Skip to main content

Buffer Overflow

36086 CVEs technique

Monthly

CVE-2026-8085 HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the model.exe (Siman) component when a victim opens a maliciously crafted simulation model file. The flaw lets an attacker run code in the context of the current user by tricking an operator or engineer into opening a booby-trapped file, making it a client-side, file-delivery RCE rather than a remotely reachable network service bug. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided, so real-world exploitation appears limited to social-engineering-driven targeting.

Buffer Overflow Memory Corruption RCE Arena
NVD
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-15693 HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets remote attackers corrupt memory by manipulating the 'page' argument of the fromSafeMacFilter handler at /goform/SafeMacFilter. Publicly available exploit code exists, though there is no public exploit identified as being used in active campaigns and it is not listed in CISA KEV. Successful exploitation can crash the device or potentially achieve code execution on the router's embedded OS. EPSS data was not provided.

Tenda Buffer Overflow Stack Overflow Be12 Pro
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-53566 MEDIUM PATCH This Month

Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Citrix Buffer Overflow Microsoft Information Disclosure Citrix Secure Access Client For Windows
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-15692 HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro router firmware 16.03.66.23 lets an authenticated remote attacker corrupt memory via the fromSafeUrlFilter handler at /goform/SafeUrlFilter by supplying an oversized 'page' parameter. Publicly available exploit code exists (published via VulDB), though the flaw is not listed in CISA KEV and no active exploitation has been confirmed. The CVSS 4.0 vector (7.4, PR:L) indicates network reachability with low-privilege authentication and high impact to confidentiality, integrity, and availability of the device.

Tenda Buffer Overflow Stack Overflow Be12 Pro
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.8%
CVE-2026-15691 HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro (firmware 16.03.66.23) web management interface lets an attacker corrupt memory by supplying an oversized 'page' argument to the fromSafeClientFilter handler at /goform/SafeClientFilter, potentially crashing the device or executing arbitrary code with router privileges. Per the CVSS 4.0 vector the flaw is network-reachable but requires low-level privileges (PR:L). Publicly available exploit code exists (disclosed via VulDB), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Tenda Buffer Overflow Stack Overflow Be12 Pro
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.8%
CVE-2026-12478 MEDIUM This Month

Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. No public exploit code or active exploitation (CISA KEV) has been identified, but the CVSS AC:H rating reflects the non-trivial preconditions: a specific client configuration and attacker-controlled server are both required.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2025-8412 LOW Monitor

Buffer overflow in SUSE Virtual Machine Driver Pack allows a local attacker with registry modification rights to corrupt driver integrity. Affected are all versions of the pack before upstream commit e7a602ec232756ead019bdf19d6d3b9d010cc94b, targeting virtualized guest environments running SUSE's paravirtual drivers. No public exploit exists and the vendor explicitly states no feasible exploitation path is currently known; no public exploit identified at time of analysis.

Buffer Overflow Virtual Machine Driver Pack
NVD
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-44747 CRITICAL NEWS Act Now

Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack.

Buffer Overflow SAP Memory Corruption Sap Netweaver Application Server Abap
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-51105 HIGH This Week

Denial of service in aMule 2.3.3 lets a remote eD2k server crash the client by sending a malformed OP_SERVERMESSAGE packet that overflows a stack buffer (CWE-121). The flaw is triggered client-side when parsing server-supplied message data, so any hostile or spoofed server the client connects to can terminate the application. No public exploit has been identified at time of analysis, and the issue is documented only as an upstream bug report (amule GitHub issue #445), not a released patch.

Buffer Overflow Stack Overflow Denial Of Service N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-58102 CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure Crypt
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-60103 MEDIUM PATCH This Month

Out-of-bounds read in Blender 3.0.0 through 5.1.2 allows an attacker to crash the application or disclose heap memory contents by convincing a user to open a specially crafted .blend file containing a malicious member_index value in the SDNA block. The vulnerability stems from missing bounds validation on a signed short index used directly as an array subscript in sdna_expand_names(), enabling both denial-of-service via SIGSEGV and limited heap memory disclosure. No public exploit code or active exploitation has been identified at time of analysis, but the file-based attack vector makes social engineering a realistic delivery mechanism.

Buffer Overflow Information Disclosure Blender
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-13221 CRITICAL PATCH Act Now

Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. There is no public exploit identified at time of analysis, though the fixing commit ships a deterministic reproducer test, and the flaw is not listed in CISA KEV.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-57432 HIGH PATCH This Week

Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. No public exploit is identified at time of analysis; the flaw was reported by CPANSec with vendor patches already committed upstream.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
CVSS 3.1
8.4
EPSS
0.2%
CVE-2026-40553 MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-40468 LOW PATCH Monitor

Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.

Integer Overflow Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15548 HIGH This Week

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.7%
CVE-2026-15545 HIGH POC This Week

Out-of-bounds write in the Shibby Tomato router firmware (versions up to and including 1.28.0000) lets authenticated remote users corrupt memory through the apcupsd web component. The flaw sits in the main() function of www/apcupsd/tomatodata.cgi, where crafted input reaches an out-of-bounds write (CWE-787) that can crash the CGI or potentially execute code on the router. Publicly available exploit code exists (via VulDB/Gitee), but there is no confirmed active exploitation; note that this project has been superseded by FreshTomato and is effectively end-of-life.

Memory Corruption Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15544 HIGH POC This Week

Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15543 HIGH POC This Week

Buffer overflow in the Tenda CH22 router (firmware 1.0.0.1) allows a remote, authenticated attacker to corrupt memory by supplying an overlong 'Name' argument to the formCertListInfo function in the /goform/CertListInfo endpoint. The flaw was disclosed by VulDB with publicly available exploit code, and the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV, so this is a proof-of-concept-stage issue rather than confirmed in-the-wild abuse.

Tenda Buffer Overflow Ch22
NVD VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-7162 HIGH NEWS This Week

Local privilege escalation to SYSTEM in WinFsp (Windows File System Proxy) stems from an integer overflow (CWE-190) that a low-privileged local user can trigger to achieve system-level access on the host. The flaw crosses a privilege boundary (CVSS scope change) and is fixed in release v2.2B2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is theoretical but the SYSTEM-level impact makes it a meaningful local escalation risk.

Integer Overflow Buffer Overflow Winfsp
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-15520 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG 0.13.4-154-g0b573035 allows a local low-privileged attacker to corrupt heap memory by supplying a crafted DWG file processed through the R2004 section decompressor, yielding partial confidentiality, integrity, and availability impact. The vulnerability resides in `decompress_R2004_section` within `src/decode.c` and is exploitable whenever LibreDWG parses attacker-controlled R2004-format DWG content. A public proof-of-concept exploit file has been disclosed on GitHub; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15551 MEDIUM This Month

Integer overflow in Samsung's open-source rlottie animation rendering library leads to buffer overflow, with high availability impact including potential crash or memory corruption. Exploitation requires local access, low privileges, user interaction, and high attack complexity, making this a lower-urgency finding despite the buffer overflow class. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog. The upstream fix is available as a GitHub pull request (#595), though a formally tagged patched release version has not been independently confirmed.

