Skip to main content

Buffer Overflow

36137 CVEs technique

Monthly

CVE-2026-7933 MEDIUM PATCH This Month

Out-of-bounds read in WebCodecs video processing in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to leak sensitive memory contents via a crafted video file. The vulnerability requires user interaction to open a malicious video, but affects all users regardless of authentication. Chrome 148.0.7778.96 and later versions patch this information disclosure vulnerability, which could expose cryptographic keys, session tokens, or other sensitive data resident in adjacent memory.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7923 HIGH PATCH This Week

Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.

Google Memory Corruption Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7912 MEDIUM PATCH This Month

Integer overflow in the GPU component of Google Chrome on Android prior to version 148.0.7778.96 enables a remote attacker whose renderer process has been compromised to execute arbitrary read and write operations via a malicious HTML page. The vulnerability requires prior compromise of the renderer process and user interaction, limiting its standalone exploitability but creating a significant secondary threat following renderer exploitation. Chromium security team rated this as high severity; no public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-7904 MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's font handling allows remote attackers to leak sensitive information via a crafted HTML page when users visit a malicious website. Chrome versions prior to 148.0.7778.96 are affected. The vulnerability requires user interaction (clicking a link or visiting a page) but occurs over the network without authentication. Information disclosure risk is limited (CVSS C:L) with no impact on integrity or availability, but the Chromium security severity designation of High indicates concern about potential information leakage in real-world exploitation.

Google Information Disclosure Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7903 HIGH PATCH This Week

Integer overflow in Chrome's ANGLE graphics layer (Mac/Windows) enables heap corruption via malicious web pages. Remote attackers can achieve arbitrary code execution by tricking users into visiting crafted HTML content. Google patched this in Chrome 148.0.7778.96, marking it high severity. Users must interact with the malicious page, but no authentication is required. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the Chromium bug tracker may contain additional context.

Microsoft Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7902 HIGH PATCH This Week

Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once proof-of-concept becomes public.

RCE Google Memory Corruption Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7900 HIGH PATCH This Week

Heap buffer overflow in Chrome's ANGLE graphics layer enables sandbox escape for attackers who have already compromised the renderer process, requiring user interaction with a malicious webpage. Chrome 148.0.7778.96 patches this High-severity vulnerability. No active exploitation confirmed (not in CISA KEV), and CVSS 8.3 reflects the Changed scope indicating successful sandbox breakout - a critical security boundary failure that elevates renderer compromise to broader system access.

Heap Overflow Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-7899 HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 JavaScript engine enables remote code execution within the browser sandbox when users visit malicious websites. Affects all Chrome versions prior to 148.0.7778.96 across Windows, macOS, and Linux. Google released patches in the stable channel update (build 148.0.7778.96) per May 2026 advisory. No active exploitation confirmed at time of analysis, but CVSS 8.8 indicates high severity and the vulnerability requires only user interaction (visiting a crafted webpage) with no authentication needed.

Google Information Disclosure RCE Buffer Overflow Red Hat +2
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7896 HIGH PATCH This Week

Heap corruption in Google Chrome prior to 148.0.7778.96 allows remote attackers to execute arbitrary code via a maliciously crafted HTML page exploiting an integer overflow in the Blink rendering engine. The vulnerability requires user interaction (visiting a malicious webpage) but no authentication, enabling drive-by attacks against default Chrome installations. Google has assigned this a Critical severity rating and released version 148.0.7778.96 to address the issue. No active exploitation (CISA KEV) or public POC has been identified at time of analysis, though the technical details are publicly documented in the Chromium issue tracker.

Buffer Overflow Google Red Hat Suse Chrome
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41286 HIGH PATCH This Week

Stack-based buffer overflow in WatchGuard Agent discovery service on Windows enables adjacent attackers without authentication to crash the agent via crafted network packets. CVSS 7.1 (High) reflects adjacent network attack vector with high integrity impact. The vulnerability targets the discovery service component used for agent enrollment and network communication. No CISA KEV listing or public exploit code identified at time of analysis, though the local network attack vector limits exposure to adjacent attackers.

Watchguard Stack Overflow Microsoft Buffer Overflow
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-20185 HIGH This Week

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Heap Overflow Denial Of Service Buffer Overflow Cisco
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2026-6691 HIGH This Week

Heap buffer overflow in MongoDB C Driver's Cyrus SASL integration allows local attackers to achieve code execution before authentication by providing a maliciously crafted username in a MongoDB URI with GSSAPI authentication. The vulnerability triggers during username canonicalization via unsafe string copying, requiring no privileges or user interaction. Exploitable against any application using the affected driver that processes untrusted MongoDB connection strings. No active exploitation confirmed (not in CISA KEV). EPSS data not provided. Vendor has acknowledged the issue via JIRA tracking (CDRIVER-6134).

Buffer Overflow Mongodb C Driver
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-41287 HIGH PATCH This Week

Stack-based buffer overflow in WatchGuard Agent's discovery service allows adjacent network attackers to crash the agent service without authentication. Affects Windows installations prior to version 1.25.03.0000. Vendor patch released addressing the vulnerability. SSVC framework indicates no active exploitation observed and manual exploitation required. While CVSS 7.1 (High) reflects network-adjacent access with high availability impact, actual risk is limited to denial-of-service - no code execution or data compromise possible per the CVSS vector (VC:N/VI:N/VA:H).

Watchguard Stack Overflow Microsoft Buffer Overflow
NVD
CVSS 4.0
7.1
EPSS
0.0%
CVE-2025-71292 MEDIUM PATCH This Month

Integer wraparound in the Linux kernel JFS (Journaled File System) `jfs_rename` function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a `drop_nlink` kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Buffer Overflow Linux
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43281 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.

Information Disclosure Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43280 HIGH PATCH This Week

Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43279 HIGH PATCH This Week

Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.

Linux Memory Corruption Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43274 HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-43258 HIGH PATCH This Week

Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43256 HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43250 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43248 HIGH PATCH This Week

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43241 HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Information Disclosure Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43233 HIGH PATCH This Week

Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43228 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43208 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Linux Buffer Overflow Memory Corruption Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43206 HIGH PATCH This Week

Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43205 HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

Memory Corruption Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43197 CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43190 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.

Buffer Overflow Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-43186 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Buffer Overflow Linux Memory Corruption Red Hat Suse
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-43185 CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43175 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.

Denial Of Service Buffer Overflow Null Pointer Dereference Linux Red Hat +1
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43166 HIGH PATCH This Week

Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43158 HIGH PATCH This Week

Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, causing the entries array and free space tracking to claim overlapping memory regions. This results in firstused pointer corruption where the name area starts below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the high CVSS 8.8 reflects severe impact on availability and potential for data corruption in XFS filesystems.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43150 HIGH PATCH This Week

Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43141 HIGH PATCH This Week

Local denial-of-service and potential memory corruption in the Linux kernel's ntb_hw_switchtec driver allows a low-privileged local user to trigger undefined behavior via a shift-out-of-bounds condition when the Non-Transparent Bridge (NTB) is configured with zero Memory Window LUTs. The flaw stems from rounddown_pow_of_two being invoked on a zero value, and although no public exploit is identified at time of analysis, the upstream fix is available across multiple stable kernel branches. EPSS is very low at 0.02%, consistent with the local attack vector and narrow hardware-dependent trigger.

Information Disclosure Buffer Overflow Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43125 CRITICAL PATCH Act Now

Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-43121 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]

Race Condition Buffer Overflow Linux Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-43112 HIGH PATCH This Week

Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-43083 CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43080 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.

Linux Debian Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43079 MEDIUM PATCH This Month

Out-of-bounds array write in the Linux kernel's Intel uncore PMU driver (`perf/x86/intel/uncore`) causes denial of service on affected Intel multi-die x86 systems. The driver fails to skip discovery table parsing for dies whose CPUs are all offline at boot, allowing the assignment `pmu->boxes[die] = box` in `uncore_pci_pmu_register()` to overflow the boxes array, triggering a kernel WARN or potential memory corruption. Exploitation requires local low-privilege access under a specific hardware and boot configuration; no public exploit exists and EPSS is 0.02%, indicating negligible real-world exploitation likelihood.

Linux Intel Buffer Overflow Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-43078 HIGH PATCH This Week

Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-43075 HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Buffer Overflow Linux Memory Corruption
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-28780 CRITICAL PATCH Act Now

Remote heap buffer overflow in Apache HTTP Server's mod_proxy_ajp module allows complete system compromise when proxying to attacker-controlled AJP backends. Affects all versions through 2.4.66; attackers can achieve remote code execution by sending malicious AJP protocol responses that overflow a heap buffer with 4 controlled bytes. Apache released patch in version 2.4.67. Despite critical CVSS 9.8, EPSS probability remains very low (0.02%, 5th percentile) indicating minimal observed exploitation attempts, and no CISA KEV listing confirms active in-the-wild abuse. Exploitation requires specific proxy_ajp deployment configuration connecting to malicious AJP servers.

Heap Overflow Apache Buffer Overflow Apache Http Server
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34464 HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus SbieSvc service enables sandboxed processes to escape isolation and execute code as SYSTEM. Affected versions 1.17.2 and earlier allow malicious sandboxed code to overflow a fixed 160-wide-character stack buffer in NamedPipeServer::OpenHandler via crafted named pipe open requests, bypassing the fundamental security boundary Sandboxie provides. Fixed in version 1.17.3. EPSS data unavailable, no CISA KEV listing or public exploit identified at time of analysis, but the security boundary violation represents a complete defeat of Sandboxie's core function.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-34462 HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus ProcessServer handlers allows local authenticated attackers to execute arbitrary code as SYSTEM or crash the SbieSvc service. The vulnerability affects versions 1.17.2 and earlier, stems from unsafe wcscpy operations on unchecked WCHAR fields from service pipe requests, and has been patched in version 1.17.3. The service pipe's NULL DACL permits any local process to connect and trigger the flaw before authorization checks execute, enabling privilege escalation from low-privileged local accounts. No public exploit code identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for skilled attackers to develop exploits.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-34461 HIGH PATCH This Week

Local privilege escalation to SYSTEM in Sandboxie-Plus 1.17.2 and earlier allows low-privileged interactive users to trigger stack buffer overflow in SbieSvc service via unauthenticated IPC, bypassing sandbox isolation controls. The vulnerability exists in the RunSbieCtrl handler which processes crafted messages before security checks and copies unbounded input into a 128-character stack buffer. Fixed in version 1.17.3. EPSS data unavailable; not listed in CISA KEV at time of analysis, but publicly disclosed via GitHub Security Advisory with technical details sufficient for exploit development.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-34459 HIGH PATCH This Week

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Stack Overflow Microsoft Buffer Overflow Privilege Escalation Intel
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-7857 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 enables authenticated remote code execution via crafted input to the /user_group.asp CGI handler. Attackers with high-privilege (administrator) credentials can exploit the unsafe sprintf function to achieve arbitrary code execution with complete system compromise. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation despite the high-privilege requirement.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-7856 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated administrators to execute arbitrary code via crafted 'Name' parameter to /url_member.asp in the web management interface. Public exploit code exists on GitHub, demonstrating active proof-of-concept availability. EPSS data unavailable; CVSS 7.2 reflects high impact but limited by requirement for high-privilege (admin) authentication, reducing real-world urgency for most organizations unless admin credentials are compromised or insider threat exists.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-30923 HIGH PATCH This Week

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Suse Denial Of Service Apache Buffer Overflow Nginx +2
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-7855 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router (firmware 16.07.26A1) allows authenticated remote attackers to execute arbitrary code or crash the device via crafted HTTP requests to the /tggl.asp endpoint. The vulnerability affects the tggl_asp function's Name parameter handling. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation for attackers with valid router credentials.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7854 HIGH POC This Week

Remote unauthenticated buffer overflow in D-Link DI-8100 firmware 16.07.26A1 enables attackers to execute arbitrary code, compromise device integrity, and cause denial of service via crafted POST requests to /url_rule.asp. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS 9.8 critical score reflects network-based remote attack requiring no authentication or user interaction, though no active exploitation has been confirmed via CISA KEV at time of analysis.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-7853 HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests to /auto_reboot.asp. The vulnerability exploits unsafe sprintf calls handling the 'enable' and 'time' parameters in the auto-reboot feature's HTTP handler. A public proof-of-concept exploit is available on GitHub, significantly lowering the barrier to exploitation. CVSS 8.9 with EPSS and attack complexity both low indicate high real-world risk for internet-facing devices running this firmware version.

D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-7851 HIGH POC This Week

Stack-based buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated remote attackers with high privileges to execute arbitrary code via malformed ID parameter to yyxz.asp administrative interface. Public exploit code exists on GitHub, demonstrating reliable exploitation. CVSS 7.3 (High) reflects network attack vector but requires admin-level authentication, limiting real-world exposure to compromised credentials or insider scenarios.

Stack Overflow D-Link Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.3
EPSS
0.1%
CVE-2026-25589 HIGH PATCH This Week

Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.

Heap Overflow Redis RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-25588 HIGH PATCH This Week

Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.

Heap Overflow Redis RCE Buffer Overflow Suse
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-25243 HIGH PATCH This Week

Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.

Heap Overflow Redis RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43071 CRITICAL PATCH Act Now

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Information Disclosure Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-43070 HIGH PATCH This Week

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-34002 MEDIUM PATCH This Month

Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-34000 MEDIUM PATCH This Month

Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in CheckSetGeom() and XkbAddGeomKeyAlias functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-7834 HIGH POC This Week

Stack-based buffer overflow in EFM ipTIME NAS1dual 1.5.24 allows remote unauthenticated attackers to achieve complete system compromise via the get_csrf_whites function in /cgi/advanced/misc_main.cgi. Public exploit code exists on GitHub, demonstrating practical exploitability despite lack of vendor response to responsible disclosure. CVSS 8.9 (Critical) with EPSS data unavailable; attack requires no authentication, low complexity, and no user interaction (AV:N/AC:L/PR:N/UI:N), making this a high-priority remote attack surface.

Stack Overflow Buffer Overflow Iptime Nas1Dual
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-6918 HIGH PATCH This Week

Remote unauthenticated attackers can crash Eclipse OpenJ9 JITServer instances (versions 0.21-0.58) by sending a specially crafted 32-byte TCP message, triggering a buffer over-read (CWE-125) that causes denial of service. The vulnerability requires no authentication or user interaction, affecting any exposed JITServer endpoint. CVSS 8.7 (High) reflects the severe availability impact, though EPSS data is not available for this recent CVE. Exploit code is publicly available via GitHub PR #23793, which demonstrates the bounds-checking fix, though no active exploitation is confirmed at time of analysis.

Information Disclosure Buffer Overflow Eclipse Openj9
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-39103 MEDIUM This Month

Heap buffer overflow in GPAC's SVG attribute parser allows local attackers to cause denial of service by providing crafted SVG input that triggers out-of-bounds memory access in the svg_parse_strings() function. The vulnerability requires user interaction (opening a malicious SVG file) and operates with low complexity on local systems. While CVSS score is moderate (5.5) and EPSS probability is very low (0.02%), the issue affects the widely-used multimedia framework's SVG handling and has been confirmed fixed upstream.

Heap Overflow Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-42311 PyPI HIGH PATCH GHSA This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow Python
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-42308 PyPI MEDIUM PATCH GHSA This Month

Integer overflow in Pillow's font glyph processing allows remote code execution or denial of service when handling maliciously crafted fonts with extremely large glyph advance values. Pillow versions before 12.2.0 are affected. The vulnerability is triggered during font rendering operations where position tracking accumulates glyph advances without proper bounds checking, leading to wraparound arithmetic that can corrupt memory or crash the interpreter.

Integer Overflow Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-42309 PyPI MEDIUM PATCH GHSA This Month

Heap buffer overflow in Pillow 11.2.1 through 12.1.x allows local attackers to cause denial of service or potentially execute arbitrary code by passing deeply nested list structures as coordinates to ImagePath.Path, ImageDraw.polygon, or ImageDraw.line APIs, which recursively unpack coordinates beyond allocated buffer boundaries.

Heap Overflow Buffer Overflow Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41927 HIGH POC This Week

Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenticated attackers to execute arbitrary code through crafted POST requests with oversized Content-Length headers. The vulnerability affects hardware version 2.1 running firmware LFMZX28040922V1.02, with publicly available proof-of-concept exploit code documented via AI-assisted vulnerability research. CVSS 8.3 with high attack complexity indicates exploitation requires advanced technical skills, though the network vector and lack of authentication requirements make this a significant risk for exposed IoT devices.

Stack Overflow RCE Buffer Overflow Wdr201A Wifi Extender
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-40251 Go HIGH PATCH GHSA This Week

Denial of service in Incus prior to version 7.0.0 allows authenticated users to crash the Incus daemon by importing a maliciously crafted backup archive with physical snapshot directories but tampered metadata arrays. The vulnerability stems from an incorrect bounds check (len(slice) >= i-1 instead of len(slice) > i) in the backup restore and migration code paths, enabling out-of-bounds array access that triggers a runtime panic. Repeated exploitation keeps the Incus service offline, confirmed by a publicly available proof-of-concept.

Denial Of Service Information Disclosure Buffer Overflow Suse
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42144 MEDIUM PATCH This Month

Integer overflow in CImg Library's _load_pnm() function allows crafted PNM/PGM/PPM image files to bypass memory allocation guards via undersized buffer allocation, potentially triggering heap buffer overflow with local file access and user interaction. CVSS 6.1 (local, user-required interaction). Patch available in commit 4ca26bc and v.3.7.5.

Integer Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-29004 HIGH PATCH This Week

Heap buffer overflow in BusyBox udhcpc6 (DHCPv6 client) allows network-adjacent attackers to achieve remote code execution or denial of service on embedded systems. The vulnerability stems from incorrect heap buffer allocation in option_to_env() when parsing D6_OPT_DNS_SERVERS options in DHCPv6 responses. Particularly dangerous on embedded devices lacking heap hardening protections. Fixed in commit 42202bf. No active exploitation confirmed (not in CISA KEV), but publicly available proof-of-concept from VulnCheck disclosure increases real-world risk for IoT and embedded deployments.

RCE Denial Of Service Buffer Overflow Heap Overflow
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-25293 CRITICAL Act Now

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Authentication Bypass Buffer Overflow Snapdragon
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-25266 MEDIUM This Month

Memory corruption in Qualcomm Snapdragon SDK occurs when processing IOCTL commands while the device is in power-save state, allowing local authenticated attackers to trigger a denial of service. The vulnerability affects all versions of Snapdragon and requires local access with user-level privileges; no authentication bypass or privilege escalation is possible, but successful exploitation causes system crash or hang. EPSS and KEV status not provided; no public exploit code has been identified at time of analysis.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24082 HIGH This Week

Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to achieve full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in their May 2026 security bulletin. EPSS data not yet available for this future-dated CVE; no confirmed active exploitation or public exploit code identified at time of analysis.

Buffer Overflow Use After Free Memory Corruption Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47408 HIGH This Week

Memory corruption in Qualcomm Snapdragon allows local authenticated attackers with low privileges to achieve arbitrary code execution and full system compromise. The vulnerability triggers when malicious drivers invoke specific IOCTLs with intentionally malformed input/output buffers, bypassing buffer validation checks. EPSS and KEV status not available at time of analysis; advisory references May 2026 bulletin suggesting pre-disclosure analysis.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47407 HIGH This Week

Local privilege escalation in Qualcomm Snapdragon chipsets allows authenticated users to corrupt kernel memory during digital signal processor (DSP) process creation, leading to arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exploits allocation failure handling at kernel level. Qualcomm has published a security bulletin with remediation details for the May 2026 bulletin cycle. No active exploitation or public exploit code identified at time of analysis, though EPSS data not available to assess probabilistic risk.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47406 MEDIUM This Month

Information disclosure in Qualcomm Snapdragon firmware allows local authenticated attackers to read sensitive kernel memory via malformed IOCTL handler callbacks that bypass buffer size validation. The vulnerability affects multiple Snapdragon chipset versions and requires local access with limited privileges; exploitation results in confidentiality breach without direct system compromise. No active exploitation has been confirmed at the time of analysis.

Information Disclosure Buffer Overflow Snapdragon
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-47405 HIGH This Week

Memory corruption in Qualcomm Snapdragon camera subsystem allows local authenticated users to execute arbitrary code with high privileges through crafted input/output control (ioctl) calls targeting camera sensor interfaces with malformed output buffers. CVSS score of 7.8 reflects local attack vector requiring low-privilege account access. No EPSS data or KEV listing at time of analysis, suggesting exploitation has not been publicly observed. Qualcomm security bulletin scheduled for May 2026 indicates vendor-coordinated disclosure with patches expected in that timeframe.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47404 MEDIUM This Month

Memory corruption in Qualcomm Snapdragon occurs when dynamically resizing a previously allocated buffer while its contents are being concurrently modified, enabling local authenticated attackers with user-level privileges to achieve high confidentiality and integrity impact with CVSS 6.5. No active exploitation has been confirmed at the time of analysis, and patch availability details require verification against the May 2026 Qualcomm security bulletin.

Buffer Overflow Snapdragon
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47403 MEDIUM This Month

Denial of service in Qualcomm Snapdragon wireless chipsets allows unauthenticated attackers in wireless range to crash the device by sending a malformed Fast Transition response frame during roaming operations. The vulnerability triggers a buffer overflow in the 802.11 frame parser when processing an invalid header structure, resulting in temporary denial of service. No authentication is required and exploitation requires only network adjacency.

Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-47401 MEDIUM This Month

Transient denial of service in Qualcomm Snapdragon occurs during target power rate table processing when configuring wireless channels, caused by a buffer over-read vulnerability. The vulnerability affects all Snapdragon versions and requires adjacent network access with no authentication or user interaction, resulting in service interruption but no data compromise or unauthorized access.

Buffer Overflow Snapdragon
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33857 MEDIUM PATCH This Month

Out-of-bounds read in mod_proxy_ajp of Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to disclose sensitive information via a crafted AJP protocol request. The vulnerability has a CVSS score of 5.3 (moderate) with no active exploitation confirmed. Upgrade to version 2.4.67 to remediate.

Red Hat Suse Information Disclosure Apache Buffer Overflow +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-34032 MEDIUM PATCH This Month

Improper null termination and out-of-bounds read vulnerability in Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to trigger information disclosure with low complexity exploitation. The vulnerability has a CVSS score of 5.3 (medium) with network-accessible attack vector and no user interaction required, though technical impact is limited to confidentiality (partial information disclosure). Vendor-released patch: version 2.4.67 addresses the issue.

Red Hat Suse Apache Buffer Overflow Apache HTTP Server
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-34059 HIGH POC PATCH This Week

Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.

Red Hat Suse Apache Buffer Overflow Apache HTTP Server
NVD VulDB GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7482 Go HIGH PATCH GHSA This Week

Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Information Disclosure Buffer Overflow Red Hat Suse
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
CVE-2026-33846 HIGH PATCH This Week

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +3
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7750 HIGH POC This Week

Remote authenticated attackers can execute arbitrary code on Totolink N300RH 3.2.4-B20220812 routers via buffer overflow in the setMacFilterRules function. Exploitation requires low-privilege authentication to the router's web interface, then sending a crafted POST request with an oversized mac_address parameter to /cgi-bin/cstecgi.cgi. Public exploit code is available (documented on Notion), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, publicly available POC, and vulnerable IoT device suggest moderate real-world risk for internet-exposed routers with default or weak credentials.

Buffer Overflow N300Rh
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds read in WebCodecs video processing in Google Chrome versions prior to 148.0.7778.96 allows remote attackers to leak sensitive memory contents via a crafted video file. The vulnerability requires user interaction to open a malicious video, but affects all users regardless of authentication. Chrome 148.0.7778.96 and later versions patch this information disclosure vulnerability, which could expose cryptographic keys, session tokens, or other sensitive data resident in adjacent memory.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Renderer sandbox escape in Google Chrome versions prior to 148.0.7778.96 leverages an out-of-bounds write in the Skia graphics library. An attacker who has already compromised Chrome's renderer process through other means (such as a separate browser vulnerability) can deliver a specially crafted HTML page to break out of Chrome's security sandbox, gaining elevated code execution on the underlying operating system. EPSS data not available; no CISA KEV listing identified. Google has released Chrome 148.0.7778.96 addressing this high-severity flaw, classified as CWE-787 (Out-of-bounds Write) affecting the Skia graphics rendering engine.

Google Memory Corruption Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Integer overflow in the GPU component of Google Chrome on Android prior to version 148.0.7778.96 enables a remote attacker whose renderer process has been compromised to execute arbitrary read and write operations via a malicious HTML page. The vulnerability requires prior compromise of the renderer process and user interaction, limiting its standalone exploitability but creating a significant secondary threat following renderer exploitation. Chromium security team rated this as high severity; no public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Out-of-bounds memory read in Google Chrome's font handling allows remote attackers to leak sensitive information via a crafted HTML page when users visit a malicious website. Chrome versions prior to 148.0.7778.96 are affected. The vulnerability requires user interaction (clicking a link or visiting a page) but occurs over the network without authentication. Information disclosure risk is limited (CVSS C:L) with no impact on integrity or availability, but the Chromium security severity designation of High indicates concern about potential information leakage in real-world exploitation.

Google Information Disclosure Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Integer overflow in Chrome's ANGLE graphics layer (Mac/Windows) enables heap corruption via malicious web pages. Remote attackers can achieve arbitrary code execution by tricking users into visiting crafted HTML content. Google patched this in Chrome 148.0.7778.96, marking it high severity. Users must interact with the malicious page, but no authentication is required. EPSS data not available; no CISA KEV listing indicates exploitation not yet confirmed in the wild, though the Chromium bug tracker may contain additional context.

Microsoft Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution within Chrome's V8 sandbox affects all versions prior to 148.0.7778.96 when users visit malicious web pages. The out-of-bounds memory access vulnerability in V8 JavaScript engine enables arbitrary code execution with user interaction (visiting crafted HTML), rated high severity by Chromium team. EPSS and KEV data not available, but Google confirmed the vulnerability and released patches. Attack complexity is low (CVSS AC:L) with no authentication required, making this exploitable at scale once proof-of-concept becomes public.

RCE Google Memory Corruption +4
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Heap buffer overflow in Chrome's ANGLE graphics layer enables sandbox escape for attackers who have already compromised the renderer process, requiring user interaction with a malicious webpage. Chrome 148.0.7778.96 patches this High-severity vulnerability. No active exploitation confirmed (not in CISA KEV), and CVSS 8.3 reflects the Changed scope indicating successful sandbox breakout - a critical security boundary failure that elevates renderer compromise to broader system access.

Heap Overflow Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 JavaScript engine enables remote code execution within the browser sandbox when users visit malicious websites. Affects all Chrome versions prior to 148.0.7778.96 across Windows, macOS, and Linux. Google released patches in the stable channel update (build 148.0.7778.96) per May 2026 advisory. No active exploitation confirmed at time of analysis, but CVSS 8.8 indicates high severity and the vulnerability requires only user interaction (visiting a crafted webpage) with no authentication needed.

Google Information Disclosure RCE +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome prior to 148.0.7778.96 allows remote attackers to execute arbitrary code via a maliciously crafted HTML page exploiting an integer overflow in the Blink rendering engine. The vulnerability requires user interaction (visiting a malicious webpage) but no authentication, enabling drive-by attacks against default Chrome installations. Google has assigned this a Critical severity rating and released version 148.0.7778.96 to address the issue. No active exploitation (CISA KEV) or public POC has been identified at time of analysis, though the technical details are publicly documented in the Chromium issue tracker.

Buffer Overflow Google Red Hat +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stack-based buffer overflow in WatchGuard Agent discovery service on Windows enables adjacent attackers without authentication to crash the agent via crafted network packets. CVSS 7.1 (High) reflects adjacent network attack vector with high integrity impact. The vulnerability targets the discovery service component used for agent enrollment and network communication. No CISA KEV listing or public exploit code identified at time of analysis, though the local network attack vector limits exposure to adjacent attackers.

Watchguard Stack Overflow Microsoft +1
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Cisco SG350 and SG350X managed switches can be remotely crashed via crafted SNMP requests, forcing unexpected device reloads. Authenticated attackers with valid SNMP credentials (read-only or read-write community strings for SNMPv1/v2c, or user credentials for SNMPv3) can trigger a heap-based buffer overflow in SNMP response parsing. Cisco confirmed this vulnerability affects all three SNMP versions (v1, v2c, v3) and published advisory cisco-sa-sg350-snmp-dos-GEFZr2Tj. EPSS and KEV status not provided in available data; exploitation requires network access with low complexity but does require valid SNMP authentication.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Heap buffer overflow in MongoDB C Driver's Cyrus SASL integration allows local attackers to achieve code execution before authentication by providing a maliciously crafted username in a MongoDB URI with GSSAPI authentication. The vulnerability triggers during username canonicalization via unsafe string copying, requiring no privileges or user interaction. Exploitable against any application using the affected driver that processes untrusted MongoDB connection strings. No active exploitation confirmed (not in CISA KEV). EPSS data not provided. Vendor has acknowledged the issue via JIRA tracking (CDRIVER-6134).

Buffer Overflow Mongodb C Driver
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Stack-based buffer overflow in WatchGuard Agent's discovery service allows adjacent network attackers to crash the agent service without authentication. Affects Windows installations prior to version 1.25.03.0000. Vendor patch released addressing the vulnerability. SSVC framework indicates no active exploitation observed and manual exploitation required. While CVSS 7.1 (High) reflects network-adjacent access with high availability impact, actual risk is limited to denial-of-service - no code execution or data compromise possible per the CVSS vector (VC:N/VI:N/VA:H).

Watchguard Stack Overflow Microsoft +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer wraparound in the Linux kernel JFS (Journaled File System) `jfs_rename` function can be triggered by a local low-privileged user to cause a kernel warning and denial of service. When a directory's hard link count (nlink) is already at its maximum value (-1 as an unsigned overflow scenario), performing an in-place rename of a child subdirectory increments nlink and then decrements it, wrapping the counter to zero and triggering a `drop_nlink` kernel warning. The vulnerability affects a wide range of stable kernel branches from 5.10 through 6.19; no public exploit code exists and CISA has not listed this in KEV, making active exploitation unlikely but not impossible in multi-tenant or container environments where JFS-mounted filesystems are accessible to low-privilege users.

Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: mailbox: Prevent out-of-bounds access in fw_mbox_index_xlate() Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function.

Information Disclosure Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local authenticated attackers can trigger an out-of-bounds kernel memory read in Linux kernel's xe graphics driver (6.18-6.19.x) via malicious pat_index values in the madvise IOCTL. This allows information disclosure from kernel memory and potential denial of service through kernel crashes. The vulnerability exists because madvise_args_are_sane() fails to validate pat_index bounds before passing it to xe_pat_index_get_coh_mode(), which performs unsafe array access into xe->pat.table. Vendor patches available for kernels 6.18.16+ and 6.19.6+ implement bounds checking with array_index_nospec() to prevent both direct exploitation and Spectre-based side-channel attacks. EPSS score of 0.02% indicates low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds buffer writes in Linux kernel ALSA USB audio subsystem allow local authenticated attackers to crash the kernel or potentially achieve privilege escalation. The flaw occurs during implicit feedback mode playback when stream configurations mismatch between capture and playback, causing the prepare_silent_urb() function to write beyond allocated buffer boundaries. Affects all Linux kernel versions from initial commit 1da177e4c3f4 through multiple stable branches; vendor patches available for 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. EPSS exploitation probability is low (0.02%, 7th percentile), and no public exploits or active exploitation confirmed.

Linux Memory Corruption Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel's Microchip IPC mailbox driver allows local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The mchp-ipc-sbi driver incorrectly indexes a dynamically allocated cluster configuration array using non-contiguous hardware thread IDs (hartid) instead of sequential CPU IDs, causing reads/writes beyond array bounds on systems where hartid values exceed the number of online CPUs. Vendor patches available for stable kernel series 6.18.16, 6.19.6, and mainline 7.0. EPSS score of 0.02% suggests low probability of mass exploitation despite high CVSS severity, with no active exploitation confirmed at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation and memory corruption in Linux kernel on Alpha architecture allows authenticated users to execute arbitrary code, corrupt heap memory, or crash systems via insufficient TLB shootdown during memory compaction. The vulnerability affects Alpha systems exclusively and manifests as SIGSEGV crashes, glibc allocator corruption, and compiler failures. EPSS score of 0.02% indicates low likelihood of widespread exploitation, though vendor patches are available across multiple stable kernel branches. Attack requires local authenticated access with low complexity (CVSS AV:L/AC:L/PR:L), limiting remote exploitation scenarios.

Linux Buffer Overflow Memory Corruption +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).

Buffer Overflow Linux Information Disclosure +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke() The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Memory Corruption Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Linux kernel vhost_vdpa subsystem allows local authenticated users to achieve arbitrary kernel memory corruption via ASID group assignment. Affects Linux kernel versions 5.19 through 6.19.x, with vendor patches available for stable branches 6.12.75, 6.18.16, 6.19.6, and mainline 7.0. Exploitation requires local access with low privileges but no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability, and no public exploit code or active exploitation confirmed at time of analysis.

Linux Buffer Overflow Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds array access in the Linux kernel's NTB Switchtec hardware driver allows authenticated local users with low privileges to read sensitive kernel memory or trigger denial of service. The vulnerability affects the mw_sizes array when NTB (Non-Transparent Bridge) configurations set memory window LUTs to MAX_MWS, enabling access beyond array boundaries. Exploitation probability is low (EPSS 0.02%, 7th percentile) with no confirmed active exploitation or public POC. Vendor patches are available across all affected stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Information Disclosure Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Heap buffer overflow in Linux kernel's nf_conntrack_h323 netfilter module allows remote unauthenticated attackers to trigger 1-2 byte out-of-bounds read via crafted Q.931 SETUP messages to port 1720. The vulnerability affects firewalls with H.323 connection tracking active and can cause information disclosure or denial of service. EPSS score of 0.02% suggests low exploitation probability despite network-accessible attack vector. Patches available across all maintained stable branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and mainline 7.0).

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>

Buffer Overflow Linux Red Hat +1
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel RPS (Receive Packet Steering) subsystem allows remote unauthenticated attackers to trigger kernel crashes or potentially achieve code execution with SYSTEM privileges. The flaw stems from incorrect assumptions about RPS hash table sizing across receive queues, introduced in commit 48aa30443e52. Exploitation requires no authentication (CVSS AV:N/PR:N) but EPSS probability remains low at 0.02% (4th percentile), suggesting limited real-world targeting. Patches available for stable kernel branches 6.18.16, 6.19.6, and 7.0.

Linux Buffer Overflow Memory Corruption +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory write in Linux kernel's AMD KFD (Kernel Fusion Driver) allows local authenticated attackers with low privileges to escalate to root privileges. The kfd_event_page_set() function performs unchecked memset operations of fixed size (KFD_SIGNAL_EVENT_LIMIT * 8 bytes) regardless of user-supplied buffer size, enabling unprivileged userspace processes to corrupt kernel memory. Patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability despite high CVSS severity, likely due to the local attack vector and requirement for systems with AMD GPU hardware running the amdkfd driver.

Buffer Overflow Linux Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: validate num_ifs to prevent out-of-bounds write The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes() but never validates it against DPSW_MAX_IF (64). This value controls iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports num_ifs >= 64, the loop can write past the array bounds. Add a bound check for num_ifs in dpaa2_switch_init(). dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all ports match the flood filter, the loop fills all 64 slots and the control interface write overflows by one entry. The check uses >= because num_ifs == DPSW_MAX_IF is also functionally broken. build_if_id_bitmap() silently drops any ID >= 64: if (id[i] < DPSW_MAX_IF) bmap[id[i] / 64] |= ...

Memory Corruption Buffer Overflow Linux +2
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory reads in Linux kernel netconsole subsystem allow information disclosure and system crashes via unterminated console messages. The vulnerability affects Linux kernel 6.6+ including 6.18.x and 6.19.x branches, triggered by netconsole's failure to validate message buffer boundaries when converting to NBCON console infrastructure. Vendor patches available for 6.18.16, 6.19.6, and 7.0. EPSS score of 0.02% suggests minimal real-world exploitation despite CVSS 9.1 rating. No public exploit identified at time of analysis.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's netfilter xt_tcpmss module allows remote unauthenticated attackers to leak memory contents and potentially cause system crashes via malformed TCP options. The xt_tcpmss TCP option parser fails to validate remaining option length before reading optlen values, triggering memory access beyond buffer boundaries when processing crafted packets. EPSS exploitation probability is low (0.02%, 7th percentile) and no public exploit identified at time of analysis, but the network attack vector (AV:N) and lack of authentication requirements (PR:N) make this exploitable against any system using netfilter with TCP MSS clamping enabled.

Buffer Overflow Linux Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel's IPv6 IOAM (In-situ Operations, Administration, and Maintenance) packet processing allows remote unauthenticated attackers to corrupt kernel memory and trigger system crashes. Attackers send crafted IPv6 packets with inconsistent IOAM trace headers (nodelen=0 with type bits set), causing __ioam6_fill_trace_data() to write ~100 bytes beyond allocated memory into skb_shared_info structures. Despite CVSS 9.8 critical rating, EPSS exploitation probability is low (0.05%, 16th percentile) and no active exploitation or public POC has been identified. Vendor patches available across multiple stable kernel branches (5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0).

Buffer Overflow Linux Memory Corruption +2
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Heap buffer overflow in Linux kernel ksmbd SMB Direct negotiation allows remote unauthenticated attackers to achieve arbitrary code execution. The vulnerability stems from a signedness bug where a malicious SMB Direct client sends a crafted preferred_send_size value (0x80000000) that bypasses minimum size validation, then follows with an oversized message (>1420 bytes) triggering heap corruption. With CVSS 9.8 critical severity and network-accessible attack vector requiring no authentication, this represents a severe pre-auth remote code execution risk. EPSS score of 0.02% suggests limited observed exploitation activity. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Red Hat +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.

Denial Of Service Buffer Overflow Null Pointer Dereference +3
NVD
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read in Linux kernel EROFS filesystem allows local attackers with user interaction to read kernel memory and cause denial of service via crafted compressed images. The vulnerability stems from incorrect classification of unaligned plain extents, triggering OOB access in z_erofs_transform_plain(). Vendor patches are available across multiple stable kernel branches (6.15, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (4th percentile) indicates very low observed exploitation probability, with no active exploitation confirmed at time of analysis.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Memory corruption in Linux kernel XFS filesystem allows authenticated users with write access to trigger kernel assertion failures and system shutdowns via crafted extended attribute operations. The vulnerability stems from incorrect freemap adjustment logic when adding xattrs to leaf blocks, causing the entries array and free space tracking to claim overlapping memory regions. This results in firstused pointer corruption where the name area starts below the end of the entries array. Vendor-released patches are available across multiple stable kernel branches (5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). Low EPSS score (0.02%, 7th percentile) and no CISA KEV listing indicate no widespread exploitation observed, though the high CVSS 8.8 reflects severe impact on availability and potential for data corruption in XFS filesystems.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Buffer overflow in Linux kernel's ARM CMN performance monitoring driver allows local attackers with low privileges to execute arbitrary code and gain elevated access. The perf/arm-cmn driver fails to validate hardware configuration parameters against assumed maximum sizes, enabling memory corruption through crafted CMN device configurations. While EPSS indicates low exploitation probability (0.02%), patches are available across all maintained kernel branches (6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) per vendor advisories. The local attack vector and requirement for low-privileged user access limit remote exploitation scenarios.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial-of-service and potential memory corruption in the Linux kernel's ntb_hw_switchtec driver allows a low-privileged local user to trigger undefined behavior via a shift-out-of-bounds condition when the Non-Transparent Bridge (NTB) is configured with zero Memory Window LUTs. The flaw stems from rounddown_pow_of_two being invoked on a zero value, and although no public exploit is identified at time of analysis, the upstream fix is available across multiple stable kernel branches. EPSS is very low at 0.02%, consistent with the local attack vector and narrow hardware-dependent trigger.

Information Disclosure Buffer Overflow Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote unauthenticated attackers can cause critical out-of-bounds writes in the Linux kernel's Distributed Lock Manager (DLM) subsystem by sending malformed network messages with unvalidated length parameters to dlm_dump_rsb_name(). When the length exceeds DLM_RESNAME_MAXLEN, dlm_search_rsb_tree() writes beyond allocated buffers, enabling arbitrary code execution, denial of service, or information disclosure. Patches available for kernel versions 6.12.75, 6.18.16, 6.19.6, and 7.0. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit or active exploitation has been identified at time of analysis, despite the critical CVSS 9.8 score.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix user_ref race between scrub and refill paths The io_zcrx_put_niov_uref() function uses a non-atomic check-then-decrement pattern (atomic_read followed by separate atomic_dec) to manipulate user_refs. This is serialized against other callers by rq_lock, but io_zcrx_scrub() modifies the same counter with atomic_xchg() WITHOUT holding rq_lock. On SMP systems, the following race exists: CPU0 (refill, holds rq_lock) CPU1 (scrub, no rq_lock) put_niov_uref: atomic_read(uref) - 1 // window opens atomic_xchg(uref, 0) - 1 return_niov_freelist(niov) [PUSH #1] // window closes atomic_dec(uref) - wraps to -1 returns true return_niov(niov) return_niov_freelist(niov) [PUSH #2: DOUBLE-FREE] The same niov is pushed to the freelist twice, causing free_count to exceed nr_iovs. Subsequent freelist pushes then perform an out-of-bounds write (a u32 value) past the kvmalloc'd freelist array into the adjacent slab object. Fix this by replacing the non-atomic read-then-dec in io_zcrx_put_niov_uref() with an atomic_try_cmpxchg loop that atomically tests and decrements user_refs. This makes the operation safe against concurrent atomic_xchg from scrub without requiring scrub to acquire rq_lock. [pavel: removed a warning and a comment]

Race Condition Buffer Overflow Linux +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Out-of-bounds read in Linux kernel CIFS client allows network attackers to achieve high-severity impacts including potential code execution, information disclosure, or denial of service when users access maliciously crafted SMB shares. The vulnerability resides in cifs_sanitize_prepath() which improperly handles empty strings or delimiter-only paths, triggering memory access violations confirmed via AddressSanitizer testing. Vendor patches available across multiple stable kernel branches (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS score of 0.02% (5th percentile) indicates low predicted exploitation probability despite high CVSS 8.8, and no active exploitation or public POC identified at time of analysis.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory access in Linux kernel IOAM6 networking code allows remote unauthenticated attackers to read sensitive kernel memory or crash systems via crafted IPv6 packets with IOAM trace options. The vulnerability triggers when RX queue indices from ingress devices exceed TX queue counts on egress devices, causing array boundary violations in network qdisc operations. Additionally, a missing spinlock enables race conditions in queue statistics access from concurrent softirq and process contexts. EPSS probability is very low (0.02%, 4th percentile) with no evidence of active exploitation. Vendor patches available across multiple stable kernel branches.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.

Linux Debian Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Out-of-bounds array write in the Linux kernel's Intel uncore PMU driver (`perf/x86/intel/uncore`) causes denial of service on affected Intel multi-die x86 systems. The driver fails to skip discovery table parsing for dies whose CPUs are all offline at boot, allowing the assignment `pmu->boxes[die] = box` in `uncore_pci_pmu_register()` to overflow the boxes array, triggering a kernel WARN or potential memory corruption. Exploitation requires local low-privilege access under a specific hardware and boot configuration; no public exploit exists and EPSS is 0.02%, indicating negligible real-world exploitation likelihood.

Linux Intel Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's AF_ALG crypto subsystem allows local authenticated users to execute arbitrary code or cause denial of service through a page reassignment overflow in af_alg_pull_tsgl. The vulnerability affects multiple stable kernel branches (4.14 through 7.0) and has been patched across all maintained versions. With CVSS 7.8 and low attack complexity (AC:L), this presents a realistic privilege escalation path for local attackers, though EPSS exploitation probability remains low at 0.02% and no public exploit or KEV listing exists at time of analysis.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in Linux kernel's ocfs2 filesystem driver allows local attackers with low privileges to achieve arbitrary code execution or system crash via a corrupted ocfs2 filesystem image. Exploitation occurs during copy_file_range operations when the malicious id_count field in the inode block exceeds physical inline data capacity, causing a buffer overflow past the inode block buffer. Vendor patches are available across multiple stable kernel versions (6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0). EPSS exploitation probability is low (0.02%, 5th percentile), and no active exploitation or public POC is currently identified.

Buffer Overflow Linux Memory Corruption
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote heap buffer overflow in Apache HTTP Server's mod_proxy_ajp module allows complete system compromise when proxying to attacker-controlled AJP backends. Affects all versions through 2.4.66; attackers can achieve remote code execution by sending malicious AJP protocol responses that overflow a heap buffer with 4 controlled bytes. Apache released patch in version 2.4.67. Despite critical CVSS 9.8, EPSS probability remains very low (0.02%, 5th percentile) indicating minimal observed exploitation attempts, and no CISA KEV listing confirms active in-the-wild abuse. Exploitation requires specific proxy_ajp deployment configuration connecting to malicious AJP servers.

Heap Overflow Apache Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus SbieSvc service enables sandboxed processes to escape isolation and execute code as SYSTEM. Affected versions 1.17.2 and earlier allow malicious sandboxed code to overflow a fixed 160-wide-character stack buffer in NamedPipeServer::OpenHandler via crafted named pipe open requests, bypassing the fundamental security boundary Sandboxie provides. Fixed in version 1.17.3. EPSS data unavailable, no CISA KEV listing or public exploit identified at time of analysis, but the security boundary violation represents a complete defeat of Sandboxie's core function.

Stack Overflow Microsoft RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus ProcessServer handlers allows local authenticated attackers to execute arbitrary code as SYSTEM or crash the SbieSvc service. The vulnerability affects versions 1.17.2 and earlier, stems from unsafe wcscpy operations on unchecked WCHAR fields from service pipe requests, and has been patched in version 1.17.3. The service pipe's NULL DACL permits any local process to connect and trigger the flaw before authorization checks execute, enabling privilege escalation from low-privileged local accounts. No public exploit code identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for skilled attackers to develop exploits.

Stack Overflow Microsoft RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Local privilege escalation to SYSTEM in Sandboxie-Plus 1.17.2 and earlier allows low-privileged interactive users to trigger stack buffer overflow in SbieSvc service via unauthenticated IPC, bypassing sandbox isolation controls. The vulnerability exists in the RunSbieCtrl handler which processes crafted messages before security checks and copies unbounded input into a 128-character stack buffer. Fixed in version 1.17.3. EPSS data unavailable; not listed in CISA KEV at time of analysis, but publicly disclosed via GitHub Security Advisory with technical details sufficient for exploit development.

Stack Overflow Microsoft RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stack buffer overflow in Sandboxie-Plus SbieSvc proxy service enables SYSTEM privilege escalation from sandboxed processes, including Security Hardened Sandboxes. Attackers chain an information disclosure (returning up to 32KB uninitialized stack memory with ASLR/stack cookie bypass) with an unbounded memcpy overflow in the GetRawInputDeviceInfoSlave IPC handler. Intel CET shadow stacks block ROP exploitation but not the information leak itself. Vendor-released patch available in version 1.17.3. No public exploit identified at time of analysis, but attack complexity is rated high (AC:H) with low privilege requirements (PR:L), making this viable for motivated attackers targeting sandbox environments.

Stack Overflow Microsoft Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 enables authenticated remote code execution via crafted input to the /user_group.asp CGI handler. Attackers with high-privilege (administrator) credentials can exploit the unsafe sprintf function to achieve arbitrary code execution with complete system compromise. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation despite the high-privilege requirement.

D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated administrators to execute arbitrary code via crafted 'Name' parameter to /url_member.asp in the web management interface. Public exploit code exists on GitHub, demonstrating active proof-of-concept availability. EPSS data unavailable; CVSS 7.2 reflects high impact but limited by requirement for high-privilege (admin) authentication, reducing real-world urgency for most organizations unless admin credentials are compromised or insider threat exists.

D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Worker process crashes occur in ModSecurity (libmodsecurity3) when processing query string parameters containing single characters through the t:hexDecode transformation function. Remote unauthenticated attackers can trigger repeated segmentation faults to disrupt web application firewall protection, though service automatically recovers once the attack ceases. All libmodsecurity3 versions before 3.0.15 are affected across Apache, IIS, and Nginx deployments. OWASP confirmed the vulnerability via GitHub security advisory GHSA-qrjc-3jpc-3h2g and released patch version 3.0.15 addressing this buffer overflow (CWE-125: Out-of-bounds Read).

Suse Denial Of Service Apache +4
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Buffer overflow in D-Link DI-8100 router (firmware 16.07.26A1) allows authenticated remote attackers to execute arbitrary code or crash the device via crafted HTTP requests to the /tggl.asp endpoint. The vulnerability affects the tggl_asp function's Name parameter handling. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation for attackers with valid router credentials.

D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 8.9
HIGH POC This Week

Remote unauthenticated buffer overflow in D-Link DI-8100 firmware 16.07.26A1 enables attackers to execute arbitrary code, compromise device integrity, and cause denial of service via crafted POST requests to /url_rule.asp. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. The CVSS 9.8 critical score reflects network-based remote attack requiring no authentication or user interaction, though no active exploitation has been confirmed via CISA KEV at time of analysis.

D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 8.9
HIGH POC This Week

Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows remote unauthenticated attackers to execute arbitrary code via crafted HTTP requests to /auto_reboot.asp. The vulnerability exploits unsafe sprintf calls handling the 'enable' and 'time' parameters in the auto-reboot feature's HTTP handler. A public proof-of-concept exploit is available on GitHub, significantly lowering the barrier to exploitation. CVSS 8.9 with EPSS and attack complexity both low indicate high real-world risk for internet-facing devices running this firmware version.

D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 7.3
HIGH POC This Week

Stack-based buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated remote attackers with high privileges to execute arbitrary code via malformed ID parameter to yyxz.asp administrative interface. Public exploit code exists on GitHub, demonstrating reliable exploitation. CVSS 7.3 (High) reflects network attack vector but requires admin-level authentication, limiting real-world exposure to compromised credentials or insider scenarios.

Stack Overflow D-Link Buffer Overflow
NVD VulDB GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Heap-based buffer overflow in RedisBloom versions before 2.8.20 enables remote code execution via Redis RESTORE command when authenticated attackers supply malicious serialized payloads. The vulnerability stems from improper validation of deserialized data in the probabilistic data structures module. Exploitation requires Redis authentication and RESTORE command privileges (PR:L), with CVSS 7.7 rating reflecting the authentication requirement despite critical impact potential. No public exploit code or CISA KEV listing identified at time of analysis, though vendor has released security-focused patch 2.8.20.

Heap Overflow Redis RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution in RedisTimeSeries versions before 1.12.14 allows authenticated attackers with RESTORE command permissions to execute arbitrary code via crafted serialized payloads. The vulnerability stems from improper validation of data processed through Redis RESTORE command, enabling heap buffer overflow exploitation. Attackers with low-level privileges can achieve complete system compromise (CVSS 7.7, CVSS:4.0 High confidentiality/integrity/availability impact) through network-based attacks with high complexity. No public exploit code or active exploitation confirmed at time of analysis.

Heap Overflow Redis RCE +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.

Heap Overflow Redis RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in Linux Kernel dentry hashtable can crash the system when dhash_entries boot parameter is set to 1. The vulnerability triggers during directory cache lookups when the hash shift calculation results in access to unallocated memory regions, causing kernel page faults. Affects Linux Kernel versions from initial commit (1da177e4c3f4) through multiple stable branches. Patches available for 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. EPSS probability of 0.02% (7th percentile) indicates very low likelihood of exploitation in the wild, and no public exploit code or CISA KEV listing exists, suggesting this remains a theoretical edge-case issue requiring specific kernel boot configuration.

Information Disclosure Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

eBPF verifier in Linux kernel allows local privilege escalation through incorrect register ID handling during byte-swap operations. When BPF_END instruction performs byte swapping, the verifier fails to reset scalar register IDs, causing it to incorrectly propagate bounds checks between linked registers. This validation bypass allows authenticated local attackers with BPF program loading privileges to craft malicious eBPF programs that pass verification but achieve out-of-bounds memory access at runtime, potentially escalating to kernel-level code execution. Vendor patches available for affected 6.18.x and 6.19.x branches with EPSS score of 0.02% indicating low observed exploitation probability.

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in X.Org X Server XKB modifier map handling allows local authenticated attackers to read sensitive memory or crash the server by sending malformed X11 requests. The vulnerability affects RHEL 6 through 10 and requires local access with user-level privileges; exploitation results in information disclosure or denial of service.

Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read in X.Org X server XKB geometry processing allows local or remote attackers with X11 server access to disclose sensitive memory contents or cause denial of service by crashing the server. The vulnerability exists in CheckSetGeom() and XkbAddGeomKeyAlias functions and requires low privileges but no user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Denial Of Service Information Disclosure Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 8.9
HIGH POC This Week

Stack-based buffer overflow in EFM ipTIME NAS1dual 1.5.24 allows remote unauthenticated attackers to achieve complete system compromise via the get_csrf_whites function in /cgi/advanced/misc_main.cgi. Public exploit code exists on GitHub, demonstrating practical exploitability despite lack of vendor response to responsible disclosure. CVSS 8.9 (Critical) with EPSS data unavailable; attack requires no authentication, low complexity, and no user interaction (AV:N/AC:L/PR:N/UI:N), making this a high-priority remote attack surface.

Stack Overflow Buffer Overflow Iptime Nas1Dual
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Remote unauthenticated attackers can crash Eclipse OpenJ9 JITServer instances (versions 0.21-0.58) by sending a specially crafted 32-byte TCP message, triggering a buffer over-read (CWE-125) that causes denial of service. The vulnerability requires no authentication or user interaction, affecting any exposed JITServer endpoint. CVSS 8.7 (High) reflects the severe availability impact, though EPSS data is not available for this recent CVE. Exploit code is publicly available via GitHub PR #23793, which demonstrates the bounds-checking fix, though no active exploitation is confirmed at time of analysis.

Information Disclosure Buffer Overflow Eclipse Openj9
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Heap buffer overflow in GPAC's SVG attribute parser allows local attackers to cause denial of service by providing crafted SVG input that triggers out-of-bounds memory access in the svg_parse_strings() function. The vulnerability requires user interaction (opening a malicious SVG file) and operates with low complexity on local systems. While CVSS score is moderate (5.5) and EPSS probability is very low (0.02%), the issue affects the widely-used multimedia framework's SVG handling and has been confirmed fixed upstream.

Heap Overflow Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Integer overflow in Pillow 10.3.0 through 12.1.1 bypasses bounds checks during PSD tile extent validation, enabling memory corruption and arbitrary code execution when processing malicious PSD files. This vulnerability (CVE-2026-42311) exploits an incomplete fix for CVE-2026-25990, where the original patch added tile extent validation but used overflow-prone integer types. Attackers craft PSD images with tile dimensions that wrap around during extent sum calculations, defeating the bounds checks and triggering out-of-bounds writes in decode.c and encode.c. Pillow 12.2.0 patches this by avoiding extent addition before comparison. No active exploitation confirmed (not in CISA KEV); publicly available exploit code exists via proof-of-concept test images in the patch commit.

Integer Overflow RCE Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Integer overflow in Pillow's font glyph processing allows remote code execution or denial of service when handling maliciously crafted fonts with extremely large glyph advance values. Pillow versions before 12.2.0 are affected. The vulnerability is triggered during font rendering operations where position tracking accumulates glyph advances without proper bounds checking, leading to wraparound arithmetic that can corrupt memory or crash the interpreter.

Integer Overflow Buffer Overflow Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Heap buffer overflow in Pillow 11.2.1 through 12.1.x allows local attackers to cause denial of service or potentially execute arbitrary code by passing deeply nested list structures as coordinates to ImagePath.Path, ImageDraw.polygon, or ImageDraw.line APIs, which recursively unpack coordinates beyond allocated buffer boundaries.

Heap Overflow Buffer Overflow Red Hat +1
NVD GitHub VulDB
EPSS 0% CVSS 8.3
HIGH POC This Week

Stack-based buffer overflow in WDR201A WiFi Extender firewall.cgi and makeRequest.cgi binaries enables remote unauthenticated attackers to execute arbitrary code through crafted POST requests with oversized Content-Length headers. The vulnerability affects hardware version 2.1 running firmware LFMZX28040922V1.02, with publicly available proof-of-concept exploit code documented via AI-assisted vulnerability research. CVSS 8.3 with high attack complexity indicates exploitation requires advanced technical skills, though the network vector and lack of authentication requirements make this a significant risk for exposed IoT devices.

Stack Overflow RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in Incus prior to version 7.0.0 allows authenticated users to crash the Incus daemon by importing a maliciously crafted backup archive with physical snapshot directories but tampered metadata arrays. The vulnerability stems from an incorrect bounds check (len(slice) >= i-1 instead of len(slice) > i) in the backup restore and migration code paths, enabling out-of-bounds array access that triggers a runtime panic. Repeated exploitation keeps the Incus service offline, confirmed by a publicly available proof-of-concept.

Denial Of Service Information Disclosure Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Integer overflow in CImg Library's _load_pnm() function allows crafted PNM/PGM/PPM image files to bypass memory allocation guards via undersized buffer allocation, potentially triggering heap buffer overflow with local file access and user interaction. CVSS 6.1 (local, user-required interaction). Patch available in commit 4ca26bc and v.3.7.5.

Integer Overflow Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Heap buffer overflow in BusyBox udhcpc6 (DHCPv6 client) allows network-adjacent attackers to achieve remote code execution or denial of service on embedded systems. The vulnerability stems from incorrect heap buffer allocation in option_to_env() when parsing D6_OPT_DNS_SERVERS options in DHCPv6 responses. Particularly dangerous on embedded devices lacking heap hardening protections. Fixed in commit 42202bf. No active exploitation confirmed (not in CISA KEV), but publicly available proof-of-concept from VulnCheck disclosure increases real-world risk for IoT and embedded deployments.

RCE Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL Act Now

Buffer overflow in Qualcomm Snapdragon firmware enables authentication bypass on adjacent networks, allowing remote unauthenticated attackers to achieve complete system compromise with high impact to confidentiality, integrity, and availability. The vulnerability stems from incorrect authorization logic (CWE-863) that fails to prevent buffer overflow conditions. CVSS score of 9.6 reflects adjacent network attack vector with low complexity and no required privileges or user interaction, with scope change indicating container/hypervisor escape or lateral movement potential. No CISA KEV listing or public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Authentication Bypass Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Memory corruption in Qualcomm Snapdragon SDK occurs when processing IOCTL commands while the device is in power-save state, allowing local authenticated attackers to trigger a denial of service. The vulnerability affects all versions of Snapdragon and requires local access with user-level privileges; no authentication bypass or privilege escalation is possible, but successful exploitation causes system crash or hang. EPSS and KEV status not provided; no public exploit code has been identified at time of analysis.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free vulnerability in Qualcomm Snapdragon chipsets enables local privilege escalation to achieve full device compromise. Low-privilege authenticated users can trigger memory corruption during performance counter deselect operations, gaining high-integrity code execution with kernel-level access. Qualcomm has released patches in their May 2026 security bulletin. EPSS data not yet available for this future-dated CVE; no confirmed active exploitation or public exploit code identified at time of analysis.

Buffer Overflow Use After Free Memory Corruption +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Qualcomm Snapdragon allows local authenticated attackers with low privileges to achieve arbitrary code execution and full system compromise. The vulnerability triggers when malicious drivers invoke specific IOCTLs with intentionally malformed input/output buffers, bypassing buffer validation checks. EPSS and KEV status not available at time of analysis; advisory references May 2026 bulletin suggesting pre-disclosure analysis.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Qualcomm Snapdragon chipsets allows authenticated users to corrupt kernel memory during digital signal processor (DSP) process creation, leading to arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability exploits allocation failure handling at kernel level. Qualcomm has published a security bulletin with remediation details for the May 2026 bulletin cycle. No active exploitation or public exploit code identified at time of analysis, though EPSS data not available to assess probabilistic risk.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Information disclosure in Qualcomm Snapdragon firmware allows local authenticated attackers to read sensitive kernel memory via malformed IOCTL handler callbacks that bypass buffer size validation. The vulnerability affects multiple Snapdragon chipset versions and requires local access with limited privileges; exploitation results in confidentiality breach without direct system compromise. No active exploitation has been confirmed at the time of analysis.

Information Disclosure Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Memory corruption in Qualcomm Snapdragon camera subsystem allows local authenticated users to execute arbitrary code with high privileges through crafted input/output control (ioctl) calls targeting camera sensor interfaces with malformed output buffers. CVSS score of 7.8 reflects local attack vector requiring low-privilege account access. No EPSS data or KEV listing at time of analysis, suggesting exploitation has not been publicly observed. Qualcomm security bulletin scheduled for May 2026 indicates vendor-coordinated disclosure with patches expected in that timeframe.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Memory corruption in Qualcomm Snapdragon occurs when dynamically resizing a previously allocated buffer while its contents are being concurrently modified, enabling local authenticated attackers with user-level privileges to achieve high confidentiality and integrity impact with CVSS 6.5. No active exploitation has been confirmed at the time of analysis, and patch availability details require verification against the May 2026 Qualcomm security bulletin.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Qualcomm Snapdragon wireless chipsets allows unauthenticated attackers in wireless range to crash the device by sending a malformed Fast Transition response frame during roaming operations. The vulnerability triggers a buffer overflow in the 802.11 frame parser when processing an invalid header structure, resulting in temporary denial of service. No authentication is required and exploitation requires only network adjacency.

Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Transient denial of service in Qualcomm Snapdragon occurs during target power rate table processing when configuring wireless channels, caused by a buffer over-read vulnerability. The vulnerability affects all Snapdragon versions and requires adjacent network access with no authentication or user interaction, resulting in service interruption but no data compromise or unauthorized access.

Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in mod_proxy_ajp of Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to disclose sensitive information via a crafted AJP protocol request. The vulnerability has a CVSS score of 5.3 (moderate) with no active exploitation confirmed. Upgrade to version 2.4.67 to remediate.

Red Hat Suse Information Disclosure +3
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper null termination and out-of-bounds read vulnerability in Apache HTTP Server through version 2.4.66 allows remote unauthenticated attackers to trigger information disclosure with low complexity exploitation. The vulnerability has a CVSS score of 5.3 (medium) with network-accessible attack vector and no user interaction required, though technical impact is limited to confidentiality (partial information disclosure). Vendor-released patch: version 2.4.67 addresses the issue.

Red Hat Suse Apache +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Buffer over-read in Apache HTTP Server through 2.4.66 enables remote unauthenticated information disclosure at network scale. Attackers can read sensitive memory content without authentication or user interaction, achieving high confidentiality impact with low attack complexity. EPSS exploitation probability and KEV status not provided, but SSVC framework confirms the vulnerability is automatable with partial technical impact and no active exploitation detected at time of analysis. Patch released in version 2.4.67.

Red Hat Suse Apache +2
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap out-of-bounds read in Ollama's GGUF model loader (<0.17.1) leaks sensitive memory contents including API keys, environment variables, and concurrent user data when processing maliciously crafted model files. Attackers can trigger the vulnerability by uploading a GGUF file with tensor offsets exceeding file bounds via the unauthenticated /api/create endpoint, then exfiltrate leaked memory through /api/push to attacker-controlled registries. While default deployments bind to localhost only, the widely-adopted OLLAMA_HOST=0.0.0.0 configuration exposes instances to network exploitation. Vendor-released patch available in version 0.17.1 with GitHub commit 88d57d0483cca907e0b23a968c83627a20b21047 adding bounds validation to fs/ggml/gguf.go and server/quantization.go.

Information Disclosure Buffer Overflow Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap buffer overflow in GnuTLS DTLS handshake allows remote unauthenticated attackers to crash applications or corrupt memory. The vulnerability stems from inconsistent fragment validation in merge_handshake_packet(), where attackers can send crafted DTLS fragments with conflicting message_length values to trigger out-of-bounds writes. Red Hat reported this affecting RHEL 6-10 and OpenShift Container Platform 4. CVSS 7.5 (High) reflects network-accessible denial of service, though memory corruption may enable further exploitation. No EPSS data, KEV status, or POC availability reported at time of analysis, but the remote unauthenticated attack vector (AV:N/PR:N) and low complexity (AC:L) make this a priority for systems using DTLS.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +5
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Remote authenticated attackers can execute arbitrary code on Totolink N300RH 3.2.4-B20220812 routers via buffer overflow in the setMacFilterRules function. Exploitation requires low-privilege authentication to the router's web interface, then sending a crafted POST request with an oversized mac_address parameter to /cgi-bin/cstecgi.cgi. Public exploit code is available (documented on Notion), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, publicly available POC, and vulnerable IoT device suggest moderate real-world risk for internet-exposed routers with default or weak credentials.

Buffer Overflow N300Rh
NVD VulDB
Prev Page 23 of 402 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy