Buffer Overflow
Monthly
Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. A POC is referenced by CISA's SSVC assessment (no public exploit code independently identified), it is not in CISA KEV, and EPSS is very low at 0.10% (1st percentile), indicating minimal likelihood of widespread exploitation.
Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.
Server-controlled buffer overflow in Das U-Boot (bootloader) through 2026.04-rc3 lets a malicious or compromised NFS server corrupt memory in an U-Boot client built with CONFIG_CMD_NFS. The flaw lives in nfs_readlink_reply() (net/nfs-common.c), where relative symlink targets from consecutive READLINK responses are appended to the fixed 2048-byte nfs_path_buff without cumulative length checks; two responses of ~1100 bytes each overflow it and clobber adjacent BSS state (nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, rpc_id), giving control over the NFS client state machine. Reported by VulnCheck with a CVSS 4.0 base score of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. No public exploit identified at time of analysis; not listed in CISA KEV.
Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.
Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.
Heap-buffer-overflow read in ImageMagick's GetPixelIndex function exposes limited heap memory contents and can cause partial availability impact in affected 6.x and 7.x branches before the patched releases. The root cause is a metadata-allocation race in OpenPixelCache, which updates image channel metadata before confirming successful pixel cache memory allocation, leaving GetPixelIndex to operate on stale channel counts. Exploitation requires high privilege access and the ability to induce memory or disk allocation failures, yielding only limited confidentiality and availability impact; no public exploit code and no CISA KEV listing are associated with this CVE.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.
Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.
Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin processes abnormally constructed signature objects: JavaScript triggers signature verification, but the plugin copies an anomalous string without validating its arguments, corrupting memory. A local victim who opens a crafted PDF is affected, and while the vendor describes the outcome as an application crash, the CVSS High confidentiality/integrity/availability impacts indicate potential for code execution. No public exploit identified at time of analysis.
Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.
Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.
Out-of-bounds memory access in Foxit PDF Editor and Foxit PDF Reader occurs when the application parses a malformed Unity 3D object embedded in a PDF, resolving attacker-influenced data as a pointer and dereferencing it as a valid address. A victim who opens a crafted PDF triggers the flaw (CVSS 7.8, UI:R), which manifests as a crash but, given the CWE-787 out-of-bounds write classification and High confidentiality/integrity/availability impact, carries potential for memory corruption and code execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 24.1.13) allows a local user holding an X connection to corrupt heap memory by supplying a malicious PCX font. The flaw lives in the SetFont code path, where missing glyph boundary checks let an oversized or malformed glyph write past its heap allocation, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis; EPSS is low at 0.28% and CISA SSVC rates exploitation as none.
Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X server by supplying a malformed PCF font that trips missing glyph bounds checking in pcfReadFont(). Because X servers frequently run with elevated (often root) privileges, a successful exploit can escalate from a low-privileged client to full host compromise. No public exploit is identified at time of analysis and CISA SSVC rates current exploitation as none, but the technical impact is rated total.
Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. There is no public exploit identified at time of analysis; EPSS is modest at 0.58% and CISA SSVC rates exploitation as 'none' with 'total' technical impact.
Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS is low at 0.37% (29th percentile), consistent with the SSVC finding of no observed exploitation despite total technical impact.
Session Extension information disclosure in SQLite before Fossil check-in 869a51ae84df exposes sensitive process memory when adversarially crafted changesets are processed through the changeset concat or changegroup merge code paths. A local attacker who can deliver a malicious changeset to an application using the Session Extension API can leak heap memory contents and likely crash the process, yielding both low confidentiality and high availability impact consistent with an out-of-bounds read pattern. No active exploitation has been confirmed by CISA KEV, though a researcher gist is referenced that may represent proof-of-concept material; no public exploit is independently confirmed at time of analysis.
Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.
Arbitrary code execution in an unnamed ICS/OT application arises from a use-after-free (CWE-416) triggered when the software parses a specially crafted file, letting an attacker run code in the context of the current process. The flaw was reported through CISA's ICS-CERT (advisory ICSA-26-188-06) and carries a CVSS 4.0 base score of 8.4; exploitation is local and requires a user to open the malicious file. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV.
Arbitrary code execution via an out-of-bounds write (CWE-787) affects an industrial control system product covered by CISA ICS advisory ICSA-26-188-06, where an attacker can corrupt memory past an allocated buffer to run code in the context of the affected application. The CVSS 4.0 vector (AV:L/UI:A) indicates the flaw is triggered locally and requires a victim to actively interact - consistent with opening a malicious file or project in engineering/HMI software. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high-impact memory corruption and DHS ICS-CERT reporting warrant prompt patching in OT environments.
Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.
Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).
Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.
Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.
Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to corrupt heap memory and likely crash the LDAP service. The flaw triggers when the server processes an LDAP operation - such as a search request - whose base DN contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), causing an out-of-bounds write during RDN attribute-value pair sorting. Per the confirmed CVSS vector (PR:N), no authentication is required; no public exploit code or CISA KEV listing has been identified at time of analysis.
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. There is no public exploit identified at time of analysis, and this flaw is distinct from the earlier CVE-2025-14905 schema.c overflow, which did not fix this code path.
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in read_RLE_channel(), producing an undersized heap allocation for the RLE row-length table that is then overwritten row-by-row, potentially yielding denial of service or arbitrary code execution. The flaw affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9 and is triggered when a victim opens or imports a crafted PSD file. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.
Local privilege escalation via memory corruption in Qualcomm Snapdragon platforms occurs when asynchronous input parameters are validated and then re-read after modification, a time-of-check/time-of-use race that yields total compromise of confidentiality, integrity, and availability. Affecting a broad range of Snapdragon connectivity, WCD codec, WSA, and compute SoCs, a local low-privileged attacker who can win the race can corrupt memory and gain elevated code execution. No public exploit has been identified at time of analysis and EPSS is negligible (0.09%), but the CVSS 7.0 and 'total' SSVC technical impact make it a meaningful firmware/driver patch target.