Integer Overflow Samsung Buffer Overflow Rlottie
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-51540 CRITICAL Act Now

Remote memory corruption in the OpENer EtherNet/IP stack (2.3.0 master branch up to commit 76b95cf) stems from an integer underflow while parsing connected explicit messages via the SendUnitData encapsulation command, allowing network attackers to corrupt memory on the target device. The CVSS 3.1 score of 9.8 (AV:N/PR:N) indicates unauthenticated remote exploitation with full confidentiality, integrity, and availability impact. A public gist by researcher MrAlaskan and a filed GitHub issue accompany the disclosure, so publicly available exploit code exists, though EPSS is low (0.15%, 5th percentile) and it is not on the CISA KEV list.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-51541 CRITICAL Act Now

OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. An attacker can send a valid ENIP SendRRData frame carrying a very short CIP payload whose path_size field claims that many more path words are present than are actually available. Because the parser trusts the attacker-controlled path_size and continues decoding path segments without a remaining-length boundary, it reads beyond the end of the stack receive buffer.

Buffer Overflow N A Information Disclosure
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51537 CRITICAL Act Now

Out-of-bounds read in the EIPStackGroup OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets a remote unauthenticated attacker send a crafted ENIP frame carrying a malformed CIP ForwardOpen/LargeForwardOpen request that drives the Connection Manager parser to read past the supplied request buffer, exposing adjacent memory or crashing the stack. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is reachable over the network with no authentication and low complexity, yielding high confidentiality and availability impact. No CISA KEV listing and no EPSS were supplied; no active exploitation is confirmed, though a referenced public gist appears to document the flaw and may contain proof-of-concept material.

Buffer Overflow Information Disclosure N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-51536 CRITICAL Act Now

Stack buffer overflow in the OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets remote attackers corrupt memory by sending a crafted CIP network packet whose length field is truncated into a negative value, bypassing bounds checks in DecodePaddedEPath. The CVSS vector (AV:N/PR:N/UI:N) indicates unauthenticated remote reachability with high confidentiality and availability impact; no public exploit is identified at time of analysis (not in CISA KEV), though a referenced gist and GitHub issue suggest researcher analysis and possible proof-of-concept material exist. As an OT/ICS protocol stack, exploitation would most plausibly cause denial of service or memory disclosure on embedded industrial devices.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-15506 HIGH POC This Week

Local privilege escalation in SecureAge CatchPulse endpoint protection (versions up to and including 10.9.3) stems from a heap-based buffer overflow in the kernel driver saappctl.sys, where an authenticated local user can corrupt kernel heap memory to gain code execution at ring 0. Publicly available exploit code exists (demonstrated in a YouTube proof-of-concept), but there is no public exploit identified as being used in active attacks and the issue is not on CISA KEV. The CVSS 4.0 base score of 7.1 reflects local-only reachability but full compromise of confidentiality, integrity, and availability on the host once triggered.

Heap Overflow Buffer Overflow Catchpulse
NVD VulDB GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-10667 HIGH PATCH This Week

Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.

Memory Corruption Buffer Overflow Denial Of Service Use After Free Privilege Escalation +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-10666 HIGH PATCH This Week

Out-of-bounds stack write in the Zephyr RTOS IPv4 address parser (parse_ipv4() in subsys/net/ip/utils.c) lets an attacker corrupt memory when an application resolves an attacker-influenced "a.b.c.d:port" string, causing at minimum denial of service and potentially control-flow hijack on the affected embedded device. The defect exists in every release from v1.9.0 through v4.4.0 and is reachable through the standard socket resolver (zsock_getaddrinfo), DNS server-string configuration, and the eswifi Wi-Fi DNS-response path. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor fix (two upstream commits and advisory GHSA-532c-7g7f-jhmh) is available.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-10665 HIGH PATCH This Week

Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the Zephyr project has published advisory GHSA-3wqm-wgx2-9367 and an upstream fix.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-10664 MEDIUM PATCH This Month

Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function `nrf_wifi_event_proc_get_power_save_info()` blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating `num_twt_flows` against `WIFI_MAX_TWT_FLOWS`, enabling heap/stack corruption of approximately 40 bytes per excess entry. No public exploit code exists and the flaw is not listed in CISA KEV, but the adjacent-network attack vector and the indirect over-the-air influence path via a rogue AP manipulating TWT sessions make this a meaningful risk in Wi-Fi 6 (802.11ax) deployment environments running Zephyr with `CONFIG_NRF70_STA_MODE`.

Memory Corruption Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-10663 MEDIUM PATCH This Month

Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. No public exploit identified at time of analysis, and no CISA KEV listing; the physical-access prerequisite substantially constrains the realistic attacker population.

Memory Corruption Buffer Overflow Denial Of Service Use After Free Zephyr
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15484 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (firmware 1.12B01) wireless access point lets an authenticated remote attacker corrupt memory through the ssi-driven /goform/tools_nslookup handler (function sub_41EC14), enabling likely remote code execution or device crash. The device is end-of-life and the vendor has stated it cannot confirm or fix the issue, so no official patch is expected. A public technical write-up describing the overflow exists on GitHub (VulDB-coordinated disclosure), but there is no confirmed active exploitation in CISA KEV.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-15483 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (v1.0R, firmware 1.12B01) dual-band access point lets an authenticated remote attacker corrupt memory via the ssi handler sub_41EC14, reachable through the /goform/tools_nslookup endpoint. Supplying an oversized nslookup_target value overruns a fixed buffer (CWE-120), enabling denial of service and likely arbitrary code execution on the device. No public exploit has been identified at time of analysis; the product is end-of-life and the vendor states it cannot confirm the flaw.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-15480 HIGH POC This Week

Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.

Buffer Overflow Stack Overflow Tew 635Brm
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-10660 MEDIUM PATCH This Month

Out-of-bounds write in Zephyr RTOS's Bluetooth BAP Broadcast Assistant (subsys/bluetooth/audio/bap_broadcast_assistant.c v4.4.0 and earlier) allows a BLE-adjacent attacker operating one or more malicious Scan Delegator peripherals to corrupt the target device's memory or cause a denial of service. The root cause is a file-static 512-byte att_buf (net_buf_simple) shared across all connection instances: when the Broadcast Assistant holds two or more concurrent BLE connections, concurrent GATT notification callbacks interleave writes into this buffer without tailroom checks, enabling writes past the BSS boundary into adjacent memory. No public exploit has been identified and exploitation requires high attack complexity, but the memory corruption primitive is serious for embedded/IoT targets where crash recovery may be unavailable.

