Buffer Overflow
Monthly
Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.
Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.
Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.
Stack-based buffer overflow in the UTT HiPER 1250GW router (firmware up to 3.2.7-210907-180535) lets a network-adjacent authenticated user corrupt memory by supplying an oversized 'Profile' argument to the /goform/formGroupConfig endpoint of the Web Management Interface. The CVSS 4.0 score is 7.4, and publicly available exploit code exists, though the EPSS probability is very low (0.04%, 13th percentile) and it is not on the CISA KEV list. Successful exploitation can crash the device or potentially achieve arbitrary code execution on the router's management plane.
Stack-based buffer overflow in the web management interface of the UTT HiPER 1250GW router (firmware through 3.2.7-210907-180535) lets a remote, low-privileged attacker corrupt memory by submitting an oversized Profile value to the /goform/formConfigFastDirectionW handler, which passes it to an unbounded strcpy. The CVSS 4.0 vector rates confidentiality, integrity, and availability impact as High, consistent with potential code execution or device crash. Publicly available exploit code exists per the VulDB submission, though EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified as actively exploited.
Stack-based buffer overflow in the UTT HiPER 1200GW router's Web Management Interface lets an authenticated, network-adjacent attacker corrupt memory by submitting oversized values to the PPTP client configuration handler (/goform/formPptpClientConfig), affecting firmware up to 2.5.3-170306. A successful overflow can crash the device or potentially achieve code execution on the embedded gateway, with high confidentiality, integrity, and availability impact on the device itself. Publicly available exploit code exists (CVSS 4.0 base 7.4), but the EPSS score is very low at 0.04% (13th percentile) and the issue is not listed in CISA KEV.
Stack buffer overflow in the UTT HiPER 1200GW router (firmware up to 2.5.3-170306) lets a remote, low-privileged user crash the device or potentially execute arbitrary code by submitting oversized sysAdmUser or sysAdmPass values to the /goform/setSysAdm endpoint of the Web Management Interface. The flaw stems from an unbounded strcpy call, and publicly available exploit code exists, though EPSS rates near-term mass exploitation as very low (0.04%). No CISA KEV listing or vendor patch has been identified.
Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.
Heap-based buffer overflow in GNU LibreDWG through version 0.13.4.8160 lets an attacker corrupt heap memory by getting the library to parse a malicious DWG file, specifically a 2004-format file with a crafted compressed section processed via the dwgbmp thumbnail-extraction utility. The flaw stems from missing bounds validation in the decompression routine and is reachable without authentication or user privileges per its CVSS vector; impact is rated low across confidentiality, integrity, and availability (CVSS 7.3). Publicly available exploit code exists (a proof-of-concept DWG sample), but the issue is not listed in CISA KEV, and an official upstream fix has been committed.
Out-of-bounds read in Apple macOS (all versions prior to macOS Tahoe 26) allows a locally authenticated, low-privileged application to trigger unexpected system termination, constituting a local denial-of-service condition. The root cause is insufficient bounds checking in a macOS component, addressed by Apple in macOS Tahoe 26. No public exploit code exists and this vulnerability is not listed in CISA KEV, though a vendor-confirmed patch is available.
Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap overread against TLS servers that perform legacy RSA key exchange using a private key backed by a PKCS#11 token. By sending an abnormally short premaster secret, the attacker causes the library to read beyond an allocated buffer (CWE-1284), which can leak a small amount of adjacent heap memory and, per the CVSS vector, more strongly impacts availability (A:H). No public exploit has been identified at time of analysis and the issue is not in CISA KEV; EPSS and SSVC data were not provided.
Out-of-bounds write in NVIDIA Virtual GPU Manager exposes virtualized GPU deployments to denial of service, data tampering, and information disclosure. A local, low-privileged attacker operating within a virtualized environment can trigger the memory corruption flaw in the host-side vGPU manager component across multiple affected driver branches (vGPU 16.x through 20.x). No public exploit code exists at time of analysis, and EPSS probability is at the 2nd percentile, but the high availability impact (A:H in CVSS) and the prevalence of vGPU in enterprise virtualization infrastructure warrant prompt patching.
Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.
Out-of-bounds read in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest drivers) allows a locally authenticated user to trigger denial of service and information disclosure. The flaw carries a CVSS 3.1 score of 7.1 (AV:L/AC:L/PR:L), and per CISA SSVC there is no public exploit identified at time of analysis (Exploitation: none), with EPSS at 0.01% indicating negligible near-term exploitation likelihood. NVIDIA has published fixed driver versions across all affected branches in advisory ID 5821.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and Virtual GPU Manager branches) stems from an incorrect numeric type conversion (CWE-681) that produces a heap buffer overflow. A locally authenticated attacker with low privileges can trigger the flaw to achieve code execution, privilege escalation, information disclosure, data tampering, or denial of service. No public exploit identified at time of analysis, and EPSS is very low (0.01%, 1st percentile), but technical impact per SSVC is total.
Heap-based buffer overflow in IBM HTTP Server 8.5 and 9.0 allows an attacker already authenticated to the Administration Server to execute arbitrary code or crash the service. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis despite the high CVSS 8.0 rating. EPSS probability is negligible (0.01%) and SSVC marks exploitation as 'none,' indicating the issue is currently a patch-and-move-on item rather than an emergency.
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Heap buffer overflow in FreeRDP versions prior to 3.26.0 allows a malicious RDP server to write out-of-bounds heap memory on connecting clients through the gdi_CacheToSurface function, potentially leading to remote code execution or client crash. The flaw stems from inconsistent rectangle validation where coordinates are clamped to UINT16_MAX but copy operations use unclamped cache entry dimensions. Publicly available exploit code exists per SSVC, though EPSS exploitation probability remains low at 0.06%.
Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote attackers to cause availability disruption by sending crafted malformed HTTP requests requiring no authentication or user interaction. Affected deployments span all R81.10 releases and below, R81.20 through Jumbo Hotfix Take 127, R82 through Jumbo Hotfix Take 91, and R82.10 through Jumbo Hotfix Take 19. No public exploit identified at time of analysis, though SSVC classifies the attack as automatable with total technical impact - a meaningful tension with the CVSS A:L rating that security teams should scrutinize before deprioritizing.
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN processing service by sending specially crafted IKE packets over NAT-T (UDP/4500). Multiple supported releases (R81.10 and below, R81.20, R82, R82.10) are affected up to specific Jumbo Hotfix takes. No public exploit identified at time of analysis, and EPSS is low at 0.06% (17th percentile), suggesting limited near-term exploitation likelihood despite the 8.1 CVSS score.
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN service by sending a malformed IKE fragment to UDP port 500 during the early phase of a connection attempt. The flaw affects multiple R81.x, R82, and R82.10 release trains running below specific Jumbo Hotfix Takes; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Heap-based buffer overflow in Squirrel versions 3.0 through 3.2 allows a locally authenticated low-privilege attacker to corrupt heap memory by supplying a malicious Cnut file to the ReadObject function in sqobject.cpp. The impact is limited to partial confidentiality, integrity, and availability effects with no scope change, as confirmed by the CVSS 4.0 score of 1.9. A public proof-of-concept exploit exists on GitHub, but this vulnerability has not been confirmed actively exploited by CISA KEV, and EPSS places exploitation probability at just 0.01% (2nd percentile), indicating very low real-world exploitation activity.
Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw affects MediaInfoLib 26.01 and was reported by Cisco Talos (TALOS-2026-2367); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Heap buffer overflow in MediaArea MediaInfoLib's ID3v2 metadata parser allows local attackers to achieve arbitrary code execution when a victim opens a crafted media file. The flaw affects MediaInfoLib 26.01 and requires user interaction to trigger, with no public exploit identified at time of analysis. While CVSS rates it 7.8 (High), the very low EPSS score (0.01%) and SSVC 'Exploitation: none' signal suggest no widespread targeting is occurring.
Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers to crash affected industrial control systems by sending malformed HTTP requests that trigger a size-limited out-of-bounds write during length parsing. The flaw affects a broad range of CODESYS runtime variants used across PLCs, industrial PCs, and embedded controllers from vendors like Beckhoff, WAGO, and Raspberry Pi-based deployments. No public exploit identified at time of analysis, EPSS is low (0.07%), but the network-reachable, no-privileges-required attack surface makes this operationally significant for OT environments.
Out-of-bounds read in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) affects all versions through 0.14, allowing a local low-privileged attacker to crash the dwgbmp utility or any LibreDWG-based application by supplying a crafted DWG 2004 file with manipulated section address or size fields. Impact is limited to availability (application crash) with no confirmed confidentiality or integrity exposure per the CVSS 4.0 vector. A publicly available proof-of-concept DWG file exists on GitHub, but EPSS at 0.01% (2nd percentile) and no CISA KEV listing confirm this is not currently subject to widespread exploitation.
Symlink-based path traversal in the Perl module Archive::Tar before version 3.08 allows a malicious tar archive to write or point files outside the intended extraction directory. When an application extracts an attacker-supplied archive, symlink entries whose targets are absolute paths or contain '..' traversal sequences are followed without validation, letting an attacker place links that resolve to arbitrary filesystem locations. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the issue is rated CVSS 9.1 because Archive::Tar is widely embedded in automated server-side processing of untrusted archives.
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.
Buffer overflow in FastNetMon Community Edition through 1.2.9 allows a local attacker with no privileges to crash the FastNetMon process, disabling DDoS detection and network monitoring capabilities. The vulnerability is specifically tied to a sprintf-based overflow in the ExaBGP integration component, as documented in the Lorikeetsecurity advisory. This is one of at least three distinct buffer overflow vulnerabilities (alongside CVE-2026-48686 and CVE-2026-48689) identified in the same product version, suggesting a broader audit surfaced a class of unsafe string-handling bugs. No public exploit identified at time of analysis, and the impact is limited to availability (denial of service) with no confidentiality or integrity exposure.
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Heap corruption in FastNetMon Community Edition through 1.2.9 allows authenticated local users to trigger an integer overflow in the packet capture buffer allocation routine, resulting in undersized allocations followed by out-of-bounds heap writes during packet storage. The flaw stems from 32-bit unsigned arithmetic in allocate_buffer() in src/packet_storage.hpp, where a sufficiently large ban_details_records_count configuration value causes the memory size calculation to wrap. No public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.01%.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to leak adjacent process memory by sending crafted BGP UPDATE messages containing malformed MP_REACH_NLRI IPv6 attributes. The flaw resides in decode_mp_reach_ipv6() where attacker-controlled length fields drive memcpy operations without bounds validation, and is acknowledged by an in-source TODO comment by the maintainer. No public exploit identified at time of analysis, EPSS is low (0.03%), and CISA SSVC classifies exploitation as 'none' but 'automatable: yes', meaning weaponization is technically straightforward if a threat actor invests effort.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 exposes network monitoring infrastructure to unauthenticated remote attack via malformed NetFlow v9 UDP packets. The vulnerability resides in the options template parser (process_netflow_v9_options_template()), where attacker-controlled length fields - option_scope_length and option_length - drive iteration loops with no bounds validation, enabling reads past the end of the UDP packet buffer. With a CVSS vector of AV:N/AC:L/PR:N/UI:N and SSVC automatable:yes, mass exploitation is technically feasible, though EPSS sits at 0.03% (9th percentile) and no public exploit or KEV listing has been identified at time of analysis.
Out-of-bounds memory read in FastNetMon Community Edition through 1.2.9 exposes sensitive process memory and can crash the collector when processing crafted NetFlow v9 packets. The NetFlow v9 data flowset parser in src/netflow_plugin/netflow_v9_collector.cpp omits the per-iteration boundary check present in the sibling Options template branch, allowing a network-adjacent attacker who can deliver UDP NetFlow v9 packets to the collector to supply malicious template definitions that drive the parser past the end of the packet buffer. No public exploit code or confirmed active exploitation has been identified at time of analysis, but a security researcher blog post at lorikeetsecurity.com documents the code-level flaw, raising the disclosure surface.
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
Out-of-bounds memory access in FastNetMon Community Edition through 1.2.9 allows an authenticated BGP peer to crash the monitoring process by sending a crafted UPDATE message. The parser in src/bgp_protocol.hpp correctly detects the RFC 4271 Extended Length flag but reads only one byte of the mandatory two-byte length field, silently truncating attribute lengths above 255 bytes and causing cascading misparse of subsequent BGP data. With CVSS availability impact rated High and SSVC confirming no known active exploitation, this is a targeted denial-of-service risk primarily affecting network operators using FastNetMon for DDoS detection - no public exploit code identified at time of analysis.
Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.
Heap-based buffer overflow in Perl interpreters up to and including 5.43.10 on 32-bit builds lets a caller that compiles an attacker-controlled regular expression corrupt heap memory at regex compile time, with potential for code execution. The flaw stems from an integer overflow in Perl_study_chunk when optimizing a repeated fixed substring, and is rated CVSS 9.8 by NVD. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; the issue is limited to 32-bit Perl builds and applications that feed untrusted input into regex compilation.
Out-of-bounds read in GNU LibreDWG's dwggrep utility exposes heap memory when processing maliciously crafted DWG files containing LTYPE objects with unterminated wide-character dash text strings. Affected versions span 0.1 through 0.14 (CPE: cpe:2.3:a:gnu:libredwg). A local authenticated attacker can trigger partial information disclosure by supplying a crafted DWG file to the dwggrep command-line tool; a public proof-of-concept DWG payload exists, though EPSS of 0.01% (2nd percentile) and absence from CISA KEV indicate no widespread exploitation activity at time of analysis.
Heap-based buffer overflow in GNU LibreDWG's dwgread utility (versions 0.1 through 0.14) allows a local attacker with low privileges to corrupt heap memory by supplying a specially crafted R2004-format DWG file. The vulnerable function decompress_R2004_section in src/decode.c fails to validate decompression offset and size parameters before writing, enabling out-of-bounds heap writes with partial confidentiality, integrity, and availability impact. Publicly available exploit code exists as a crafted DWG file; however, no active exploitation is confirmed (not in CISA KEV), EPSS is 0.01% (2nd percentile), and the local-only attack vector sharply constrains real-world risk.
Heap-based buffer overflow in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) exposes users of the dwgread utility to partial confidentiality, integrity, and availability compromise when processing a maliciously crafted DWG file. All released versions from 0.1 through 0.14 are affected, and a publicly available proof-of-concept exploit file exists on GitHub. No vendor patch has been issued; the project has not responded to the responsible disclosure despite early notification via issue report.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low-privilege credentials to corrupt memory via a crafted submit-url parameter sent to the formSDHCP handler at /goform/formSDHCP. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), but EPSS is only 0.04% and the vendor has not responded to coordinated disclosure, leaving the device unpatched.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows remote authenticated attackers to corrupt memory by submitting an oversized 'submit-url' argument to the formStats handler at /goform/formStats. Publicly available exploit code exists (VulDB-published PoC on GitHub), though EPSS estimates exploitation probability at only 0.04%. The vendor was notified but has not responded, leaving deployed devices without an official fix.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 Wi-Fi range extender allows remote attackers with low privileges to corrupt memory via the submit-url parameter handled by the formrefresh function at /goform/formrefresh. Publicly available exploit code exists per VulDB, though EPSS scoring (0.04%) suggests limited mass exploitation activity, and the vendor has not responded to the disclosure, leaving devices without an official fix.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows authenticated remote attackers to corrupt memory via the submit-url parameter of the formLogout handler at /goform/formLogout. Publicly available exploit code exists per VulDB disclosure, and the vendor failed to respond to coordinated disclosure, leaving the device unpatched. EPSS probability is currently very low (0.04%, 13th percentile), but the device class - consumer SOHO networking gear - is a recurring target for botnet recruitment.
Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 range extender allows remote authenticated attackers to corrupt memory by submitting an oversized submit-url parameter to the formLicence handler at /goform/formLicence. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, leaving deployed devices without a fix. EPSS exploitation probability remains low (0.04%, 13th percentile) despite the public POC, indicating limited but credible risk for exposed devices.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender enables remote low-privileged attackers to compromise the device by supplying an oversized submit-url argument to the /goform/formWpsProxyEnable web management endpoint. Exploitation achieves full confidentiality, integrity, and availability impact on the device per CVSS VC:H/VI:H/VA:H, and a public proof-of-concept is available on GitHub. No vendor patch exists - Edimax did not respond to coordinated disclosure - though EPSS remains low at 0.04% (13th percentile) and the vulnerability is not listed in CISA KEV, suggesting limited observed exploitation despite the available POC.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows remote authenticated attackers to corrupt memory by sending an oversized submit-url parameter to the formRadius handler at /goform/formRadius. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure attempts, leaving the device without a confirmed fix. EPSS probability is currently low (0.04%), but the combination of a public PoC, total technical impact, and unpatched status warrants urgent attention for any deployed units.
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 range extenders allows authenticated remote attackers to corrupt memory by sending a crafted submit-url parameter to the formAccept handler at /goform/formAccept. Publicly available exploit code exists (VulDB-disclosed, with a PoC published on GitHub), but EPSS rates real-world exploitation probability at only 0.04% (13th percentile) and the vendor has not responded to disclosure, leaving the device permanently exposed.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low privileges to corrupt memory by sending crafted max_Conn or timeOut parameters to /goform/formConnectionSetting. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices unpatched. EPSS probability is low (0.04%), but the combination of public POC, network reachability, and full CIA impact warrants prompt action on exposed devices.
Remote buffer overflow in the Edimax BR-6478AC router (firmware 1.23) allows authenticated attackers to corrupt memory by submitting a crafted L2TPUserName parameter to the /goform/formL2TPSetup endpoint. Publicly available exploit code exists (VulDB-published POC on Notion), and SSVC rates technical impact as total despite a low 0.04% EPSS score. The vendor was contacted but has not responded, leaving the device without an official fix.
Stack/buffer overflow in the Edimax BR-6478AC 1.23 wireless router's web management interface allows authenticated remote attackers to corrupt memory by submitting an oversized selSSID parameter to /goform/formiNICSiteSurvey, with publicly available exploit code exists and no vendor response to coordinated disclosure. The flaw affects the formiNICSiteSurvey POST request handler and yields high impact on confidentiality, integrity, and availability of the device. EPSS is low (0.04%, 13th percentile), indicating limited mass-scanning activity despite the published exploit.
Stack-based buffer overflow in Tenda F1202 router firmware 1.2.0.20(408) allows authenticated remote attackers to corrupt memory via the opttype parameter in the fromPptpUserAdd function at /goform/PptpUserAdd, enabling potential arbitrary code execution with total impact on confidentiality, integrity, and availability. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), though EPSS rates exploitation probability low at 0.05% and the issue is not on CISA KEV.
Stack-based buffer overflow in the Tenda F1202 router (firmware 1.2.0.20(408)) allows remote attackers to corrupt memory by sending a crafted 'dips' parameter to the formGstDhcpSetSer handler at /goform/GstDhcpSetSer. Publicly available exploit code exists (published via VulDB/GitHub), though EPSS rates real-world exploitation probability very low at 0.05%, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda F1202 router (firmware 1.2.0.20(408)) allows remote attackers to corrupt memory by sending a crafted 'delno' parameter to the /goform/WrlExtraSet endpoint handled by the formWrlExtraSet function. Publicly available exploit code exists, though EPSS predicts only a 0.05% exploitation probability (14th percentile), and SSVC classifies the technical impact as total despite the attack not being automatable.
Stack-based buffer overflow in the Tenda F1202 router firmware 1.2.0.20(408) allows authenticated remote attackers to corrupt memory via the delno parameter of the /goform/PPTPUserSetting endpoint handled by fromPPTPUserSetting. Publicly available exploit code exists per VulDB disclosure, though EPSS rates the exploitation probability at only 0.05% (14th percentile) and no public exploit identified at time of analysis appears in CISA KEV. Successful exploitation can compromise confidentiality, integrity, and availability of the device.
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 wireless range extenders allows remote authenticated attackers to corrupt memory by manipulating the selSSID or submit-url parameters in the formWlSiteSurvey handler (/goform/formWlSiteSurvey) of the embedded web server. Publicly available exploit code exists and the vendor did not respond to disclosure attempts, leaving the device without a confirmed patch. EPSS rates exploitation probability low at 0.04%, but the combination of public PoC and unresponsive vendor makes exposed devices a concrete risk.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low privileges to corrupt memory and likely achieve code execution by manipulating multiple parameters (Anntena, Mcs, regDomain, nic0Addr/nic1Addr/wlanAddr/wanAddr, wlanSSID, wlanChan, initgain, txcck, txofdm, submit-url) sent to the formHwSet handler at /goform/formHwSet. Publicly available exploit code exists on GitHub, but EPSS rates real-world exploitation probability at only 0.04% (13th percentile) and the issue is not in CISA KEV. The vendor was contacted by the researcher but never responded, leaving the device unpatched.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 range extender's formWlanMP handler (/goform/formWlanMP) allows remote authenticated attackers to corrupt memory and potentially achieve arbitrary code execution on the device. Publicly available exploit code exists, but EPSS remains low at 0.04% and there is no CISA KEV listing, indicating no confirmed widespread active exploitation. The vendor was contacted but did not respond, leaving the issue unpatched.
Stack/heap buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows authenticated remote attackers to corrupt memory by sending a crafted POST request with an oversized selSSID parameter to /goform/formWlSiteSurvey, potentially achieving code execution on the device. Publicly available exploit code exists (disclosed by VulDB), and the vendor was contacted early but did not respond, leaving the device without an official fix. EPSS probability is low (0.04%, 13th percentile) and the issue is not listed in CISA KEV.
Buffer overflow in the Edimax BR-6675nD 1.12 wireless router's web management interface allows remote attackers with low-level credentials to corrupt memory via a crafted pppUserName parameter sent to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists (disclosed via VulDB and a Notion writeup), and SSVC rates the technical impact as total, though EPSS remains very low at 0.04%. The vendor did not respond to coordinated disclosure, leaving affected devices without a confirmed fix.
Stack buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote authenticated attackers to corrupt memory and achieve total compromise via a crafted pppUserName parameter sent to /goform/formsetPPPoE. Publicly available exploit code exists and the vendor did not respond to the disclosure, leaving deployed devices exposed without an official fix. EPSS exploitation probability is low (0.04%) despite the public POC, but SSVC rates technical impact as total.
Buffer overflow in the H3C Magic B0 router (firmware up to 100R002) allows authenticated remote attackers to corrupt memory via the param argument handled by the Edit_BasicSSID_5G function in /goform/aspForm, leading to high impact on confidentiality, integrity, and availability. Publicly available exploit code exists per VulDB, though EPSS remains very low (0.04%, 13th percentile) and the issue is not listed in CISA KEV, indicating no public exploit identified as actively used at time of analysis. The vendor was contacted but did not respond, increasing risk of an unpatched window for exposed devices.
Buffer overflow in the Tenda F456 router (firmware 1.0.0.5) allows remote attackers with low privileges to corrupt memory via the page parameter handled by the frmL7ImForm function exposed at /goform/L7Im. Publicly available exploit code exists, though EPSS rates near-term exploitation probability at only 0.05% (14th percentile) and the issue is not listed in CISA KEV.
