Buffer Overflow
Monthly
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticated remote attackers to corrupt memory by sending malformed NGReset messages to the 5G core network component. The vulnerability stems from insufficient validation of PLMN ID strings in SUCI (Subscription Concealed Identifier) processing within the NGReset message handler. Public exploit code exists (GitHub issue #678), and vendor patch is available (PR #666 upgrading to version 2.2.0). EPSS data not available but exploit code publication increases real-world exploitation likelihood for targeted attacks against 5G core infrastructure.
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows network-adjacent authenticated attackers to corrupt process memory via crafted NGAP messages or malformed SUCI values, affecting confidentiality, integrity, and availability. The vulnerability stems from missing nil-pointer guards in the NGAP dispatcher and absent input validation when parsing Subscription Concealed Identifiers (SUCI) during UE registration and identity response flows. Exploit code has been publicly disclosed (GitHub issue #679), and no public exploit identified at time of analysis confirms active KEV exploitation, though the CVSS temporal vector E:P confirms proof-of-concept availability.
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation via crafted NGAP PDUSessionResourceModifyIndication messages, allowing low-privileged attackers to achieve partial confidentiality, integrity, and availability impact on the Access and Mobility Management Function. A publicly available exploit exists (confirmed by CVSS E:P and GitHub issue #681), and an official vendor patch has been released in version 2.2.0 via PR #666. No CISA KEV listing was identified at time of analysis, so active widespread exploitation is not confirmed.
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticated remote attackers to corrupt memory by sending crafted NGAP or NAS messages targeting the PathSwitchRequest handler and related message processing paths. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:L/I:L/A:L) indicates low-complexity network exploitation requiring only low-privilege credentials, with partial impacts across confidentiality, integrity, and availability. Publicly available exploit code exists (confirmed by GitHub issue #680 and the E:P temporal modifier); no active exploitation is confirmed in CISA KEV.
Buffer overflow in the Edimax BR-6428NS 1.10 router's web management interface allows authenticated remote attackers to corrupt memory by submitting a crafted vapurl parameter to the formWirelessTbl POST handler at /goform/formWirelessTbl. Publicly available exploit code exists (released via VulDB and a Notion writeup), and the vendor has not responded to coordinated disclosure attempts. The flaw is not currently listed in CISA KEV, but the combination of public PoC, low attack complexity, and an unpatched/unresponsive vendor makes this a tangible risk for any exposed device.
Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memory by sending an overlong pppUserName parameter to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists, and the vendor failed to respond to the coordinated disclosure attempt, leaving devices without an official fix. With a CVSS of 8.8 and full CIA impact, successful exploitation can result in arbitrary code execution or device takeover on the embedded router.
Heap-buffer-overflow in libheif 1.21.2 and prior exposes any application parsing untrusted HEIF sequence files to an out-of-bounds read during file ingestion, with potential for heap memory disclosure or process crash. The flaw is triggered the moment a victim opens a crafted file - no additional interaction beyond file opening is required - making it a practical threat in desktop image viewers, browsers, and media pipelines that embed libheif. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (11th percentile), and a vendor-released patch (v1.22.0) is available, keeping real-world exploitation risk currently assessed as low-moderate despite the memory-corruption class.
Out-of-bounds read in libheif versions 1.21.2 and prior crashes any application that parses attacker-controlled HEIF sequence files, resulting in denial of service. The defect lives in the SampleAuxInfoReader constructor, which enters its processing loop when saiz.sample_count > 0 even though stco.entry_count == 0 left the chunks vector empty; dereferencing chunks[0] then triggers the crash. No public exploit code has been identified at time of analysis, but the attack requires only that a user open or process a specially crafted HEIF file, making it relevant wherever libheif is embedded in image-handling applications (browsers, media libraries, operating-system image stacks). Vendor-released patch v1.22.0 is available.
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.
Resource exhaustion in the Go golang.org/x/crypto/ssh package allows a malicious SSH peer to leak goroutines and memory by sending unsolicited global request responses that fill an internal buffer and block the connection's read loop. Affected versions are below 0.52.0, and even calling Close() fails to release the blocked goroutine, enabling per-connection resource leaks against any Go application using this library as an SSH client or server. There is no public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low observed exploitation interest despite the high CVSS rating.
Remote code execution in Easy Chat Server 3.1 stems from a buffer overflow in the chat message handling functionality, letting remote attackers overwrite memory to leak sensitive data and run arbitrary code on the hosting Windows machine. The product is a small standalone web-based chat server historically used as an exploit-development target, and publicly available exploit code exists (GitHub PoC), though EPSS is low (0.18%, 39th percentile) and it is not on CISA KEV. No public evidence of active in-the-wild exploitation was identified at time of analysis.
Integer overflow in Arm ArmNN's TensorShape::GetNumElements() enables a crafted TFLite model to bypass buffer size validation and trigger a heap-based buffer over-read, resulting in a denial of service. Affected systems are those that load externally-supplied or untrusted TFLite model files using any ArmNN build through 2026-03-27. An attacker who controls a model file processed by an ArmNN-backed application can crash the host process during the optimization pass via BatchToSpaceNdLayer's InferOutputShapes() routine. No public exploit code and no active exploitation has been identified at time of analysis; EPSS sits at 0.02% (5th percentile), consistent with low real-world threat.
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.
Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) element parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw, disclosed by Cisco Talos as TALOS-2026-2371 and assigned CWE-823, requires user interaction and local file access but no privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping away runtime buffer overflow detection that the compiler would otherwise embed into unsafe C standard library calls. Remote unauthenticated attackers can, under high-complexity conditions, trigger memory errors that the absent protection would have safely caught and terminated, instead manifesting as minor availability impact (CVSS A:L). No public exploit code exists and CISA has not added this to the KEV catalog; the CVSS score of 3.7 (Low) reflects the limited impact ceiling and high attack complexity.
Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.
Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.
Out-of-bounds read in Netatalk versions 1.3 through 4.4.2 allows adjacent network attackers to trigger denial of service and potentially disclose memory contents via malformed ASP (AppleTalk Session Protocol) session IDs. The flaw, classified as CWE-125, was fixed in version 4.4.3, and no public exploit identified at time of analysis. CVSS 7.1 reflects an adjacent-network attack vector with no privileges required and a high availability impact.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.
Stack buffer overflow in Netatalk's desktop.c affects all versions from 1.3 through 4.2.2, allowing a network-reachable low-privilege authenticated attacker to crash the AFP service or potentially execute arbitrary code on the server. The vulnerability is rooted in improper bounds checking within AFP desktop database handling code and carries a CVSS score of 6.0 (Medium) with high availability impact as the most reliably achievable outcome. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the required high attack complexity materially limits real-world exploitation risk.
Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level privileges to corrupt memory across versions 2.0.0 through 4.4.2. Given the CVSS 9.9 score with scope change and high impact across confidentiality, integrity, and availability, successful exploitation likely leads to code execution in the daemon's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 affects the convert_charset() routine during null termination handling, exposing the AppleTalk/AFP server implementation to memory corruption. Authenticated remote attackers can trigger heap or stack corruption that threatens confidentiality, integrity, and availability of the host. No public exploit identified at time of analysis, and the vendor has shipped a corrective release in 4.4.3.
Stack-based buffer overflow in Netatalk versions 2.0.4 through 4.4.2 allows authenticated remote attackers to corrupt memory via UCS-2 type confusion in the convert_charset() function, leading to high-impact compromise of confidentiality, integrity, and availability. The flaw affects Netatalk, the open-source AppleTalk/AFP file server commonly used to share files with macOS clients, and is fixed in version 4.4.3. No public exploit identified at time of analysis, though the high CVSS of 8.8 and low attack complexity warrant prompt patching.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check_template.cpp, check_template function, tokenize_cleanup function, uncrustify executable components
Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit identified at time of analysis and the issue has not been added to CISA KEV.
Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.
Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
The legacy GridFS API in the MongoDB C Driver fails to validate file metadata fields retrieved from the database, enabling crafted documents stored in a GridFS collection to trigger either a division-by-zero crash (denial of service) or an out-of-bounds read that exposes process memory contents to the caller. Versions in the 1.x branch before 1.30.8 and 2.x branch before 2.2.4 are affected per EUVD-2026-31132. The CVSS 4.0 score of 6.0 accurately reflects a constrained attack path requiring low-privilege database access and a pre-positioned malicious document (AT:P), with no public exploit identified at time of analysis.
Heap-based buffer overflow in MediaArea MediaInfoLib's Channel Splitting parser allows attackers to corrupt heap memory and potentially execute arbitrary code when a victim opens a maliciously crafted media file. The CVSS 7.8 vector (AV:L/UI:R) indicates local attack with required user interaction, and no public exploit identified at time of analysis. The flaw was reported by Cisco Talos and disclosed in TALOS-2026-2374.
Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.
Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.
Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.
Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100
Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. No public exploit identified at time of analysis, and the issue is fixed in version 1.22.0.
Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. No public exploit identified at time of analysis, but the vulnerability is straightforward to trigger because the vulnerable branch is reachable under default library security limits.
Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.
Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's standard input to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. No public exploit identified at time of analysis, but the vulnerability has been fixed upstream in version 0.47.0.
Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.
Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.
Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.
Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Heap-based buffer overflow in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows remote attackers to corrupt heap memory and likely achieve arbitrary code execution when a victim processes attacker-controlled JavaScript. No public exploit identified at time of analysis, but the upstream fix (PR #1565) reveals multiple memory-safety hardening changes including integer underflow protection in TypedArray.copyWithin, fast-mode array conversion checks during spread operations, and OOM handling, indicating concrete reachable corruption paths. CVSS 7.8 with local attack vector and required user interaction reflects the engine's typical embedding context (apps, IoT, smart TV runtimes) rather than network-facing services.
Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Heap-based buffer over-write in ImageMagick's IPL decoder (exposed through Magick.NET bindings) can be triggered when the library reads a multi-image stream whose frames have differing dimensions, leading to memory corruption and process crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) signals an availability-only impact reachable without authentication, and no public exploit identified at time of analysis. Risk is amplified by how widely ImageMagick is embedded in image-processing pipelines that accept untrusted user uploads.
Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.
Out-of-bounds read and write in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a local attacker to corrupt application memory and leak adjacent buffer contents by triggering a multi-segment writev call against a process instrumented with log enrichment enabled. The eBPF log enricher incorrectly uses the total iov_iter.count as the copy length while only resolving the first iovec segment, causing bpf_probe_read_user and bpf_probe_write_user to access memory beyond the first segment boundary. No public exploit identified at time of analysis, though a working proof-of-concept was included in the GitHub security advisory and confirmed to reproduce the out-of-bounds condition under ASan and debugger instrumentation.
Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in `k_tracer.c` and `protocol_http.h`: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte `fallback_buf` as the source buffer while retaining `real_size` values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.
Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.
Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.
Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed `connected-components:keep-top` define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds single-byte heap read in Magick.NET's IPTC encoder exposes all NuGet package variants (Q16, Q16-HDRI, multi-architecture builds) before version 14.13.1 to limited confidentiality and availability impact when processing a crafted input file. The flaw resides in the IPTC output writing pathway: supplying a malicious image file triggers a one-byte over-read of the heap buffer, classified as CWE-125. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and the local attack vector (AV:L) materially constrains realistic exposure.
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-severity availability impact via malformed NGAP messages. The vulnerability resides in ngap/dispatcher.go where insufficient null-pointer validation and input sanitization in the NGAP message handler permits memory corruption. Public exploit code exists (GitHub issue #670) with vendor-released fix in version 2.2.0. Despite CVSS 2.1 base score, exploitation probability is low (CVSS:4.0 E:P indicates POC exists) and impact limited to partial availability degradation - authentication required (PR:L) and no confidentiality or integrity impact (VC:N/VI:N).
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers to crash the 5G core network component by sending crafted NGAP NG Setup Request messages with malformed InformationElement fields. Affects OMEC AMF versions up to 2.1.3-dev. Publicly available exploit code exists (GitHub issue #671), and vendor patch released in version 2.2.0. CVSS 4.3 (Low severity) reflects low availability impact, requiring authentication (PR:L), but real-world risk is moderate for 5G network operators given public POC and critical infrastructure role of AMF in mobile core networks.
Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt memory by sending an overlong pptpUserName parameter to the /goform/formPPTPSetup endpoint. Publicly available exploit code exists per VulDB disclosure, and no public exploit identified at time of analysis in CISA KEV. The vendor was reportedly contacted prior to disclosure but did not respond, leaving the device line without a confirmed fix.
Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.
OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice
Remote buffer overflow in H3C Magic B3 routers (firmware up to 100R002) allows attackers with high privileges to corrupt memory via the UpdateWanParams function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists per VulDB disclosure, though the vendor did not respond to coordinated disclosure attempts. With CVSS 4.0 score of 7.3 and PR:H requirement, exploitation hinges on prior administrative access to the device's web interface.
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
VX Search 10.6.18 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying an oversized string in the directory field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok AVI DivX MPEG to DVD Converter 2.6.1217 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory corruption in OMEC Project AMF (Access and Mobility Management Function) versions up to 2.1.1 allows authenticated remote attackers to corrupt memory by sending malformed NGReset messages to the 5G core network component. The vulnerability stems from insufficient validation of PLMN ID strings in SUCI (Subscription Concealed Identifier) processing within the NGReset message handler. Public exploit code exists (GitHub issue #678), and vendor patch is available (PR #666 upgrading to version 2.2.0). EPSS data not available but exploit code publication increases real-world exploitation likelihood for targeted attacks against 5G core infrastructure.
Memory corruption in the omec-project AMF (Access and Mobility Management Function) NGSetupRequest Handler allows network-adjacent authenticated attackers to corrupt process memory via crafted NGAP messages or malformed SUCI values, affecting confidentiality, integrity, and availability. The vulnerability stems from missing nil-pointer guards in the NGAP dispatcher and absent input validation when parsing Subscription Concealed Identifiers (SUCI) during UE registration and identity response flows. Exploit code has been publicly disclosed (GitHub issue #679), and no public exploit identified at time of analysis confirms active KEV exploitation, though the CVSS temporal vector E:P confirms proof-of-concept availability.
Memory corruption in omec-project AMF versions up to 2.1.1 exposes 5G core network infrastructure to remote exploitation via crafted NGAP PDUSessionResourceModifyIndication messages, allowing low-privileged attackers to achieve partial confidentiality, integrity, and availability impact on the Access and Mobility Management Function. A publicly available exploit exists (confirmed by CVSS E:P and GitHub issue #681), and an official vendor patch has been released in version 2.2.0 via PR #666. No CISA KEV listing was identified at time of analysis, so active widespread exploitation is not confirmed.
Memory corruption in omec-project AMF (Access and Mobility Management Function) through version 2.1.1 allows authenticated remote attackers to corrupt memory by sending crafted NGAP or NAS messages targeting the PathSwitchRequest handler and related message processing paths. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:L/I:L/A:L) indicates low-complexity network exploitation requiring only low-privilege credentials, with partial impacts across confidentiality, integrity, and availability. Publicly available exploit code exists (confirmed by GitHub issue #680 and the E:P temporal modifier); no active exploitation is confirmed in CISA KEV.
Buffer overflow in the Edimax BR-6428NS 1.10 router's web management interface allows authenticated remote attackers to corrupt memory by submitting a crafted vapurl parameter to the formWirelessTbl POST handler at /goform/formWirelessTbl. Publicly available exploit code exists (released via VulDB and a Notion writeup), and the vendor has not responded to coordinated disclosure attempts. The flaw is not currently listed in CISA KEV, but the combination of public PoC, low attack complexity, and an unpatched/unresponsive vendor makes this a tangible risk for any exposed device.
Stack buffer overflow in the Edimax BR-6428NS 1.10 wireless router allows authenticated remote attackers to corrupt memory by sending an overlong pppUserName parameter to the /goform/formWanTcpipSetup endpoint. Publicly available exploit code exists, and the vendor failed to respond to the coordinated disclosure attempt, leaving devices without an official fix. With a CVSS of 8.8 and full CIA impact, successful exploitation can result in arbitrary code execution or device takeover on the embedded router.
