Buffer Overflow

Heap buffer over-read in ImageMagick's distributed pixel cache server affects all Magick.NET NuGet package variants prior to version 14.12.0. An attacker with the ability to connect to a running `magick -distribute-cache` service can trigger an out-of-bounds read (CWE-125) in the server process, resulting in high-severity confidentiality impact (memory disclosure) and availability impact (potential crash). No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, and the CVSS score of 5.7 reflects meaningful mitigating constraints: high attack complexity and high privileges required per the vector.

Heap buffer over-write in ImageMagick's distributed pixel cache server (`magick -distribute-cache`) allows an attacker who can connect to the service to corrupt the server process's heap memory, resulting in a high-severity denial-of-service condition. All Magick.NET NuGet package variants (Q16, HDRI, OpenMP, across arm64/x64/x86/AnyCPU architectures) prior to version 14.12.0 are confirmed affected. No public exploit has been identified at time of analysis and the vulnerability does not appear in CISA KEV; however, a notable discrepancy exists between the CVSS attack vector (AV:L, local) and the description's implication of service-level connectivity, which warrants independent verification before fully trusting the low CVSS score.

Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.

Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality

In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.

Local privilege escalation in FreeBSD's libcasper(3) library affects FreeBSD 14.3, 14.4, and 15.0 releases prior to specified patch levels, where a missing FD_SETSIZE bounds check enables stack corruption when a low-privileged attacker forces a setuid-root application to allocate file descriptors above 1024. Successful exploitation yields root-equivalent privileges on the local host. No public exploit identified at time of analysis and EPSS scores exploitation probability at just 0.02%, but the issue is confirmed by a FreeBSD security advisory (SA-26:22.libcasper).

Local privilege escalation in FreeBSD via the ptrace(PT_SC_REMOTE) interface allows an unprivileged user with debug access to a process to trigger arbitrary kernel code execution by abusing improperly validated parameters in syscall(2) and __syscall(2) meta-system calls. Affected releases include FreeBSD 14.3, 14.4, and 15.0 prior to their respective patch levels, and no public exploit identified at time of analysis. EPSS exploitation probability is low (0.02%) but the CVSS base score of 8.4 reflects high impact across confidentiality, integrity, and availability once a foothold exists.

FreeBSD's fusefs kernel module mishandles extended attribute list responses from FUSE userspace daemons by calling strlen() on daemon-supplied buffers without first verifying NUL-termination, enabling a malicious daemon operator to read up to 253 bytes of kernel heap memory or inject up to 250 attacker-controlled bytes into unallocated kernel heap space. Affected releases are FreeBSD 14.3-RELEASE prior to p14, 14.4-RELEASE prior to p5, and 15.0-RELEASE prior to p9 per FreeBSD-SA-26:20.fusefs and EUVD-2026-31254. No public exploit code exists and EPSS sits at 0.02% (5th percentile), though the heap write primitive carries local privilege escalation potential beyond what the CVSS integrity score reflects.

Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) element parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw, disclosed by Cisco Talos as TALOS-2026-2371 and assigned CWE-823, requires user interaction and local file access but no privileges, and at the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV.

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

Netatalk versions 3.1.2 through 4.4.2 are distributed as binaries compiled without the FORTIFY_SOURCE flag, stripping away runtime buffer overflow detection that the compiler would otherwise embed into unsafe C standard library calls. Remote unauthenticated attackers can, under high-complexity conditions, trigger memory errors that the absent protection would have safely caught and terminated, instead manifesting as minor availability impact (CVSS A:L). No public exploit code exists and CISA has not added this to the KEV catalog; the CVSS score of 3.7 (Low) reflects the limited impact ceiling and high attack complexity.

Heap over-read in Netatalk's extended attribute (EA) header parser affects all releases from 2.1.0 through 4.4.2, allowing authenticated remote attackers to read beyond allocated heap boundaries under high-complexity conditions. The impact is limited to partial memory disclosure (C:L) and minor availability degradation (A:L) with no integrity impact, consistent with a read-only out-of-bounds primitive. No public exploit code exists and no active exploitation has been identified; vendor-released fix 4.5.0 is available.