Stack buffer overflow in the Edimax BR-6675nD 1.12 router's PPTP setup handler allows remote authenticated attackers to corrupt memory and potentially execute arbitrary code via an oversized pptpUserName POST parameter to /goform/formPPTPSetup. Publicly available exploit code exists (SSVC: PoC), though EPSS estimates exploitation probability at only 0.04% (13th percentile), reflecting the niche, end-of-life nature of the device. The vendor was notified prior to disclosure but did not respond, leaving affected units without an official fix.
Buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote attackers to corrupt memory by sending a malicious pppUserName parameter to the /goform/formPPPoESetup endpoint. Publicly available exploit code exists, raising the risk of opportunistic targeting despite a low EPSS score of 0.04%, and the vendor has not responded to coordinated disclosure attempts.
Stack/heap buffer overflow in Edimax BR-6675nD 1.12 routers allows authenticated remote attackers to corrupt memory via an oversized L2TPUserName parameter sent to the /goform/formL2TPSetup endpoint, with publicly available exploit code exists. The vendor was notified early but has not responded, and no patch has been released, leaving deployed devices exposed. EPSS probability is low (0.04%, 13th percentile) but the combination of public POC, network reachability, and total technical impact (per SSVC) makes this a credible threat against unpatched edge devices.
Heap-based buffer overflow in Ettercap's GG protocol dissector (versions up to 0.8.3) allows remote attackers to potentially achieve limited confidentiality, integrity, and availability compromise through crafted network traffic. The vulnerability exists in the ec_gg.c dissector when processing Gadu-Gadu instant messaging protocol packets. Publicly available exploit code exists (GitHub issue #1306), and vendor has released patch version 0.8.4 (commit feeae6fa). Despite network attack vector, exploitation difficulty is high (AC:H) with low EPSS risk, suggesting specialized targeting rather than mass exploitation.
Buffer overflow in Edimax EW-7438RPn Wi-Fi range extender firmware 1.28a enables authenticated remote attackers to execute arbitrary code via malformed POST requests to the wireless encryption configuration endpoint. The vulnerability requires low-privilege authentication and has publicly available exploit code. No vendor response or patch has been provided despite early disclosure attempts.
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code by sending malicious input to the /goform/mp endpoint in the web server component. Public exploit code exists on GitHub, though the vulnerability is not listed in CISA KEV. The vendor failed to respond to responsible disclosure attempts, leaving devices unpatched.
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code via crafted POST requests to the wireless table management interface. The vulnerability affects the formWirelessTbl function when processing the submit-url parameter, with publicly available exploit code on GitHub demonstrating the attack method.
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware versions up to 1.31 enables authenticated remote attackers to execute arbitrary code by sending malformed parameters to the device configuration interface. The vulnerability affects the formWizSurvey function in /goform/formWizSurvey when processing ssid, manualssid, ip, mask, or gateway parameters, with publicly available exploit code existing on GitHub.
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 allows authenticated remote attackers to crash or execute code on the device by sending malicious input to the WPS configuration interface. The vulnerability occurs when processing the pinCode or wlan-url parameters in /goform/formWpsStart, with publicly available exploit code on GitHub demonstrating the attack.
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Kernel panic in the Linux kernel's Open vSwitch (openvswitch) subsystem allows a low-privileged local user to crash the host kernel on Ubuntu-default and similar configurations. The vport netlink reply handler pre-allocates a fixed-size buffer but lacks an upper-bound check on the upcall PID array size, causing nla_put() to return -EMSGSIZE and BUG_ON(err < 0) to fire in ovs_vport_cmd_set(), triggering a kernel panic. On systems with unprivileged user namespaces enabled (Ubuntu default), any local user can reach this path via unshare -Urn without requiring elevated privileges. No public exploit has been identified at time of analysis, and EPSS at 0.02% reflects low current exploitation probability.
Local denial of service in the Linux kernel's BPF CO-RE relocation parser allows a process holding CAP_BPF to deterministically crash the system by loading a BPF program with a negative CO-RE accessor index. The flaw stems from bpf_core_parse_spec() in the libbpf relocation core accepting negative values from sscanf("%d") that bypass upper-bound checks due to integer promotion, ultimately driving an out-of-bounds read past the BTF members array. EPSS is negligible (0.01%) and there is no public exploit identified at time of analysis; a kernel oops backtrace is published in the changelog but it serves as a crash reproducer rather than a weaponized exploit.
Remote code execution in Synology BeeStation OS versions before 1.3.2-65648 stems from a classic buffer overflow in the AdminCenter component, the device's web-based management interface. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates a network-reachable flaw exploitable by unauthenticated attackers with low complexity and no user interaction, yielding full compromise of confidentiality, integrity, and availability (9.8 Critical). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network-RCE profile on a consumer NAS device makes this a high-priority patch target.
Stack-based buffer overflow in the UTT HiPER 1250GW router (firmware up to 3.2.7-210907-180535) lets a network-adjacent authenticated user corrupt memory by supplying an oversized 'Profile' argument to the /goform/formGroupConfig endpoint of the Web Management Interface. The CVSS 4.0 score is 7.4, and publicly available exploit code exists, though the EPSS probability is very low (0.04%, 13th percentile) and it is not on the CISA KEV list. Successful exploitation can crash the device or potentially achieve arbitrary code execution on the router's management plane.
Stack-based buffer overflow in the web management interface of the UTT HiPER 1250GW router (firmware through 3.2.7-210907-180535) lets a remote, low-privileged attacker corrupt memory by submitting an oversized Profile value to the /goform/formConfigFastDirectionW handler, which passes it to an unbounded strcpy. The CVSS 4.0 vector rates confidentiality, integrity, and availability impact as High, consistent with potential code execution or device crash. Publicly available exploit code exists per the VulDB submission, though EPSS is very low (0.04%, 13th percentile) and there is no public exploit identified as actively exploited.
Stack-based buffer overflow in the UTT HiPER 1200GW router's Web Management Interface lets an authenticated, network-adjacent attacker corrupt memory by submitting oversized values to the PPTP client configuration handler (/goform/formPptpClientConfig), affecting firmware up to 2.5.3-170306. A successful overflow can crash the device or potentially achieve code execution on the embedded gateway, with high confidentiality, integrity, and availability impact on the device itself. Publicly available exploit code exists (CVSS 4.0 base 7.4), but the EPSS score is very low at 0.04% (13th percentile) and the issue is not listed in CISA KEV.
Stack buffer overflow in the UTT HiPER 1200GW router (firmware up to 2.5.3-170306) lets a remote, low-privileged user crash the device or potentially execute arbitrary code by submitting oversized sysAdmUser or sysAdmPass values to the /goform/setSysAdm endpoint of the Web Management Interface. The flaw stems from an unbounded strcpy call, and publicly available exploit code exists, though EPSS rates near-term mass exploitation as very low (0.04%). No CISA KEV listing or vendor patch has been identified.
Arbitrary code execution in GDAL 3.1.0 through 3.13.0 is reachable through the netCDF driver, where scanForGeometryContainers (frmts/netcdf/netcdfsg.cpp) copies a CF-convention geometry attribute into a fixed-size stack buffer without checking its length. Any service or workflow that feeds attacker-supplied NetCDF files to GDAL can be coerced into overflowing the stack and running attacker code in the process context. No public exploit is identified at time of analysis and EPSS is just 0.01% (3rd percentile), yet the issue carries a CVSS of 7.4 because the outcome is full remote code execution on the host.
Heap-based buffer overflow in GNU LibreDWG through version 0.13.4.8160 lets an attacker corrupt heap memory by getting the library to parse a malicious DWG file, specifically a 2004-format file with a crafted compressed section processed via the dwgbmp thumbnail-extraction utility. The flaw stems from missing bounds validation in the decompression routine and is reachable without authentication or user privileges per its CVSS vector; impact is rated low across confidentiality, integrity, and availability (CVSS 7.3). Publicly available exploit code exists (a proof-of-concept DWG sample), but the issue is not listed in CISA KEV, and an official upstream fix has been committed.