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon firmware triggers an out-of-bounds write (CWE-787) when prepared commands are updated using invalid port indices supplied from user space that exceed supported read client limits. The vulnerability spans an exceptionally broad portfolio of Snapdragon chipsets covering mobile, automotive, XR/AR, and connectivity platforms. No public exploit has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and the flaw as non-automatable, though the changed scope (S:C) in the CVSS vector indicates impact can propagate beyond the directly vulnerable firmware component.
Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with sizes exceeding the maximum allowed value corrupts adjacent memory (CWE-126, buffer over-read/overflow). A local attacker with low privileges (PR:L) and no user interaction can compromise confidentiality, integrity, and availability (all High), scoring CVSS 7.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon silicon allows a local low-privileged attacker to trigger an out-of-bounds write (CWE-787) by submitting input with a buffer plane count or batch size exceeding the maximum allowed value. The scope change in the CVSS vector (S:C) indicates the corruption can escape the vulnerable component's security boundary, yielding partial confidentiality, integrity, and availability impact on an adjacent system component. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms no known exploitation and non-automatable attack conditions.
Out-of-bounds write in Qualcomm Snapdragon's flash command handler allows a local low-privileged attacker to corrupt memory by exploiting a race condition between userspace LED count modifications and kernel-side flash command processing. The CVSS scope change (S:C) indicates the corruption can reach components beyond the immediately vulnerable driver - raising the potential for privilege escalation on affected Snapdragon-based devices. No public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). Qualcomm disclosed this in its July 2026 Security Bulletin; no public exploit identified at time of analysis.
Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.
Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to trigger access of already-freed memory by issuing multiple IOCTL calls that reference the same buffer file descriptor. A successful attacker gains full compromise of confidentiality, integrity, and availability on the affected device, which in practice can mean kernel-level code execution or privilege escalation from an unprivileged app. There is no public exploit identified at time of analysis, EPSS is negligible (0.09%, 1st percentile), and CISA SSVC records no known exploitation.
Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-after-free condition in the device driver's input/output control (ioctl) path for mapping and unmapping persistent memory buffers can be triggered by an authenticated local application. Improper synchronization on these operations lets a low-privileged process corrupt kernel memory to gain full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.09%), consistent with CISA SSVC scoring exploitation as none.
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
Heap overflow in OP-TEE's ARM Crypto Extensions SHA-3 implementation corrupts TEE kernel memory across all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ SHA3 extensions). The off-by-one error in the accelerated SHA-3 path overwrites memory beyond the hash state buffer, potentially corrupting all TEE kernel heap memory that follows. Affected versions span 3.21.0 through 4.11.0, and no public exploit has been identified at time of analysis, though the memory corruption primitive is significant in the context of a secure enclave.
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). No public exploit is identified at time of analysis, and EPSS is low (0.12%), consistent with the CISA SSVC 'Exploitation: none' judgment.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Heap-based buffer overflow in GPAC's MP4Box component allows a local low-privileged attacker to crash the application by supplying a crafted MP4 file. The vulnerable function `sgpd_del_entry` in `src/isomedia/box_code_base.c` mishandles the `data` argument during Sample Group Description Box parsing, triggering an out-of-bounds heap write. A public proof-of-concept exploit exists; however, the vulnerability is not in CISA KEV and the CVSS 4.0 score of 4.8 reflects limited availability-only impact with no confidentiality or integrity compromise.
Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.
Integer overflow in radare2's pb Print Command Handler affects all versions through 6.1.6, exploitable locally by a low-privileged user to crash the radare2 process. The flaw resides in the cmd_print function within libr/core/cmd_print.inc and results in availability impact only - no confidentiality or integrity loss is indicated. Publicly available exploit code exists per the GitHub issue tracker, though no active exploitation has been confirmed via CISA KEV.
Integer overflow in radare2's `r_str_word_get0set` function (libr/util/str.c) allows a local low-privileged attacker to crash the application on versions up to 6.1.6. The CWE-190 integer wraparound can produce a buffer overflow condition, degrading availability of the radare2 analysis session. A public proof-of-concept exists (GitHub issue #26047), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 score of 1.9 reflects genuinely minimal real-world risk given its local-only, low-impact nature.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.
Integer overflow in radare2's hexpairs parser crashes the process for local low-privilege users on versions up to 6.1.6. The flaw exists in the `cmd_anal_opcode` function within `libr/core/cmd_anal.inc.c` and produces only a low availability impact with no confidentiality or integrity consequences. Publicly available exploit code exists, but the local-only attack vector and trivial impact class make this a low-priority finding for most deployments. No active exploitation has been confirmed and this vulnerability is not listed in CISA KEV.
Heap-based buffer overflow in radare2's Java binary parser (all versions up to 6.1.6) allows a local, low-privileged attacker to crash the tool by supplying a crafted Java class file with a malformed Line Number Table attribute. The vulnerable function `r_bin_java_inner_classes_attr_calc_size()` in `shlr/java/class.c` miscalculates buffer sizes, resulting in a heap write beyond allocated bounds and a denial-of-service outcome. A public proof-of-concept exists via GitHub issue #26043; no active exploitation has been confirmed by CISA KEV, and impact is confined to availability with no confidentiality or integrity effects.
Buffer overflow via improper null termination in Pardus Pen affects versions up to and including 4.1.5, with a fix available in 4.2.1. A local, low-privileged user who interacts with crafted input can trigger a CWE-170 null termination error causing out-of-bounds memory reads, resulting in limited confidentiality exposure and availability disruption. No public exploit code and no CISA KEV listing are associated with this CVE; the vulnerability was disclosed by TR-CERT (Turkey's national CERT) and carries a low CVSS base score of 3.9.
Stack-based buffer overflow in the UTT HiPER 1250GW SOHO router (firmware through 3.2.7-210907-180535) lets a network-adjacent attacker corrupt memory by supplying an oversized 'ssid' argument to the /goform/ConfigWirelessBase_5g web handler, potentially achieving code execution or a device crash. The flaw is remotely reachable via the device's web management interface and carries a CVSS 4.0 base score of 7.4 (PR:L, indicating some authentication to the web UI is expected). Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), though there is no public exploit identified as being actively used in the wild.
Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.
Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.
Heap-based buffer overflow in Assimp's CSM file handler (versions 6.0.0-6.0.5) allows a local low-privileged attacker to corrupt heap memory by supplying a crafted Character Studio Motion (CSM) file to any application that uses the library for asset import. The flaw exists in `Assimp::CSMImporter::InternReadFile` within `code/AssetLib/CSM/CSMLoader.cpp` and affects all Assimp 6.0.x releases confirmed by EUVD-2026-41601. No public exploit identified at time of analysis as a KEV entry, but a publicly available exploit code (poc.zip) exists, and the upstream patch commit is available though not yet confirmed in a tagged release.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.
Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to crash the RTOS kernel by supplying a crafted `ai_addr` argument to the `sys_getaddrinfo` handler in `components/lwp/lwp_syscall.c`. All RT-Thread versions through 5.0.2 are affected, with impact limited to availability (VA:H) - no confidentiality or integrity loss is indicated. A public proof-of-concept exists (GitHub issue #11428), though exploitation is not confirmed in CISA KEV; the upstream fix remains an unmerged pull request, leaving all deployed versions currently unpatched.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. The vendor was contacted but did not respond, and there is no public evidence of active exploitation.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within the ls1c CAN handler (bsp/loongson/ls1cdev/libraries/ls1c_can.h) for the Loongson LS1C board support package. A local attacker with low privileges can manipulate the recvmsg call path to overflow a stack buffer, corrupting memory to achieve code execution or crash the device. Publicly available exploit code exists (VulDB), but there is no public exploit identified as actively used in the wild; this is not on CISA KEV, and no vendor patch has been identified as the vendor did not respond to disclosure.
Heap-based buffer overflow in GIMP's Paint Shop Pro (PSP) image format parser lets an attacker achieve arbitrary code execution or crash the application when a victim opens a maliciously crafted PSP file. The flaw stems from incorrect buffer-size arithmetic on low bit-depth images, and affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; exploitation requires local file-open interaction (CVSS 7.3).
Two off-by-one errors in FreeIPA's ipa-otpd daemon expose RHEL 6 through 10 deployments configured with an external OAuth2/OIDC Identity Provider to out-of-bounds memory access during the device authorization flow. An attacker who controls or can man-in-the-middle the configured IdP endpoint can serve an oversized authorization response, triggering CWE-787 writes or reads one byte past a fixed-size buffer boundary. The most probable outcome is denial of service of the ipa-otpd daemon; no public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog.
Out-of-bounds heap read in the Net::IP::LPM Perl module (all versions through 1.10) is triggered when an application passes an oversized CIDR prefix length (e.g. add("1.2.3.4/255") or a /255 IPv6 prefix) to the trie builder, which walks the packed address buffer by the attacker-supplied bit count without validating it against the 32-bit/128-bit address width. The read runs at most ~32 bytes past a 4- or 16-byte buffer and its contents are never returned through the module's API, so real-world impact is limited to a possible process abort under AddressSanitizer, valgrind, or a hardened allocator. No public exploit identified at time of analysis; EPSS is low (0.23%, 13th percentile) and SSVC lists exploitation status as none.
Remote denial of service in the IMS (IP Multimedia Subsystem) implementation of Unisoc mobile chipsets allows an unauthenticated remote attacker to crash the affected component via an out-of-bounds read triggered by a missing bounds check. The flaw spans a broad range of Unisoc SoCs (SC7731E, SC9832E, SC9863A, T310/T610/T618, T7200-series, T8100/T8200/T8300, T9100) commonly used in budget Android smartphones. It carries CVSS 7.5 with availability-only impact and no confidentiality or integrity effect; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.
Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.
Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. Publicly available exploit code exists in the advisory (miri/ASan PoC tests); no active exploitation is reported (not in CISA KEV) and no EPSS score was provided.
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.
Persistent denial-of-service in zebrad (Zcash Foundation's Zcash node) up to and including v4.4.1 allows an attacker with mining capability and approximately 1,100-2,100 ZEC to permanently halt all Zebra nodes on the network by mining a single consensus-valid block. The block exploits a credit-before-debit processing order in the finalized transparent state writer, causing an intermediate per-address balance to overflow the MAX_MONEY cap and trigger a Rust panic-abort. Because the triggering block is consensus-valid, the panic recurs on every restart, creating an unrecoverable halt until the node is patched. No public exploit or KEV listing has been identified at time of analysis.
Buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" in GV-VMS and "WS Player" in VMS-Cloud) allows memory corruption and likely code execution in the local WebSocket server process. The `handle_connection_info` handler for the `connectionInfo` command copies attacker-controlled JSON strings (including the `ip` field) into fixed-size stack/heap buffers using unbounded byte-by-byte loops, so an oversized value overruns the buffer. Because the WebSocket server binds to localhost, exploitation is realistically driven by luring an authenticated user's browser to a malicious page that issues the command; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Stack buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" for GV-VMS and "WS Player" for VMS-Cloud) lets an attacker corrupt fixed-size buffers and potentially achieve code execution against users of GV-VMS, GV-Cloud and related GeoVision products. The flaw lives in the local WebSocket server's connectionInfo command handler, which copies attacker-controlled JSON strings byte-by-byte without length checks; because a malicious web page loaded in the victim's browser can drive that local WebSocket, exploitation is scored network-reachable (CVSS 8.3) but requires user interaction and high attack complexity. No public exploit is identified at time of analysis, though the issue was reported by Cisco Talos, which typically develops proof-of-concept material.
Remote code execution in GeoVision GeoWebPlayer (the browser-facing 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related products) is possible because the local WebSocket server's connectionInfo handler copies attacker-controlled JSON fields into fixed-size buffers with unchecked byte-by-byte loops. A remote attacker who lures a user to a malicious web page can drive the victim's browser to send an oversized password field to the localhost WebSocket, overflowing the buffer and achieving code execution (CVSS 8.3). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Cross-site WebSocket-driven buffer overflow in GeoVision GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) lets an attacker reach the localhost WebSocket server and overflow fixed-size buffers via the `connectionInfo` command's username field, achieving memory corruption and likely code execution (CVSS 8.3, CWE-120). Because the server listens on localhost, exploitation is reached through a victim's browser visiting a malicious page (UI:R, AC:H), giving high confidentiality, integrity and availability impact with a scope change. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw was independently documented by Cisco Talos (TALOS-2026-2375).