Heap-buffer-overflow in libheif 1.21.2 and prior exposes any application parsing untrusted HEIF sequence files to an out-of-bounds read during file ingestion, with potential for heap memory disclosure or process crash. The flaw is triggered the moment a victim opens a crafted file - no additional interaction beyond file opening is required - making it a practical threat in desktop image viewers, browsers, and media pipelines that embed libheif. No public exploit has been identified at time of analysis, EPSS sits at 0.04% (11th percentile), and a vendor-released patch (v1.22.0) is available, keeping real-world exploitation risk currently assessed as low-moderate despite the memory-corruption class.
Out-of-bounds read in libheif versions 1.21.2 and prior crashes any application that parses attacker-controlled HEIF sequence files, resulting in denial of service. The defect lives in the SampleAuxInfoReader constructor, which enters its processing loop when saiz.sample_count > 0 even though stco.entry_count == 0 left the chunks vector empty; dereferencing chunks[0] then triggers the crash. No public exploit code has been identified at time of analysis, but the attack requires only that a user open or process a specially crafted HEIF file, making it relevant wherever libheif is embedded in image-handling applications (browsers, media libraries, operating-system image stacks). Vendor-released patch v1.22.0 is available.
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7
Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.
Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.
Resource exhaustion in the Go golang.org/x/crypto/ssh package allows a malicious SSH peer to leak goroutines and memory by sending unsolicited global request responses that fill an internal buffer and block the connection's read loop. Affected versions are below 0.52.0, and even calling Close() fails to release the blocked goroutine, enabling per-connection resource leaks against any Go application using this library as an SSH client or server. There is no public exploit identified at time of analysis, and the EPSS score of 0.02% (4th percentile) indicates very low observed exploitation interest despite the high CVSS rating.
Remote code execution in Easy Chat Server 3.1 stems from a buffer overflow in the chat message handling functionality, letting remote attackers overwrite memory to leak sensitive data and run arbitrary code on the hosting Windows machine. The product is a small standalone web-based chat server historically used as an exploit-development target, and publicly available exploit code exists (GitHub PoC), though EPSS is low (0.18%, 39th percentile) and it is not on CISA KEV. No public evidence of active in-the-wild exploitation was identified at time of analysis.
Integer overflow in Arm ArmNN's TensorShape::GetNumElements() enables a crafted TFLite model to bypass buffer size validation and trigger a heap-based buffer over-read, resulting in a denial of service. Affected systems are those that load externally-supplied or untrusted TFLite model files using any ArmNN build through 2026-03-27. An attacker who controls a model file processed by an ArmNN-backed application can crash the host process during the optimization pass via BatchToSpaceNdLayer's InferOutputShapes() routine. No public exploit code and no active exploitation has been identified at time of analysis; EPSS sits at 0.02% (5th percentile), consistent with low real-world threat.
Out-of-bounds heap write in the Linux kernel's IPv6 RPL Source Routing Header (SRH) processing path allows local attackers with raw IPv6 socket access to corrupt memory beyond the skb buffer. The flaw in ipv6_rpl_srh_rcv() occurs when a recompressed SRH grows larger than the received one and consumes unchecked headroom, causing skb_mac_header_rebuild() to wrap a u16 offset and trigger a ~64KiB out-of-bounds memmove. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the bug is reachable from unprivileged userspace via a single crafted AF_INET6/SOCK_RAW packet over loopback per the reporter's KASAN reproduction.
Local privilege-level data corruption in the Linux kernel's accel/ivpu driver (Intel VPU accelerator) allows authenticated local users to trigger incorrect device access and memory corruption by re-exporting imported GEM (Graphics Execution Manager) buffer objects via the DMA-BUF prime interface. The flaw stems from the missing validation that allowed buffer flag settings to be lost on re-export, and while CVSS rates it 7.8 High due to local high-impact effects, EPSS is only 0.02% and no public exploit identified at time of analysis.
Slab-out-of-bounds read in the Linux kernel's t7xx WWAN driver allows a malicious or compromised MediaTek modem to leak up to 262140 bytes of kernel memory by sending a crafted port enumeration message with an inflated port_count field. The flaw affects systems using the t7xx driver (e.g., laptops with MediaTek 5G M.2 modems such as the FM350-GL) and has no public exploit identified at time of analysis, with an EPSS score of 0.02% indicating very low predicted exploitation activity.
Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).
Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.
FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) element parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw, disclosed by Cisco Talos as TALOS-2026-2371 and assigned CWE-823, requires user interaction and local file access but no privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.
The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.
Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping away runtime buffer overflow detection that the compiler would otherwise embed into unsafe C standard library calls. Remote unauthenticated attackers can, under high-complexity conditions, trigger memory errors that the absent protection would have safely caught and terminated, instead manifesting as minor availability impact (CVSS A:L). No public exploit code exists and CISA has not added this to the KEV catalog; the CVSS score of 3.7 (Low) reflects the limited impact ceiling and high attack complexity.
Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.
Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.
Out-of-bounds read in Netatalk versions 1.3 through 4.4.2 allows adjacent network attackers to trigger denial of service and potentially disclose memory contents via malformed ASP (AppleTalk Session Protocol) session IDs. The flaw, classified as CWE-125, was fixed in version 4.4.3, and no public exploit identified at time of analysis. CVSS 7.1 reflects an adjacent-network attack vector with no privileges required and a high availability impact.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.
Stack buffer overflow in Netatalk's desktop.c affects all versions from 1.3 through 4.2.2, allowing a network-reachable low-privilege authenticated attacker to crash the AFP service or potentially execute arbitrary code on the server. The vulnerability is rooted in improper bounds checking within AFP desktop database handling code and carries a CVSS score of 6.0 (Medium) with high availability impact as the most reliably achievable outcome. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the required high attack complexity materially limits real-world exploitation risk.
Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level privileges to corrupt memory across versions 2.0.0 through 4.4.2. Given the CVSS 9.9 score with scope change and high impact across confidentiality, integrity, and availability, successful exploitation likely leads to code execution in the daemon's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 affects the convert_charset() routine during null termination handling, exposing the AppleTalk/AFP server implementation to memory corruption. Authenticated remote attackers can trigger heap or stack corruption that threatens confidentiality, integrity, and availability of the host. No public exploit identified at time of analysis, and the vendor has shipped a corrective release in 4.4.3.
Stack-based buffer overflow in Netatalk versions 2.0.4 through 4.4.2 allows authenticated remote attackers to corrupt memory via UCS-2 type confusion in the convert_charset() function, leading to high-impact compromise of confidentiality, integrity, and availability. The flaw affects Netatalk, the open-source AppleTalk/AFP file server commonly used to share files with macOS clients, and is fixed in version 4.4.3. No public exploit identified at time of analysis, though the high CVSS of 8.8 and low attack complexity warrant prompt patching.
Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.
Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check_template.cpp, check_template function, tokenize_cleanup function, uncrustify executable components
Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.
Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit identified at time of analysis and the issue has not been added to CISA KEV.
Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.
Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.
Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.
Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.
Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.
Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
The legacy GridFS API in the MongoDB C Driver fails to validate file metadata fields retrieved from the database, enabling crafted documents stored in a GridFS collection to trigger either a division-by-zero crash (denial of service) or an out-of-bounds read that exposes process memory contents to the caller. Versions in the 1.x branch before 1.30.8 and 2.x branch before 2.2.4 are affected per EUVD-2026-31132. The CVSS 4.0 score of 6.0 accurately reflects a constrained attack path requiring low-privilege database access and a pre-positioned malicious document (AT:P), with no public exploit identified at time of analysis.
Heap-based buffer overflow in MediaArea MediaInfoLib's Channel Splitting parser allows attackers to corrupt heap memory and potentially execute arbitrary code when a victim opens a maliciously crafted media file. The CVSS 7.8 vector (AV:L/UI:R) indicates local attack with required user interaction, and no public exploit identified at time of analysis. The flaw was reported by Cisco Talos and disclosed in TALOS-2026-2374.
Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.
Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.
Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.
Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.
Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.
Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100
Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of. Rated medium severity (CVSS 4.6), this vulnerability is low attack complexity. No vendor patch available.
Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. No public exploit identified at time of analysis, and the issue is fixed in version 1.22.0.
Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. No public exploit identified at time of analysis, but the vulnerability is straightforward to trigger because the vulnerable branch is reachable under default library security limits.
Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.
Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.
Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.
Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's standard input to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. No public exploit identified at time of analysis, but the vulnerability has been fixed upstream in version 0.47.0.
Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.
Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.
Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.
Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.
Heap-based buffer overflow in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows remote attackers to corrupt heap memory and likely achieve arbitrary code execution when a victim processes attacker-controlled JavaScript. No public exploit identified at time of analysis, but the upstream fix (PR #1565) reveals multiple memory-safety hardening changes including integer underflow protection in TypedArray.copyWithin, fast-mode array conversion checks during spread operations, and OOM handling, indicating concrete reachable corruption paths. CVSS 7.8 with local attack vector and required user interaction reflects the engine's typical embedding context (apps, IoT, smart TV runtimes) rather than network-facing services.
Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.
Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.
Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.
Heap-based buffer over-write in ImageMagick's IPL decoder (exposed through Magick.NET bindings) can be triggered when the library reads a multi-image stream whose frames have differing dimensions, leading to memory corruption and process crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) signals an availability-only impact reachable without authentication, and no public exploit identified at time of analysis. Risk is amplified by how widely ImageMagick is embedded in image-processing pipelines that accept untrusted user uploads.
Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.
Out-of-bounds read and write in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a local attacker to corrupt application memory and leak adjacent buffer contents by triggering a multi-segment writev call against a process instrumented with log enrichment enabled. The eBPF log enricher incorrectly uses the total iov_iter.count as the copy length while only resolving the first iovec segment, causing bpf_probe_read_user and bpf_probe_write_user to access memory beyond the first segment boundary. No public exploit identified at time of analysis, though a working proof-of-concept was included in the GitHub security advisory and confirmed to reproduce the out-of-bounds condition under ASan and debugger instrumentation.
Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in `k_tracer.c` and `protocol_http.h`: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte `fallback_buf` as the source buffer while retaining `real_size` values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.
Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.
Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.
Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed `connected-components:keep-top` define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.
Out-of-bounds single-byte heap read in Magick.NET's IPTC encoder exposes all NuGet package variants (Q16, Q16-HDRI, multi-architecture builds) before version 14.13.1 to limited confidentiality and availability impact when processing a crafted input file. The flaw resides in the IPTC output writing pathway: supplying a malicious image file triggers a one-byte over-read of the heap buffer, classified as CWE-125. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and the local attack vector (AV:L) materially constrains realistic exposure.
Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-severity availability impact via malformed NGAP messages. The vulnerability resides in ngap/dispatcher.go where insufficient null-pointer validation and input sanitization in the NGAP message handler permits memory corruption. Public exploit code exists (GitHub issue #670) with vendor-released fix in version 2.2.0. Despite CVSS 2.1 base score, exploitation probability is low (CVSS:4.0 E:P indicates POC exists) and impact limited to partial availability degradation - authentication required (PR:L) and no confidentiality or integrity impact (VC:N/VI:N).
Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers to crash the 5G core network component by sending crafted NGAP NG Setup Request messages with malformed InformationElement fields. Affects OMEC AMF versions up to 2.1.3-dev. Publicly available exploit code exists (GitHub issue #671), and vendor patch released in version 2.2.0. CVSS 4.3 (Low severity) reflects low availability impact, requiring authentication (PR:L), but real-world risk is moderate for 5G network operators given public POC and critical infrastructure role of AMF in mobile core networks.
Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt memory by sending an overlong pptpUserName parameter to the /goform/formPPTPSetup endpoint. Publicly available exploit code exists per VulDB disclosure, and no public exploit identified at time of analysis in CISA KEV. The vendor was reportedly contacted prior to disclosure but did not respond, leaving the device line without a confirmed fix.
Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.
OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice
Remote buffer overflow in H3C Magic B3 routers (firmware up to 100R002) allows attackers with high privileges to corrupt memory via the UpdateWanParams function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists per VulDB disclosure, though the vendor did not respond to coordinated disclosure attempts. With CVSS 4.0 score of 7.3 and PR:H requirement, exploitation hinges on prior administrative access to the device's web interface.
Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.
VX Search 10.6.18 contains a local buffer overflow vulnerability that allows attackers to overwrite the instruction pointer by supplying an oversized string in the directory field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok AVI DivX MPEG to DVD Converter 2.6.1217 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.