Out-of-bounds read in Apple macOS (all versions prior to macOS Tahoe 26) allows a locally authenticated, low-privileged application to trigger unexpected system termination, constituting a local denial-of-service condition. The root cause is insufficient bounds checking in a macOS component, addressed by Apple in macOS Tahoe 26. No public exploit code exists and this vulnerability is not listed in CISA KEV, though a vendor-confirmed patch is available.
Memory corruption via an off-by-one error in GnuTLS PKCS#12 bag element handling exposes any application using GnuTLS to remote unauthenticated denial of service - and potentially unspecified further impact - when a crafted PKCS#12 structure is parsed. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no elevated complexity, making internet-exposed services that parse client-supplied PKCS#12 inputs the primary risk surface. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap overread against TLS servers that perform legacy RSA key exchange using a private key backed by a PKCS#11 token. By sending an abnormally short premaster secret, the attacker causes the library to read beyond an allocated buffer (CWE-1284), which can leak a small amount of adjacent heap memory and, per the CVSS vector, more strongly impacts availability (A:H). No public exploit has been identified at time of analysis and the issue is not in CISA KEV; EPSS and SSVC data were not provided.
Out-of-bounds write in NVIDIA Virtual GPU Manager exposes virtualized GPU deployments to denial of service, data tampering, and information disclosure. A local, low-privileged attacker operating within a virtualized environment can trigger the memory corruption flaw in the host-side vGPU manager component across multiple affected driver branches (vGPU 16.x through 20.x). No public exploit code exists at time of analysis, and EPSS probability is at the 2nd percentile, but the high availability impact (A:H in CVSS) and the prevalence of vGPU in enterprise virtualization infrastructure warrant prompt patching.
Local privilege escalation in the NVIDIA Display Driver for Windows and Linux allows an authenticated low-privileged user to trigger an out-of-bounds write (CWE-787) in the kernel-mode driver, potentially leading to code execution, privilege escalation, information disclosure, data tampering, or denial of service. The flaw affects GeForce, RTX/Quadro/NVS, and Tesla product lines, with NVIDIA confirming the vulnerability and releasing patched driver versions. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.01%.
Out-of-bounds read in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and vGPU Guest drivers) allows a locally authenticated user to trigger denial of service and information disclosure. The flaw carries a CVSS 3.1 score of 7.1 (AV:L/AC:L/PR:L), and per CISA SSVC there is no public exploit identified at time of analysis (Exploitation: none), with EPSS at 0.01% indicating negligible near-term exploitation likelihood. NVIDIA has published fixed driver versions across all affected branches in advisory ID 5821.
Local privilege escalation in NVIDIA Display Driver for Linux (GeForce, RTX/Quadro/NVS, Tesla, and Virtual GPU Manager branches) stems from an incorrect numeric type conversion (CWE-681) that produces a heap buffer overflow. A locally authenticated attacker with low privileges can trigger the flaw to achieve code execution, privilege escalation, information disclosure, data tampering, or denial of service. No public exploit identified at time of analysis, and EPSS is very low (0.01%, 1st percentile), but technical impact per SSVC is total.
Heap-based buffer overflow in IBM HTTP Server 8.5 and 9.0 allows an attacker already authenticated to the Administration Server to execute arbitrary code or crash the service. The flaw requires adjacent network access and existing low-level privileges, and no public exploit identified at time of analysis despite the high CVSS 8.0 rating. EPSS probability is negligible (0.01%) and SSVC marks exploitation as 'none,' indicating the issue is currently a patch-and-move-on item rather than an emergency.
Arbitrary code execution in Autodesk 3ds Max 2026 and 2027 occurs when the application parses a maliciously crafted WRL (VRML) file, leading to memory corruption that runs attacker-controlled code in the context of the current user. The flaw requires user interaction to open a malicious file and has no public exploit identified at time of analysis, with EPSS estimating only a 0.01% exploitation probability over the next 30 days. SSVC rates technical impact as total but classifies exploitation as 'none' and not automatable, consistent with a client-side file-format attack rather than a wormable internet-facing flaw.
Arbitrary code execution in Autodesk 3ds Max 2026 (<2026.1) and 2027 (<2027.1) is possible when a user opens a maliciously crafted WRL (VRML) file, triggering a memory corruption (buffer overflow) condition that runs attacker code in the context of the 3ds Max process. The flaw was reported by Autodesk itself and carries a CVSS 7.8 (local, user-interaction required); no public exploit has been identified and EPSS is 0.01%, indicating no observed exploitation activity to date. SSVC rates technical impact as total but exploitation as none and not automatable, consistent with a file-format parser bug requiring social engineering.
Out-of-bounds write in Autodesk 3ds Max 2026 and 2027 enables arbitrary code execution when a user opens a maliciously crafted TIF image file, with impact ranging from process crash to data corruption to code execution in the context of the running application. The flaw requires local file handling and user interaction (UI:R), and there is no public exploit identified at time of analysis. EPSS is negligible (0.01%) and SSVC marks exploitation status as none, but the technical impact is rated total, making this a credible client-side risk for design and VFX workstations.
Heap buffer overflow in libsolv allows local attackers to corrupt memory when a vulnerable application processes a maliciously crafted .solv repository metadata file. The flaw stems from insufficient input validation during decompression of attacker-controlled data, enabling information disclosure, control-flow alteration, or denial of service across multiple Red Hat Enterprise Linux releases and SUSE distributions. SSVC marks exploitation as PoC-level with total technical impact, while EPSS remains very low at 0.01%, indicating limited probability of widespread exploitation despite high severity.
Heap buffer overflow in FreeRDP versions prior to 3.26.0 allows a malicious RDP server to write out-of-bounds heap memory on connecting clients through the gdi_CacheToSurface function, potentially leading to remote code execution or client crash. The flaw stems from inconsistent rectangle validation where coordinates are clamped to UINT16_MAX but copy operations use unclamped cache entry dimensions. Publicly available exploit code exists per SSVC, though EPSS exploitation probability remains low at 0.06%.
Heap-based buffer overflow in Check Point Quantum Security Gateway's HTTP-based service allows unauthenticated remote attackers to cause availability disruption by sending crafted malformed HTTP requests requiring no authentication or user interaction. Affected deployments span all R81.10 releases and below, R81.20 through Jumbo Hotfix Take 127, R82 through Jumbo Hotfix Take 91, and R82.10 through Jumbo Hotfix Take 19. No public exploit identified at time of analysis, though SSVC classifies the attack as automatable with total technical impact - a meaningful tension with the CVSS A:L rating that security teams should scrutinize before deprioritizing.
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to crash the VPN processing service by sending specially crafted IKE packets over NAT-T (UDP/4500). Multiple supported releases (R81.10 and below, R81.20, R82, R82.10) are affected up to specific Jumbo Hotfix takes. No public exploit identified at time of analysis, and EPSS is low at 0.06% (17th percentile), suggesting limited near-term exploitation likelihood despite the 8.1 CVSS score.
Denial of service in Check Point Quantum Security Gateway allows remote unauthenticated attackers to terminate the VPN service by sending a malformed IKE fragment to UDP port 500 during the early phase of a connection attempt. The flaw affects multiple R81.x, R82, and R82.10 release trains running below specific Jumbo Hotfix Takes; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Heap-based buffer overflow in Squirrel versions 3.0 through 3.2 allows a locally authenticated low-privilege attacker to corrupt heap memory by supplying a malicious Cnut file to the ReadObject function in sqobject.cpp. The impact is limited to partial confidentiality, integrity, and availability effects with no scope change, as confirmed by the CVSS 4.0 score of 1.9. A public proof-of-concept exploit exists on GitHub, but this vulnerability has not been confirmed actively exploited by CISA KEV, and EPSS places exploitation probability at just 0.01% (2nd percentile), indicating very low real-world exploitation activity.
Heap-based buffer overflow in Hitachi Energy MACH HiDraw's XML parser allows a low-privileged, locally authenticated attacker to corrupt heap memory by inducing a victim to open a specially crafted XML file, with a primary impact of high availability loss (application crash) and limited confidentiality and integrity compromise. Affected versions span MACH HiDraw 9.0 through versions prior to 9.22 per EUVD-2026-31812. No public exploit identified at time of analysis, and an EPSS score of 0.01% (3rd percentile) combined with an SSVC exploitation status of 'none' confirm minimal current real-world exploitation activity.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw affects MediaInfoLib 26.01 and was reported by Cisco Talos (TALOS-2026-2367); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Heap buffer overflow in MediaArea MediaInfoLib's ID3v2 metadata parser allows local attackers to achieve arbitrary code execution when a victim opens a crafted media file. The flaw affects MediaInfoLib 26.01 and requires user interaction to trigger, with no public exploit identified at time of analysis. While CVSS rates it 7.8 (High), the very low EPSS score (0.01%) and SSVC 'Exploitation: none' signal suggest no widespread targeting is occurring.
Denial of service in CODESYS Control runtime products and HMI/Toolkit components allows unauthenticated remote attackers to crash affected industrial control systems by sending malformed HTTP requests that trigger a size-limited out-of-bounds write during length parsing. The flaw affects a broad range of CODESYS runtime variants used across PLCs, industrial PCs, and embedded controllers from vendors like Beckhoff, WAGO, and Raspberry Pi-based deployments. No public exploit identified at time of analysis, EPSS is low (0.07%), but the network-reachable, no-privileges-required attack surface makes this operationally significant for OT environments.
Out-of-bounds read in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) affects all versions through 0.14, allowing a local low-privileged attacker to crash the dwgbmp utility or any LibreDWG-based application by supplying a crafted DWG 2004 file with manipulated section address or size fields. Impact is limited to availability (application crash) with no confirmed confidentiality or integrity exposure per the CVSS 4.0 vector. A publicly available proof-of-concept DWG file exists on GitHub, but EPSS at 0.01% (2nd percentile) and no CISA KEV listing confirm this is not currently subject to widespread exploitation.
Symlink-based path traversal in the Perl module Archive::Tar before version 3.08 allows a malicious tar archive to write or point files outside the intended extraction directory. When an application extracts an attacker-supplied archive, symlink entries whose targets are absolute paths or contain '..' traversal sequences are followed without validation, letting an attacker place links that resolve to arbitrary filesystem locations. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the issue is rated CVSS 9.1 because Archive::Tar is widely embedded in automated server-side processing of untrusted archives.
Arbitrary file modification in the Perl Archive::Tar module before version 3.08 allows a malicious tar archive to create hardlinks pointing outside the extraction directory. Any application or service that extracts attacker-supplied tarballs is affected: because extraction chmods the shared inode of a hardlink, an attacker can alter permissions of sensitive files outside the intended target path. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; it is not listed in CISA KEV.
Buffer overflow in FastNetMon Community Edition through 1.2.9 allows a local attacker with no privileges to crash the FastNetMon process, disabling DDoS detection and network monitoring capabilities. The vulnerability is specifically tied to a sprintf-based overflow in the ExaBGP integration component, as documented in the Lorikeetsecurity advisory. This is one of at least three distinct buffer overflow vulnerabilities (alongside CVE-2026-48686 and CVE-2026-48689) identified in the same product version, suggesting a broader audit surfaced a class of unsafe string-handling bugs. No public exploit identified at time of analysis, and the impact is limited to availability (denial of service) with no confidentiality or integrity exposure.
Remote code execution in FastNetMon Community Edition through 1.2.9 stems from an off-by-one heap write in the pervasively-used dynamic_binary_buffer_t class, reachable by anyone who can send NetFlow, sFlow, IPFIX, or BGP traffic to the DDoS-detection appliance. Because the flawed buffer is exercised during BGP encoding/decoding, NetFlow template parsing, and Flow Spec NLRI construction, an unauthenticated network attacker can corrupt adjacent heap metadata and potentially execute arbitrary code. The flaw carries a critical CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), but no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Heap corruption in FastNetMon Community Edition through 1.2.9 allows authenticated local users to trigger an integer overflow in the packet capture buffer allocation routine, resulting in undersized allocations followed by out-of-bounds heap writes during packet storage. The flaw stems from 32-bit unsigned arithmetic in allocate_buffer() in src/packet_storage.hpp, where a sufficiently large ban_details_records_count configuration value causes the memory size calculation to wrap. No public exploit identified at time of analysis and EPSS exploitation probability is negligible at 0.01%.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to leak adjacent process memory by sending crafted BGP UPDATE messages containing malformed MP_REACH_NLRI IPv6 attributes. The flaw resides in decode_mp_reach_ipv6() where attacker-controlled length fields drive memcpy operations without bounds validation, and is acknowledged by an in-source TODO comment by the maintainer. No public exploit identified at time of analysis, EPSS is low (0.03%), and CISA SSVC classifies exploitation as 'none' but 'automatable: yes', meaning weaponization is technically straightforward if a threat actor invests effort.
Out-of-bounds read in FastNetMon Community Edition through 1.2.9 exposes network monitoring infrastructure to unauthenticated remote attack via malformed NetFlow v9 UDP packets. The vulnerability resides in the options template parser (process_netflow_v9_options_template()), where attacker-controlled length fields - option_scope_length and option_length - drive iteration loops with no bounds validation, enabling reads past the end of the UDP packet buffer. With a CVSS vector of AV:N/AC:L/PR:N/UI:N and SSVC automatable:yes, mass exploitation is technically feasible, though EPSS sits at 0.03% (9th percentile) and no public exploit or KEV listing has been identified at time of analysis.
Out-of-bounds memory read in FastNetMon Community Edition through 1.2.9 exposes sensitive process memory and can crash the collector when processing crafted NetFlow v9 packets. The NetFlow v9 data flowset parser in src/netflow_plugin/netflow_v9_collector.cpp omits the per-iteration boundary check present in the sibling Options template branch, allowing a network-adjacent attacker who can deliver UDP NetFlow v9 packets to the collector to supply malicious template definitions that drive the parser past the end of the packet buffer. No public exploit code or confirmed active exploitation has been identified at time of analysis, but a security researcher blog post at lorikeetsecurity.com documents the code-level flaw, raising the disclosure surface.
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
Out-of-bounds memory access in FastNetMon Community Edition through 1.2.9 allows an authenticated BGP peer to crash the monitoring process by sending a crafted UPDATE message. The parser in src/bgp_protocol.hpp correctly detects the RFC 4271 Extended Length flag but reads only one byte of the mandatory two-byte length field, silently truncating attribute lengths above 255 bytes and causing cascading misparse of subsequent BGP data. With CVSS availability impact rated High and SSVC confirming no known active exploitation, this is a targeted denial-of-service risk primarily affecting network operators using FastNetMon for DDoS detection - no public exploit code identified at time of analysis.
Stack-based buffer overflow in FastNetMon Community Edition through 1.2.9 allows remote unauthenticated attackers to achieve arbitrary code execution by sending a crafted BGP UPDATE message containing a malformed NLRI prefix length value. The vulnerable function decode_bgp_subnet_encoding_ipv4_raw() in src/bgp_protocol.cpp reads prefix_bit_length directly from the wire without bounding it to the IPv4 maximum of 32, enabling a memcpy of up to 32 bytes into a 4-byte stack variable - a potential 28-byte stack smash. Despite a critical CVSS score of 9.8 and SSVC technical impact rated 'total', EPSS sits at just 0.02% (7th percentile) and SSVC exploitation status is 'none', indicating no known active exploitation at time of analysis; however, a public security research writeup from Lorikeetsecurity exists that details the flaw.
Heap-based buffer overflow in Perl interpreters up to and including 5.43.10 on 32-bit builds lets a caller that compiles an attacker-controlled regular expression corrupt heap memory at regex compile time, with potential for code execution. The flaw stems from an integer overflow in Perl_study_chunk when optimizing a repeated fixed substring, and is rated CVSS 9.8 by NVD. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis; the issue is limited to 32-bit Perl builds and applications that feed untrusted input into regex compilation.
Out-of-bounds read in GNU LibreDWG's dwggrep utility exposes heap memory when processing maliciously crafted DWG files containing LTYPE objects with unterminated wide-character dash text strings. Affected versions span 0.1 through 0.14 (CPE: cpe:2.3:a:gnu:libredwg). A local authenticated attacker can trigger partial information disclosure by supplying a crafted DWG file to the dwggrep command-line tool; a public proof-of-concept DWG payload exists, though EPSS of 0.01% (2nd percentile) and absence from CISA KEV indicate no widespread exploitation activity at time of analysis.
Heap-based buffer overflow in GNU LibreDWG's dwgread utility (versions 0.1 through 0.14) allows a local attacker with low privileges to corrupt heap memory by supplying a specially crafted R2004-format DWG file. The vulnerable function decompress_R2004_section in src/decode.c fails to validate decompression offset and size parameters before writing, enabling out-of-bounds heap writes with partial confidentiality, integrity, and availability impact. Publicly available exploit code exists as a crafted DWG file; however, no active exploitation is confirmed (not in CISA KEV), EPSS is 0.01% (2nd percentile), and the local-only attack vector sharply constrains real-world risk.
Heap-based buffer overflow in GNU LibreDWG's read_2004_compressed_section function (src/decode.c) exposes users of the dwgread utility to partial confidentiality, integrity, and availability compromise when processing a maliciously crafted DWG file. All released versions from 0.1 through 0.14 are affected, and a publicly available proof-of-concept exploit file exists on GitHub. No vendor patch has been issued; the project has not responded to the responsible disclosure despite early notification via issue report.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low-privilege credentials to corrupt memory via a crafted submit-url parameter sent to the formSDHCP handler at /goform/formSDHCP. Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), but EPSS is only 0.04% and the vendor has not responded to coordinated disclosure, leaving the device unpatched.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows remote authenticated attackers to corrupt memory by submitting an oversized 'submit-url' argument to the formStats handler at /goform/formStats. Publicly available exploit code exists (VulDB-published PoC on GitHub), though EPSS estimates exploitation probability at only 0.04%. The vendor was notified but has not responded, leaving deployed devices without an official fix.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 Wi-Fi range extender allows remote attackers with low privileges to corrupt memory via the submit-url parameter handled by the formrefresh function at /goform/formrefresh. Publicly available exploit code exists per VulDB, though EPSS scoring (0.04%) suggests limited mass exploitation activity, and the vendor has not responded to the disclosure, leaving devices without an official fix.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows authenticated remote attackers to corrupt memory via the submit-url parameter of the formLogout handler at /goform/formLogout. Publicly available exploit code exists per VulDB disclosure, and the vendor failed to respond to coordinated disclosure, leaving the device unpatched. EPSS probability is currently very low (0.04%, 13th percentile), but the device class - consumer SOHO networking gear - is a recurring target for botnet recruitment.
Flash Slideshow Maker Professional 5.20 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Socusoft 3GP Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by exploiting structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SocuSoft iPod Photo Slideshow 8.05 contains a buffer overflow vulnerability in the registration dialog that allows local attackers to execute arbitrary code by overwriting the structured exception. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SocuSoft DVD Photo Slideshow Professional 8.07 contains a stack-based buffer overflow vulnerability in the registration name field that allows local attackers to execute arbitrary code by exploiting. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Visual Ping 0.8.0.0 contains a buffer overflow vulnerability in input field handling that allows local attackers to crash the application by supplying oversized data. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
NASA openVSP 3.16.1 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the geometry name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
CuteFTP 5.0 XP contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by injecting malicious payload into the Site Manager label field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AgataSoft Auto PingMaster 1.5 contains a stack-based buffer overflow vulnerability in the Trace Route host name field that allows local attackers to execute arbitrary code by triggering structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 range extender allows remote authenticated attackers to corrupt memory by submitting an oversized submit-url parameter to the formLicence handler at /goform/formLicence. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, leaving deployed devices without a fix. EPSS exploitation probability remains low (0.04%, 13th percentile) despite the public POC, indicating limited but credible risk for exposed devices.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender enables remote low-privileged attackers to compromise the device by supplying an oversized submit-url argument to the /goform/formWpsProxyEnable web management endpoint. Exploitation achieves full confidentiality, integrity, and availability impact on the device per CVSS VC:H/VI:H/VA:H, and a public proof-of-concept is available on GitHub. No vendor patch exists - Edimax did not respond to coordinated disclosure - though EPSS remains low at 0.04% (13th percentile) and the vulnerability is not listed in CISA KEV, suggesting limited observed exploitation despite the available POC.
Stack-based buffer overflow in the Edimax EW-7438RPn Wi-Fi range extender (firmware 1.31) allows remote authenticated attackers to corrupt memory by sending an oversized submit-url parameter to the formRadius handler at /goform/formRadius. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure attempts, leaving the device without a confirmed fix. EPSS probability is currently low (0.04%), but the combination of a public PoC, total technical impact, and unpatched status warrants urgent attention for any deployed units.
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 range extenders allows authenticated remote attackers to corrupt memory by sending a crafted submit-url parameter to the formAccept handler at /goform/formAccept. Publicly available exploit code exists (VulDB-disclosed, with a PoC published on GitHub), but EPSS rates real-world exploitation probability at only 0.04% (13th percentile) and the vendor has not responded to disclosure, leaving the device permanently exposed.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low privileges to corrupt memory by sending crafted max_Conn or timeOut parameters to /goform/formConnectionSetting. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices unpatched. EPSS probability is low (0.04%), but the combination of public POC, network reachability, and full CIA impact warrants prompt action on exposed devices.
Remote buffer overflow in the Edimax BR-6478AC router (firmware 1.23) allows authenticated attackers to corrupt memory by submitting a crafted L2TPUserName parameter to the /goform/formL2TPSetup endpoint. Publicly available exploit code exists (VulDB-published POC on Notion), and SSVC rates technical impact as total despite a low 0.04% EPSS score. The vendor was contacted but has not responded, leaving the device without an official fix.
Stack/buffer overflow in the Edimax BR-6478AC 1.23 wireless router's web management interface allows authenticated remote attackers to corrupt memory by submitting an oversized selSSID parameter to /goform/formiNICSiteSurvey, with publicly available exploit code exists and no vendor response to coordinated disclosure. The flaw affects the formiNICSiteSurvey POST request handler and yields high impact on confidentiality, integrity, and availability of the device. EPSS is low (0.04%, 13th percentile), indicating limited mass-scanning activity despite the published exploit.
Stack-based buffer overflow in Tenda F1202 router firmware 1.2.0.20(408) allows authenticated remote attackers to corrupt memory via the opttype parameter in the fromPptpUserAdd function at /goform/PptpUserAdd, enabling potential arbitrary code execution with total impact on confidentiality, integrity, and availability. Publicly available exploit code exists (VulDB-referenced PoC on GitHub), though EPSS rates exploitation probability low at 0.05% and the issue is not on CISA KEV.