Buffer overflow vulnerabilities in GeoVision's GeoWebPlayer WebSocket addon (CWE-120) allow a remote attacker to induce code execution by luring a user running the addon into visiting a malicious webpage that sends a crafted `connectionInfo` WebSocket command with an oversized password field to the locally-listening service. The unbounded manual byte-by-byte copy in `handle_connection_info` overwrites adjacent memory, potentially yielding full process compromise across all impact dimensions (C:H/I:H/A:H). Reported by Cisco Talos (TALOS-2026-2375) and acknowledged by GeoVision; no public exploit code or CISA KEV listing identified at time of analysis.
Remote code execution in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) is possible because the addon's localhost WebSocket server processes a 'connectionInfo' command whose handler copies attacker-supplied JSON strings into fixed-size buffers without bounds checks (CWE-120). Because the WebSocket is reachable via the victim's browser (AV:N), a malicious web page can drive the overflow when a user with the addon installed visits it (UI:R), yielding memory corruption with high confidentiality, integrity and availability impact and a scope change. No public exploit identified at time of analysis, though Cisco Talos has published a detailed report (TALOS-2026-2375); no EPSS or CISA KEV data was provided.
Denial-of-service via buffer overflow in UTT nv518G firmware (nv518GV3v3.2.7-210919-161313) allows an adjacent-network attacker to crash the device by sending a crafted request to the GoAhead embedded webserver's sub_497498 handler. The vulnerability is rooted in CWE-119 (improper bounds restriction) and requires no authentication, meaning any host on the same LAN segment can trigger device unavailability. A GitHub-hosted CVE report with technical detail exists, indicating publicly available exploit code, though EPSS at 0.22% (13th percentile) reflects low observed exploitation probability - consistent with the limited geographic and market footprint of UTT devices.
Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.
Denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers crash the device by triggering a buffer overflow in the gohead web-management component's sub_487330 (FUN_00487330) function. The CVSS vector indicates unauthenticated network exploitation with availability-only impact, EPSS is low at 0.22% (13th percentile), and no active exploitation is recorded, though a public technical write-up of the flawed function exists on GitHub.
Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component
Remote denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows an unauthenticated attacker to crash the device by triggering a buffer overflow in the gohead/sub_444C8C function of its embedded web management service. The flaw impacts availability only - no code execution, data disclosure, or integrity loss is indicated - and CVSS rates it 7.5 (High). No public exploit identified at time of analysis, though a GitHub reverse-engineering report documents the vulnerable function; EPSS is low at 0.22% (13th percentile) and it is not on the CISA KEV list.
Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. A POC is referenced by CISA's SSVC assessment (no public exploit code independently identified), it is not in CISA KEV, and EPSS is very low at 0.10% (1st percentile), indicating minimal likelihood of widespread exploitation.
Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.
Server-controlled buffer overflow in Das U-Boot (bootloader) through 2026.04-rc3 lets a malicious or compromised NFS server corrupt memory in an U-Boot client built with CONFIG_CMD_NFS. The flaw lives in nfs_readlink_reply() (net/nfs-common.c), where relative symlink targets from consecutive READLINK responses are appended to the fixed 2048-byte nfs_path_buff without cumulative length checks; two responses of ~1100 bytes each overflow it and clobber adjacent BSS state (nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, rpc_id), giving control over the NFS client state machine. Reported by VulnCheck with a CVSS 4.0 base score of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.
Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. No public exploit identified at time of analysis; not listed in CISA KEV.
Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.
Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.
Heap-buffer-overflow read in ImageMagick's GetPixelIndex function exposes limited heap memory contents and can cause partial availability impact in affected 6.x and 7.x branches before the patched releases. The root cause is a metadata-allocation race in OpenPixelCache, which updates image channel metadata before confirming successful pixel cache memory allocation, leaving GetPixelIndex to operate on stale channel counts. Exploitation requires high privilege access and the ability to induce memory or disk allocation failures, yielding only limited confidentiality and availability impact; no public exploit code and no CISA KEV listing are associated with this CVE.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.
Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.
Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin processes abnormally constructed signature objects: JavaScript triggers signature verification, but the plugin copies an anomalous string without validating its arguments, corrupting memory. A local victim who opens a crafted PDF is affected, and while the vendor describes the outcome as an application crash, the CVSS High confidentiality/integrity/availability impacts indicate potential for code execution. No public exploit identified at time of analysis.
Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.
Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.
Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.
Out-of-bounds memory access in Foxit PDF Editor and Foxit PDF Reader occurs when the application parses a malformed Unity 3D object embedded in a PDF, resolving attacker-influenced data as a pointer and dereferencing it as a valid address. A victim who opens a crafted PDF triggers the flaw (CVSS 7.8, UI:R), which manifests as a crash but, given the CWE-787 out-of-bounds write classification and High confidentiality/integrity/availability impact, carries potential for memory corruption and code execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 24.1.13) allows a local user holding an X connection to corrupt heap memory by supplying a malicious PCX font. The flaw lives in the SetFont code path, where missing glyph boundary checks let an oversized or malformed glyph write past its heap allocation, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis; EPSS is low at 0.28% and CISA SSVC rates exploitation as none.
Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X server by supplying a malformed PCF font that trips missing glyph bounds checking in pcfReadFont(). Because X servers frequently run with elevated (often root) privileges, a successful exploit can escalate from a low-privileged client to full host compromise. No public exploit is identified at time of analysis and CISA SSVC rates current exploitation as none, but the technical impact is rated total.
Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. There is no public exploit identified at time of analysis; EPSS is modest at 0.58% and CISA SSVC rates exploitation as 'none' with 'total' technical impact.
Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS is low at 0.37% (29th percentile), consistent with the SSVC finding of no observed exploitation despite total technical impact.
Session Extension information disclosure in SQLite before Fossil check-in 869a51ae84df exposes sensitive process memory when adversarially crafted changesets are processed through the changeset concat or changegroup merge code paths. A local attacker who can deliver a malicious changeset to an application using the Session Extension API can leak heap memory contents and likely crash the process, yielding both low confidentiality and high availability impact consistent with an out-of-bounds read pattern. No active exploitation has been confirmed by CISA KEV, though a researcher gist is referenced that may represent proof-of-concept material; no public exploit is independently confirmed at time of analysis.
Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.
Arbitrary code execution in an unnamed ICS/OT application arises from a use-after-free (CWE-416) triggered when the software parses a specially crafted file, letting an attacker run code in the context of the current process. The flaw was reported through CISA's ICS-CERT (advisory ICSA-26-188-06) and carries a CVSS 4.0 base score of 8.4; exploitation is local and requires a user to open the malicious file. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV.
Arbitrary code execution via an out-of-bounds write (CWE-787) affects an industrial control system product covered by CISA ICS advisory ICSA-26-188-06, where an attacker can corrupt memory past an allocated buffer to run code in the context of the affected application. The CVSS 4.0 vector (AV:L/UI:A) indicates the flaw is triggered locally and requires a victim to actively interact - consistent with opening a malicious file or project in engineering/HMI software. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high-impact memory corruption and DHS ICS-CERT reporting warrant prompt patching in OT environments.
Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.
Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).
Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.
Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.
Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.
Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to corrupt heap memory and likely crash the LDAP service. The flaw triggers when the server processes an LDAP operation - such as a search request - whose base DN contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), causing an out-of-bounds write during RDN attribute-value pair sorting. Per the confirmed CVSS vector (PR:N), no authentication is required; no public exploit code or CISA KEV listing has been identified at time of analysis.
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. There is no public exploit identified at time of analysis, and this flaw is distinct from the earlier CVE-2025-14905 schema.c overflow, which did not fix this code path.
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in read_RLE_channel(), producing an undersized heap allocation for the RLE row-length table that is then overwritten row-by-row, potentially yielding denial of service or arbitrary code execution. The flaw affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9 and is triggered when a victim opens or imports a crafted PSD file. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.
Local privilege escalation via memory corruption in Qualcomm Snapdragon platforms occurs when asynchronous input parameters are validated and then re-read after modification, a time-of-check/time-of-use race that yields total compromise of confidentiality, integrity, and availability. Affecting a broad range of Snapdragon connectivity, WCD codec, WSA, and compute SoCs, a local low-privileged attacker who can win the race can corrupt memory and gain elevated code execution. No public exploit has been identified at time of analysis and EPSS is negligible (0.09%), but the CVSS 7.0 and 'total' SSVC technical impact make it a meaningful firmware/driver patch target.
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon firmware triggers an out-of-bounds write (CWE-787) when prepared commands are updated using invalid port indices supplied from user space that exceed supported read client limits. The vulnerability spans an exceptionally broad portfolio of Snapdragon chipsets covering mobile, automotive, XR/AR, and connectivity platforms. No public exploit has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and the flaw as non-automatable, though the changed scope (S:C) in the CVSS vector indicates impact can propagate beyond the directly vulnerable firmware component.
Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with sizes exceeding the maximum allowed value corrupts adjacent memory (CWE-126, buffer over-read/overflow). A local attacker with low privileges (PR:L) and no user interaction can compromise confidentiality, integrity, and availability (all High), scoring CVSS 7.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Memory corruption in Qualcomm Snapdragon silicon allows a local low-privileged attacker to trigger an out-of-bounds write (CWE-787) by submitting input with a buffer plane count or batch size exceeding the maximum allowed value. The scope change in the CVSS vector (S:C) indicates the corruption can escape the vulnerable component's security boundary, yielding partial confidentiality, integrity, and availability impact on an adjacent system component. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms no known exploitation and non-automatable attack conditions.
Out-of-bounds write in Qualcomm Snapdragon's flash command handler allows a local low-privileged attacker to corrupt memory by exploiting a race condition between userspace LED count modifications and kernel-side flash command processing. The CVSS scope change (S:C) indicates the corruption can reach components beyond the immediately vulnerable driver - raising the potential for privilege escalation on affected Snapdragon-based devices. No public exploit code or active exploitation has been identified at time of analysis.
Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). Qualcomm disclosed this in its July 2026 Security Bulletin; no public exploit identified at time of analysis.
Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.
Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to trigger access of already-freed memory by issuing multiple IOCTL calls that reference the same buffer file descriptor. A successful attacker gains full compromise of confidentiality, integrity, and availability on the affected device, which in practice can mean kernel-level code execution or privilege escalation from an unprivileged app. There is no public exploit identified at time of analysis, EPSS is negligible (0.09%, 1st percentile), and CISA SSVC records no known exploitation.
Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-after-free condition in the device driver's input/output control (ioctl) path for mapping and unmapping persistent memory buffers can be triggered by an authenticated local application. Improper synchronization on these operations lets a low-privileged process corrupt kernel memory to gain full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.09%), consistent with CISA SSVC scoring exploitation as none.
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
Heap overflow in OP-TEE's ARM Crypto Extensions SHA-3 implementation corrupts TEE kernel memory across all platforms built with CFG_CRYPTO_WITH_CE82=y (ARMv8.2+ SHA3 extensions). The off-by-one error in the accelerated SHA-3 path overwrites memory beyond the hash state buffer, potentially corrupting all TEE kernel heap memory that follows. Affected versions span 3.21.0 through 4.11.0, and no public exploit has been identified at time of analysis, though the memory corruption primitive is significant in the context of a secure enclave.
Stack-based memory corruption in GIMP's PNM image parser lets an attacker execute code or crash the application when a victim opens a malicious PNM/PBM/PGM/PPM file. The flaw is an off-by-one in pnmscanner_gettoken() that writes a null terminator one byte past a stack buffer; it is local and requires the user to open the crafted file (UI:R). No public exploit is identified at time of analysis, and EPSS is low (0.12%), consistent with the CISA SSVC 'Exploitation: none' judgment.
