers to gain root-level command execution by triggering a buffer overflow in the /cgi-bin/admin/eventtask.cgi admin endpoint. Publicly available exploit code exists in a GitHub research repository, though EPSS scoring (0.09%, 25th percentile) suggests low observed exploitation activity and the CVE is not listed in CISA KEV.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows unauthenticated remote attackers to disclose memory contents by sending crafted IPv4 packets with a manipulated IHL field to any monitored network interface. The parser in `src/simple_packet_parser_ng.cpp` validates only a 20-byte minimum buffer before blindly advancing a pointer by `4 * IHL` bytes, enabling a 40-byte over-read (IHL=15) or type confusion where TCP/UDP structures are parsed from raw IP header bytes (IHL 0-4). No public exploit identified at time of analysis; EPSS (0.02%, 4th percentile) and SSVC (exploitation: none, automatable: no) both signal low near-term exploitation probability.
Authenticated remote code execution in Vivotek FD8136 IP cameras running firmware FD8136-VVTK-0300a allows attackers with valid admin-interface credentials to overflow a buffer in the /cgi-bin/dido/setdo.cgi endpoint and execute arbitrary code as root. No public exploit identified at time of analysis, though a vulnerability research repository on GitHub describes the issue, and EPSS estimates exploitation probability at 0.05% (17th percentile), suggesting low broad-scale exploitation interest despite the high CVSS 8.8 score.
Memory corruption in Qualcomm Snapdragon Strongbox component allows local low-privileged attackers to trigger a buffer overflow that crosses a security boundary (scope changed) and compromises confidentiality, integrity, and availability of the device. The flaw is reported directly by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 8.8 with no public exploit identified at time of analysis. Strongbox is the hardware-backed keystore used to protect cryptographic material, so successful exploitation undermines a core trust component of Snapdragon-based mobile platforms.
Local privilege escalation in Qualcomm Snapdragon chipsets stems from an out-of-bounds memory access in the Strongbox trusted execution component, where a missing bounds check enables memory corruption from a low-privileged context. A successful exploit crosses a trust boundary (CVSS scope=Changed) and yields high impact to confidentiality, integrity, and availability on the affected device. No public exploit identified at time of analysis, and EPSS data was not provided alongside this advisory.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a Time-of-Check to Time-of-Use (TOCTOU) race condition in shared buffer handling, where kernel-mode code reads user-mode input without re-validation after initial checks. A low-privileged local attacker can corrupt memory to gain full confidentiality, integrity, and availability impact on the affected device. No public exploit identified at time of analysis, and the issue is documented in the Qualcomm June 2026 security bulletin.
Local privilege escalation in Qualcomm Snapdragon platforms is possible through memory corruption when processing multiple IOCTL commands for escape operations. The flaw, reported by Qualcomm in its June 2026 security bulletin, affects Snapdragon graphics/driver components and can be triggered by a low-privileged local user to achieve high impact on confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation in Qualcomm Snapdragon platforms stems from an out-of-bounds read (CWE-125) triggered during IOCTL escape operation processing, resulting in memory corruption. A local authenticated attacker with low privileges on an affected Snapdragon-based device can leverage the flaw to achieve high-impact compromise of confidentiality, integrity, and availability. There is no public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot bootloader when processing commands that set the display mode allows a high-privileged local attacker with physical device access to corrupt memory and potentially execute code outside the bootloader's security context. The flaw, reported by Qualcomm and disclosed in their June 2026 security bulletin, affects Snapdragon platforms across the product line per the supplied CPE. No public exploit has been identified at the time of analysis, and the CVSS 7.2 score reflects the high privilege and physical access barriers that limit broad exploitation.
Memory corruption in Qualcomm Snapdragon fastboot bootloader processing allows a physically present attacker with high privileges to corrupt memory by submitting improperly formatted fastboot commands. The flaw carries a CVSS 7.2 score reflecting physical attack vector with scope change, and no public exploit identified at time of analysis. Disclosed in Qualcomm's June 2026 security bulletin, it affects Snapdragon platforms exposed during device provisioning, recovery, or firmware-flash workflows.
Memory corruption in Qualcomm Snapdragon fastboot bootloader handling allows a privileged local attacker with physical access to corrupt memory by issuing malformed fastboot commands, with scope change (CVSS S:C) indicating impact extends beyond the bootloader's security boundary. The flaw was disclosed by Qualcomm in the June 2026 security bulletin and carries a CVSS 3.1 base score of 7.2 (High). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon fastboot OEM command handling allows a local attacker with high privileges and physical access to compromise device confidentiality, integrity, and availability. The CVSS 7.2 score reflects the physical attack vector (AV:P) offset by high impact and scope change, and no public exploit identified at time of analysis. Disclosure originates from Qualcomm's June 2026 security bulletin.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a stack-based memory corruption triggered while processing display command line information with an uninitialized variable. With CVSS 7.2 and a physical attack vector requiring high privileges, the flaw allows a privileged local attacker to corrupt memory and impact confidentiality, integrity, and availability across a changed security scope. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon platforms allows a locally privileged attacker to trigger an out-of-bounds write by issuing a random number generator (RNG) command paired with an undersized output buffer, yielding complete confidentiality, integrity, and availability impact. The vulnerability requires local access and high privileges (CVSS:3.1/AV:L/AC:L/PR:H), placing the base score at 6.7 (Medium) despite the high C/I/A ratings. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Stack-based buffer overflow in Qualcomm Snapdragon corrupts memory during a data copy operation when the output buffer is sized smaller than the input buffer, enabling a high-privileged local attacker to achieve full compromise of confidentiality, integrity, and availability on affected devices. Rooted in CWE-121, this vulnerability can allow control-flow hijacking via stack memory overwrite on Snapdragon-based platforms. No public exploit identified at time of analysis and no CISA KEV listing, but the high-impact triad (C:H/I:H/A:H) warrants prompt patching in environments where privileged access is shared or contested.
Stack-based buffer overflow in Qualcomm Snapdragon Windows drivers allows a locally authenticated high-privilege attacker to cause memory corruption by sending a malformed trusted application request. The vulnerability affects Snapdragon-based systems running Windows drivers and can result in complete compromise of confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Memory corruption via out-of-bounds write in Qualcomm Snapdragon diagnostic services allows a local, highly-privileged attacker to achieve high-impact compromise of confidentiality, integrity, and availability. The root cause is absent input validation in the diagnostic services component, enabling a crafted payload to corrupt memory. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon affects the IOCTL request processing path, exploitable by a local attacker with high privileges who can win a race condition between API version validation and user-space buffer consumption. Successful exploitation yields high-impact confidentiality, integrity, and availability compromise despite the moderate overall CVSS score of 6.4, which is suppressed by the high attack complexity and privilege requirements. No public exploit code and no CISA KEV listing have been identified at time of analysis, limiting immediate widespread risk.
Qualcomm Snapdragon chipsets improperly parse 802.11 advertisement frames containing malformed MBSSID (Multiple BSSID) elements of insufficient length, triggering a buffer over-read that discloses memory contents to an attacker. The CVSS vector (AV:N/AC:H/PR:L/UI:R/S:C) indicates network-reachable exploitation with changed scope, meaning the impact crosses beyond the Wi-Fi subsystem into adjacent components. No public exploit identified at time of analysis, and no CISA KEV listing exists; Qualcomm addressed this in their June 2026 Security Bulletin.
Local privilege escalation and memory corruption in Qualcomm Snapdragon platforms allows an attacker with low-privileged local access to corrupt memory during secure data initialization, leading to high impact on confidentiality, integrity, and availability. The flaw is traceable to a NULL pointer dereference (CWE-476) reachable when heap memory is exhausted, and is addressed in the Qualcomm June 2026 security bulletin. No public exploit identified at time of analysis, and EPSS data was not provided.
Local privilege escalation via memory corruption in Qualcomm Snapdragon platform components allows an authenticated low-privileged local attacker to corrupt memory by supplying device identifier strings exceeding the expected maximum length. The CVSS 7.8 (AV:L/AC:L/PR:L) profile combined with CWE-787 out-of-bounds write indicates a classic stack/heap overflow path that can be leveraged for code execution with full confidentiality, integrity, and availability impact on affected devices. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local memory corruption in Qualcomm Snapdragon platforms (CVE-2025-59604) allows a low-privileged local attacker to trigger invalid memory writes via a null pointer condition during a memory copy operation, resulting in high confidentiality, integrity, and availability impact (CVSS 7.8). The flaw is disclosed in the Qualcomm June 2026 security bulletin with no public exploit identified at time of analysis and no CISA KEV listing. While CWE-476 (null pointer dereference) typically yields denial of service, the vendor's CIA:H scoring indicates the invalid writes may be steerable into broader corruption beyond a simple crash.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware up to 2.5.3-170306) allows authenticated remote attackers to corrupt memory via the Profile parameter in the /goform/formFireWall endpoint, where unsafe strcpy usage processes the input. Publicly available exploit code exists, increasing the realistic risk of attempted compromise against exposed management interfaces. No CISA KEV listing has been published, so exploitation is not yet confirmed active in the wild.
Local privilege escalation in Google Android 16 and 16-qpr2 allows an attacker with low-privilege code execution on the device to gain elevated privileges by exploiting an incorrect bounds check that causes a desync in persistence logic across multiple functions. Categorized as CWE-120 buffer overflow with high confidentiality, integrity, and availability impact, the flaw requires no user interaction and has no public exploit identified at time of analysis. CISA SSVC scoring indicates no observed exploitation but rates technical impact as total.
Local privilege escalation in Android (versions 14, 15, 16, and 16-qpr2) stems from a heap buffer overflow in the LoadedArsc.cpp resource table loader, allowing a low-privileged local process to write out of bounds and gain elevated execution privileges without user interaction. No public exploit identified at time of analysis, and SSVC scoring indicates exploitation has not been observed despite a 'total' technical impact rating. Patches are tracked in the June 2026 Android Security Bulletin.
Local privilege escalation in Android 14, 15, and 16 (including 16-qpr2) stems from an out-of-bounds read in the validateNode function of ResourceTypes.cpp, part of the Android resource parsing layer. A local attacker running an unprivileged app can leverage the flaw to elevate privileges without user interaction. No public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue is addressed in the June 2026 Android Security Bulletin.
Proximity-based remote code execution in Google Android (versions 14, 15, 16, and 16-qpr2) is possible via a heap buffer overflow in multiple functions of sdp_discovery.cc, the Bluetooth Service Discovery Protocol component. An adjacent attacker within Bluetooth range can trigger memory corruption without any user interaction, with no public exploit identified at time of analysis. The flaw resides in the native Bluetooth stack and could yield code execution at the privilege level of the Bluetooth process.
Local information disclosure in Google Android's ResourceTypes.cpp affects Android 14, 15, and 16 (including 16-QPR2) via an incorrect bounds check in the setTo function that enables an out-of-bounds read. An authenticated local attacker holding a standard user account can trigger this flaw without user interaction, potentially leaking sensitive memory contents from the process. No public exploit has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by overwriting the structured exception handler. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or domain field. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware versions up to 2.5.3-170306) allows remote authenticated attackers to corrupt memory via the strcpy function in the /goform/formTaskEdit endpoint. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges. No KEV listing or EPSS data is provided in the input, so widespread automated exploitation has not been confirmed.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.
Stack-based buffer overflow in rrdcached (the caching daemon for rrdtool) allows a local attacker with socket access to crash the daemon or potentially execute arbitrary code by sending an oversized CREATE request. The flaw is tracked under CWE-121 with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L), reported by Red Hat against RHEL 6 through 10, and there is no public exploit identified at time of analysis.
Buffer overflow in OpenSC's pkcs11-tool component (versions up to and including 0.26.1) exposes users of the key generation functionality to memory corruption when processing maliciously oversized PKCS#11 URI object IDs. An unauthenticated remote attacker can trigger the flaw in the test_kpgen_certwrite function, but exploitation requires passive user interaction and high attack complexity, reflected in the extremely low CVSS 4.0 score of 1.3 with impact limited to the vulnerable component only. Publicly available exploit code exists (E:P confirmed in CVSS vector), but no public exploit identified at time of analysis in CISA KEV, and real-world mass exploitation is significantly constrained by the required user participation and attack complexity.
Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.
Stack-based buffer overflow in D-Link DI-7001 MINI routers (firmware up to 19.09.19A1) allows authenticated remote attackers to corrupt memory via the Time parameter passed to the sprintf function in /httpd_debug.asp. Publicly available exploit code exists on GitHub, and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privilege requirement and no user interaction. The vulnerability targets an embedded networking appliance commonly deployed at SMB and branch-office perimeters, increasing exposure risk where the management interface is reachable.
Out-of-bounds read in janet-lang/janet up to version 1.41.0 allows a local low-privileged attacker to read memory beyond allocated bounds via the doframe debug introspection function in src/core/debug.c. The root cause is missing bounds validation when using symbolmap entries (specifically jsm.death_pc and jsm.slot_index) as array indices into function environments and stack data. No public exploit identified at time of analysis, but publicly available exploit code exists per the POC reference; real-world impact is limited to low-confidence local reads with no availability or integrity consequence (CVSS:4.0 score 1.9).
Stack-based buffer overflow in H3C Magic B0 routers (versions up to 100R002) allows remote authenticated attackers to corrupt memory via the SetMobileAPInfoById function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists (disclosed on GitHub and VulDB), and the vendor did not respond to disclosure outreach, leaving devices without an official fix. CVSS 4.0 score of 7.4 reflects high impact to confidentiality, integrity, and availability with low attack complexity.
Remote code execution in Poly Voice products on Linux is possible through a stack-based buffer overflow reachable when administrators enable Interactive Connectivity Establishment (ICE). Unauthenticated network attackers can trigger the flaw without user interaction, and no public exploit has been identified at time of analysis. HP rates the issue at CVSS 4.0 9.2 (Critical), driven by network reachability and full confidentiality, integrity, and availability impact.
Heap buffer overflow in GPAC MP4Box v2.4's MPEG-2 TS demuxer crashes the application when processing a specially crafted MP4 file, resulting in a Denial of Service. The vulnerable function `m2tsdmx_send_packet` in `filters/dmx_m2ts.c` lacked a minimum packet-length guard before performing heap operations on M2TS packet data. No active exploitation has been identified (not in CISA KEV), and impact is limited to availability - no code execution or data exposure is achievable via this path.
Integer overflow in the Janet scripting language's fiber unmarshaling routine (versions up to 1.41.0) allows a local authenticated attacker to cause a denial-of-service condition. The vulnerable function `unmarshal_one_fiber` in `src/core/marsh.c` performs an unchecked addition when computing fiber stack capacity - if `fiber_stacktop` is near INT32_MAX, adding 10 wraps the value, resulting in a dangerously small capacity allocation that crashes the interpreter. No public exploitation in production environments has been confirmed (not listed in CISA KEV), but a public proof-of-concept exploit exists, and the upstream patch has been released as commit d9b1d711.