Stack-based buffer overflow in the Tenda F1202 router (firmware 1.2.0.20(408)) allows remote attackers to corrupt memory by sending a crafted 'dips' parameter to the formGstDhcpSetSer handler at /goform/GstDhcpSetSer. Publicly available exploit code exists (published via VulDB/GitHub), though EPSS rates real-world exploitation probability very low at 0.05%, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda F1202 router (firmware 1.2.0.20(408)) allows remote attackers to corrupt memory by sending a crafted 'delno' parameter to the /goform/WrlExtraSet endpoint handled by the formWrlExtraSet function. Publicly available exploit code exists, though EPSS predicts only a 0.05% exploitation probability (14th percentile), and SSVC classifies the technical impact as total despite the attack not being automatable.
Stack-based buffer overflow in the Tenda F1202 router firmware 1.2.0.20(408) allows authenticated remote attackers to corrupt memory via the delno parameter of the /goform/PPTPUserSetting endpoint handled by fromPPTPUserSetting. Publicly available exploit code exists per VulDB disclosure, though EPSS rates the exploitation probability at only 0.05% (14th percentile) and no public exploit identified at time of analysis appears in CISA KEV. Successful exploitation can compromise confidentiality, integrity, and availability of the device.
Stack-based buffer overflow in Edimax EW-7438RPn 1.31 wireless range extenders allows remote authenticated attackers to corrupt memory by manipulating the selSSID or submit-url parameters in the formWlSiteSurvey handler (/goform/formWlSiteSurvey) of the embedded web server. Publicly available exploit code exists and the vendor did not respond to disclosure attempts, leaving the device without a confirmed patch. EPSS rates exploitation probability low at 0.04%, but the combination of public PoC and unresponsive vendor makes exposed devices a concrete risk.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 wireless range extender allows remote attackers with low privileges to corrupt memory and likely achieve code execution by manipulating multiple parameters (Anntena, Mcs, regDomain, nic0Addr/nic1Addr/wlanAddr/wanAddr, wlanSSID, wlanChan, initgain, txcck, txofdm, submit-url) sent to the formHwSet handler at /goform/formHwSet. Publicly available exploit code exists on GitHub, but EPSS rates real-world exploitation probability at only 0.04% (13th percentile) and the issue is not in CISA KEV. The vendor was contacted by the researcher but never responded, leaving the device unpatched.
Stack-based buffer overflow in the Edimax EW-7438RPn 1.31 range extender's formWlanMP handler (/goform/formWlanMP) allows remote authenticated attackers to corrupt memory and potentially achieve arbitrary code execution on the device. Publicly available exploit code exists, but EPSS remains low at 0.04% and there is no CISA KEV listing, indicating no confirmed widespread active exploitation. The vendor was contacted but did not respond, leaving the issue unpatched.
Stack/heap buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows authenticated remote attackers to corrupt memory by sending a crafted POST request with an oversized selSSID parameter to /goform/formWlSiteSurvey, potentially achieving code execution on the device. Publicly available exploit code exists (disclosed by VulDB), and the vendor was contacted early but did not respond, leaving the device without an official fix. EPSS probability is low (0.04%, 13th percentile) and the issue is not listed in CISA KEV.
Buffer overflow in the Edimax BR-6675nD 1.12 wireless router's web management interface allows remote attackers with low-level credentials to corrupt memory via a crafted pppUserName parameter sent to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists (disclosed via VulDB and a Notion writeup), and SSVC rates the technical impact as total, though EPSS remains very low at 0.04%. The vendor did not respond to coordinated disclosure, leaving affected devices without a confirmed fix.
Stack buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote authenticated attackers to corrupt memory and achieve total compromise via a crafted pppUserName parameter sent to /goform/formsetPPPoE. Publicly available exploit code exists and the vendor did not respond to the disclosure, leaving deployed devices exposed without an official fix. EPSS exploitation probability is low (0.04%) despite the public POC, but SSVC rates technical impact as total.
Buffer overflow in the H3C Magic B0 router (firmware up to 100R002) allows authenticated remote attackers to corrupt memory via the param argument handled by the Edit_BasicSSID_5G function in /goform/aspForm, leading to high impact on confidentiality, integrity, and availability. Publicly available exploit code exists per VulDB, though EPSS remains very low (0.04%, 13th percentile) and the issue is not listed in CISA KEV, indicating no public exploit identified as actively used at time of analysis. The vendor was contacted but did not respond, increasing risk of an unpatched window for exposed devices.
Buffer overflow in the Tenda F456 router (firmware 1.0.0.5) allows remote attackers with low privileges to corrupt memory via the page parameter handled by the frmL7ImForm function exposed at /goform/L7Im. Publicly available exploit code exists, though EPSS rates near-term exploitation probability at only 0.05% (14th percentile) and the issue is not listed in CISA KEV.
Stack buffer overflow in the Edimax BR-6675nD 1.12 router's PPTP setup handler allows remote authenticated attackers to corrupt memory and potentially execute arbitrary code via an oversized pptpUserName POST parameter to /goform/formPPTPSetup. Publicly available exploit code exists (SSVC: PoC), though EPSS estimates exploitation probability at only 0.04% (13th percentile), reflecting the niche, end-of-life nature of the device. The vendor was notified prior to disclosure but did not respond, leaving affected units without an official fix.
Buffer overflow in the Edimax BR-6675nD 1.12 wireless router allows remote attackers to corrupt memory by sending a malicious pppUserName parameter to the /goform/formPPPoESetup endpoint. Publicly available exploit code exists, raising the risk of opportunistic targeting despite a low EPSS score of 0.04%, and the vendor has not responded to coordinated disclosure attempts.
Stack/heap buffer overflow in Edimax BR-6675nD 1.12 routers allows authenticated remote attackers to corrupt memory via an oversized L2TPUserName parameter sent to the /goform/formL2TPSetup endpoint, with publicly available exploit code exists. The vendor was notified early but has not responded, and no patch has been released, leaving deployed devices exposed. EPSS probability is low (0.04%, 13th percentile) but the combination of public POC, network reachability, and total technical impact (per SSVC) makes this a credible threat against unpatched edge devices.
Heap-based buffer overflow in Ettercap's GG protocol dissector (versions up to 0.8.3) allows remote attackers to potentially achieve limited confidentiality, integrity, and availability compromise through crafted network traffic. The vulnerability exists in the ec_gg.c dissector when processing Gadu-Gadu instant messaging protocol packets. Publicly available exploit code exists (GitHub issue #1306), and vendor has released patch version 0.8.4 (commit feeae6fa). Despite network attack vector, exploitation difficulty is high (AC:H) with low EPSS risk, suggesting specialized targeting rather than mass exploitation.
Buffer overflow in Edimax EW-7438RPn Wi-Fi range extender firmware 1.28a enables authenticated remote attackers to execute arbitrary code via malformed POST requests to the wireless encryption configuration endpoint. The vulnerability requires low-privilege authentication and has publicly available exploit code. No vendor response or patch has been provided despite early disclosure attempts.
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code by sending malicious input to the /goform/mp endpoint in the web server component. Public exploit code exists on GitHub, though the vulnerability is not listed in CISA KEV. The vendor failed to respond to responsible disclosure attempts, leaving devices unpatched.
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 enables authenticated remote attackers to execute arbitrary code via crafted POST requests to the wireless table management interface. The vulnerability affects the formWirelessTbl function when processing the submit-url parameter, with publicly available exploit code on GitHub demonstrating the attack method.
Buffer overflow in Edimax EW-7438RPn WiFi range extender firmware versions up to 1.31 enables authenticated remote attackers to execute arbitrary code by sending malformed parameters to the device configuration interface. The vulnerability affects the formWizSurvey function in /goform/formWizSurvey when processing ssid, manualssid, ip, mask, or gateway parameters, with publicly available exploit code existing on GitHub.
Stack-based buffer overflow in Edimax EW-7438RPn WiFi range extender firmware up to version 1.31 allows authenticated remote attackers to crash or execute code on the device by sending malicious input to the WPS configuration interface. The vulnerability occurs when processing the pinCode or wlan-url parameters in /goform/formWpsStart, with publicly available exploit code on GitHub demonstrating the attack.
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.