Heap out-of-bounds read in the Perl Imager module (versions before 1.032) lets a crafted SGI image over-read past a decode buffer and crash the process. The flaw lives in the bundled Imager::File::SGI reader's read_rgb_16_rle routine, where a 16-bit RLE literal run is length-checked in pixels but consumed as two bytes per pixel, defeating the bounds guard. No public exploit is identified at time of analysis and it is not listed in CISA KEV; a vendor patch shipped in 1.032.
Heap-based buffer overflow in GPAC's MP4Box component allows a local low-privileged attacker to crash the application by supplying a crafted MP4 file. The vulnerable function `sgpd_del_entry` in `src/isomedia/box_code_base.c` mishandles the `data` argument during Sample Group Description Box parsing, triggering an out-of-bounds heap write. A public proof-of-concept exploit exists; however, the vulnerability is not in CISA KEV and the CVSS 4.0 score of 4.8 reflects limited availability-only impact with no confidentiality or integrity compromise.
Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.
Integer overflow in radare2's pb Print Command Handler affects all versions through 6.1.6, exploitable locally by a low-privileged user to crash the radare2 process. The flaw resides in the cmd_print function within libr/core/cmd_print.inc and results in availability impact only - no confidentiality or integrity loss is indicated. Publicly available exploit code exists per the GitHub issue tracker, though no active exploitation has been confirmed via CISA KEV.
Integer overflow in radare2's `r_str_word_get0set` function (libr/util/str.c) allows a local low-privileged attacker to crash the application on versions up to 6.1.6. The CWE-190 integer wraparound can produce a buffer overflow condition, degrading availability of the radare2 analysis session. A public proof-of-concept exists (GitHub issue #26047), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 score of 1.9 reflects genuinely minimal real-world risk given its local-only, low-impact nature.
mrubyc through release3.4.1 was found to contain an out-of-bounds read in builtin missing-method lookup inside mrbc_find_method().
Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.
Integer overflow in radare2's hexpairs parser crashes the process for local low-privilege users on versions up to 6.1.6. The flaw exists in the `cmd_anal_opcode` function within `libr/core/cmd_anal.inc.c` and produces only a low availability impact with no confidentiality or integrity consequences. Publicly available exploit code exists, but the local-only attack vector and trivial impact class make this a low-priority finding for most deployments. No active exploitation has been confirmed and this vulnerability is not listed in CISA KEV.
Heap-based buffer overflow in radare2's Java binary parser (all versions up to 6.1.6) allows a local, low-privileged attacker to crash the tool by supplying a crafted Java class file with a malformed Line Number Table attribute. The vulnerable function `r_bin_java_inner_classes_attr_calc_size()` in `shlr/java/class.c` miscalculates buffer sizes, resulting in a heap write beyond allocated bounds and a denial-of-service outcome. A public proof-of-concept exists via GitHub issue #26043; no active exploitation has been confirmed by CISA KEV, and impact is confined to availability with no confidentiality or integrity effects.
Buffer overflow via improper null termination in Pardus Pen affects versions up to and including 4.1.5, with a fix available in 4.2.1. A local, low-privileged user who interacts with crafted input can trigger a CWE-170 null termination error causing out-of-bounds memory reads, resulting in limited confidentiality exposure and availability disruption. No public exploit code and no CISA KEV listing are associated with this CVE; the vulnerability was disclosed by TR-CERT (Turkey's national CERT) and carries a low CVSS base score of 3.9.
Stack-based buffer overflow in the UTT HiPER 1250GW SOHO router (firmware through 3.2.7-210907-180535) lets a network-adjacent attacker corrupt memory by supplying an oversized 'ssid' argument to the /goform/ConfigWirelessBase_5g web handler, potentially achieving code execution or a device crash. The flaw is remotely reachable via the device's web management interface and carries a CVSS 4.0 base score of 7.4 (PR:L, indicating some authentication to the web UI is expected). Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), though there is no public exploit identified as being actively used in the wild.
Out-of-bounds read in ONNX versions up to 1.21.x exposes limited memory contents to low-privileged remote attackers via the convPoolShapeInference_opset19 shape inference function. The CVSS 4.0 score of 2.1 reflects minimal real-world impact - confidentiality-only, low severity - yet a public proof-of-concept is available via GitHub issue #8036. No active exploitation has been confirmed by CISA KEV, and an upstream patch exists at commit a7bf3a0f1d18bb62575236ef6e4944980c40e045 via PR #8051.
Heap-based buffer overflow in PHP's OpenSSL extension affects all maintained PHP branches (8.2.x, 8.3.x, 8.4.x, 8.5.x) when the AES key-wrap-with-padding (AES-WRAP-PAD) algorithm per RFC 5649 is invoked. The output buffer is allocated based only on plaintext length, omitting the mandatory RFC 5649 padding expansion, causing OpenSSL to write beyond the allocated heap region, corrupt heap metadata, and abort the process. No public exploit has been identified at time of analysis; vendor-released patches are available for all affected branches.
Heap-based buffer overflow in Assimp's CSM file handler (versions 6.0.0-6.0.5) allows a local low-privileged attacker to corrupt heap memory by supplying a crafted Character Studio Motion (CSM) file to any application that uses the library for asset import. The flaw exists in `Assimp::CSMImporter::InternReadFile` within `code/AssetLib/CSM/CSMLoader.cpp` and affects all Assimp 6.0.x releases confirmed by EUVD-2026-41601. No public exploit identified at time of analysis as a KEV entry, but a publicly available exploit code (poc.zip) exists, and the upstream patch commit is available though not yet confirmed in a tagged release.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Edge (Chromium-based) stems from a heap-based buffer overflow (CWE-122) that a network attacker can trigger when a victim renders crafted web content. The CVSS 3.1 base score is 8.8 with a network vector requiring user interaction (UI:R), and Microsoft has released an official fix (RL:O). No public exploit identified at time of analysis — the temporal metric E:U marks exploit code as unproven — and it is not listed in CISA KEV.
Memory corruption in RT-Thread's Linux-compatible process (lwp) syscall layer allows a local low-privileged user to crash the RTOS kernel by supplying a crafted `ai_addr` argument to the `sys_getaddrinfo` handler in `components/lwp/lwp_syscall.c`. All RT-Thread versions through 5.0.2 are affected, with impact limited to availability (VA:H) - no confidentiality or integrity loss is indicated. A public proof-of-concept exists (GitHub issue #11428), though exploitation is not confirmed in CISA KEV; the upstream fix remains an unmerged pull request, leaving all deployed versions currently unpatched.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. The vendor was contacted but did not respond, and there is no public evidence of active exploitation.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within the ls1c CAN handler (bsp/loongson/ls1cdev/libraries/ls1c_can.h) for the Loongson LS1C board support package. A local attacker with low privileges can manipulate the recvmsg call path to overflow a stack buffer, corrupting memory to achieve code execution or crash the device. Publicly available exploit code exists (VulDB), but there is no public exploit identified as actively used in the wild; this is not on CISA KEV, and no vendor patch has been identified as the vendor did not respond to disclosure.
Heap-based buffer overflow in GIMP's Paint Shop Pro (PSP) image format parser lets an attacker achieve arbitrary code execution or crash the application when a victim opens a maliciously crafted PSP file. The flaw stems from incorrect buffer-size arithmetic on low bit-depth images, and affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; exploitation requires local file-open interaction (CVSS 7.3).
Two off-by-one errors in FreeIPA's ipa-otpd daemon expose RHEL 6 through 10 deployments configured with an external OAuth2/OIDC Identity Provider to out-of-bounds memory access during the device authorization flow. An attacker who controls or can man-in-the-middle the configured IdP endpoint can serve an oversized authorization response, triggering CWE-787 writes or reads one byte past a fixed-size buffer boundary. The most probable outcome is denial of service of the ipa-otpd daemon; no public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog.
Out-of-bounds heap read in the Net::IP::LPM Perl module (all versions through 1.10) is triggered when an application passes an oversized CIDR prefix length (e.g. add("1.2.3.4/255") or a /255 IPv6 prefix) to the trie builder, which walks the packed address buffer by the attacker-supplied bit count without validating it against the 32-bit/128-bit address width. The read runs at most ~32 bytes past a 4- or 16-byte buffer and its contents are never returned through the module's API, so real-world impact is limited to a possible process abort under AddressSanitizer, valgrind, or a hardened allocator. No public exploit identified at time of analysis; EPSS is low (0.23%, 13th percentile) and SSVC lists exploitation status as none.
Remote denial of service in the IMS (IP Multimedia Subsystem) implementation of Unisoc mobile chipsets allows an unauthenticated remote attacker to crash the affected component via an out-of-bounds read triggered by a missing bounds check. The flaw spans a broad range of Unisoc SoCs (SC7731E, SC9832E, SC9863A, T310/T610/T618, T7200-series, T8100/T8200/T8300, T9100) commonly used in budget Android smartphones. It carries CVSS 7.5 with availability-only impact and no confidentiality or integrity effect; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Authenticated command execution in WatchGuard Fireware OS lets a privileged administrator escalate a specially crafted CLI command into arbitrary code execution via an out-of-bounds write (CWE-787). The flaw affects a very broad version span (Fireware OS 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2), placing most currently and historically deployed WatchGuard Firebox appliances in scope. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 score of 8.6 reflects full confidentiality/integrity/availability impact once the required privileged access is obtained.
Remote code execution in WatchGuard Fireware OS (the operating system powering Firebox network security appliances) allows an authenticated privileged administrator to run arbitrary code on the firewall by sending specially crafted requests to the Management Web UI, which trigger an out-of-bounds write in the networkd process. The flaw spans a wide version range (11.8 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2) and carries a CVSS 4.0 base score of 8.6 (High). It was reported by WatchGuard's own PSIRT; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in WatchGuard Fireware OS (the firmware powering WatchGuard Firebox firewall appliances) allows an unauthenticated attacker positioned on the same local/adjacent network segment to trigger an out-of-bounds write and execute arbitrary code. The flaw spans a wide firmware range - 11.0 through 11.12.4_Update1, 12.0 through 12.12, and 2025.1 through 2026.2 - and was self-reported by WatchGuard via its PSIRT. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-adjacent, unauthenticated, high-impact profile makes it a serious perimeter-device concern.
Authenticated arbitrary code execution in WatchGuard Fireware OS (12.1-12.12 and 2025.1-2026.2) arises from an out-of-bounds write in the wgagent process, reachable when a privileged user sends specially crafted requests to the Management Web UI. A high-privilege attacker (or one who has compromised admin credentials) can corrupt memory to run code on the firewall appliance, undermining the security gateway itself. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Arbitrary code execution in WatchGuard Fireware OS (the firmware powering Firebox network security appliances) arises from an out-of-bounds write in the ikestubd process, reachable through the Management Web UI. An authenticated user holding privileged (administrative) access can send specially crafted requests to corrupt memory and execute code on the appliance. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; risk is bounded by the requirement for existing privileged access.
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. Publicly available exploit code exists in the advisory (miri/ASan PoC tests); no active exploitation is reported (not in CISA KEV) and no EPSS score was provided.
Double-free memory corruption in GIMP's PSP file format parser exposes local users to denial of service and potential arbitrary code execution when opening a specially crafted Paint Shop Pro image file. The flaw in read_layer_block() allows heap memory corruption that reliably crashes GIMP and, in a more sophisticated exploitation scenario, could enable arbitrary code execution with the privileges of the victim user. No public exploit has been identified and this vulnerability does not appear in the CISA KEV catalog, though upstream tagging of the issue as RCE-capable warrants patching in environments where GIMP users may open untrusted image files.
Persistent denial-of-service in zebrad (Zcash Foundation's Zcash node) up to and including v4.4.1 allows an attacker with mining capability and approximately 1,100-2,100 ZEC to permanently halt all Zebra nodes on the network by mining a single consensus-valid block. The block exploits a credit-before-debit processing order in the finalized transparent state writer, causing an intermediate per-address balance to overflow the MAX_MONEY cap and trigger a Rust panic-abort. Because the triggering block is consensus-valid, the panic recurs on every restart, creating an unrecoverable halt until the node is patched. No public exploit or KEV listing has been identified at time of analysis.
Buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" in GV-VMS and "WS Player" in VMS-Cloud) allows memory corruption and likely code execution in the local WebSocket server process. The `handle_connection_info` handler for the `connectionInfo` command copies attacker-controlled JSON strings (including the `ip` field) into fixed-size stack/heap buffers using unbounded byte-by-byte loops, so an oversized value overruns the buffer. Because the WebSocket server binds to localhost, exploitation is realistically driven by luring an authenticated user's browser to a malicious page that issues the command; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Stack buffer overflow in GeoVision's GeoWebPlayer addon (also branded "Web Plugin" for GV-VMS and "WS Player" for VMS-Cloud) lets an attacker corrupt fixed-size buffers and potentially achieve code execution against users of GV-VMS, GV-Cloud and related GeoVision products. The flaw lives in the local WebSocket server's connectionInfo command handler, which copies attacker-controlled JSON strings byte-by-byte without length checks; because a malicious web page loaded in the victim's browser can drive that local WebSocket, exploitation is scored network-reachable (CVSS 8.3) but requires user interaction and high attack complexity. No public exploit is identified at time of analysis, though the issue was reported by Cisco Talos, which typically develops proof-of-concept material.
Remote code execution in GeoVision GeoWebPlayer (the browser-facing 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and related products) is possible because the local WebSocket server's connectionInfo handler copies attacker-controlled JSON fields into fixed-size buffers with unchecked byte-by-byte loops. A remote attacker who lures a user to a malicious web page can drive the victim's browser to send an oversized password field to the localhost WebSocket, overflowing the buffer and achieving code execution (CVSS 8.3). There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Cross-site WebSocket-driven buffer overflow in GeoVision GeoWebPlayer (the 'Web Plugin'/'WS Player' addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) lets an attacker reach the localhost WebSocket server and overflow fixed-size buffers via the `connectionInfo` command's username field, achieving memory corruption and likely code execution (CVSS 8.3, CWE-120). Because the server listens on localhost, exploitation is reached through a victim's browser visiting a malicious page (UI:R, AC:H), giving high confidentiality, integrity and availability impact with a scope change. There is no public exploit identified at time of analysis and it is not in CISA KEV, but the flaw was independently documented by Cisco Talos (TALOS-2026-2375).
Buffer overflow vulnerabilities in GeoVision's GeoWebPlayer WebSocket addon (CWE-120) allow a remote attacker to induce code execution by luring a user running the addon into visiting a malicious webpage that sends a crafted `connectionInfo` WebSocket command with an oversized password field to the locally-listening service. The unbounded manual byte-by-byte copy in `handle_connection_info` overwrites adjacent memory, potentially yielding full process compromise across all impact dimensions (C:H/I:H/A:H). Reported by Cisco Talos (TALOS-2026-2375) and acknowledged by GeoVision; no public exploit code or CISA KEV listing identified at time of analysis.
Remote code execution in GeoVision GeoWebPlayer (the "Web Plugin"/"WS Player" addon bundled with GV-VMS, GV-Cloud and VMS-Cloud) is possible because the addon's localhost WebSocket server processes a 'connectionInfo' command whose handler copies attacker-supplied JSON strings into fixed-size buffers without bounds checks (CWE-120). Because the WebSocket is reachable via the victim's browser (AV:N), a malicious web page can drive the overflow when a user with the addon installed visits it (UI:R), yielding memory corruption with high confidentiality, integrity and availability impact and a scope change. No public exploit identified at time of analysis, though Cisco Talos has published a detailed report (TALOS-2026-2375); no EPSS or CISA KEV data was provided.
Denial-of-service via buffer overflow in UTT nv518G firmware (nv518GV3v3.2.7-210919-161313) allows an adjacent-network attacker to crash the device by sending a crafted request to the GoAhead embedded webserver's sub_497498 handler. The vulnerability is rooted in CWE-119 (improper bounds restriction) and requires no authentication, meaning any host on the same LAN segment can trigger device unavailability. A GitHub-hosted CVE report with technical detail exists, indicating publicly available exploit code, though EPSS at 0.22% (13th percentile) reflects low observed exploitation probability - consistent with the limited geographic and market footprint of UTT devices.
Out-of-bounds read in ArduPilot's MAVLink ground-control-station handler (through Plane-4.6.3) lets a remote attacker on the MAVLink link send a crafted SERIAL_CONTROL message that reads memory beyond intended bounds in GCS_MAVLINK::handle_serial_control(), potentially disclosing adjacent flight-controller memory and/or crashing the autopilot. The CVSS 9.1 rating reflects high confidentiality and availability impact over an unauthenticated network vector, though EPSS is low (0.17%, 6th percentile) and no public exploit is identified at time of analysis. An upstream fix is proposed via GitHub PR #32587 (issue #32524), but no tagged patched release is independently confirmed.
Denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets remote attackers crash the device by triggering a buffer overflow in the gohead web-management component's sub_487330 (FUN_00487330) function. The CVSS vector indicates unauthenticated network exploitation with availability-only impact, EPSS is low at 0.22% (13th percentile), and no active exploitation is recorded, though a public technical write-up of the flawed function exists on GitHub.
Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_483ba0 component
Remote denial of service in the UTT nv518G security gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows an unauthenticated attacker to crash the device by triggering a buffer overflow in the gohead/sub_444C8C function of its embedded web management service. The flaw impacts availability only - no code execution, data disclosure, or integrity loss is indicated - and CVSS rates it 7.5 (High). No public exploit identified at time of analysis, though a GitHub reverse-engineering report documents the vulnerable function; EPSS is low at 0.22% (13th percentile) and it is not on the CISA KEV list.