Buffer Overflow
Monthly
Stack buffer overflow in LSC Indoor Camera V7.6.32 ONVIF GetStreamUri function allows unauthenticated remote attackers to cause denial of service or execute arbitrary code by sending a crafted SOAP request with an oversized Protocol parameter in the Transport element, bypassing input validation and corrupting the stack return instruction pointer.
Remote authenticated attackers can execute arbitrary code on Tenda AC5 routers (firmware version 15.03.06.47) by exploiting a stack-based buffer overflow in the WPS configuration handler. The vulnerability resides in the formWifiWpsOOB function handling POST requests to /goform/WifiWpsOOB, where insufficient validation of the 'index' parameter allows memory corruption. A publicly available exploit code exists (CVSS 8.8, EPSS data not provided), enabling authenticated attackers with low-privilege access to achieve complete device compromise with high impact on confidentiality, integrity, and availability.
Stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 enables remote authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter in POST requests to /goform/setcfm. A publicly available exploit exists with proof-of-concept code disclosed through VulDB and documented in detailed technical write-ups, significantly lowering the barrier to exploitation for threat actors targeting vulnerable devices.
Remote attackers with low-level credentials can execute arbitrary code on Tenda AC5 wireless routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the formQuickIndex function via a crafted PPPOEPassword parameter in POST requests to /goform/QuickIndex. Publicly available exploit code exists, including detailed proof-of-concept documentation published on Notion, elevating immediate risk for devices exposed to authenticated network users. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability with network-based attack vector and low complexity.
Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption that leads to high confidentiality, integrity, and availability impact (CVSS 8.8). Publicly available exploit code exists, significantly lowering the barrier to exploitation.
Certificate chain spoofing in node-forge (npm) <= 1.3.3 lets an attacker present any non-CA leaf certificate as a trusted intermediate CA, because pki.verifyCertificateChain() skips RFC 5280 basicConstraints enforcement when a certificate carries neither the basicConstraints nor the keyUsage extension. An attacker holding such a leaf certificate can sign certificates for arbitrary identities and have node-forge accept the forged chain, defeating authentication for any application relying on it for custom PKI, S/MIME, PKCS#7, or device-certificate validation. Rated CVSS 9.1 by the reporter and fixed in 1.4.0; publicly available exploit code exists (full PoC in the GHSA), but EPSS is only 0.02% and it is not on CISA KEV.
An out-of-bounds read vulnerability in the UPnP service of TP-Link TL-WR841N v14 routers enables adjacent network attackers to crash the UPnP daemon without authentication, resulting in denial of service. Affected devices include firmware versions prior to EN_0.9.1 4.19 Build 260303 and US_0.9.1.4.19 Build 260312. Vendor patches are available. No public exploit identified at time of analysis, with CVSS:4.0 scoring 7.1 (High) reflecting adjacent network access requirements and high availability impact.
GIMP's PSD file parser crashes when processing specially crafted Photoshop documents due to improper null-termination in the fread_pascal_string function, allowing local authenticated users to trigger a denial of service. The vulnerability affects GIMP across Red Hat Enterprise Linux 7, 8, and 9, as well as multiple Debian and Ubuntu releases tracked by their respective security teams. While the CVSS score is low (2.8), the widespread distribution across major Linux vendors and confirmed advisory issuance from Red Hat, Debian, and SUSE indicates this merits coordinated patching despite limited exploitability constraints.
A security vulnerability in A flaw (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
GIMP's PSP file parser fails to validate 32-bit length values in the read_creator_block() function, allowing local attackers to trigger integer overflow and heap buffer overflow via specially crafted PSP image files, resulting in application-level denial of service. Red Hat Enterprise Linux versions 6-9, Ubuntu (7 releases), Debian (9 releases), and SUSE are affected. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability has been assigned ENISA EUVD ID EUVD-2026-16340 and tracked across major Linux distributions.
Truncated msgpack fixext format data (codes 0xd4-0xd8) decoded by shamaton/msgpack library versions across v1, v2, and v3 fail to validate input buffer boundaries, triggering out-of-bounds memory reads and runtime panics that enable denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without requiring authentication or user interaction.
Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.
The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment, though attack complexity remains moderate as it requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). Vendor-released patch: version 0.4.4.
X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
Out-of-bounds read and write in libpng's ARM/AArch64 Neon-optimized palette expansion allows remote attackers to trigger memory corruption, information disclosure, and denial of service when processing malicious PNG files. libpng versions 1.6.36 through 1.6.55 are affected on ARM platforms with Neon optimization enabled. Version 1.6.56 contains the fix. No public exploit identified at time of analysis, with SSVC framework indicating no active exploitation, non-automatable attack vector, and partial technical impact.
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. When schema validation is disabled by default, oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads that bypass disabled schema validation. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. SSVC assessment indicates no current exploitation and non-automatable attack; no public exploit identified at time of analysis.
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary code via overly long CAN interface names during initialization. The vulnerability (CWE-121) affects everest-core versions prior to 2026.02.0 with CVSS 8.4 (High severity). Proof-of-concept exploit code exists according to SSVC assessment, and the flaw triggers before privilege checks, enabling attack with no user privileges required. The vulnerability is tracked as EUVD-2026-16199 by ENISA.
Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attackers to execute arbitrary code by sending malformed SLAC protocol frames. EVerest-core versions prior to 2026.02.0 are affected due to a stack buffer overflow in HomeplugMessage::setup_payload that trusts an attacker-controlled length parameter in release builds. SSVC analysis indicates proof-of-concept exploit code exists, though the vulnerability is not automatable and requires adjacent network access (CVSS 8.8, AV:A).
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certificate filenames of exactly 100 characters due to off-by-one boundary check error in IsoMux component. EVerest-core versions prior to 2026.02.0 are affected (CPE cpe:2.3:a:everest:everest-core). The vulnerability has a CVSS score of 8.4 with local attack vector and no privilege requirements (AV:L/PR:N), allowing unauthenticated local attackers to achieve code execution. No public exploit identified at time of analysis, though technical details are available in GitHub security advisory GHSA-cpqf-mcqc-783m.
River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
River Past Audio Converter 7.7.16 contains a local buffer overflow vulnerability in the activation code field that allows local attackers to crash the application by supplying an oversized input. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string to the registration code input field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab Excel Password Recovery 8.3.1 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab RAR Password Recovery 9.3.2 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Explorer 1.5.66.2 contains a structured exception handler (SEH) overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH records with malicious data. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AnyBurn 4.3 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the image file name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Excel Password Recovery Professional 8.2.0.0 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long string to the 'E-Mail. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MegaPing contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload to the Destination Address List field in the Finger. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Nsauditor 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input to the DNS Lookup tool. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok Video Splitter 3.1.1217 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service or execute arbitrary code by supplying an oversized string in the. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.
Buffer overflow in UTT HiPER 1250GW firmware versions up to 3.2.7-210907-180535 allows authenticated remote attackers to achieve code execution through a malformed GroupName parameter in the DNS filter configuration handler. Public exploit code exists for this vulnerability and no patch is currently available. Affected organizations should restrict network access to administrative interfaces until remediation is possible.
Remote attackers can exploit a stack-based buffer overflow in the /cgi-bin/nas.cgi endpoint of Wavlink WL-NU516U1 by manipulating the Content-Length parameter to achieve unauthenticated remote code execution. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. Authentication is required to trigger the flaw, limiting exposure to authenticated users or those with network access to the device.
Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_sec) allows low-privileged authenticated attackers to execute arbitrary code via crafted network packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches. Publicly available exploit code exists (GitHub/Gist), though EPSS probability remains low (0.05%, 16th percentile) and CISA has not listed this in KEV, suggesting limited observed exploitation despite high CVSS 8.8 score and total technical impact per SSVC framework.
Squid prior to version 7.5 contains an out-of-bounds read vulnerability in ICP (Internet Cache Protocol) traffic handling due to improper input validation, classified as CWE-125. Remote attackers can exploit this to leak small amounts of process memory potentially containing sensitive information by sending malformed ICP requests to deployments with explicitly enabled ICP support (non-zero icp_port configuration). The vulnerability affects all versions of Squid before 7.5, and while no CVSS score or EPSS data is currently available, the information disclosure impact and remote attack vector indicate moderate to significant risk for affected deployments.
The getradiotapfield() function in ZerBea hcxpcapngtool version 7.0.1-43-g2ee308e contains a buffer overflow vulnerability allowing local attackers to trigger a denial of service condition through memory corruption. While the vulnerability is classified as causing information disclosure in the description, the CVSS vector (C:N/I:N/A:H) indicates the primary impact is availability degradation rather than confidentiality compromise. No public exploit code or active exploitation has been identified at the time of analysis, though the local attack vector and lack of required privileges make exploitation feasible for any user with local system access.
Saloon versions prior to v4 contain a path traversal vulnerability in fixture name handling that allows attackers to read or write files outside the configured fixture directory. Users with MockResponse fixtures derived from untrusted input (such as request parameters or configuration values) are affected, as attackers can use path traversal sequences like ../ or absolute paths to access arbitrary files on the system with the privileges of the running process. The vulnerability has been patched in Saloon v4 with input validation and defense-in-depth path verification.
YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
An off-by-one error in fontconfig before version 2.17.1 allows a one-byte out-of-bounds write in the FcFontCapabilities function within fcfreetype.c during sfnt capability handling. This vulnerability affects all versions of fontconfig prior to 2.17.1 across multiple platforms, potentially enabling local attackers without special privileges to crash the application or execute arbitrary code. A patch is available through the official fontconfig GitLab repository, and given the memory corruption nature of the defect, exploitation is feasible on systems with fontconfig-dependent applications.
Buffer overflow in Linux kernel Bluetooth L2CAP subsystem allows adjacent network attackers to achieve code execution with high integrity and confidentiality impact. The flaw occurs when the kernel incorrectly accepts multiple L2CAP_ECRED_CONN_REQ commands with the same identifier, violating Bluetooth Core Specification requirements. This causes allocation beyond the L2CAP_ECRED_MAX_CID limit (5 channels) in l2cap_ecred_rsp_defer, triggering memory corruption. Affects Linux kernel 5.7+ through multiple stable branches. Vendor patches available for 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and 7.0-rc5. EPSS score of 0.02% suggests low likelihood of mass exploitation, no public POC or active exploitation confirmed at time of analysis.
A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.
A metadata validation vulnerability in the Linux kernel's Squashfs filesystem implementation allows out-of-bounds memory access when processing corrupted or malicious filesystem images. Specifically, a negative metadata block offset derived from a corrupted index lookup table is passed to squashfs_copy_data without bounds checking, causing a general protection fault. Any Linux system mounting an untrusted Squashfs image is affected, potentially enabling denial of service or information disclosure attacks, though no active exploitation in the wild is currently documented.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7925 WiFi driver in the mt7925_mac_write_txwi_80211() function, which fails to validate frame length before accessing management frame fields. This vulnerability affects systems running Linux kernel versions with the vulnerable MT7925 driver code and could allow an attacker with local access or the ability to craft malicious wireless frames to read or write out-of-bounds memory, potentially leading to information disclosure or denial of service. While no CVSS score, EPSS data, or active exploitation reports are currently documented, the vulnerability has been patched across multiple stable Linux kernel branches as indicated by four distinct commit references.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7996 WiFi driver (mt76) within the mt7996_mac_write_txwi_80211() function. The vulnerability occurs when the function accesses management frame fields without first validating the frame length, potentially allowing information disclosure or denial of service on systems using affected MT7996 hardware. Multiple stable kernel patches are available across several kernel versions, indicating the issue has been actively remediated in the upstream Linux project.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's mt76 WiFi driver, specifically in the mt76_connac2_mac_write_txwi_80211() function which fails to validate frame length before accessing management frame fields. This affects all Linux kernel versions containing the vulnerable mt76 driver code and could allow an attacker to read sensitive kernel memory or trigger a denial of service through a specially crafted WiFi management frame. The vulnerability has been patched across multiple stable kernel branches with fixes available since the issue was identified.
A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.
Out-of-bounds memory access in the Linux kernel's accel/rocket DRM driver allows local authenticated users to trigger denial of service and potential information disclosure during probe failure paths. The flaw stems from improper error unwinding in rocket_probe() when rocket_core_init() fails (notably on EPROBE_DEFER), leaving stale counter state that subsequent code dereferences out of bounds. No public exploit identified at time of analysis, and EPSS scores exploitation likelihood at 0.02% (4th percentile), consistent with a hardware-driver-specific issue requiring local access.
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.
Improper bounds checking in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) permits a local attacker to write out-of-bounds memory through a malicious application, potentially allowing modification of protected filesystem areas. The vulnerability requires user interaction to execute the malicious app and affects the file system's integrity rather than confidentiality. No patch is currently available for this out-of-bounds write condition.
Memory corruption in Apple Safari, iOS, iPadOS, macOS, and visionOS allows remote attackers to crash affected processes by delivering maliciously crafted web content to users. The vulnerability requires user interaction to view the malicious content and does not enable code execution or information disclosure. A patch is currently unavailable for this issue.
Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are vulnerable to a stack overflow vulnerability that can be triggered by user interaction with a malicious app, potentially causing denial-of-service conditions. The vulnerability stems from insufficient input validation and affects multiple recent OS versions across Apple's product ecosystem. While no patch is currently available, users should exercise caution when installing apps from untrusted sources.
Xcode versions prior to 26.4 contain an out-of-bounds read vulnerability that can be triggered by local users with user interaction to cause unexpected application or system termination. This denial-of-service condition affects developers and build systems using vulnerable Xcode installations. No patch is currently available.
macOS versions prior to Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 contain an out-of-bounds read vulnerability that allows local applications to access and disclose sensitive kernel memory. An attacker with the ability to run code on an affected system can exploit this memory disclosure to obtain privileged information that may aid in further system compromise. No patch is currently available for this HIGH severity vulnerability.
Maliciously crafted media files containing out-of-bounds memory access in Apple's audio processing can crash affected applications across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. An attacker can trigger a denial of service by triggering the vulnerability through a specially crafted audio stream, though no patch is currently available. This impacts multiple recent OS versions where an out-of-bounds read occurs during media file processing.
A buffer overflow vulnerability in Apple macOS Tahoe prior to version 26.4 enables remote attackers to trigger a denial-of-service condition through memory corruption and application crashes without requiring user interaction or authentication. The flaw stems from insufficient bounds checking and currently lacks a security patch. This vulnerability affects all macOS users running vulnerable versions.
Integer overflow vulnerability in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.2 and earlier) allows remote attackers to trigger heap corruption by processing a specially crafted string without requiring user interaction or privileges. The vulnerability results in denial of service and potential memory corruption but currently lacks a public patch. No active exploitation has been reported.
Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption.
A sandbox escape vulnerability in Apple's WebKit browser engine allows malicious websites to process restricted web content outside the security sandbox, potentially enabling unauthorized access to protected system resources. The vulnerability affects Safari and all Apple operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has addressed this issue through improved memory handling in Safari 26.4 and corresponding OS updates across all affected platforms.
iOS and iPadOS devices are vulnerable to denial-of-service attacks due to insufficient buffer bounds checking that allows remote attackers to crash affected systems without authentication. The vulnerability affects iOS 26.4 and earlier versions, requiring network access but no user interaction. No patch is currently available for this HIGH severity issue.
Improper memory handling in Apple iOS, iPadOS, and macOS allows remote denial of service when processing maliciously crafted files, potentially causing unexpected application crashes. An attacker can trigger this vulnerability by delivering a specially crafted file to a victim, resulting in app termination without requiring user privileges or interaction beyond opening the file. No patch is currently available for this medium-severity vulnerability affecting multiple Apple platforms.
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
This vulnerability affects Apple's Safari browser and related Apple operating systems (iOS, iPadOS, macOS Tahoe, and visionOS) due to improper memory handling when processing maliciously crafted web content. The flaw can lead to unexpected process crashes, resulting in a denial of service condition affecting all users of the impacted Safari versions and OS versions below 26.4. While no CVSS score or EPSS data is currently published, the vulnerability has been patched by Apple, suggesting it was discovered through internal security review or responsible disclosure rather than active exploitation.
macOS Tahoe versions prior to 26.4 contain a buffer overflow vulnerability that can cause denial of service through unexpected application termination or memory corruption when exploited by local attackers. The vulnerability stems from insufficient size validation in memory operations and requires no user interaction to trigger. No patch is currently available for affected systems.
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Thunderbird's mail parser fails to validate string length parameters, allowing a compromised mail server to trigger out-of-bounds memory reads through malformed email content. Affected users running versions prior to 149 and 140.9 could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, though no patch is currently available.
LibVNCServer versions 0.9.15 and earlier contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows malicious VNC servers to disclose sensitive information or crash client applications. The vulnerability affects any application linking against the vulnerable LibVNCServer library, with exploitation requiring a malicious VNC server that manipulates subrectangle header counts to trigger improper bounds checking in the HandleUltraZipBPP() function. A patch is available from the vendor (commit 009008e), and no active exploitation or public proof-of-concept has been reported as of the intelligence sources reviewed.
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).
Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.
Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.
Stack buffer overflow in LSC Indoor Camera V7.6.32 ONVIF GetStreamUri function allows unauthenticated remote attackers to cause denial of service or execute arbitrary code by sending a crafted SOAP request with an oversized Protocol parameter in the Transport element, bypassing input validation and corrupting the stack return instruction pointer.
Remote authenticated attackers can execute arbitrary code on Tenda AC5 routers (firmware version 15.03.06.47) by exploiting a stack-based buffer overflow in the WPS configuration handler. The vulnerability resides in the formWifiWpsOOB function handling POST requests to /goform/WifiWpsOOB, where insufficient validation of the 'index' parameter allows memory corruption. A publicly available exploit code exists (CVSS 8.8, EPSS data not provided), enabling authenticated attackers with low-privilege access to achieve complete device compromise with high impact on confidentiality, integrity, and availability.
Stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 enables remote authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter in POST requests to /goform/setcfm. A publicly available exploit exists with proof-of-concept code disclosed through VulDB and documented in detailed technical write-ups, significantly lowering the barrier to exploitation for threat actors targeting vulnerable devices.
Remote attackers with low-level credentials can execute arbitrary code on Tenda AC5 wireless routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the formQuickIndex function via a crafted PPPOEPassword parameter in POST requests to /goform/QuickIndex. Publicly available exploit code exists, including detailed proof-of-concept documentation published on Notion, elevating immediate risk for devices exposed to authenticated network users. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability with network-based attack vector and low complexity.
Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption that leads to high confidentiality, integrity, and availability impact (CVSS 8.8). Publicly available exploit code exists, significantly lowering the barrier to exploitation.
Certificate chain spoofing in node-forge (npm) <= 1.3.3 lets an attacker present any non-CA leaf certificate as a trusted intermediate CA, because pki.verifyCertificateChain() skips RFC 5280 basicConstraints enforcement when a certificate carries neither the basicConstraints nor the keyUsage extension. An attacker holding such a leaf certificate can sign certificates for arbitrary identities and have node-forge accept the forged chain, defeating authentication for any application relying on it for custom PKI, S/MIME, PKCS#7, or device-certificate validation. Rated CVSS 9.1 by the reporter and fixed in 1.4.0; publicly available exploit code exists (full PoC in the GHSA), but EPSS is only 0.02% and it is not on CISA KEV.
An out-of-bounds read vulnerability in the UPnP service of TP-Link TL-WR841N v14 routers enables adjacent network attackers to crash the UPnP daemon without authentication, resulting in denial of service. Affected devices include firmware versions prior to EN_0.9.1 4.19 Build 260303 and US_0.9.1.4.19 Build 260312. Vendor patches are available. No public exploit identified at time of analysis, with CVSS:4.0 scoring 7.1 (High) reflecting adjacent network access requirements and high availability impact.
GIMP's PSD file parser crashes when processing specially crafted Photoshop documents due to improper null-termination in the fread_pascal_string function, allowing local authenticated users to trigger a denial of service. The vulnerability affects GIMP across Red Hat Enterprise Linux 7, 8, and 9, as well as multiple Debian and Ubuntu releases tracked by their respective security teams. While the CVSS score is low (2.8), the widespread distribution across major Linux vendors and confirmed advisory issuance from Red Hat, Debian, and SUSE indicates this merits coordinated patching despite limited exploitability constraints.
A security vulnerability in A flaw (CVSS 4.3). Remediation should follow standard vulnerability management procedures.
GIMP's PSP file parser fails to validate 32-bit length values in the read_creator_block() function, allowing local attackers to trigger integer overflow and heap buffer overflow via specially crafted PSP image files, resulting in application-level denial of service. Red Hat Enterprise Linux versions 6-9, Ubuntu (7 releases), Debian (9 releases), and SUSE are affected. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability has been assigned ENISA EUVD ID EUVD-2026-16340 and tracked across major Linux distributions.
Truncated msgpack fixext format data (codes 0xd4-0xd8) decoded by shamaton/msgpack library versions across v1, v2, and v3 fail to validate input buffer boundaries, triggering out-of-bounds memory reads and runtime panics that enable denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without requiring authentication or user interaction.
Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.
The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment, though attack complexity remains moderate as it requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). Vendor-released patch: version 0.4.4.
X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.
Out-of-bounds read and write in libpng's ARM/AArch64 Neon-optimized palette expansion allows remote attackers to trigger memory corruption, information disclosure, and denial of service when processing malicious PNG files. libpng versions 1.6.36 through 1.6.55 are affected on ARM platforms with Neon optimization enabled. Version 1.6.56 contains the fix. No public exploit identified at time of analysis, with SSVC framework indicating no active exploitation, non-automatable attack vector, and partial technical impact.
Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).
EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. When schema validation is disabled by default, oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.
Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads that bypass disabled schema validation. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.
EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.
Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. SSVC assessment indicates no current exploitation and non-automatable attack; no public exploit identified at time of analysis.
Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary code via overly long CAN interface names during initialization. The vulnerability (CWE-121) affects everest-core versions prior to 2026.02.0 with CVSS 8.4 (High severity). Proof-of-concept exploit code exists according to SSVC assessment, and the flaw triggers before privilege checks, enabling attack with no user privileges required. The vulnerability is tracked as EUVD-2026-16199 by ENISA.
Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attackers to execute arbitrary code by sending malformed SLAC protocol frames. EVerest-core versions prior to 2026.02.0 are affected due to a stack buffer overflow in HomeplugMessage::setup_payload that trusts an attacker-controlled length parameter in release builds. SSVC analysis indicates proof-of-concept exploit code exists, though the vulnerability is not automatable and requires adjacent network access (CVSS 8.8, AV:A).
Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).
Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certificate filenames of exactly 100 characters due to off-by-one boundary check error in IsoMux component. EVerest-core versions prior to 2026.02.0 are affected (CPE cpe:2.3:a:everest:everest-core). The vulnerability has a CVSS score of 8.4 with local attack vector and no privilege requirements (AV:L/PR:N), allowing unauthenticated local attackers to achieve code execution. No public exploit identified at time of analysis, though technical details are available in GitHub security advisory GHSA-cpqf-mcqc-783m.
River Past CamDo 3.7.6 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
River Past Audio Converter 7.7.16 contains a local buffer overflow vulnerability in the activation code field that allows local attackers to crash the application by supplying an oversized input. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string to the registration code input field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab Excel Password Recovery 8.3.1 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload in. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PassFab RAR Password Recovery 9.3.2 contains a structured exception handler (SEH) buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious payload. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDF Explorer 1.5.66.2 contains a structured exception handler (SEH) overflow vulnerability that allows local attackers to execute arbitrary code by overwriting SEH records with malicious data. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
AnyBurn 4.3 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the image file name field. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Excel Password Recovery Professional 8.2.0.0 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long string to the 'E-Mail. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
MegaPing contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload to the Destination Address List field in the Finger. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Nsauditor 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input to the DNS Lookup tool. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Boxoft wav-wma Converter 1.0 contains a local buffer overflow vulnerability in structured exception handling that allows attackers to execute arbitrary code by crafting malicious WAV files. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok Video Splitter 3.1.1217 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service or execute arbitrary code by supplying an oversized string in the. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.
Buffer overflow in UTT HiPER 1250GW firmware versions up to 3.2.7-210907-180535 allows authenticated remote attackers to achieve code execution through a malformed GroupName parameter in the DNS filter configuration handler. Public exploit code exists for this vulnerability and no patch is currently available. Affected organizations should restrict network access to administrative interfaces until remediation is possible.
Remote attackers can exploit a stack-based buffer overflow in the /cgi-bin/nas.cgi endpoint of Wavlink WL-NU516U1 by manipulating the Content-Length parameter to achieve unauthenticated remote code execution. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. Authentication is required to trigger the flaw, limiting exposure to authenticated users or those with network access to the device.
Remote code execution in FreeBSD kernel's RPCSEC_GSS implementation (kgssapi.ko) and userspace RPC servers (librpcgss_sec) allows low-privileged authenticated attackers to execute arbitrary code via crafted network packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches. Publicly available exploit code exists (GitHub/Gist), though EPSS probability remains low (0.05%, 16th percentile) and CISA has not listed this in KEV, suggesting limited observed exploitation despite high CVSS 8.8 score and total technical impact per SSVC framework.
Squid prior to version 7.5 contains an out-of-bounds read vulnerability in ICP (Internet Cache Protocol) traffic handling due to improper input validation, classified as CWE-125. Remote attackers can exploit this to leak small amounts of process memory potentially containing sensitive information by sending malformed ICP requests to deployments with explicitly enabled ICP support (non-zero icp_port configuration). The vulnerability affects all versions of Squid before 7.5, and while no CVSS score or EPSS data is currently available, the information disclosure impact and remote attack vector indicate moderate to significant risk for affected deployments.
The getradiotapfield() function in ZerBea hcxpcapngtool version 7.0.1-43-g2ee308e contains a buffer overflow vulnerability allowing local attackers to trigger a denial of service condition through memory corruption. While the vulnerability is classified as causing information disclosure in the description, the CVSS vector (C:N/I:N/A:H) indicates the primary impact is availability degradation rather than confidentiality compromise. No public exploit code or active exploitation has been identified at the time of analysis, though the local attack vector and lack of required privileges make exploitation feasible for any user with local system access.
Saloon versions prior to v4 contain a path traversal vulnerability in fixture name handling that allows attackers to read or write files outside the configured fixture directory. Users with MockResponse fixtures derived from untrusted input (such as request parameters or configuration values) are affected, as attackers can use path traversal sequences like ../ or absolute paths to access arbitrary files on the system with the privileges of the running process. The vulnerability has been patched in Saloon v4 with input validation and defense-in-depth path verification.
YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.
An unauthenticated information disclosure vulnerability exists in SiYuan note-taking application that allows remote attackers to read the content of all documents, including encrypted or access-restricted files, through two API endpoints (/api/file/readDir and /api/block/getChildBlocks). A working proof-of-concept Python exploit has been published demonstrating complete document enumeration and content retrieval. With a CVSS score of 9.8 (Critical) indicating network-based exploitation requiring no privileges or user interaction, this represents a severe confidentiality breach for all published SiYuan instances.
An off-by-one error in fontconfig before version 2.17.1 allows a one-byte out-of-bounds write in the FcFontCapabilities function within fcfreetype.c during sfnt capability handling. This vulnerability affects all versions of fontconfig prior to 2.17.1 across multiple platforms, potentially enabling local attackers without special privileges to crash the application or execute arbitrary code. A patch is available through the official fontconfig GitLab repository, and given the memory corruption nature of the defect, exploitation is feasible on systems with fontconfig-dependent applications.
Buffer overflow in Linux kernel Bluetooth L2CAP subsystem allows adjacent network attackers to achieve code execution with high integrity and confidentiality impact. The flaw occurs when the kernel incorrectly accepts multiple L2CAP_ECRED_CONN_REQ commands with the same identifier, violating Bluetooth Core Specification requirements. This causes allocation beyond the L2CAP_ECRED_MAX_CID limit (5 channels) in l2cap_ecred_rsp_defer, triggering memory corruption. Affects Linux kernel 5.7+ through multiple stable branches. Vendor patches available for 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, and 7.0-rc5. EPSS score of 0.02% suggests low likelihood of mass exploitation, no public POC or active exploitation confirmed at time of analysis.
A buffer overflow vulnerability exists in the Linux kernel's dma_map_sg tracepoint that can be triggered when tracing large scatter-gather lists, particularly with devices like virtio-gpu that create large DRM buffers exceeding 1000 entries. The vulnerability affects all Linux kernel versions prior to the fix and can cause perf buffer overflow warnings and potential kernel instability when dynamic array allocations exceed PERF_MAX_TRACE_SIZE (8192 bytes). While this is a kernel-level issue requiring local access to trigger tracing functionality, it poses a denial-of-service risk and memory safety concern for systems using performance tracing on workloads with large scatter-gather operations.
A metadata validation vulnerability in the Linux kernel's Squashfs filesystem implementation allows out-of-bounds memory access when processing corrupted or malicious filesystem images. Specifically, a negative metadata block offset derived from a corrupted index lookup table is passed to squashfs_copy_data without bounds checking, causing a general protection fault. Any Linux system mounting an untrusted Squashfs image is affected, potentially enabling denial of service or information disclosure attacks, though no active exploitation in the wild is currently documented.
A buffer management vulnerability exists in the Linux kernel's Google Virtual Ethernet (GVE) driver within the gve_tx_clean_pending_packets() function when operating in DQ-QPL (Descriptor Queue with Queue Pair Lists) mode. The function incorrectly interprets buffer IDs as DMA addresses and attempts to unmap memory using the wrong cleanup path, causing out-of-bounds array access and potential memory corruption. This affects Linux kernel versions across multiple stable branches and can be triggered during network device reset operations, potentially leading to kernel crashes or memory safety violations.
A divide-by-zero vulnerability exists in the Linux kernel's ETS (Enhanced Transmission Selection) qdisc offload implementation that can crash the kernel when processing malformed traffic scheduling configurations. The vulnerability affects all Linux kernel versions with the ETS scheduler module enabled, and a local privileged user (or attacker with CAP_NET_ADMIN capability) can trigger a kernel panic by crafting specific netlink messages via the tc (traffic control) utility. While no public exploit code has been confirmed in the wild, the condition is easily reproducible and results in immediate kernel crash, making this a high-priority local denial-of-service vector.
A buffer overflow vulnerability exists in the Linux kernel's IFE (Intermediate Functional Element) traffic control action module where metadata list replacement incorrectly appends new metadata instead of replacing old entries, causing unbounded metadata accumulation. This affects all Linux kernel versions with the vulnerable IFE scheduling code (cpe:2.3:a:linux:linux). An attacker with the ability to modify traffic control rules can trigger an out-of-bounds write via the ife_tlv_meta_encode function, potentially achieving kernel memory corruption and denial of service. The vulnerability is not listed as actively exploited in public KEV databases, but patches are available across multiple stable kernel branches.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7925 WiFi driver in the mt7925_mac_write_txwi_80211() function, which fails to validate frame length before accessing management frame fields. This vulnerability affects systems running Linux kernel versions with the vulnerable MT7925 driver code and could allow an attacker with local access or the ability to craft malicious wireless frames to read or write out-of-bounds memory, potentially leading to information disclosure or denial of service. While no CVSS score, EPSS data, or active exploitation reports are currently documented, the vulnerability has been patched across multiple stable Linux kernel branches as indicated by four distinct commit references.
This vulnerability is a race condition in the Linux kernel's PCI Designware endpoint driver where MSI-X interrupt writes to the host can complete after the corresponding Address Translation Unit (ATU) entry is unmapped, potentially corrupting host memory or triggering IOMMU errors. The vulnerability affects all Linux kernel versions with the vulnerable code path in the PCI DWC endpoint implementation (cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*), specifically impacting systems using PCI endpoint devices with MSI-X interrupt support such as NVMe-PCI endpoint function drivers. An attacker with the ability to trigger high-frequency MSI-X interrupts from a malicious endpoint device could exploit this race condition to cause denial of service through IOMMU faults or potentially corrupt host memory.
A stack-out-of-bounds write vulnerability exists in the Linux kernel's BPF devmap implementation where the get_upper_ifindexes() function iterates over upper network devices without properly validating buffer bounds. An attacker with the ability to create multiple virtual network devices (e.g., more than 8 macvlans) and trigger XDP packet processing with BPF_F_BROADCAST and BPF_F_EXCLUDE_INGRESS flags can write beyond allocated stack memory, potentially causing denial of service or arbitrary code execution. The vulnerability affects all Linux kernel versions using the vulnerable devmap code path and has been patched across multiple stable kernel branches, indicating recognition as a real security concern requiring immediate updates.
A memory corruption vulnerability exists in the Linux kernel's XDP (eXpress Data Path) subsystem where negative tailroom calculations are incorrectly reported as large unsigned integers, allowing buffer overflows during tail growth operations. This affects Linux kernel versions across multiple stable branches when certain Ethernet drivers (notably ixgbevf) report incorrect DMA write sizes, leading to heap corruption, segmentation faults, and general protection faults as demonstrated in the xskxceiver test utility. The vulnerability has no CVSS score assigned and shows no active KEV exploitation status, but represents a critical memory safety issue affecting systems using XDP with affected Ethernet drivers.
A buffer over-read vulnerability exists in the Linux kernel's CXL mailbox command handler where the cxl_payload_from_user_allowed() function casts and dereferences user-supplied payload data without first validating its size. An unprivileged local attacker can send a raw mailbox command with an undersized payload (e.g., 1 byte instead of the expected 16 bytes for CXL_MBOX_OP_CLEAR_LOG) to trigger a kernel memory read past the allocated buffer, causing a KASAN splat and potential denial of service. While not yet listed in the KEV catalog or with public EPSS/CVSS scoring, patch commits are available in the Linux stable kernel repositories, indicating the vulnerability has been resolved upstream.
This vulnerability is a memory leak in the Linux kernel's AF_XDP socket implementation where buffers fail to be properly returned to the free list due to improper list node reinitialization. The vulnerability affects all Linux kernel versions with the AF_XDP subsystem enabled, potentially allowing local attackers or unprivileged users to exhaust kernel memory over time. While not actively exploited in the wild according to available intelligence, the vulnerability has clear patches available in stable kernel branches and represents a real denial-of-service risk for systems relying on XDP functionality.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's MediaTek MT7996 WiFi driver (mt76) within the mt7996_mac_write_txwi_80211() function. The vulnerability occurs when the function accesses management frame fields without first validating the frame length, potentially allowing information disclosure or denial of service on systems using affected MT7996 hardware. Multiple stable kernel patches are available across several kernel versions, indicating the issue has been actively remediated in the upstream Linux project.
The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.
A descriptor validation bypass in the Linux kernel's ALSA USB audio subsystem allows malicious USB devices to provide truncated UAC3 (USB Audio Class 3) header descriptors that escape validation checks, potentially causing out-of-bounds memory reads. The vulnerability stems from an incorrect protocol version constant (UAC_VERSION_2 instead of UAC_VERSION_3) in the validator table, causing validation logic to never execute for actual UAC3 devices. Affected are all Linux kernel versions containing the vulnerable code path; while CVSS and EPSS scores are not provided, this is a local privilege escalation / denial of service vector requiring physical USB device access or local code execution capability to exploit.
An out-of-bounds (OOB) memory access vulnerability exists in the Linux kernel's mt76 WiFi driver, specifically in the mt76_connac2_mac_write_txwi_80211() function which fails to validate frame length before accessing management frame fields. This affects all Linux kernel versions containing the vulnerable mt76 driver code and could allow an attacker to read sensitive kernel memory or trigger a denial of service through a specially crafted WiFi management frame. The vulnerability has been patched across multiple stable kernel branches with fixes available since the issue was identified.
A buffer overflow vulnerability exists in the Linux kernel's EMS USB CAN driver (ems_usb) in the ems_usb_read_bulk_callback() function, where the driver fails to properly validate USB message lengths before parsing and copying data. An attacker with the ability to supply a malicious USB device or intercept USB communications could trigger a buffer overflow by providing specially crafted messages that exceed the expected message boundaries, potentially leading to kernel memory corruption, denial of service, or privilege escalation. No CVSS score, EPSS risk rating, or active exploitation data (KEV status) is currently available, though multiple stable kernel branches have received patches indicating vendor awareness of the issue's severity.
Out-of-bounds memory access in the Linux kernel's accel/rocket DRM driver allows local authenticated users to trigger denial of service and potential information disclosure during probe failure paths. The flaw stems from improper error unwinding in rocket_probe() when rocket_core_init() fails (notably on EPROBE_DEFER), leaving stale counter state that subsequent code dereferences out of bounds. No public exploit identified at time of analysis, and EPSS scores exploitation likelihood at 0.02% (4th percentile), consistent with a hardware-driver-specific issue requiring local access.
An out-of-bounds memory write vulnerability exists in the Linux kernel's AMD XDNA accelerator driver (accel/amdxdna) where a memset() operation clears a command header before validating sufficient space is available in the command slot, potentially leading to memory corruption. The vulnerability affects Linux kernel versions across multiple releases where the amdxdna driver is present and enabled. An attacker with local access and appropriate capabilities to interact with the amdxdna device could trigger this memory corruption to achieve denial of service or potentially escalate privileges.
A size calculation overflow vulnerability exists in the Linux kernel's accel/amdxdna driver that can result in undersized buffer allocations and potential memory corruption. The vulnerability affects Linux kernel versions across multiple branches where the AMD XDNA accelerator driver is compiled. An attacker with local access could exploit this to trigger memory corruption, potentially leading to denial of service or privilege escalation, though exploitation complexity and attack surface requirements remain moderate.
Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.
Improper bounds checking in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.3 and earlier) permits a local attacker to write out-of-bounds memory through a malicious application, potentially allowing modification of protected filesystem areas. The vulnerability requires user interaction to execute the malicious app and affects the file system's integrity rather than confidentiality. No patch is currently available for this out-of-bounds write condition.
Memory corruption in Apple Safari, iOS, iPadOS, macOS, and visionOS allows remote attackers to crash affected processes by delivering maliciously crafted web content to users. The vulnerability requires user interaction to view the malicious content and does not enable code execution or information disclosure. A patch is currently unavailable for this issue.
Apple iOS, iPadOS, macOS, tvOS, visionOS, and watchOS are vulnerable to a stack overflow vulnerability that can be triggered by user interaction with a malicious app, potentially causing denial-of-service conditions. The vulnerability stems from insufficient input validation and affects multiple recent OS versions across Apple's product ecosystem. While no patch is currently available, users should exercise caution when installing apps from untrusted sources.
Xcode versions prior to 26.4 contain an out-of-bounds read vulnerability that can be triggered by local users with user interaction to cause unexpected application or system termination. This denial-of-service condition affects developers and build systems using vulnerable Xcode installations. No patch is currently available.
macOS versions prior to Sequoia 15.7.5, Sonoma 14.8.5, and Tahoe 26.4 contain an out-of-bounds read vulnerability that allows local applications to access and disclose sensitive kernel memory. An attacker with the ability to run code on an affected system can exploit this memory disclosure to obtain privileged information that may aid in further system compromise. No patch is currently available for this HIGH severity vulnerability.
Maliciously crafted media files containing out-of-bounds memory access in Apple's audio processing can crash affected applications across iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. An attacker can trigger a denial of service by triggering the vulnerability through a specially crafted audio stream, though no patch is currently available. This impacts multiple recent OS versions where an out-of-bounds read occurs during media file processing.
A buffer overflow vulnerability in Apple macOS Tahoe prior to version 26.4 enables remote attackers to trigger a denial-of-service condition through memory corruption and application crashes without requiring user interaction or authentication. The flaw stems from insufficient bounds checking and currently lacks a security patch. This vulnerability affects all macOS users running vulnerable versions.
Integer overflow vulnerability in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.2 and earlier) allows remote attackers to trigger heap corruption by processing a specially crafted string without requiring user interaction or privileges. The vulnerability results in denial of service and potential memory corruption but currently lacks a public patch. No active exploitation has been reported.
Insufficient bounds checking in Apple iOS and iPadOS 26.4 allows unauthenticated remote attackers to trigger buffer overflow conditions that corrupt kernel memory or cause system crashes without user interaction. This critical vulnerability affects all devices running the affected OS versions and has no available patch. An attacker can exploit this flaw over the network to achieve denial of service or potentially escalate privileges through kernel memory corruption.
A sandbox escape vulnerability in Apple's WebKit browser engine allows malicious websites to process restricted web content outside the security sandbox, potentially enabling unauthorized access to protected system resources. The vulnerability affects Safari and all Apple operating systems including iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. Apple has addressed this issue through improved memory handling in Safari 26.4 and corresponding OS updates across all affected platforms.
iOS and iPadOS devices are vulnerable to denial-of-service attacks due to insufficient buffer bounds checking that allows remote attackers to crash affected systems without authentication. The vulnerability affects iOS 26.4 and earlier versions, requiring network access but no user interaction. No patch is currently available for this HIGH severity issue.
Improper memory handling in Apple iOS, iPadOS, and macOS allows remote denial of service when processing maliciously crafted files, potentially causing unexpected application crashes. An attacker can trigger this vulnerability by delivering a specially crafted file to a victim, resulting in app termination without requiring user privileges or interaction beyond opening the file. No patch is currently available for this medium-severity vulnerability affecting multiple Apple platforms.
This vulnerability is a memory handling flaw in Apple's operating systems (iOS, iPadOS, macOS, tvOS, visionOS, and watchOS) that allows a malicious application to trigger unexpected system termination or corrupt kernel memory. The vulnerability affects all versions prior to the version 26.4 releases across Apple's entire ecosystem. An attacker can exploit this by crafting a malicious app that triggers improper memory handling, potentially leading to denial of service or privilege escalation through kernel memory corruption.
This vulnerability affects Apple's Safari browser and related Apple operating systems (iOS, iPadOS, macOS Tahoe, and visionOS) due to improper memory handling when processing maliciously crafted web content. The flaw can lead to unexpected process crashes, resulting in a denial of service condition affecting all users of the impacted Safari versions and OS versions below 26.4. While no CVSS score or EPSS data is currently published, the vulnerability has been patched by Apple, suggesting it was discovered through internal security review or responsible disclosure rather than active exploitation.
macOS Tahoe versions prior to 26.4 contain a buffer overflow vulnerability that can cause denial of service through unexpected application termination or memory corruption when exploited by local attackers. The vulnerability stems from insufficient size validation in memory operations and requires no user interaction to trigger. No patch is currently available for affected systems.
A stack-based buffer overflow vulnerability in the P2P API service in BS Producten Petcam with firmware 33.1.0.0818 allows unauthenticated attackers within network range to overwrite the instruction. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Thunderbird's mail parser fails to validate string length parameters, allowing a compromised mail server to trigger out-of-bounds memory reads through malformed email content. Affected users running versions prior to 149 and 140.9 could experience application crashes or disclosure of sensitive data from process memory. The vulnerability requires network access but no user interaction, though no patch is currently available.
LibVNCServer versions 0.9.15 and earlier contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows malicious VNC servers to disclose sensitive information or crash client applications. The vulnerability affects any application linking against the vulnerable LibVNCServer library, with exploitation requiring a malicious VNC server that manipulates subrectangle header counts to trigger improper bounds checking in the HandleUltraZipBPP() function. A patch is available from the vendor (commit 009008e), and no active exploitation or public proof-of-concept has been reported as of the intelligence sources reviewed.
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).
Multiple memory safety bugs affecting Firefox, Firefox ESR, and Thunderbird browsers present a critical remote code execution risk through memory corruption vulnerabilities. The affected versions include Firefox below 149, Firefox ESR below 115.34 and 140.9, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. These memory safety issues demonstrate evidence of exploitable memory corruption that could allow attackers to execute arbitrary code on affected systems, though no public exploit or active KEV confirmation is currently documented.
Multiple memory safety bugs in Firefox 148 and Thunderbird 148 allow attackers to trigger memory corruption with potential for arbitrary code execution. Firefox versions prior to 149 are vulnerable, as confirmed by Mozilla security advisories. The vulnerability requires no user interaction beyond normal browsing and represents a critical elevation risk due to the presume-exploitable nature of the underlying memory corruption issues.