Buffer Overflow

Heap-based out-of-bounds read in libtheora's AVI parser allows local attackers with limited privileges to trigger application crashes or leak heap memory via specially crafted AVI files with truncated header sub-chunks. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and requires user interaction (opening a malicious file), with real-world impact limited to denial-of-service and potential information disclosure rather than code execution.

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.

In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete device compromise via the formSetFirewall firewall configuration function. The vulnerability has publicly available exploit code and carries an EPSS exploitation probability that warrants attention, though no active exploitation has been confirmed by CISA KEV at time of analysis. The vendor (Belkin) was notified but did not respond, leaving legacy hardware users without an official remediation path.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formSetSystemSettings function within the /goform/formSetSystemSettings endpoint, exploitable via the 'webpage' parameter. Publicly available exploit code exists (GitHub POC), CVSS 8.8 indicating network-exploitable with low complexity requiring only low-privilege authentication. Vendor unresponsive to coordinated disclosure attempts.

Stack-based buffer overflow in Belkin F9K1015 v1.00.10 allows authenticated remote attackers to achieve code execution via the formSetPassword function. The vulnerability requires low-privilege credentials but no user interaction, carrying a CVSS score of 8.8 (High). Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation is confirmed (not in CISA KEV). The vendor did not respond to responsible disclosure attempts.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve code execution and full system compromise via the formReboot endpoint. The vulnerability has a publicly available exploit (GitHub POC) and requires only low-privileged authentication (EPSS risk assessment recommended but data not provided). Vendor did not respond to disclosure, indicating no patch is available.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete system compromise via crafted 'webpage' parameter to the formWlEncrypt endpoint. Publicly available exploit code exists (GitHub POC). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with confirmed POC availability indicate moderate-to-high exploitation risk. Vendor was notified but did not respond, leaving devices potentially unpatched.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware version 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formCrossBandSwitch function accessible via /goform/formCrossBandSwitch endpoint, where unsanitized input to the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk. CVSS 8.8 score reflects network attack vector with low complexity, requiring only low-privilege authentication. EPSS data not provided, but combination of public exploit and trivial attack complexity suggests elevated real-world risk. Vendor (Belkin) did not respond to coordinated disclosure attempts, and no vendor-released patch identified at time of analysis.

Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve full system compromise (code execution, denial of service, credential theft) via crafted requests to the formWISP5G endpoint. CVSS 8.8 severity with low attack complexity and publicly available exploit code. Vendor has not responded to disclosure, leaving users without an official patch. EPSS data not available, but the combination of network accessibility, low complexity, and public POC elevates real-world risk despite requiring low-privilege authentication.

Stack-based buffer overflow in Tenda i12 router firmware 1.0.0.11(3862) allows authenticated remote attackers to execute arbitrary code via the WiFi SSID configuration interface. The vulnerability is exploitable over the network with low complexity through manipulation of the 'index' or 'wl_radio' parameters in the formwrlSSIDset function. With publicly available exploit code (GitHub POC) and a CVSS score of 8.8, this presents immediate risk to exposed management interfaces. EPSS data not provided, but the combination of network accessibility, authentication bypass potential, and weaponized exploit elevates real-world risk.

Stack-based buffer overflow in Belkin F9K1122 router firmware 1.00.33 enables authenticated remote attackers to achieve full device compromise via crafted 'webpage' parameter in formWlanSetup function. Publicly available exploit code exists, and EPSS data suggests low-probability targeting despite critical CVSS 8.8 severity. Vendor non-responsive to disclosure; no patch released.

Stack-based buffer overflow in Samsung Exynos chipset SMS message processing allows remote attackers to execute arbitrary code or crash devices via malformed SMS RP-DATA messages. Affects 22 Exynos processor and modem variants across mobile, wearable, and IoT devices, requiring no user interaction. CVSS 10.0 with network-level attack vector (PR:N), scope change, and full system impact. EPSS and exploitation status not provided, but SSVC framework indicates automatable attack with total technical impact. No public exploit identified at time of analysis, though the vulnerability class (CWE-121 stack buffer overflow in SMS parsing) has high weaponization potential.

Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formWrlExtraSet function. The vulnerability resides in the /goform/WrlExtraSet endpoint where manipulation of the 'GO' parameter triggers memory corruption. With CVSS 8.8 (network-accessible, low complexity, requires low-privileged authentication), this represents a critical risk to affected devices. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no confirmed active exploitation (CISA KEV) has been reported at time of analysis.

Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to execute arbitrary code via crafted 'standard' parameter to the formCertLocalPrecreate function in /goform/CertLocalPrecreate endpoint. Publicly available exploit code exists (GitHub), CVSS 7.4 (High), but no active exploitation confirmed (not in CISA KEV). CVSS vector indicates low attack complexity with required authentication (PR:L), affecting all three confidentiality, integrity, and availability at high impact levels.

Buffer overflow in Tenda M3 router firmware 1.0.0.10 allows authenticated remote attackers to achieve code execution via the setAdvPolicyData endpoint. The vulnerability resides in the Destination Handler component's policyType parameter processing. Publicly available exploit code exists (GitHub POC), elevating immediate risk despite low-privilege authentication requirement. CVSS 7.4 reflects network-accessible attack with low complexity; no CISA KEV listing indicates exploitation remains proof-of-concept stage rather than widespread campaign targeting.

Buffer overflow in UTT HiPER 1250GW router firmware (versions ≤3.2.7-210907-180535) allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the strcpy function within /goform/formNatStaticMap endpoint, where manipulation of the NatBind parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC published), significantly lowering exploitation barriers for threat actors with valid credentials. CVSS 8.8 severity reflects network-based attack vector with low complexity, though low-privilege authentication is required, reducing immediate internet-scale exploitation risk.

Stack-based buffer overflow in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve complete system compromise through the fromSysToolChangePwd function in /bin/httpd. The vulnerability requires only low-privilege authentication (CVSS PR:L) and has low attack complexity, enabling potential remote code execution with full confidentiality, integrity, and availability impact. No public exploit code identified at time of analysis, though detailed technical findings have been published on GitHub documenting multiple vulnerable endpoints.

Stack-based buffer overflow in Tenda AC10 router firmware 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromSysToolChangePwd function within /bin/httpd, triggered by manipulating the sys.userpass parameter. Publicly available exploit code exists (GitHub repository documented), though no confirmed active exploitation (not in CISA KEV). CVSS 8.8 reflects network-accessible attack requiring only low-privilege authentication with low complexity, making this a realistic threat for internet-exposed routers with default or compromised credentials.

Stack-based buffer overflow in UTT HiPER 1250GW router (versions up to 3.2.7-210907-180535) allows authenticated remote attackers to achieve arbitrary code execution with high integrity and availability impact via malformed Profile parameter in /goform/formRemoteControl endpoint. Publicly available exploit code exists. CVSS 8.8 reflects network accessibility with low attack complexity, though authentication requirement (PR:L) moderately reduces immediate exploit surface. No CISA KEV listing indicates exploitation remains proof-of-concept stage rather than widespread campaign activity.

Integer underflow in Nimiq core-rs-albatross <1.3.0 enables unauthenticated remote attackers to trigger deterministic denial-of-service via crafted peer handshake. Attackers send limit=0 during discovery handshake, causing arithmetic underflow (0-1 wraps to usize::MAX) when session transitions to Established state, resulting in capacity overflow panic when allocating peer contact vector. Upstream fix available (PR/commit); released patched version 1.3.0 confirmed. No public exploit identified at time of analysis, but EPSS indicates low exploitation probability and attack is trivially reproducible given simple network message crafting.

Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.

Heap-based buffer overflow in OpenPrinting CUPS scheduler versions 2.4.16 and prior allows unauthenticated remote attackers to trigger a denial of service condition by crafting malicious job attributes that overflow buffers during filter option string construction. With a CVSS score of 5.3 and network accessibility, this vulnerability impacts availability on exposed CUPS instances; no public exploit code or vendor patch has been released as of publication.

Out-of-bounds write vulnerability in Amazon Athena ODBC driver (pre-2.1.0.0) allows remote attackers to crash the driver through specially crafted query data, requiring user interaction to process malicious queries. Affected versions include all Amazon Athena ODBC driver releases before 2.1.0.0 across Windows, Linux, and macOS platforms. CVSS 7.1 (High) reflects network-based attack with low complexity but requires user interaction (UI:P) and impacts only availability (VA:H). No public exploit identified at time of analysis. Vendor-released patch version 2.1.0.0 is available for all supported platforms with direct download links provided in AWS security bulletin 2026-013.

Integer overflow in NASA cFS CFE_TBL_ValidateCodecLoadSize function (cfe_tbl_passthru_codec.c) on 32-bit systems allows authenticated local attackers with low privileges to cause limited integrity and availability impact, though exploitation requires high attack complexity and no public exploit code has been identified; a fix is planned for an upcoming release milestone.

Heap-based buffer overflow in NASA cFS up to version 7.0.0 exists in the CFE_MSG_GetSize function within the CCSDS Packet Header Handler component (apps/to_lab/fsw/src/to_lab_passthru_encode.c), allowing attackers on the local network to cause memory corruption with limited confidentiality, integrity, and availability impact. The vulnerability requires network adjacency but no authentication or user interaction; no public exploit code has been identified, and the project has not yet released a patch despite early notification through GitHub issue tracking.

Memory corruption in NASA cFS up to version 7.0.0 via manipulation of the CFE_SB_TransmitMsg function in the CCSDS Header Size Handler component allows local attackers with low privileges to corrupt memory, potentially leading to denial of service or information disclosure. No public exploit code or active exploitation has been confirmed; the vendor was notified early but has not yet released a patch as of analysis time.

Buffer overflow in Linux kernel HID-BPF subsystem allows arbitrary return values from dispatch_hid_bpf_raw_requests() to overflow the hid_hw_request buffer without validation. The vulnerability affects all Linux kernel versions with HID-BPF support; attackers with the ability to load or influence BPF programs targeting HID devices can trigger memory corruption. No CVSS score, EPSS data, or confirmed active exploitation has been assigned at time of analysis.

Out-of-bounds memory access in the Linux kernel bnxt_en driver allows a malicious or compromised Broadcom NetXtreme network interface card to corrupt kernel heap memory or crash the system by supplying an unvalidated 16-bit type field in a debug buffer producer async event, affecting all Linux kernel versions using the vulnerable bnxt driver code path.

Buffer overflow in Linux kernel's RedBoot partition table parser allows kernel panic during boot when CONFIG_FORTIFY_SOURCE is enabled with recent compilers. The MTD (Memory Technology Devices) subsystem reads beyond allocated buffer boundaries in partition name validation, triggering fortify-source detection and kernel crash (oops). This affects systems using RedBoot bootloader partitioning on embedded devices; exploitation is involuntary (denial of service via boot failure) rather than attacker-driven, with no public exploit code identified.

Out-of-bounds memory read in Linux kernel USB CDC NCM driver allows local attackers to read kernel memory via malformed USB network devices. The cdc_ncm_rx_verify_ndp16() function fails to account for NDP header offset when validating DPE (Data Packet Element) array bounds, permitting buffer over-read when the NDP is positioned near the end of the network transfer block. No CVSS score, EPSS data, or active exploitation status currently available; patch available in stable kernel releases.

Buffer overflow in Linux kernel cdc_ncm driver allows out-of-bounds memory reads when processing malformed USB CDC NCM (Network Control Model) packets with NDP32 (Normal Data Packet) headers positioned near the end of the network transfer buffer. The vulnerability exists in cdc_ncm_rx_verify_ndp32() where bounds checking fails to account for the ndpoffset value when validating the DPE (Data Packet Element) array size, potentially enabling local denial-of-service or information disclosure on systems with affected USB CDC NCM network devices. No active exploitation or public proof-of-concept identified at time of analysis.

Kernel page fault in Intel IGC network driver XDP TX timestamp handling allows local denial of service when an XDP application requesting TX timestamping shuts down while the interface link remains active. The vulnerability stems from stale xsk_meta pointers left in memory after TX ring shutdown, causing the IRQ handler to dereference invalid kernel addresses and trigger a kernel panic. This affects Linux kernel versions in the igc driver and requires no special privileges or network access, only the ability to run XDP programs on an affected system.

Linux kernel accel/amdxdna driver fails to validate command buffer payload count, allowing out-of-bounds reads in AMD XDNA accelerator command processing. The vulnerability affects the accel/amdxdna subsystem across unspecified Linux kernel versions and permits information disclosure through unvalidated payload size interpretation. No active exploitation, public proof-of-concept, or CVSS data currently available.

Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Use-after-free in Electron framework allows memory corruption when native save-file dialogs remain open during session teardown. Affected Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7 enable local attackers with UI interaction to trigger freed memory dereference via downloaded files, potentially causing application crashes or memory corruption. Only applications that programmatically destroy sessions at runtime and permit downloads are vulnerable; no public exploit code or active exploitation has been identified.

Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous `session.setPermissionRequestHandler()` callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.

Out-of-bounds read in Apple swift-crypto X-Wing HPKE decapsulation allows remote attackers to trigger memory disclosure or denial of service by supplying a malformed encapsulated key. The vulnerability affects swift-crypto versions prior to 4.3.1 and any macOS or downstream applications using vulnerable versions of the cryptographic library.

Buffer overflow in XZ Utils lzma_index_decoder() allows memory corruption when processing Index records with no data entries prior to version 5.8.3. Unauthenticated remote attackers can trigger a heap overflow via crafted compressed data, potentially causing denial of service or memory corruption. The vulnerability has a low CVSS score (1.7) due to attack time requirement and limited impact scope, with no confirmed active exploitation at time of analysis.

Out-of-bounds memory access in Apple media processing affects iOS, iPadOS, macOS, tvOS, visionOS, and watchOS, allowing remote attackers to trigger unexpected application termination or memory corruption through maliciously crafted media files. The vulnerability requires user interaction (opening/playing the malicious file) but no authentication. Apple has released patched versions for all affected platforms with CVSS 6.3 (moderate severity) and no public exploitation identified at time of analysis.

Memory corruption in macOS Sequoia's image processing subsystem allows unauthenticated remote attackers to potentially execute arbitrary code when a user opens a specially crafted image file. Apple has patched this buffer overflow vulnerability in macOS 15.6. With a CVSS score of 8.8 and requiring only user interaction, this represents a significant attack surface for social engineering campaigns. EPSS data not available, but no public exploit or active exploitation confirmed at time of analysis. The SSVC framework rates this as total technical impact, reinforcing the criticality of applying the vendor patch.

Memory corruption vulnerability in Apple iOS, iPadOS, and macOS allows local attackers to achieve denial of service or potentially arbitrary code execution through malicious file processing. The vulnerability affects iOS and iPadOS versions below 18.6 and macOS Sequoia below 15.6, and has been patched in iOS 18.6, iPadOS 18.6, and macOS Sequoia 15.6. No public exploit identified at time of analysis, and CVSS severity is not numerically specified by Apple, though the buffer overflow classification and file processing attack vector indicate moderate to high real-world risk for users who encounter malicious content.

Integer overflow in macOS kernel allows local applications to trigger unexpected system termination (denial of service) on Sequoia, Sonoma, and Ventura systems. The vulnerability requires local execution (AV:L) with no authentication or user interaction, enabling any installed application to crash the system. Apple has released patches addressing this issue in macOS Sequoia 15.6, Sonoma 14.7.7, and Ventura 13.7.7. No public exploit code or active exploitation has been reported at the time of analysis.

Memory corruption in macOS Sequoia image processing allows remote attackers to achieve arbitrary code execution via maliciously crafted images requiring user interaction. Affects macOS Sequoia versions prior to 15.6, with CVSS 8.8 (High) severity due to potential for complete system compromise. EPSS data unavailable; no public exploit identified at time of analysis. Apple addressed the vulnerability through improved memory handling in macOS 15.6 (released June 2025). Attack requires victim to process a weaponized image file, making social engineering or malicious websites likely delivery vectors.

Out-of-bounds read in NanoMQ MQTT Broker webhook processing allows remote attackers with high privileges to trigger denial of service by sending malformed JSON payloads. Prior to version 0.24.10, the hook_work_cb() function in webhook_inproc.c passes unsanitized binary message buffers directly to cJSON_Parse(), which reads past buffer boundaries when payloads lack null terminators. The vulnerability is reliably exploitable when JSON payload length is a power-of-two >=1024 bytes, bypassing nng's allocation padding protection. No public exploit code or active exploitation has been identified.

Denial-of-service vulnerability in TP-Link Tapo C520WS v2.6 camera allows adjacent network attackers to trigger buffer overflow through crafted HTTP requests with excessively long paths that bypass initial length validation during path normalization, resulting in memory corruption and device reboot without requiring authentication. Vendor has released a patch; no public exploit code identified at time of analysis.

Stack-based buffer overflow in TP-Link Tapo C520WS v2.6 allows remote attackers to trigger denial-of-service by sending oversized configuration parameters to a vulnerable configuration handling component. Successful exploitation causes device crash or reboot, impacting camera availability. Vendor has released a patch.

Heap-based buffer overflow in TP-Link Tapo C520WS v2.6 allows local network attackers to cause denial of service by sending crafted payloads during asynchronous video stream processing, triggering memory corruption and process crashes. The vulnerability stems from insufficient buffer boundary validation in streaming input handling. A vendor patch is available.

Heap-based buffer overflow in TP-Link Tapo C520WS v2.6 allows unauthenticated network attackers to trigger denial-of-service by sending crafted HTTP payloads that bypass boundary validation during segmented request body parsing. The vulnerability exploits insufficient write-boundary verification in the HTTP parsing loop, causing heap memory corruption that crashes or hangs the device process. Patch is available from the vendor.

Heap-based buffer overflow in TP-Link Tapo C520WS v2.6 allows remote attackers on the same network segment to trigger denial-of-service by sending crafted HTTP POST payloads that exceed allocated buffer boundaries. The vulnerability stems from missing validation in HTTP body parsing logic, causing process crashes or unresponsiveness. No CVSS score or vector data is available, limiting precise severity quantification, but the practical attack vector is network-adjacent and does not require authentication.

Mbed TLS versions 2.19.0 through 3.6.5 and 4.0.0 allow remote code execution through memory corruption when attackers modify serialized SSL context or session structures. The vulnerability stems from insufficient validation of deserialized data, enabling arbitrary code execution on systems using affected versions. CISA KEV status and active exploitation data not confirmed in provided intelligence.

Stack-based buffer overflow in Trendnet TEW-657BRM 1.00.1 wireless router allows authenticated remote attackers to achieve code execution via the update_pcdb function in /setup.cgi by manipulating the mac_pc_dba parameter. This vulnerability affects a product discontinued since June 2011 (14+ years end-of-life) with no vendor support or patches available. Publicly available exploit code exists, elevating immediate risk for organizations still operating legacy deployments. CVSS 7.4 with low attack complexity and proof-of-concept availability make this a practical exploitation target despite requiring low-privilege authentication.

Stack-based buffer overflow in Trendnet TEW-657BRM router firmware 1.00.1 allows authenticated remote attackers to achieve arbitrary code execution via the mac_pc_dba parameter in /setup.cgi's add_apcdb function. The product was discontinued in 2011 and receives no vendor support. A public exploit exists on GitHub, significantly lowering the barrier for exploitation against unpatched devices still deployed in production environments.

Out-of-bounds read in LibRaw up to 0.22.0 allows remote unauthenticated attackers to cause denial of service via manipulation of load_flags or raw_width parameters in the TIFF/NEF decoder (nikon_load_padded_packed_raw function). Publicly available exploit code exists, and vendor-released patch version 0.22.1 is available. CVSS 5.3 with low availability impact and confirmed exploit publication indicates moderate real-world risk.

Stack-based buffer overflow in Cesanta Mongoose mDNS Record Handler (versions up to 7.20) allows remote attackers to trigger memory corruption via malformed mDNS record data in the handle_mdns_record function. The vulnerability requires high attack complexity and network-level access but results in limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; vendor released patched version 7.21 with immediate availability.

Heap-based buffer overflow in Cesanta Mongoose versions up to 7.20 allows unauthenticated remote attackers to compromise confidentiality, integrity, and availability through malicious TLS 1.3 handshake manipulation. The vulnerability resides in mg_tls_recv_cert() function's improper handling of the pubkey argument during certificate processing. Publicly available exploit code exists (CVSS temporal E:P), and vendor-released patch is available in version 7.21. CVSS base score 7.3 reflects network-accessible, low-complexity attack requiring no privileges or user interaction.

Out-of-bounds write in LibRaw's JPEG DHT parser (HuffTable::initval function) allows unauthenticated remote attackers to trigger a denial of service via malformed JPEG image files. LibRaw versions up to 0.22.0 are affected; publicly available exploit code exists. CVSS 4.3 (low severity) reflects denial-of-service impact only, with low attack complexity and no authentication required. Vendor-released patch available in version 0.22.1.

Out-of-bounds write in Nothings stb library up to version 1.22 allows remote attackers to corrupt memory and potentially execute code by crafting malicious Vorbis audio files that trigger improper bounds checking in the start_decoder function. Publicly available exploit code exists for this vulnerability, which affects all applications statically linking vulnerable stb_vorbis.c code. The vendor has not responded to disclosure attempts, leaving deployed instances without an official patch.

Out-of-bounds read in Nothings stb library (stb_truetype.h) up to version 1.26 allows remote attackers to trigger memory access violations via malformed TTF font files, resulting in information disclosure. The vulnerability affects the stbtt__buf_get8 function in the TTF file handler and requires user interaction to exploit. Publicly available exploit code exists, though the vendor has not responded to disclosure notifications. CVSS 5.3 with EPSS probability of exploitation (E:P) indicates moderate real-world risk.

Out-of-bounds read in Mbed TLS 3.x before 3.6.6 allows attackers to leak adjacent CCM context data through the multipart CCM API by passing an oversized tag_len parameter to mbedtls_ccm_finish(), which lacks validation against the internal 16-byte authentication buffer. Mbed TLS 4.x contains the same vulnerability in internal code but does not expose the vulnerable function publicly; exploitation requires direct application-level invocation of the affected API. No public exploit code or active exploitation has been reported, but the attack requires no special privileges.

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information and potentially achieve code execution when processing maliciously crafted V7 files. The vulnerability resides in the VS6ComFile!get_macro_mem_COM function and requires user interaction to open a weaponized file. No public exploit identified at time of analysis, though the local attack vector and file format parsing nature make this a realistic social engineering target for industrial control system environments.

Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.

Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory contents and potentially achieve code execution by opening a malicious V7 project file. The vulnerability requires user interaction (opening a crafted file) but no authentication, with an EPSS probability requiring assessment. No public exploit identified at time of analysis, though JPCERT coordination suggests industrial targeting potential.

Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.

Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.

Out-of-bounds read in Nothings stb library up to version 1.26 allows remote attackers to trigger information disclosure via a crafted TTF file processed by the stbtt_InitFont_internal function in stb_truetype.h. Exploitation requires user interaction (opening a malicious font file) and publicly available exploit code exists; however, the vendor has not responded to early disclosure notification.

Out-of-bounds heap write in OpenEXR 3.4.0-3.4.7 allows local attackers to crash applications or corrupt memory when processing malicious B44/B44A compressed EXR files. Attack requires user interaction to open a crafted image file. Patched in version 3.4.8. CVSS 8.4 (High) reflects local attack vector with no privileges required but mandatory user action. No confirmed active exploitation or public POC identified at time of analysis, though proof-of-concept development is feasible given the detailed GitHub advisory and commit.

Heap buffer overflow in OpenEXR 3.4.0 through 3.4.6 allows remote code execution when processing maliciously crafted EXR image files with HTJ2K compression and specific channel width configurations. The vulnerability enables controlled heap overwrites of 2-4 bytes per iteration beyond allocated buffer boundaries, exploitable through user interaction with weaponized .exr files. Attack vector is local (AV:L) requiring user action (UI:A) but no privileges (PR:N), with CVSS 8.4 severity. Vendor-released patch available in version 3.4.7. No public exploit identified at time of analysis, though the precise technical details in the security advisory lower exploitation complexity for capable adversaries.

Remote code execution in llama.cpp RPC backend allows unauthenticated attackers with TCP access to achieve arbitrary memory read/write and full ASLR bypass. The vulnerability stems from missing bounds validation in deserialize_tensor() when processing GRAPH_COMPUTE messages with zero-valued buffer fields. Attackers can leverage pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE operations to reliably exploit this flaw. Fixed in version b8492 (commit 39bf0d3c). CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the detailed advisory provides sufficient technical context for weaponization.

Cisco IMC web-based management interface allows authenticated administrators to execute arbitrary code as root through improper input validation in HTTP requests. The vulnerability affects Cisco Unified Computing System (standalone) and requires admin-level credentials and network access; successful exploitation grants attacker root-level code execution on the underlying operating system. No public exploit code or active exploitation has been identified at time of analysis.

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memory via malformed UDP packets. Affects default totemudp/totemudpu configurations across Red Hat Enterprise Linux 7/8/9/10 and OpenShift Container Platform 4. CVSS 8.2 (High) with network attack vector, low complexity, and no authentication required. EPSS and exploitation status data not available; no public exploit identified at time of analysis. Impacts high-availability clustering infrastructure commonly used in enterprise production environments.

Out-of-bounds read and write in Linux kernel AppArmor verify_dfa() function allows local attackers to trigger memory corruption via malformed DFA profiles with invalid DEFAULT_TABLE entries. The vulnerability exists because bounds validation is skipped during differential encoding chain traversal, permitting an attacker with CAP_MAC_ADMIN or write access to /sys/kernel/security/apparmor/policy to craft a malicious policy that causes slab-out-of-bounds access. No public exploit code or active exploitation has been identified; patch is available in upstream kernel.

Out-of-bounds read in Linux kernel AppArmor DFA matching allows local attackers to cause memory corruption via malformed input to apparmor_file_open, triggered when the match_char() macro's character parameter is evaluated multiple times during differential encoding chain traversal, causing pointer advancement past buffer boundaries. The vulnerability manifests as a slab-out-of-bounds read detected by KASAN during file open operations and affects all Linux distributions shipping the vulnerable kernel code. No active exploitation in the wild has been confirmed, but the memory corruption vector creates denial-of-service and potential privilege escalation risk for local attackers.

Out-of-bounds read in WebCodecs component of Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via specially crafted HTML pages. The vulnerability affects all Chrome versions below the patched release and requires only HTML delivery (no authentication); exploitation could disclose sensitive data from the browser process memory, though the Chromium project assessed this as Medium severity.

Remote code execution via heap buffer overflow in Google Chrome's GPU component affects all versions prior to 146.0.7680.178, allowing attackers to execute arbitrary code by crafting malicious HTML pages. The vulnerability requires only a remote attacker with no special privileges or user authentication; users need only visit a compromised or attacker-controlled website. No CVSS score was assigned by NVD, though Chromium classified it as High severity. Patch availability confirmed from vendor.

Out-of-bounds read in WebCodecs functionality in Google Chrome prior to version 146.0.7680.178 allows remote attackers to read arbitrary memory contents via a crafted HTML page. The vulnerability affects all Chrome versions before the patched release and requires only user interaction (visiting a malicious webpage) to trigger. No public exploit code or active exploitation has been confirmed at time of analysis.

Remote code execution in Google Chrome prior to version 146.0.7680.178 exploits object corruption in the V8 JavaScript engine, allowing attackers to execute arbitrary code within the Chrome sandbox via a specially crafted HTML page. The vulnerability affects all Chrome versions below the patched release and carries a High Chromium security severity rating.

Integer overflow in ANGLE (Google's OpenGL abstraction layer) in Chrome on Windows before version 146.0.7680.178 enables out-of-bounds memory writes if the renderer process is compromised, allowing an attacker to execute arbitrary code with renderer privileges. The vulnerability requires prior renderer process compromise, limiting the immediate attack surface but representing a critical post-compromise escalation vector. Chromium severity is rated High; patch availability confirms vendor remediation.

Remote code execution in ANGLE (Almost Native Graphics Layer Engine) within Google Chrome on macOS prior to version 146.0.7680.178 allows unauthenticated remote attackers to execute arbitrary code by crafting a malicious HTML page that triggers a heap buffer overflow. This vulnerability affects all Chrome versions below the patched release and poses an immediate risk to macOS users who visit compromised or malicious websites.

Buffer over-read vulnerability in RTI Connext Professional Core Libraries allows unauthenticated remote attackers to read beyond allocated buffer boundaries, potentially leaking sensitive data. Affected versions span multiple major release lines: 7.4.0-7.6.x, 7.0.0-7.3.0.x, 6.1.0-6.1.x, 6.0.0-6.0.x, 5.3.0-5.3.x, and 4.3x-5.2.x. The CVSS 6.3 score reflects low confidentiality impact with network-based attack surface; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Buffer overflow in TOTOlink A3600R v5.9c.4959 setAppEasyWizardConfig interface allows remote code execution or denial of service via unvalidated rootSsid parameter in /lib/cste_modules/app.so. The vulnerability affects a Wi-Fi router's configuration endpoint and enables unauthenticated attackers to trigger memory corruption with potential for arbitrary code execution. No CVSS vector or patch status was available at time of analysis.

Buffer overflow in Mbed TLS public key export functionality for Finite Field Diffie-Hellman (FFDH) keys affects versions through 3.6.5 and TF-PSA-Crypto 1.0.0. An attacker can trigger a memory corruption condition during FFDH public key export operations, potentially enabling code execution or denial of service depending on memory layout and application context. No public exploit code or active exploitation has been confirmed at time of analysis.

Buffer overflow in Mbed TLS versions 3.5.0 through 3.6.5 allows remote attackers to cause a denial of service or potentially execute arbitrary code via crafted input to the x509_inet_pton_ipv6() function used in X.509 certificate parsing. The vulnerability is fixed in Mbed TLS 3.6.6 and 4.1.0. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

Heap-based buffer overflow in Axiomatic Bento4 up to version 1.6.0-641 allows local authenticated attackers to cause a denial of service or potentially corrupt memory via the AP4_BitReader::SkipBits function in the DSI v1 Parser component when processing a maliciously crafted n_presentations argument. Public exploit code is available; vendor has not responded to early disclosure.

Heap buffer overflow in iccDEV's icAnsiToUtf8() function allows local attackers to cause denial of service via a crafted ICC color profile processed by the iccToXml tool. The vulnerability exists in versions prior to 2.3.1.6 and stems from unsafe string handling that treats non-null-terminated buffers as C-strings, triggering out-of-bounds memory reads. CVSS 6.2 with local attack vector and no authentication required; vendor-released patch available in version 2.3.1.6.

Stack buffer overflow in iccDEV library versions prior to 2.3.1.6 allows local attackers to cause denial of service by crafting malicious ICC color management profile files that trigger a 4-byte write overflow in CIccTagFixedNum<>::GetValues(). The vulnerability requires local access and no user interaction, with CVSS 6.2 reflecting the high availability impact. No public exploit code or active exploitation has been identified; vendor-released patch version 2.3.1.6 is available.

Heap buffer overflow in iccDEV's CIccApplyCmmSearch::costFunc() function allows local attackers to trigger an out-of-bounds memory read via malformed JSON configuration input to the iccApplySearch tool, resulting in denial of service. The vulnerability affects iccDEV versions prior to 2.3.1.6 and has been patched; no public exploit identified at time of analysis, though the issue is straightforward to trigger with crafted input.

Stack buffer overflow in iccDEV library versions prior to 2.3.1.6 allows local attackers to trigger a denial of service by crafting a malicious ICC color profile that overflows a 4-byte stack buffer in the CIccCalculatorFunc::Apply() function during profile processing. The vulnerability requires local access and no user interaction, with CVSS 6.2 reflecting high availability impact but no direct code execution path; vendor-released patch is available in version 2.3.1.6.