Heap out-of-bounds read in Netatalk 3.1.0 through 4.4.2 allows authenticated remote attackers to disclose sensitive memory contents and potentially crash the daemon by sending malformed Spotlight RPC requests. The flaw stems from improper bounds checking during Spotlight RPC unmarshalling and is fixed in version 4.4.3. No public exploit identified at time of analysis, and there is no evidence of active exploitation in CISA KEV.

Out-of-bounds read in Netatalk versions 1.3 through 4.4.2 allows adjacent network attackers to trigger denial of service and potentially disclose memory contents via malformed ASP (AppleTalk Session Protocol) session IDs. The flaw, classified as CWE-125, was fixed in version 4.4.3, and no public exploit identified at time of analysis. CVSS 7.1 reflects an adjacent-network attack vector with no privileges required and a high availability impact.

Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 stems from a missing o_len bounds check in the pull_charset_flags() character-set conversion routine, enabling remote attackers with low privileges to corrupt memory and potentially compromise confidentiality, integrity, and availability of the AFP file server. The flaw is addressed in Netatalk 4.4.3, and no public exploit has been identified at time of analysis.

Stack buffer overflow in Netatalk's desktop.c affects all versions from 1.3 through 4.2.2, allowing a network-reachable low-privilege authenticated attacker to crash the AFP service or potentially execute arbitrary code on the server. The vulnerability is rooted in improper bounds checking within AFP desktop database handling code and carries a CVSS score of 6.0 (Medium) with high availability impact as the most reliably achievable outcome. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the required high attack complexity materially limits real-world exploitation risk.

Heap buffer overflow in the Netatalk cnid_metad daemon's comm_rcv() function allows remote attackers with low-level privileges to corrupt memory across versions 2.0.0 through 4.4.2. Given the CVSS 9.9 score with scope change and high impact across confidentiality, integrity, and availability, successful exploitation likely leads to code execution in the daemon's context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Out-of-bounds write in Netatalk versions 2.0.4 through 4.4.2 affects the convert_charset() routine during null termination handling, exposing the AppleTalk/AFP server implementation to memory corruption. Authenticated remote attackers can trigger heap or stack corruption that threatens confidentiality, integrity, and availability of the host. No public exploit identified at time of analysis, and the vendor has shipped a corrective release in 4.4.3.

Stack-based buffer overflow in Netatalk versions 2.0.4 through 4.4.2 allows authenticated remote attackers to corrupt memory via UCS-2 type confusion in the convert_charset() function, leading to high-impact compromise of confidentiality, integrity, and availability. The flaw affects Netatalk, the open-source AppleTalk/AFP file server commonly used to share files with macOS clients, and is fixed in version 4.4.3. No public exploit identified at time of analysis, though the high CVSS of 8.8 and low attack complexity warrant prompt patching.

Heap-based buffer overflow in libsolv's repo_add_solv() function enables a remote unauthenticated attacker to crash the parsing process by delivering a specially crafted .solv repository metadata file containing negative values in the maxsize or allsize header fields. The malformed values bypass allocation sizing logic, producing an undersized heap buffer that is subsequently written past its bounds, yielding a denial of service. No public exploit identified at time of analysis; however, an upstream fix has been submitted via openSUSE/libsolv GitHub PR #617, and Red Hat has acknowledged the issue via a dedicated security advisory.

Buffer Overflow vulnerability in Uncrustify Project Affected v.Uncrustify_d-0.82.0-132-bcc41cbdc and Fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc allows a local attacker to cause a denial of service via the check_template.cpp, check_template function, tokenize_cleanup function, uncrustify executable components

Stack-based buffer overflow in libsolv's Debian metadata parser allows remote, unauthenticated attackers to cause a denial of service by serving maliciously crafted Debian repository metadata containing SHA384 or SHA512 checksum tags. The root cause, confirmed by the GitHub PR #616 diff, is a statically allocated 65-byte stack buffer in `ext/repo_deb.c` sized only for SHA256 digests, which is overflowed by the larger SHA384 (96 hex chars) and SHA512 (128 hex chars) values. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; an upstream fix is available as an open pull request.

Heap-based integer overflow in the hpcups component of HP Linux Imaging and Printing Software (HPLIP) allows attackers to achieve arbitrary code execution and/or privilege escalation by submitting crafted print data. The CVSS 4.0 base score of 9.3 reflects network-reachable exploitation against the printing subsystem with no authentication or user interaction required, though no public exploit identified at time of analysis and the issue has not been added to CISA KEV.

Heap buffer overflow in the Chromecast component of Google Chrome on Android, Linux, and ChromeOS prior to version 148.0.7778.179 allows an adjacent-network attacker to execute arbitrary code within the renderer sandbox via malicious network traffic. Google's Chrome team reported the issue with a Medium severity rating, and no public exploit identified at time of analysis. The vulnerability requires adjacent network positioning rather than full internet-based access, limiting practical exploitation to attackers on the same local network segment.

Out-of-bounds read in the GPU process of Google Chrome on macOS prior to 148.0.7778.179 exposes potentially sensitive data from process memory to remote attackers. Exploitation requires a victim to visit a crafted HTML page (CVSS UI:R), limiting automation potential - consistent with SSVC's 'Automatable: no' determination. No public exploit identified at time of analysis and CISA has not added this to the Known Exploited Vulnerabilities catalog; Chrome's own severity rating is Medium.

Heap corruption in Google Chrome's GPU component prior to version 148.0.7778.179 allows remote attackers to exploit an out-of-bounds read via a crafted HTML page, potentially leading to arbitrary code execution or information disclosure within the renderer context. The flaw carries a CVSS 8.8 (High) rating due to network reachability and high impact across confidentiality, integrity, and availability, though exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis, and CISA SSVC marks exploitation status as 'none', suggesting opportunistic rather than active targeting.

Heap buffer overflow in the WebRTC component of Google Chrome before 148.0.7778.179 allows remote attackers to execute arbitrary code within the renderer sandbox by luring a victim to a crafted HTML page. The flaw was reported by Chrome's internal security team, has a patched stable channel build available, and carries a CVSS 8.8 score with no public exploit identified at time of analysis. SSVC currently rates exploitation as 'none' but technical impact as 'total', reflecting full compromise of the affected process if triggered.

Out-of-bounds memory read in the GPU component of Google Chrome on macOS exposes process memory to remote attackers via a crafted HTML page. Affected versions are all Chrome releases prior to 148.0.7778.179 on Mac; Windows and Linux are not identified as affected. No public exploit or active exploitation has been identified at time of analysis, and SSVC confirms exploitation status as none with non-automatable attack delivery.

Out-of-bounds write in NVIDIA TensorRT allows remote attackers to corrupt memory and tamper with data processed by the inference engine, per NVIDIA's own advisory (KB 5836). The CVSS 8.2 score reflects high integrity impact with no privileges or user interaction required, though confidentiality is unaffected. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

The legacy GridFS API in the MongoDB C Driver fails to validate file metadata fields retrieved from the database, enabling crafted documents stored in a GridFS collection to trigger either a division-by-zero crash (denial of service) or an out-of-bounds read that exposes process memory contents to the caller. Versions in the 1.x branch before 1.30.8 and 2.x branch before 2.2.4 are affected per EUVD-2026-31132. The CVSS 4.0 score of 6.0 accurately reflects a constrained attack path requiring low-privilege database access and a pre-positioned malicious document (AT:P), with no public exploit identified at time of analysis.

Heap-based buffer overflow in MediaArea MediaInfoLib's Channel Splitting parser allows attackers to corrupt heap memory and potentially execute arbitrary code when a victim opens a maliciously crafted media file. The CVSS 7.8 vector (AV:L/UI:R) indicates local attack with required user interaction, and no public exploit identified at time of analysis. The flaw was reported by Cisco Talos and disclosed in TALOS-2026-2374.

Remote code execution in Microsoft Defender (Microsoft Malware Protection Engine) enables unauthenticated network-based attackers to corrupt heap memory and run arbitrary code on hosts running the vulnerable scanning engine. The flaw scores CVSS 8.1 with high attack complexity, affects systems by default since Defender is shipped with Windows, and at time of analysis has no public exploit identified, though Microsoft has released a vendor patch via MSRC.

Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.

Out-of-bounds read in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory disclosure that may escalate to code execution, data tampering, or denial of service. The flaw carries a CVSS 8.0 (High) rating reflecting low-privilege network access with required user interaction, and no public exploit identified at time of analysis. NVIDIA has published a security bulletin addressing the issue.

Receiver-side out-of-bounds array read in Rsync 3.4.2 and earlier allows a malicious rsync server to deterministically crash any connecting client process via a crafted synchronization session. The flaw in recv_files() causes the client to dereference an invalid pointer at an unmapped address, producing a reliable SIGSEGV. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the crash is described as deterministic, meaning any attacker controlling or impersonating an rsync server can reliably deny service to clients that connect.

Stack memory corruption in rsync before 3.4.3 allows network-positioned attackers to write a null byte past the end of a fixed-size stack buffer in the establish_proxy_connection() function in socket.c. The vulnerability is only reachable when the RSYNC_PROXY environment variable is set and an attacker controls or intercepts traffic to the configured HTTP proxy. Impact is constrained to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure; no public exploit has been identified at time of analysis.

Buffer Overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100

Heap buffer over-read in libheif versions 1.21.2 and prior allows remote attackers to crash applications or potentially leak adjacent heap memory by supplying a crafted HEIF/AVIF file with an overlay image (iovl) whose alpha channel bit depth differs from its color channels. The flaw in HeifPixelImage::overlay() uses the color channel stride to index into the alpha plane, reading up to 3,123 bytes beyond the alpha buffer for a 100×50 image with 10-bit color and 8-bit alpha. No public exploit identified at time of analysis, and the issue is fixed in version 1.22.0.

Heap buffer overflow in libheif versions 1.21.2 and below allows remote attackers to corrupt memory via a maliciously crafted HEIF file containing a mask image (mski) box. The flaw resides in MaskImageCodec::decode_mask_image(), where an attacker-controlled iloc extent length is memcpy'd into an undersized pixel buffer with no upper-bound validation, yielding heap corruption when a user opens the file. No public exploit identified at time of analysis, but the vulnerability is straightforward to trigger because the vulnerable branch is reachable under default library security limits.

Heap buffer overflow write in libheif (versions ≤ 1.21.2) lets a crafted HEIF/AVIF file write 64 bytes of attacker-controlled data past a chroma-plane heap allocation during grid tile compositing. Any application using libheif to decode untrusted images - image viewers, file managers, browsers, mobile OS thumbnailers - is exposed, with CVSS 8.8 reflecting likely code execution after user-triggered file open. No public exploit identified at time of analysis, but the deterministic 64-byte fully-controlled overflow is highly favorable for exploitation.

Denial of service in libheif versions 1.21.2 and below allows a remote attacker to crash any application linked against the library by supplying a crafted HEIF sequence file. The crash is deterministic - the malformed file passes parsing without error, then triggers a guaranteed SEGV on the first frame access due to an unsigned integer underflow that maps all media samples to an empty chunk. No public exploit has been identified at time of analysis, and this is not listed in the CISA KEV catalog; vendor-released patch is available in version 1.22.0.

Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.

Heap buffer overflow in Kitty terminal versions 0.46.2 and below allows any process able to write to the terminal's standard input to crash the application and potentially achieve remote code execution. The flaw lives in load_image_data() and is triggered by a single APC graphics protocol command declaring PNG format (f=100) with a payload exceeding twice the initial buffer capacity, giving the attacker control over both overflow length and content. No public exploit identified at time of analysis, but the vulnerability has been fixed upstream in version 0.47.0.

Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.

Memory corruption in Mozilla Firefox 150 and Firefox ESR (115.35, 140.10) allows remote attackers to potentially execute arbitrary code when a user visits a crafted web page. The flaws stem from memory safety bugs reported by Mozilla developers, some showing evidence of exploitable memory corruption. No public exploit identified at time of analysis, and EPSS scoring (0.06%) suggests low near-term exploitation likelihood despite the high CVSS rating.

Memory corruption in Mozilla Firefox 150 and Firefox ESR 140.10 allows remote attackers to potentially execute arbitrary code when a victim visits a crafted web page. The flaw stems from multiple memory safety bugs reported by Mozilla developers, with some showing evidence of exploitable memory corruption; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.05%, 14th percentile). Mozilla has shipped fixes in Firefox 151 and Firefox ESR 140.11.

Memory corruption vulnerabilities in Mozilla Firefox 150 could enable remote code execution when a user visits a maliciously crafted web page, with Mozilla acknowledging that some of the bugs showed evidence of memory corruption potentially exploitable for arbitrary code execution. The issue is resolved in Firefox 151 per Mozilla advisory MFSA2026-46/MFSA2026-50. No public exploit identified at time of analysis and EPSS remains low (0.04%), but SSVC rates technical impact as total and automatable.

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.

Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.

Out-of-bounds write in Samsung's Escargot lightweight JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows attackers to corrupt memory by inducing buffer overflows through crafted JavaScript. Exploitation requires local execution of attacker-supplied script content with user interaction, but successful triggering yields high impact to confidentiality, integrity, and availability (CVSS 7.8). No public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Heap-based buffer overflow in Samsung's Escargot JavaScript engine (commit 590345cc6258317c5da850d846ce6baaf2afc2d3) allows remote attackers to corrupt heap memory and likely achieve arbitrary code execution when a victim processes attacker-controlled JavaScript. No public exploit identified at time of analysis, but the upstream fix (PR #1565) reveals multiple memory-safety hardening changes including integer underflow protection in TypedArray.copyWithin, fast-mode array conversion checks during spread operations, and OOM handling, indicating concrete reachable corruption paths. CVSS 7.8 with local attack vector and required user interaction reflects the engine's typical embedding context (apps, IoT, smart TV runtimes) rather than network-facing services.

Out-of-bounds write in OpenHarmony v6.0 and earlier enables a local low-privileged attacker to corrupt memory and trigger an unrecoverable denial-of-service condition on affected devices. The flaw was disclosed by the OpenHarmony project itself, and no public exploit identified at time of analysis. Although CVSS scores it 8.4 (High) due to scope change and high confidentiality/integrity impact, the vector indicates local-only access with low privileges already required.

Arbitrary code execution in OpenHarmony v6.0 and earlier enables remote attackers with low privileges to execute code within pre-installed apps via an out-of-bounds write (CWE-787). The CVSS 8.8 vector reflects network-reachable exploitation with low complexity and no user interaction once minimal privileges are obtained, yielding high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Stack overflow in the Magick.NET fx expression evaluator affects all Q16 and HDRI NuGet package variants prior to version 14.13.1. The root cause is a missing recursion depth check in the fx operation: a crafted argument can drive the evaluator into uncontrolled recursion, exhausting the call stack and crashing the host process. Impact is limited to availability (denial of service); no confidentiality or integrity exposure is present, and no public exploit or CISA KEV listing exists at time of analysis.

Heap buffer over-write in Magick.NET's MIFF encoder triggers an out-of-bounds write when LZMA compression is active, due to a missing buffer size check (CWE-131). All Magick.NET NuGet package variants prior to version 14.13.1 are affected across multiple architectures (AnyCPU, x64, x86, arm64) and depth configurations (Q16, Q16-HDRI, OpenMP). An attacker who can deliver a crafted MIFF file for local processing can crash the consuming application, resulting in a complete availability impact. No public exploit code or CISA KEV listing exists at time of analysis, limiting real-world severity despite the heap write primitive.

Heap-based buffer over-write in ImageMagick's IPL decoder (exposed through Magick.NET bindings) can be triggered when the library reads a multi-image stream whose frames have differing dimensions, leading to memory corruption and process crash. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:H) signals an availability-only impact reachable without authentication, and no public exploit identified at time of analysis. Risk is amplified by how widely ImageMagick is embedded in image-processing pipelines that accept untrusted user uploads.

Out-of-bounds heap over-read in Magick.NET's polynomial distortion operation exposes limited heap memory and can trigger a crash when processing a specially crafted image with specific distortion arguments. Affected are all Magick.NET NuGet package variants (Q16, Q16-HDRI, across AnyCPU, arm64, x64, x86, and OpenMP builds) prior to version 14.13.1. The CVSS vector scores this as a local, low-complexity issue with low confidentiality and availability impact; no public exploit code exists and it is not listed in the CISA KEV catalog at time of analysis.

Out-of-bounds read and write in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows a local attacker to corrupt application memory and leak adjacent buffer contents by triggering a multi-segment writev call against a process instrumented with log enrichment enabled. The eBPF log enricher incorrectly uses the total iov_iter.count as the copy length while only resolving the first iovec segment, causing bpf_probe_read_user and bpf_probe_write_user to access memory beyond the first segment boundary. No public exploit identified at time of analysis, though a working proof-of-concept was included in the GitHub security advisory and confirmed to reproduce the out-of-bounds condition under ASan and debugger instrumentation.

Out-of-bounds memory read in OpenTelemetry eBPF Instrumentation (OBI) prior to 0.9.0 exposes adjacent kernel memory through the HTTP tracing telemetry pipeline. The vulnerable path arises in the per-CPU message-buffer fallback logic in `k_tracer.c` and `protocol_http.h`: when a CPU mismatch occurs between producer and consumer contexts, OBI substitutes the 256-byte `fallback_buf` as the source buffer while retaining `real_size` values of up to 8KB, causing an over-read of up to 7,936 bytes of adjacent memory that is subsequently exported in telemetry. No public exploit identified at time of analysis, though publicly available exploit code exists as a validated user-space AddressSanitizer PoC demonstrating the same size-mismatch over-read class.

Stack-based buffer overflow in lwIP through 2.2.1 enables remote unauthenticated attackers to corrupt stack memory in the SNMPv3 USM handler by sending a crafted msgAuthenticationParameters field to snmp_parse_inbound_frame in src/apps/snmp/snmp_msg.c. The flaw stems from a commented-out length assertion that allowed user-controlled TLV value lengths to exceed SNMP_V3_MAX_AUTH_PARAM_LENGTH during decoding. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation against a library widely embedded in IoT and embedded TCP/IP stacks.

Out-of-bounds single-byte read in Magick.NET's meta encoder affects all Q16 and Q16-HDRI NuGet package variants prior to version 14.13.1. An off-by-one indexing error in the meta encoder allows a remote unauthenticated attacker to read one byte beyond the allocated buffer boundary during metadata processing, resulting in limited memory disclosure. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is network-reachable without authentication or user interaction, making any application that processes attacker-supplied images or metadata a viable target.

Heap buffer over-read in Magick.NET's connected components operation exposes process memory when an attacker or untrusted input supplies a malformed `connected-components:keep-top` define value. All Magick.NET NuGet package variants (Q16, Q16-HDRI, OpenMP, arm64, x64, x86, AnyCPU) prior to version 14.13.1 are affected. Exploitation yields high confidentiality impact - enabling partial or full disclosure of heap memory contents - with low availability impact and no integrity impact; no public exploit and no CISA KEV listing have been identified at time of analysis.

Out-of-bounds single-byte heap read in Magick.NET's IPTC encoder exposes all NuGet package variants (Q16, Q16-HDRI, multi-architecture builds) before version 14.13.1 to limited confidentiality and availability impact when processing a crafted input file. The flaw resides in the IPTC output writing pathway: supplying a malicious image file triggers a one-byte over-read of the heap buffer, classified as CWE-125. No active exploitation has been identified (not in CISA KEV), no public exploit code is known, and the local attack vector (AV:L) materially constrains realistic exposure.

Memory corruption in omec-project AMF versions up to 2.1.3-dev allows authenticated remote attackers to trigger low-severity availability impact via malformed NGAP messages. The vulnerability resides in ngap/dispatcher.go where insufficient null-pointer validation and input sanitization in the NGAP message handler permits memory corruption. Public exploit code exists (GitHub issue #670) with vendor-released fix in version 2.2.0. Despite CVSS 2.1 base score, exploitation probability is low (CVSS:4.0 E:P indicates POC exists) and impact limited to partial availability degradation - authentication required (PR:L) and no confidentiality or integrity impact (VC:N/VI:N).

Memory corruption in OMEC Project's Access and Mobility Management Function (AMF) allows authenticated remote attackers to crash the 5G core network component by sending crafted NGAP NG Setup Request messages with malformed InformationElement fields. Affects OMEC AMF versions up to 2.1.3-dev. Publicly available exploit code exists (GitHub issue #671), and vendor patch released in version 2.2.0. CVSS 4.3 (Low severity) reflects low availability impact, requiring authentication (PR:L), but real-world risk is moderate for 5G network operators given public POC and critical infrastructure role of AMF in mobile core networks.

Stack buffer overflow in the Edimax BR-6428NS router (firmware 1.10) allows remote authenticated attackers to corrupt memory by sending an overlong pptpUserName parameter to the /goform/formPPTPSetup endpoint. Publicly available exploit code exists per VulDB disclosure, and no public exploit identified at time of analysis in CISA KEV. The vendor was reportedly contacted prior to disclosure but did not respond, leaving the device line without a confirmed fix.

Stack buffer overflow in the Edimax BR-6428NS router firmware version 1.10 allows authenticated remote attackers to corrupt memory by sending a crafted POST request to the formL2TPSetup handler with an oversized L2TPUserName parameter. Publicly available exploit code exists via a third-party Notion writeup, and the vendor was contacted but did not respond, leaving devices exposed without a coordinated fix. No CISA KEV listing or EPSS data is available to confirm active mass exploitation, but the combination of a public PoC and unresponsive vendor elevates real-world risk for any internet-exposed device.

OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice

Remote buffer overflow in H3C Magic B3 routers (firmware up to 100R002) allows attackers with high privileges to corrupt memory via the UpdateWanParams function in /goform/aspForm by manipulating the param argument. Publicly available exploit code exists per VulDB disclosure, though the vendor did not respond to coordinated disclosure attempts. With CVSS 4.0 score of 7.3 and PR:H requirement, exploitation hinges on prior administrative access to the device's web interface.

Heap out-of-bounds write in the Crypt::OpenSSL::PKCS12 Perl module (versions up to and including 1.94) allows attackers who can supply a malicious PKCS12 file processed via info() or info_as_hash() to corrupt heap memory and potentially achieve remote code execution. The flaw stems from an integer overflow when an OCTET STRING or BIT STRING attribute on a SAFEBAG is >= 1 GiB in size, causing an undersized allocation followed by an OOB write. No public exploit identified at time of analysis, but the upstream patch and oss-security disclosure are public.

Stack-based buffer overflow in Investintech SlimPDFReader ≤2.0.13 enables remote code execution when victims open malicious PDF files. The vulnerability exists in the sub_3B4610 function of SlimPDFReader.exe and requires no authentication but depends on user interaction (opening crafted PDF). Public exploit code is available via Fraunhofer SIT, significantly lowering attacker barrier. The vendor has discontinued the product with no remediation planned, leaving users with no official patch and requiring migration to alternative PDF readers.

Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.

Denial of service vulnerability in coreMQTT versions before 5.0.1 allows remote MQTT brokers to crash client applications through malformed MQTT v5.0 property packets. The vulnerability stems from missing bounds validation in the property parser, enabling out-of-bounds read conditions (CWE-125). Amazon Web Services has issued a security bulletin and released version 5.0.1 to address this issue.

Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. VulnCheck reported this issue and vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the vulnerability.

Heap buffer overflow in Imager for Perl versions through 1.030 allows remote attackers to corrupt memory and potentially read limited data via specially crafted multi-frame GIF files. The vulnerability stems from missing bounds validation in the skip-image code path of i_readgif_multi_low(), which reuses a fixed-size buffer allocated for the GIF's global screen width without checking if subsequent image frames exceed these dimensions. Vendor-released patch available in version 1.031. CVSS 6.5 indicates network-accessible exploitation requiring no authentication or user interaction, though the impact is limited to low confidentiality/integrity with no availability disruption. No public exploit identified at time of analysis.

Heap buffer overflow in Imager::File::GIF (Perl image processing library) versions through 1.002 allows local attackers to corrupt memory via specially crafted multi-frame GIF files. The vulnerability stems from missing boundary validation in the skip-image code path, which writes image data beyond allocated buffer boundaries when processing malformed GIF frames. With EPSS score at 0.02% (5th percentile) and no evidence of active exploitation, this represents a low-probability supply chain risk for Perl applications processing untrusted GIF files. Patch released in version 1.003.

Out-of-bounds write in Huawei HarmonyOS and EMUI distributed file system module allows authenticated local attackers to corrupt memory, potentially affecting system availability and integrity. CVSS 6.8 reflects adjacent network access requirement and low attack complexity, but exploitation requires prior authentication and local network presence. No public exploit code or active exploitation confirmed at time of analysis.

Stack overflow in Huawei HarmonyOS media platform allows local authenticated users to cause denial of service through a crafted media file that triggers stack memory exhaustion. The vulnerability requires user interaction and authenticated access (CVSS PR:L), limiting its real-world severity despite affecting availability. No public exploit code or active exploitation has been identified at the time of analysis.

Out-of-bounds read and buffer overflow in the Linux kernel's ksmbd SMB server allows authenticated remote attackers to corrupt memory or read past allocated buffers by sending a malformed inheritable ACE with an inflated num_subauth value. The flaw resides in smb_inherit_dacl() and smb_set_ace(), where the variable-length SID is not bounds-checked during DACL inheritance, enabling heap corruption with potential for remote code execution against any SMB server using ksmbd. EPSS is very low (0.02%) and no public exploit identified at time of analysis, but the vendor patch is available across multiple stable branches.

A race condition in the MxGPU-Virtualization driver’s ioctl path caused by concurrent unsynchronized access to the global variable amdgv_cmd in an unlocked ioctl handler could be exploited by an attacker to trigger a heap-based buffer overflow, potentially resulting in denial-of-service within the vulnerable system context.

Out-of-bounds read in power management firmware affects AMD Ryzen AI, Ryzen 7000/8000 series mobile processors, Ryzen 8000 desktop processors, embedded processors, and Radeon graphics products. A local attacker with low privileges can read sensitive firmware data, potentially disclosing confidential information and causing availability degradation. CVSS 4.8 (low severity) reflects limited privilege requirements and contained impact, though the vulnerability affects a broad processor family.

Buffer overflow in AMD GPU driver IOCTL handler enables local privilege escalation to root on Linux systems running AMD Instinct or Radeon Pro GPUs. Authenticated local users with low privileges can exploit an out-of-bounds write vulnerability in the AMDGV_CMD_GET_DIAG_DATA IOCTL to achieve arbitrary kernel code execution. EPSS data not available; no public exploit or CISA KEV listing identified at time of analysis, suggesting limited active exploitation despite high CVSS 8.5 severity.

Out-of-bounds read in AMD Secure Processor TEE SOC Driver allows high-privileged local attackers to trigger memory exposure or denial of service via malformed SR-IOV commands on Radeon RX 6000/7000, Pro W6000/W7000, and Instinct MI-series GPUs. Insufficient parameter sanitization in the DRV_SOC_CMD_ID_LOAD_GFX_IP_FW command handler permits crafted input to bypass bounds checks, exposing SOC Driver memory or causing exceptions. Attack requires high privilege level (PR:H) and local access (AV:L), limiting real-world exploitation to compromised administrative contexts or supply-chain scenarios.

Local privilege escalation in AMD Platform Management Framework (PMF) allows authenticated attackers with low privileges to execute arbitrary code with elevated system privileges through an out-of-bounds write vulnerability. Affects multiple AMD Ryzen processor series (6000, 7035, 7040, 8040, and Embedded R8000) across mobile and embedded platforms. The CVSS 4.0 score of 8.4 reflects high impact to system integrity and availability with changed scope, indicating the attacker can escape the vulnerable component's security context. No active exploitation confirmed in CISA KEV at time of analysis, and public exploit code availability is not indicated in current intelligence.

Buffer overflow in AMD Sensor Fusion Hub Driver allows local authenticated attackers to write out of bounds, causing denial of service or system crash. The vulnerability affects multiple Ryzen processor families (4000, 5000, 7000, 7020, 7030, 7035, 7040 series and Ryzen AI 300 series) with Radeon integrated graphics across Windows mobile and desktop platforms. No active exploitation has been confirmed at time of analysis.

Out-of-bounds read in AMD Platform Management Framework (PMF) allows authenticated local attackers to read arbitrary memory locations, potentially disclosing sensitive information or causing availability loss on affected Ryzen processors. The vulnerability requires local access and low privileges but can be triggered without user interaction. AMD released a security bulletin (AMD-SB-4015) describing the issue; active exploitation status not confirmed at time of analysis.

Out-of-bounds write in the AMD Platform Management Framework (PMF) Driver enables local authenticated users to escalate privileges on AMD Ryzen 6000/7000/8000 series processors. The vulnerability stems from improper input validation (CWE-787) allowing memory corruption beyond allocated buffer boundaries. Exploitation requires low-privilege local access with low attack complexity (CVSS 4.0: AV:L/AC:L/PR:L), making this a realistic post-compromise escalation vector. AMD released chipset driver version 7.06.02.123 addressing all affected Ryzen series. No public exploit or active exploitation confirmed at time of analysis.

Improper input validation in the AMD Platform Management Framework (PMF) driver allows local authenticated attackers to read out-of-bounds memory, resulting in information disclosure or denial of service. The vulnerability affects multiple Ryzen processor families (7035, 7040, 8040, 6000 series, and Embedded 8000) and requires local access with limited privileges to exploit.