Memory Corruption Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-56372 NuGet MEDIUM PATCH This Month

Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the limited local/interactive nature of the attack.

Heap Overflow Denial Of Service Buffer Overflow Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-41154 HIGH This Week

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows a non-privileged local user to corrupt kernel memory through crafted GPU API calls, potentially achieving privilege escalation. The flaw stems from incorrect buffer indexing in the sparse-memory page-freeing path when pages larger than 4kB are handled. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Buffer Overflow Memory Corruption Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-34196 HIGH This Week

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user trigger a use-after-free by abusing an integer overflow in GPU memory-mapping system calls. The flaw allows two GPU virtual addresses to alias the same physical page; freeing one mapping releases the page while the second dangling mapping retains read/write access, enabling cross-process memory disclosure and corruption. No public exploit is identified at time of analysis and EPSS is low (0.15%), but the local read/write UAF primitive is a strong stepping stone to kernel-level compromise.

Buffer Overflow Use After Free Memory Corruption Graphics Ddk
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55233 HIGH PATCH This Week

Denial of service in OpenResty 1.29.2.1 through 1.29.2.4 arises from an out-of-bounds write (CWE-787) in the upstream PROXY protocol v2 implementation; when the platform is configured to prepend PROXY protocol v2 headers to upstream connections, header construction in the stream proxy-protocol-v2 patch overruns its allocated buffer and crashes the worker process. Any environment that has explicitly enabled PROXY protocol v2 for upstream connections is affected, degrading availability without any impact to confidentiality or integrity. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; it is resolved in OpenResty 1.29.2.5.

Memory Corruption Denial Of Service Buffer Overflow Openresty
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-55687 HIGH PATCH This Week

Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.

Buffer Overflow Denial Of Service Stack Overflow Esp Idf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-54000 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-54001 HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

Privilege Escalation Heap Overflow Microsoft Buffer Overflow Osquery
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2026-14461 MEDIUM This Month

Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. No public exploit code and no CISA KEV listing exist at time of analysis, though the crash is described as deterministic once the attacker controls the DNS response.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.3%
CVE-2026-15028 LOW Monitor

Heap overflow in libarchive's PAX extended header parser allows exploitation via a maliciously crafted tar archive containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation of the affected system could result in a denial of service condition or, in more serious cases, arbitrary code execution under the privileges of the process invoking libarchive. No public exploit code or active exploitation has been confirmed at time of analysis, though a GitHub pull request (#3253) indicating an upstream fix is available suggests the issue is reproducible and patch-ready. The official CVSS score of 3.9 (Low) conflicts materially with the vendor-applied RCE tag, a discrepancy that warrants independent validation.

Denial Of Service RCE Heap Overflow Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
3.9
EPSS
0.3%
CVE-2026-40454 HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure Apache Iotdb C Client
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-40007 HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21057 MEDIUM This Month

Out-of-bounds memory write in Samsung Pass prior to version 5.2.10.3 enables local privileged attackers to corrupt process memory, producing high integrity and availability impact with limited confidentiality exposure. The root cause is improper input validation - a buffer overflow class defect - confirmed by Samsung's mobile security team and catalogued under EUVD-2026-42827. No public exploit code or CISA KEV listing has been identified; Samsung has released version 5.2.10.3 as the remediation.

Samsung Buffer Overflow
NVD
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-21049 HIGH This Week

Arbitrary code execution in Samsung's libpadm.so system library on Galaxy devices allows a local, low-privileged attacker to corrupt memory via an out-of-bounds write and run code in the context of the vulnerable component prior to the SMR Jul-2026 Release 1. The flaw was reported internally by Samsung Mobile Security and carries a CVSS 4.0 base score of 8.4 (high). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-21048 HIGH This Week

Out-of-bounds write in Samsung's Quram image codec library (libimagecodec.media.quram.so) on Samsung Android devices lets remote attackers corrupt memory outside allocated bounds by delivering a malformed DNG (Adobe Digital Negative) raw image, prior to the SMR Jul-2026 Release 1 patch level. The flaw carries CVSS 4.0 8.3 (High) with a network attack vector, no privileges and no user interaction, but a present attack requirement (AT:P). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-21045 HIGH This Week

Out-of-bounds memory write in the Quram image codec (libimagecodec.media.quram.so) used by Samsung mobile devices allows remote attackers to corrupt memory while the library parses a malformed TIFF image, affecting builds prior to SMR Jul-2026 Release 1. Reported by Samsung's own mobile security team, the flaw carries a CVSS 4.0 base score of 8.3 (High) with a network vector and no privileges or user interaction required, though an attack requirement (AT:P) indicates a specific precondition. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
CVSS 4.0
8.3
EPSS
0.4%
CVE-2026-21042 HIGH This Week

Local privilege-escalating code execution in Samsung's libsavsac.so native library (used in Galaxy devices running firmware prior to the SMR Jul-2026 Release 1) allows a low-privileged local attacker to trigger an out-of-bounds write and execute arbitrary code in the context of the affected component. The flaw was reported by Samsung's own Mobile Security team and carries a CVSS 4.0 base score of 8.4 (High). No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-49837 Go MEDIUM POC PATCH GHSA This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
5.9
CVE-2026-49836 PyPI MEDIUM POC PATCH GHSA This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow Docker Denial Of Service +1
NVD GitHub
CVE-2026-59857 MEDIUM PATCH This Month

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. No public exploit has been identified at time of analysis, and the impact is limited to availability (editor crash) with no confidentiality or integrity consequences.

Memory Corruption Buffer Overflow Vim
NVD GitHub VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-33799 MEDIUM PATCH This Month

Memory exhaustion in Juniper Networks Junos OS and Junos OS Evolved snmpd allows an authenticated network attacker to crash SNMP monitoring by sending specific valid SNMPv3 queries that trigger an out-of-bounds write and progressive memory leak. The snmpd process will exhaust available memory over time, crash, and restart, rendering SNMP-based network monitoring unavailable for the duration of each crash cycle. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the CVSS 4.0 supplemental metric AU:Y indicates the attack is automatable.

Memory Corruption Juniper Buffer Overflow Junos Junos Os Evolved
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2026-31267 MEDIUM This Month

Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-57021 MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-57019 HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-51603 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.

Buffer Overflow Tenda Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51602 HIGH This Week

Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.

Buffer Overflow Tenda Denial Of Service Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51601 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).

Buffer Overflow Tenda Stack Overflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-15194 LOW Monitor

Use-after-free in Open5GS 2.7.7's AMF component allows a local low-privileged user to access freed memory within the `amf_context_final` function in `src/amf/context.c`, producing a low-severity confidentiality exposure. Exploitation is strictly local - no network vector exists - and a public proof-of-concept is confirmed by the CVSS 4.0 E:P supplemental modifier. This vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of 1.9, reflecting its constrained real-world impact on what is a niche, telecom-research-oriented software stack.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-11404 HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-53720 PyPI MEDIUM PATCH GHSA This Month

Heap buffer overflow in pymonocypher's argon2i_32 function allows memory corruption when callers supply an undersized nb_blocks buffer, violating the library's API contract without triggering any bounds check. Applications using pymonocypher prior to version 4.0.2.8 that invoke the Argon2i password-hashing interface are at risk of heap corruption, which can produce crashes or potentially enable controlled memory writes. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed.

Heap Overflow Buffer Overflow
NVD GitHub
CVE-2026-60095 MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-60094 MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-15185 LOW POC PATCH Monitor

Out-of-bounds read in GPAC MP4Box version 26.03-DEV allows local low-privileged attackers to cause a low-severity availability impact by supplying a crafted input that manipulates the `num_langs` argument in the `vobsub_read_idx` function of `vobsub.c`. A proof-of-concept exploit has been publicly disclosed via GitHub issue #3611 and the CVSS 4.0 E:P modifier confirms its availability. Two upstream commits have been applied to address the flaw, though no standalone patched release version has been independently confirmed.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15182 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG up to version 0.13.4 allows local low-privileged attackers to corrupt heap memory via a specially crafted DWG file containing malicious BMP image data processed by the dwg_bmp function in src/dwg.c. A public proof-of-concept exploit (a crafted R13/R2000 .dwg file) has been disclosed on GitHub, raising the urgency for affected deployments that process untrusted DWG input. No confirmed active exploitation (CISA KEV) has been recorded, and a vendor-released patch in version 0.14 fully resolves the issue.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-58307 MEDIUM PATCH This Month

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58306 MEDIUM This Month

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine.

Heap Overflow Samsung Buffer Overflow Escargot
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58304 MEDIUM PATCH This Month

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat.

Samsung Buffer Overflow Information Disclosure Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-58303 MEDIUM This Month

Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.

Buffer Overflow Samsung Stack Overflow Escargot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-59692 HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59691 HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-57156 HIGH PATCH This Week

Heap-based buffer overflow in FreeRDP (the widely used open-source RDP client library) allows a malicious or compromised RDP server to corrupt client memory and potentially achieve remote code execution in the connecting client's context. The flaw lives in the primary drawing-order parser (update_read_delta_points in libfreerdp/core/orders.c), where an inverted integer-overflow guard let an attacker-controlled point count produce an undersized heap allocation followed by an out-of-bounds write. No public exploit identified at time of analysis; the issue is fixed in FreeRDP 3.28.0 (GHSA-v5wf-j8j4-77h7).

Heap Overflow Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.5%
CVE-2026-57158 MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-57158 meaningfully. The CVE description is absent, no CVSS vector or score has been published, and the only available intelligence signal is a single vendor source tag ('vendor:ubuntu'). No impact, attack vector, or affected component can be determined from the provided data. Security teams should treat this as an unresolved entry requiring direct vendor advisory lookup before any risk decision is made.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.5%
CVE-2026-3886 MEDIUM This Month

Integer overflow in the virtio-gpu driver's 2D image allocation path of the Linux kernel exposes virtualized guest systems to potential heap corruption. The flaw resides in an insufficient overflow check performed before allocating memory for a 2D image resource in the virtio-gpu paravirtualized GPU subsystem. An attacker or malicious process with access to GPU resource creation within an affected guest OS could trigger the overflow, potentially leading to out-of-bounds memory writes and kernel-level memory corruption. No public exploit or KEV listing is identified at time of analysis.

Buffer Overflow
NVD
CVE-2026-51605 HIGH This Week

Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.

Buffer Overflow Tenda Denial Of Service Stack Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-51604 HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.

Buffer Overflow Tenda Denial Of Service Stack Overflow N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57157 MEDIUM PATCH This Month

CVE-2026-57157 has no published description, CVSS score, or CWE at time of analysis. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating the vulnerability may affect a package in the Ubuntu ecosystem. No impact, affected versions, attack vector, or exploitation details can be determined from the available data. This analysis cannot characterize the vulnerability beyond acknowledging its existence and Ubuntu provenance.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.5%
CVE-2026-15114 HIGH PATCH This Week

Heap corruption in Google Chrome's Codecs component allows a remote attacker to trigger out-of-bounds read and write operations by luring a victim to open or play a crafted video file, affecting all desktop builds prior to 150.0.7871.115. Rated High by Chromium and CVSS 8.8, it requires user interaction (viewing malicious media) but no privileges, and combines information disclosure with potential memory corruption that could lead to code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-15108 MEDIUM PATCH This Month

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

Integer Overflow Buffer Overflow Google
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-15174 MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 is caused by a heap-based buffer overflow in the Catapult DCT2000 protocol dissector, crashing the application when a crafted capture file is opened. The CVSS local attack vector (AV:L) and required user interaction (UI:R) constrain exploitation to scenarios where an analyst is socially engineered into opening a malicious capture file - no remote or unauthenticated network exploitation path exists. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; vendor-released fixes are available in 4.6.7 and 4.4.17.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15173 MEDIUM PATCH This Month

The pcapng file parser in Wireshark 4.6.0 through 4.6.6 contains a heap-based buffer overflow (CWE-122) that crashes the application, resulting in denial of service. An attacker must convince a user to open a specially crafted pcapng capture file, making this a social-engineering-dependent attack with no network-facing exploitation path. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a vendor patch is available in Wireshark 4.6.7.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15170 MEDIUM PATCH This Month

Heap-based buffer overflow in Wireshark's Z39.50 protocol dissector crashes the application when processing malformed Z39.50 PDUs, resulting in denial of service. Affected versions span the 4.4.x branch (4.4.0-4.4.16) and 4.6.x branch (4.6.0-4.6.6). An attacker can trigger the crash by persuading an analyst to open a crafted packet capture file or by injecting malicious Z39.50 traffic onto a monitored network segment; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15169 HIGH PATCH This Week

Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. Publicly available exploit code exists (SSVC=poc) but it is not on CISA KEV, and EPSS is low at 0.14% (4th percentile), indicating minimal observed exploitation pressure.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-15167 MEDIUM PATCH This Month

Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2026-15166 MEDIUM PATCH This Month

Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.

Buffer Overflow Denial Of Service Stack Overflow Wireshark
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-15165 MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0 through 4.6.6 lets a remote attacker crash the application by feeding it a malformed TLS packet using the Encrypted Client Hello (ECH) extension, triggering a heap buffer overflow in the ECH decryptor. No authentication or user interaction beyond processing the traffic is required, though impact is limited to availability (analyzer crash) with no code execution or data disclosure claimed. Publicly available exploit code exists per SSVC (POC), EPSS is low at 0.14% (4th percentile), and it is not listed in CISA KEV.

Heap Overflow Denial Of Service Buffer Overflow Wireshark
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
EPSS 0% CVSS 7.0
HIGH This Week

Arbitrary code execution in Rockwell Automation Arena Simulation is possible through an out-of-bounds write in the model.exe (Siman) component when a victim opens a maliciously crafted simulation model file. The flaw lets an attacker run code in the context of the current user by tricking an operator or engineer into opening a booby-trapped file, making it a client-side, file-delivery RCE rather than a remotely reachable network service bug. No public exploit has been identified at time of analysis, and no EPSS or CISA KEV data was provided, so real-world exploitation appears limited to social-engineering-driven targeting.

Buffer Overflow Memory Corruption RCE +1
NVD
EPSS 0% CVSS 7.4
HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets remote attackers corrupt memory by manipulating the 'page' argument of the fromSafeMacFilter handler at /goform/SafeMacFilter. Publicly available exploit code exists, though there is no public exploit identified as being used in active campaigns and it is not listed in CISA KEV. Successful exploitation can crash the device or potentially achieve code execution on the router's embedded OS. EPSS data was not provided.

Tenda Buffer Overflow Stack Overflow +1
NVD VulDB GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Out-of-bounds read in Citrix Secure Access Client for Windows (all versions before 26.6.1.20) enables a local low-privileged attacker to read memory beyond an allocated buffer boundary, resulting in high confidentiality impact with no integrity or availability consequence. The CVSS 4.0 score of 6.8 reflects the local attack vector and low-privilege requirement, meaning an attacker must already hold a foothold on the endpoint. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis.

Citrix Buffer Overflow Microsoft +2
NVD VulDB
EPSS 1% CVSS 7.4
HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro router firmware 16.03.66.23 lets an authenticated remote attacker corrupt memory via the fromSafeUrlFilter handler at /goform/SafeUrlFilter by supplying an oversized 'page' parameter. Publicly available exploit code exists (published via VulDB), though the flaw is not listed in CISA KEV and no active exploitation has been confirmed. The CVSS 4.0 vector (7.4, PR:L) indicates network reachability with low-privilege authentication and high impact to confidentiality, integrity, and availability of the device.

Tenda Buffer Overflow Stack Overflow +1
NVD VulDB GitHub
EPSS 1% CVSS 7.4
HIGH POC This Week

Stack-based buffer overflow in the Tenda BE12 Pro (firmware 16.03.66.23) web management interface lets an attacker corrupt memory by supplying an oversized 'page' argument to the fromSafeClientFilter handler at /goform/SafeClientFilter, potentially crashing the device or executing arbitrary code with router privileges. Per the CVSS 4.0 vector the flaw is network-reachable but requires low-level privileges (PR:L). Publicly available exploit code exists (disclosed via VulDB), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

Tenda Buffer Overflow Stack Overflow +1
NVD VulDB GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Out-of-bounds read in libsoup 3.6.6 exposes WebSocket clients to memory disclosure and crashes when connecting to malicious servers. The incomplete fix for CVE-2026-0716 (commit 6ff7ef0) placed the integer overflow guard exclusively inside the masked-frame branch, leaving the unmasked server-to-client frame path entirely unprotected - allowing a crafted payload length near UINT64_MAX to bypass the guard entirely. No public exploit code or active exploitation (CISA KEV) has been identified, but the CVSS AC:H rating reflects the non-trivial preconditions: a specific client configuration and attacker-controlled server are both required.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10
NVD
EPSS 0% CVSS 2.0
LOW Monitor

Buffer overflow in SUSE Virtual Machine Driver Pack allows a local attacker with registry modification rights to corrupt driver integrity. Affected are all versions of the pack before upstream commit e7a602ec232756ead019bdf19d6d3b9d010cc94b, targeting virtualized guest environments running SUSE's paravirtual drivers. No public exploit exists and the vendor explicitly states no feasible exploitation path is currently known; no public exploit identified at time of analysis.

Buffer Overflow Virtual Machine Driver Pack
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Memory corruption in SAP NetWeaver Application Server ABAP lets an authenticated attacker exploit logical flaws in memory management (an out-of-bounds write) to read or alter data and crash the system, with high impact on confidentiality, integrity, and availability. SAP rates it CVSS 9.9 with a changed scope, meaning a low-privileged user can affect components beyond their own authorization boundary. There is no public exploit identified at time of analysis, but the low attack complexity and network reachability make it a high-priority patch for any exposed ABAP stack.

Buffer Overflow SAP Memory Corruption +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in aMule 2.3.3 lets a remote eD2k server crash the client by sending a malformed OP_SERVERMESSAGE packet that overflows a stack buffer (CWE-121). The flaw is triggered client-side when parsing server-supplied message data, so any hostile or spoofed server the client connects to can terminate the application. No public exploit has been identified at time of analysis, and the issue is documented only as an upstream bug report (amule GitHub issue #445), not a released patch.

Buffer Overflow Stack Overflow Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Heap out-of-bounds read in the Crypt::OpenSSL::X509 Perl module (versions before 2.1.3) lets a crafted X.509 certificate leak adjacent heap memory to an application that enumerates certificate extensions. When code calls extensions(), extensions_by_long_name(), extensions_by_oid(), or has_extension_oid(), a certificate extension whose textual OID exceeds the fixed 129-byte buffer causes the returned hash key to include bytes read past the allocation, exposing process memory and risking a crash. No public exploit is identified at time of analysis and it is not in CISA KEV, but the fix is confirmed in release 2.1.3 and the flaw is trivially triggerable by any attacker who can supply a certificate.

OpenSSL Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Out-of-bounds read in Blender 3.0.0 through 5.1.2 allows an attacker to crash the application or disclose heap memory contents by convincing a user to open a specially crafted .blend file containing a malicious member_index value in the SDNA block. The vulnerability stems from missing bounds validation on a signed short index used directly as an array subscript in sdna_expand_names(), enabling both denial-of-service via SIGSEGV and limited heap memory disclosure. No public exploit code or active exploitation has been identified at time of analysis, but the file-based attack vector makes social engineering a realistic delivery mechanism.

Buffer Overflow Information Disclosure Blender
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. There is no public exploit identified at time of analysis, though the fixing commit ships a deterministic reproducer test, and the flaw is not listed in CISA KEV.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. No public exploit is identified at time of analysis; the flaw was reported by CPANSec with vendor patches already committed upstream.

Buffer Overflow Integer Overflow Perl
NVD GitHub VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.

Stack Overflow RCE Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.

Integer Overflow Buffer Overflow Gawk
NVD VulDB
EPSS 1% CVSS 7.4
HIGH This Week

Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Out-of-bounds write in the Shibby Tomato router firmware (versions up to and including 1.28.0000) lets authenticated remote users corrupt memory through the apcupsd web component. The flaw sits in the main() function of www/apcupsd/tomatodata.cgi, where crafted input reaches an out-of-bounds write (CWE-787) that can crash the CGI or potentially execute code on the router. Publicly available exploit code exists (via VulDB/Gitee), but there is no confirmed active exploitation; note that this project has been superseded by FreshTomato and is effectively end-of-life.

Memory Corruption Buffer Overflow Tomato
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Buffer overflow in the Tenda CH22 router (firmware 1.0.0.1) allows a remote, authenticated attacker to corrupt memory by supplying an overlong 'Name' argument to the formCertListInfo function in the /goform/CertListInfo endpoint. The flaw was disclosed by VulDB with publicly available exploit code, and the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV, so this is a proof-of-concept-stage issue rather than confirmed in-the-wild abuse.

Tenda Buffer Overflow Ch22
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation to SYSTEM in WinFsp (Windows File System Proxy) stems from an integer overflow (CWE-190) that a low-privileged local user can trigger to achieve system-level access on the host. The flaw crosses a privilege boundary (CVSS scope change) and is fixed in release v2.2B2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is theoretical but the SYSTEM-level impact makes it a meaningful local escalation risk.

Integer Overflow Buffer Overflow Winfsp
NVD GitHub VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG 0.13.4-154-g0b573035 allows a local low-privileged attacker to corrupt heap memory by supplying a crafted DWG file processed through the R2004 section decompressor, yielding partial confidentiality, integrity, and availability impact. The vulnerability resides in `decompress_R2004_section` within `src/decode.c` and is exploitable whenever LibreDWG parses attacker-controlled R2004-format DWG content. A public proof-of-concept exploit file has been disclosed on GitHub; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM This Month

Integer overflow in Samsung's open-source rlottie animation rendering library leads to buffer overflow, with high availability impact including potential crash or memory corruption. Exploitation requires local access, low privileges, user interaction, and high attack complexity, making this a lower-urgency finding despite the buffer overflow class. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog. The upstream fix is available as a GitHub pull request (#595), though a formally tagged patched release version has not been independently confirmed.

Integer Overflow Samsung Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

Remote memory corruption in the OpENer EtherNet/IP stack (2.3.0 master branch up to commit 76b95cf) stems from an integer underflow while parsing connected explicit messages via the SendUnitData encapsulation command, allowing network attackers to corrupt memory on the target device. The CVSS 3.1 score of 9.8 (AV:N/PR:N) indicates unauthenticated remote exploitation with full confidentiality, integrity, and availability impact. A public gist by researcher MrAlaskan and a filed GitHub issue accompany the disclosure, so publicly available exploit code exists, though EPSS is low (0.15%, 5th percentile) and it is not on the CISA KEV list.

Buffer Overflow Integer Overflow N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

OpENer 2.3.0 (commit 76b95cf) has an out-of-bounds read issue in CIP message parsing when handling malformed explicit requests with a forged EPath size. An attacker can send a valid ENIP SendRRData frame carrying a very short CIP payload whose path_size field claims that many more path words are present than are actually available. Because the parser trusts the attacker-controlled path_size and continues decoding path segments without a remaining-length boundary, it reads beyond the end of the stack receive buffer.

Buffer Overflow N A Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Out-of-bounds read in the EIPStackGroup OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets a remote unauthenticated attacker send a crafted ENIP frame carrying a malformed CIP ForwardOpen/LargeForwardOpen request that drives the Connection Manager parser to read past the supplied request buffer, exposing adjacent memory or crashing the stack. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N) it is reachable over the network with no authentication and low complexity, yielding high confidentiality and availability impact. No CISA KEV listing and no EPSS were supplied; no active exploitation is confirmed, though a referenced public gist appears to document the flaw and may contain proof-of-concept material.

Buffer Overflow Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL Act Now

Stack buffer overflow in the OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets remote attackers corrupt memory by sending a crafted CIP network packet whose length field is truncated into a negative value, bypassing bounds checks in DecodePaddedEPath. The CVSS vector (AV:N/PR:N/UI:N) indicates unauthenticated remote reachability with high confidentiality and availability impact; no public exploit is identified at time of analysis (not in CISA KEV), though a referenced gist and GitHub issue suggest researcher analysis and possible proof-of-concept material exist. As an OT/ICS protocol stack, exploitation would most plausibly cause denial of service or memory disclosure on embedded industrial devices.

Buffer Overflow Integer Overflow N A
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

Local privilege escalation in SecureAge CatchPulse endpoint protection (versions up to and including 10.9.3) stems from a heap-based buffer overflow in the kernel driver saappctl.sys, where an authenticated local user can corrupt kernel heap memory to gain code execution at ring 0. Publicly available exploit code exists (demonstrated in a YouTube proof-of-concept), but there is no public exploit identified as being used in active attacks and the issue is not on CISA KEV. The CVSS 4.0 base score of 7.1 reflects local-only reachability but full compromise of confidentiality, integrity, and availability on the host once triggered.

Heap Overflow Buffer Overflow Catchpulse
NVD VulDB GitHub
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.

Memory Corruption Buffer Overflow Denial Of Service +3
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds stack write in the Zephyr RTOS IPv4 address parser (parse_ipv4() in subsys/net/ip/utils.c) lets an attacker corrupt memory when an application resolves an attacker-influenced "a.b.c.d:port" string, causing at minimum denial of service and potentially control-flow hijack on the affected embedded device. The defect exists in every release from v1.9.0 through v4.4.0 and is reachable through the standard socket resolver (zsock_getaddrinfo), DNS server-string configuration, and the eswifi Wi-Fi DNS-response path. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor fix (two upstream commits and advisory GHSA-532c-7g7f-jhmh) is available.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the Zephyr project has published advisory GHSA-3wqm-wgx2-9367 and an upstream fix.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function `nrf_wifi_event_proc_get_power_save_info()` blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating `num_twt_flows` against `WIFI_MAX_TWT_FLOWS`, enabling heap/stack corruption of approximately 40 bytes per excess entry. No public exploit code exists and the flaw is not listed in CISA KEV, but the adjacent-network attack vector and the indirect over-the-air influence path via a rogue AP manipulating TWT sessions make this a meaningful risk in Wi-Fi 6 (802.11ax) deployment environments running Zephyr with `CONFIG_NRF70_STA_MODE`.

Memory Corruption Buffer Overflow Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. No public exploit identified at time of analysis, and no CISA KEV listing; the physical-access prerequisite substantially constrains the realistic attacker population.

Memory Corruption Buffer Overflow Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (firmware 1.12B01) wireless access point lets an authenticated remote attacker corrupt memory through the ssi-driven /goform/tools_nslookup handler (function sub_41EC14), enabling likely remote code execution or device crash. The device is end-of-life and the vendor has stated it cannot confirm or fix the issue, so no official patch is expected. A public technical write-up describing the overflow exists on GitHub (VulDB-coordinated disclosure), but there is no confirmed active exploitation in CISA KEV.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
EPSS 0% CVSS 8.7
HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (v1.0R, firmware 1.12B01) dual-band access point lets an authenticated remote attacker corrupt memory via the ssi handler sub_41EC14, reachable through the /goform/tools_nslookup endpoint. Supplying an oversized nslookup_target value overruns a fixed buffer (CWE-120), enabling denial of service and likely arbitrary code execution on the device. No public exploit has been identified at time of analysis; the product is end-of-life and the vendor states it cannot confirm the flaw.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
EPSS 0% CVSS 7.4
HIGH POC This Week

Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.

Buffer Overflow Stack Overflow Tew 635Brm
NVD VulDB GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Out-of-bounds write in Zephyr RTOS's Bluetooth BAP Broadcast Assistant (subsys/bluetooth/audio/bap_broadcast_assistant.c v4.4.0 and earlier) allows a BLE-adjacent attacker operating one or more malicious Scan Delegator peripherals to corrupt the target device's memory or cause a denial of service. The root cause is a file-static 512-byte att_buf (net_buf_simple) shared across all connection instances: when the Broadcast Assistant holds two or more concurrent BLE connections, concurrent GATT notification callbacks interleave writes into this buffer without tailroom checks, enabling writes past the BSS boundary into adjacent memory. No public exploit has been identified and exploitation requires high attack complexity, but the memory corruption primitive is serious for embedded/IoT targets where crash recovery may be unavailable.

Memory Corruption Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the limited local/interactive nature of the attack.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Out-of-bounds kernel memory read/write in Imagination Technologies Graphics DDK (the driver kit for PowerVR GPUs) allows a non-privileged local user to corrupt kernel memory through crafted GPU API calls, potentially achieving privilege escalation. The flaw stems from incorrect buffer indexing in the sparse-memory page-freeing path when pages larger than 4kB are handled. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Buffer Overflow Memory Corruption Graphics Ddk
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation in Imagination Technologies' Graphics DDK (PowerVR GPU driver) lets a non-privileged user trigger a use-after-free by abusing an integer overflow in GPU memory-mapping system calls. The flaw allows two GPU virtual addresses to alias the same physical page; freeing one mapping releases the page while the second dangling mapping retains read/write access, enabling cross-process memory disclosure and corruption. No public exploit is identified at time of analysis and EPSS is low (0.15%), but the local read/write UAF primitive is a strong stepping stone to kernel-level compromise.

Buffer Overflow Use After Free Memory Corruption +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in OpenResty 1.29.2.1 through 1.29.2.4 arises from an out-of-bounds write (CWE-787) in the upstream PROXY protocol v2 implementation; when the platform is configured to prepend PROXY protocol v2 headers to upstream connections, header construction in the stream proxy-protocol-v2 patch overruns its allocated buffer and crashes the worker process. Any environment that has explicitly enabled PROXY protocol v2 for upstream connections is affected, degrading availability without any impact to confidentiality or integrity. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; it is resolved in OpenResty 1.29.2.5.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard (unprivileged) user escalate to SYSTEM by planting a maliciously crafted process whose Process Environment Block (PEB) contains oversized command-line or current-directory strings. When the osquery agent - typically running as SYSTEM - queries the `processes` table against that process, unchecked PEB string lengths trigger a heap-based out-of-bounds write (CWE-122). No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Privilege Escalation Heap Overflow Microsoft +2
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Local privilege escalation in osquery on Windows prior to 5.23.1 lets a standard user escalate to SYSTEM by planting a maliciously crafted binary and having the authenticode table query it, triggering a heap out-of-bounds write in the getOriginalProgramName publisher-parsing routine. The flaw is a CWE-122 heap buffer overflow reachable whenever osquery (typically running as SYSTEM) evaluates authenticode publisher metadata against attacker-controlled files. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS was not provided.

Privilege Escalation Heap Overflow Microsoft +2
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM This Month

Out-of-bounds read in mtr's ipinfo_lookup() function allows a DNS-layer attacker to reliably crash the tool by serving a crafted TXT response during AS-number lookups. mtr through version 0.96 is affected; the root cause is that dn_expand() receives the total response length as its boundary argument rather than the safe, validated packet end - so a >512-byte response carrying a malicious compression pointer in the answer NAME field directs the read past the buffer. No public exploit code and no CISA KEV listing exist at time of analysis, though the crash is described as deterministic once the attacker controls the DNS response.

Buffer Overflow Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 3.9
LOW Monitor

Heap overflow in libarchive's PAX extended header parser allows exploitation via a maliciously crafted tar archive containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation of the affected system could result in a denial of service condition or, in more serious cases, arbitrary code execution under the privileges of the process invoking libarchive. No public exploit code or active exploitation has been confirmed at time of analysis, though a GitHub pull request (#3253) indicating an upstream fix is available suggests the issue is reproducible and patch-ready. The official CVSS score of 3.9 (Low) conflicts materially with the vendor-applied RCE tag, a discrepancy that warrants independent validation.

Denial Of Service RCE Heap Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Out-of-bounds memory write in Samsung Pass prior to version 5.2.10.3 enables local privileged attackers to corrupt process memory, producing high integrity and availability impact with limited confidentiality exposure. The root cause is improper input validation - a buffer overflow class defect - confirmed by Samsung's mobile security team and catalogued under EUVD-2026-42827. No public exploit code or CISA KEV listing has been identified; Samsung has released version 5.2.10.3 as the remediation.

Samsung Buffer Overflow
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Samsung's libpadm.so system library on Galaxy devices allows a local, low-privileged attacker to corrupt memory via an out-of-bounds write and run code in the context of the vulnerable component prior to the SMR Jul-2026 Release 1. The flaw was reported internally by Samsung Mobile Security and carries a CVSS 4.0 base score of 8.4 (high). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds write in Samsung's Quram image codec library (libimagecodec.media.quram.so) on Samsung Android devices lets remote attackers corrupt memory outside allocated bounds by delivering a malformed DNG (Adobe Digital Negative) raw image, prior to the SMR Jul-2026 Release 1 patch level. The flaw carries CVSS 4.0 8.3 (High) with a network attack vector, no privileges and no user interaction, but a present attack requirement (AT:P). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds memory write in the Quram image codec (libimagecodec.media.quram.so) used by Samsung mobile devices allows remote attackers to corrupt memory while the library parses a malformed TIFF image, affecting builds prior to SMR Jul-2026 Release 1. Reported by Samsung's own mobile security team, the flaw carries a CVSS 4.0 base score of 8.3 (High) with a network vector and no privileges or user interaction required, though an attack requirement (AT:P) indicates a specific precondition. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege-escalating code execution in Samsung's libsavsac.so native library (used in Galaxy devices running firmware prior to the SMR Jul-2026 Release 1) allows a low-privileged local attacker to trigger an out-of-bounds write and execute arbitrary code in the context of the affected component. The flaw was reported by Samsung's own Mobile Security team and carries a CVSS 4.0 base score of 8.4 (High). No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
CVSS 5.9
MEDIUM POC PATCH This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. No public exploit has been identified at time of analysis, and the impact is limited to availability (editor crash) with no confidentiality or integrity consequences.

Memory Corruption Buffer Overflow Vim
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in Juniper Networks Junos OS and Junos OS Evolved snmpd allows an authenticated network attacker to crash SNMP monitoring by sending specific valid SNMPv3 queries that trigger an out-of-bounds write and progressive memory leak. The snmpd process will exhaust available memory over time, crash, and restart, rendering SNMP-based network monitoring unavailable for the duration of each crash cycle. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the CVSS 4.0 supplemental metric AU:Y indicates the attack is automatable.

Memory Corruption Juniper Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).

Buffer Overflow Tenda Stack Overflow
NVD GitHub
EPSS 0% CVSS 1.9
LOW Monitor

Use-after-free in Open5GS 2.7.7's AMF component allows a local low-privileged user to access freed memory within the `amf_context_final` function in `src/amf/context.c`, producing a low-severity confidentiality exposure. Exploitation is strictly local - no network vector exists - and a public proof-of-concept is confirmed by the CVSS 4.0 E:P supplemental modifier. This vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of 1.9, reflecting its constrained real-world impact on what is a niche, telecom-research-oriented software stack.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
MEDIUM PATCH This Month

Heap buffer overflow in pymonocypher's argon2i_32 function allows memory corruption when callers supply an undersized nb_blocks buffer, violating the library's API contract without triggering any bounds check. Applications using pymonocypher prior to version 4.0.2.8 that invoke the Argon2i password-hashing interface are at risk of heap corruption, which can produce crashes or potentially enable controlled memory writes. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed.

Heap Overflow Buffer Overflow
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Out-of-bounds read in GPAC MP4Box version 26.03-DEV allows local low-privileged attackers to cause a low-severity availability impact by supplying a crafted input that manipulates the `num_langs` argument in the `vobsub_read_idx` function of `vobsub.c`. A proof-of-concept exploit has been publicly disclosed via GitHub issue #3611 and the CVSS 4.0 E:P modifier confirms its availability. Two upstream commits have been applied to address the flaw, though no standalone patched release version has been independently confirmed.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG up to version 0.13.4 allows local low-privileged attackers to corrupt heap memory via a specially crafted DWG file containing malicious BMP image data processed by the dwg_bmp function in src/dwg.c. A public proof-of-concept exploit (a crafted R13/R2000 .dwg file) has been disclosed on GitHub, raising the urgency for affected deployments that process untrusted DWG input. No confirmed active exploitation (CISA KEV) has been recorded, and a vendor-released patch in version 0.14 fully resolves the issue.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis.

Samsung Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine.

Heap Overflow Samsung Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat.

Samsung Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.

Buffer Overflow Samsung Stack Overflow +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow +5
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow +5
NVD
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Heap-based buffer overflow in FreeRDP (the widely used open-source RDP client library) allows a malicious or compromised RDP server to corrupt client memory and potentially achieve remote code execution in the connecting client's context. The flaw lives in the primary drawing-order parser (update_read_delta_points in libfreerdp/core/orders.c), where an inverted integer-overflow guard let an attacker-controlled point count produce an undersized heap allocation followed by an out-of-bounds write. No public exploit identified at time of analysis; the issue is fixed in FreeRDP 3.28.0 (GHSA-v5wf-j8j4-77h7).

Heap Overflow Buffer Overflow Freerdp
NVD GitHub VulDB
EPSS 1% CVSS 5.1
MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-57158 meaningfully. The CVE description is absent, no CVSS vector or score has been published, and the only available intelligence signal is a single vendor source tag ('vendor:ubuntu'). No impact, attack vector, or affected component can be determined from the provided data. Security teams should treat this as an unresolved entry requiring direct vendor advisory lookup before any risk decision is made.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
MEDIUM This Month

Integer overflow in the virtio-gpu driver's 2D image allocation path of the Linux kernel exposes virtualized guest systems to potential heap corruption. The flaw resides in an insufficient overflow check performed before allocating memory for a 2D image resource in the virtio-gpu paravirtualized GPU subsystem. An attacker or malicious process with access to GPU resource creation within an affected guest OS could trigger the overflow, potentially leading to out-of-bounds memory writes and kernel-level memory corruption. No public exploit or KEV listing is identified at time of analysis.

Buffer Overflow
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-57157 has no published description, CVSS score, or CWE at time of analysis. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating the vulnerability may affect a package in the Ubuntu ecosystem. No impact, affected versions, attack vector, or exploitation details can be determined from the available data. This analysis cannot characterize the vulnerability beyond acknowledging its existence and Ubuntu provenance.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's Codecs component allows a remote attacker to trigger out-of-bounds read and write operations by luring a victim to open or play a crafted video file, affecting all desktop builds prior to 150.0.7871.115. Rated High by Chromium and CVSS 8.8, it requires user interaction (viewing malicious media) but no privileges, and combines information disclosure with potential memory corruption that could lead to code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

Integer Overflow Buffer Overflow Google
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 is caused by a heap-based buffer overflow in the Catapult DCT2000 protocol dissector, crashing the application when a crafted capture file is opened. The CVSS local attack vector (AV:L) and required user interaction (UI:R) constrain exploitation to scenarios where an analyst is socially engineered into opening a malicious capture file - no remote or unauthenticated network exploitation path exists. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; vendor-released fixes are available in 4.6.7 and 4.4.17.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The pcapng file parser in Wireshark 4.6.0 through 4.6.6 contains a heap-based buffer overflow (CWE-122) that crashes the application, resulting in denial of service. An attacker must convince a user to open a specially crafted pcapng capture file, making this a social-engineering-dependent attack with no network-facing exploitation path. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a vendor patch is available in Wireshark 4.6.7.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap-based buffer overflow in Wireshark's Z39.50 protocol dissector crashes the application when processing malformed Z39.50 PDUs, resulting in denial of service. Affected versions span the 4.4.x branch (4.4.0-4.4.16) and 4.6.x branch (4.6.0-4.6.6). An attacker can trigger the crash by persuading an analyst to open a crafted packet capture file or by injecting malicious Z39.50 traffic onto a monitored network segment; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. Publicly available exploit code exists (SSVC=poc) but it is not on CISA KEV, and EPSS is low at 0.14% (4th percentile), indicating minimal observed exploitation pressure.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0 through 4.6.6 lets a remote attacker crash the application by feeding it a malformed TLS packet using the Encrypted Client Hello (ECH) extension, triggering a heap buffer overflow in the ECH decryptor. No authentication or user interaction beyond processing the traffic is required, though impact is limited to availability (analyzer crash) with no code execution or data disclosure claimed. Publicly available exploit code exists per SSVC (POC), EPSS is low at 0.14% (4th percentile), and it is not listed in CISA KEV.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
Prev Page 4 of 401 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy