Buffer Overflow
Monthly
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file processing functionality, affecting Affinity 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, allowing disclosure of sensitive information from adjacent memory regions. While the CVSS score of 6.1 indicates moderate severity with high confidentiality impact, actual exploitation requires user interaction (opening a file) and is limited to information disclosure without code execution capability.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions in the product line; attackers with local access and user interaction can trigger the flaw to disclose sensitive information from process memory. While the CVSS score of 6.1 indicates medium severity with high confidentiality impact and low availability impact, the attack requires local file system access and user interaction (opening a malicious EMF file), limiting widespread exploitation risk.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk of information disclosure with minimal availability impact.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality, affecting Affinity version 3.0.1.3808 and potentially earlier versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from the application's memory space. With a CVSS score of 6.1 and a local attack vector requiring user interaction, this vulnerability poses a moderate risk primarily through information disclosure, though local denial of service is also possible.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory such as authentication tokens, cryptographic keys, or other confidential data. The vulnerability requires user interaction (opening a file) and local access, making it a moderate-priority issue with a CVSS base score of 6.1, though the high confidentiality impact warrants prompt patching.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality that allows attackers to read memory beyond allocated buffer boundaries. Canva Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory; the vulnerability requires user interaction (opening the file) but no elevated privileges, making it a practical attack vector for phishing or drive-by downloads.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries by crafting malicious EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker with local access can exploit this vulnerability through user interaction (opening a crafted EMF file) to disclose sensitive information from process memory, with potential for denial of service through application crashes.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected, with the vulnerability requiring only local access and user interaction (opening a malicious file) to trigger. Successful exploitation enables disclosure of sensitive information from application memory, with potential limited impact on system availability; no active exploitation or public proof-of-concept has been confirmed at this time based on available intelligence sources.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) image processing functionality of Canva Affinity, enabling attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, allowing unauthenticated local attackers with no special privileges to trigger the flaw via user interaction (opening a malicious file). Successful exploitation can disclose sensitive information from process memory, with a secondary risk of application instability (low availability impact). No active exploitation in the wild or public proof-of-concept has been confirmed based on available intelligence, but the vulnerability has been formally disclosed by Talos Intelligence and tracked in NIST NVD and ENISA EUVD databases.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, requiring local access and user interaction (opening a malicious EMF file). Successful exploitation can lead to disclosure of sensitive information from process memory, with limited impact on system availability. No active exploitation in the wild has been confirmed via KEV status, and the CVSS 6.1 score reflects moderate risk balanced between high confidentiality impact and lower attack complexity.
Canva Affinity's EMF file parser is vulnerable to out-of-bounds read attacks when processing specially crafted files, allowing attackers to extract sensitive information from application memory. This local vulnerability requires user interaction to trigger and has no available patch, affecting users who open malicious EMF documents in Affinity.
Canva Affinity's EMF file parser is vulnerable to an out-of-bounds read (CWE-125) when processing specially crafted EMF files, allowing local attackers to extract sensitive data from application memory. This medium-severity vulnerability affects users who open untrusted EMF files and currently has no available patch. The attack requires user interaction and local access but poses a real information disclosure risk.
Stack-based buffer overflow in Wazuh manager versions 3.9.0 through 4.14.3 allows remote attackers with high privileges to crash the `wazuh-analysisd` service via malformed JSON events, resulting in denial of service. The vulnerability stems from unsafe use of sprintf with floating-point format specifiers in the Security Configuration Assessment decoder, and may potentially enable remote code execution on affected Wazuh installations.
Stack-based buffer overflow in Wazuh 4.4.0 through 4.14.2 allows authenticated remote attackers with high privileges to trigger an integer underflow in the database synchronization module, causing denial of service or potential code execution. The vulnerability exists in SQL query construction logic within wdb_delta_event.c where improper size calculations on buffers exceeding 2048 bytes can corrupt the stack. A patch is available in version 4.14.3.
The NewXMLTree method in affected products is vulnerable to a denial of service condition where an out-of-bounds write of a single zero byte can trigger an application crash. An unauthenticated remote attacker can exploit this memory corruption vulnerability without user interaction to cause service disruption. No patch is currently available for this issue.
Remote code execution in UTT HiPER 810G up to version 1.7.7-171114 through a buffer overflow in the /goform/formApLbConfig endpoint allows authenticated attackers to achieve complete system compromise. The vulnerability stems from unsafe use of strcpy() on the loadBalanceNameOld parameter, and public exploit code is currently available. No patch has been released for affected devices.
Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.
A critical heap buffer overflow vulnerability exists in YAML::Syck through version 1.36 for Perl, allowing remote attackers to potentially execute arbitrary code or cause denial of service without authentication. The vulnerability stems from multiple memory corruption issues including heap overflow when processing YAML class names exceeding 512 bytes, buffer overread in base64 decoding, and memory leaks. With a CVSS score of 9.1 and network-based attack vector requiring no user interaction, this presents a severe risk to applications parsing untrusted YAML input.
Remote code execution in Tenda AC8 firmware versions up to 16.03.50.11 results from a stack-based buffer overflow in the HTTP endpoint handling password change requests. An unauthenticated attacker can exploit this vulnerability over the network to execute arbitrary commands with full system privileges. Public exploit code exists for this vulnerability and no patch is currently available.
A buffer overflow vulnerability with a CVSS score of 6.0. Remediation should follow standard vulnerability management procedures.
Buffer overflow in pyOpenSSL's cookie generation callback allows attackers to corrupt memory and potentially achieve remote code execution by supplying oversized cookie values exceeding 256 bytes. The vulnerability affects applications using custom cookie callbacks with OpenSSL integration, where insufficient length validation permits writing beyond allocated buffer boundaries. A patch is available that implements proper cookie size validation.
Heap-based buffer overflow vulnerability in Softing Industrial Automation GmbH smartLink SW-PN and smartLink SW-HT (Webserver modules) allows attackers to overflow buffers. This issue affects smartLink SW-PN through 1.03 and smartLink SW-HT through 1.42.
Remote code execution in LB-LINK BL-WR9000 2.4.9 via buffer overflow in the /goform/get_hidessid_cfg endpoint allows authenticated attackers to achieve complete system compromise over the network. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with login credentials can trigger the overflow in the sub_44D844 function to execute arbitrary code with full system privileges.
Stack Overflow's infrastructure contains a stack-based buffer overflow in a virtual configuration function that can be exploited remotely by authenticated attackers to achieve complete system compromise. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. An attacker with valid credentials can manipulate input to the vulnerable endpoint and execute arbitrary code with full system privileges.
An out-of-bounds write vulnerability (CWE-787) exists in OpenHarmony versions up to and including v5.1.0, enabling local attackers to execute arbitrary code within pre-installed applications. The vulnerability requires local access and low privileges but can result in complete confidentiality compromise. This is a memory corruption issue that, while restricted to specific scenarios, poses a meaningful risk to OpenHarmony device security given the local attack vector and high impact on confidentiality.
An out-of-bounds write vulnerability in OpenHarmony v5.1.0 and earlier versions allows local attackers with limited privileges to achieve arbitrary code execution within pre-installed applications through memory corruption. The vulnerability, tracked as CVE-2025-41432 and assigned CVSS 5.5, exploits CWE-787 (out-of-bounds write) and is limited to restricted attack scenarios that require local access and low privilege levels. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the availability of vulnerability disclosure documentation and the nature of memory corruption bugs suggest heightened risk for motivated threat actors.
Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.
Stack-based buffer overflow in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-326, DNS-1100-4, and others) through the UPnP_AV_Server_Path_Setting function in /cgi-bin/app_mgr.cgi allows authenticated remote attackers to achieve complete system compromise with high integrity, confidentiality, and availability impact. Public exploit code exists for this vulnerability, and no patch is currently available.
Stack-based buffer overflow in D-Link DNS storage appliances (DNS-120, DNS-340L, DNS-1200-05 and others) through the /cgi-bin/gui_mgr.cgi endpoint allows remote authenticated attackers to achieve code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected firmware versions are dated up to February 5, 2026.
Stack-based buffer overflow in D-Link DNS NAS devices (DNS-120 through DNS-1550-04) allows authenticated attackers to achieve remote code execution via the Downloads_Schedule_Info function in /cgi-bin/download_mgr.cgi. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed over the network with high impact on confidentiality, integrity, and availability.
Stack-based buffer overflow in D-Link DNS and DNR network storage devices allows authenticated remote attackers to execute arbitrary code by manipulating the f_idx parameter in the local_backup_mgr.cgi endpoint. Public exploit code exists for this vulnerability, which affects multiple device models up to firmware version 20260205 with no patch currently available. An attacker with valid credentials can trigger memory corruption to achieve complete system compromise including code execution, data theft, and service disruption.
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
Remote code execution in D-Link DIR-619L 2.06B01 results from a stack-based buffer overflow in the formSchedule function when the curTime parameter is manipulated via the /goform/formSchedule endpoint. An authenticated remote attacker can exploit this vulnerability to achieve full system compromise, and public exploit code is currently available. This vulnerability affects only end-of-life devices that no longer receive security updates.
Stack-based buffer overflow vulnerability in GPAC's MP4Box component, specifically in the swf_def_bits_jpeg function of src/scene_manager/swf_parse.c, affecting versions up to 2.5-DEV-rev2167. An authenticated attacker can exploit this remotely by manipulating the szName argument to cause a stack overflow, resulting in information disclosure, data modification, or denial of service. A public proof-of-concept exists, and a vendor patch is available; exploitation requires valid credentials (CVSS 6.3 with authenticated access requirement).
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available on GitHub, making this vulnerability actively exploitable. However, D-Link no longer supports this product, meaning no patch will be released.
Critical stack-based buffer overflow vulnerability in D-Link DIR-816 router firmware version 1.10CNB05, affecting the wireless configuration interface (/goform/form2WlanBasicSetup.cgi). A publicly available proof-of-concept exploit exists, allowing remote attackers without authentication to achieve complete system compromise. The vulnerability affects end-of-life products no longer supported by D-Link, making patches unlikely.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to achieve full system compromise without authentication. A public proof-of-concept exploit is available on GitHub, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (firmware version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Stack-based buffer overflow vulnerability in TRENDnet TEW-632BRP firmware version 1.010B32, specifically in the ping_response.cgi file's HTTP POST request handler. An authenticated attacker with high privileges can exploit this vulnerability remotely to achieve code execution with high impact to confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub, though the vulnerability is not listed in CISA KEV and no EPSS score is provided.
Remote code execution via stack-based buffer overflow in Belkin F9K1122 router firmware allows authenticated attackers to achieve complete system compromise through the /goform/formReboot endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The high CVSS score of 8.8 reflects the severity of unauthenticated remote exploitation potential in networked deployments.
A buffer overflow vulnerability with a CVSS score of 6.1. Remediation should follow standard vulnerability management procedures.
Heap-based buffer overflow (out-of-bounds read) in GNU Binutils' BFD linker component that affects RHEL 6, 7, 8, and 10, as well as multiple Debian and Ubuntu releases. An attacker can exploit this vulnerability by distributing a malicious XCOFF object file, which when processed by a user, may disclose sensitive information from process memory or crash the application. While the CVSS score of 6.1 indicates medium severity with user interaction required, the vulnerability impacts widely-deployed enterprise Linux distributions across Red Hat, Debian, and Ubuntu ecosystems.
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
Stack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zenoh uORB subscriber fails to validate incoming payload sizes, allowing remote attackers to crash the Zenoh bridge task. No active exploitation (not in KEV), no known POC, and the local attack vector (CVSS AV:L) limits real-world impact despite the high 7.8 CVSS score.
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows stack memory corruption when processing specially crafted CAN frames. An attacker with CAN bus injection capability can trigger denial of service or memory corruption in drone systems where tattu_can is enabled, potentially compromising flight safety and system stability.
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network attackers to crash the system by sending oversized CRSF packets. The vulnerability requires the CRSF receiver protocol to be enabled on a serial port and can cause memory corruption leading to denial of service. No active exploitation (not in KEV) or public POC has been reported.
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and a patch available, this represents a significant risk for applications using GStreamer for media processing.
CVE-2026-3086 is an out-of-bounds write vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malformed APS (Adaptation Parameter Set) units. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, such as processing a malicious H.266 video file. No evidence of active exploitation (not in KEV), no public POC, and no EPSS score available yet.
Heap-based buffer overflow vulnerability in GStreamer's rtpqdm2depay component that allows remote attackers to execute arbitrary code when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary based on implementation. No active exploitation is known (not in KEV), and no EPSS score is available to assess real-world exploitation probability.
Heap-based buffer overflow vulnerability in the GStreamer multimedia framework's JPEG parser that allows remote code execution when processing malicious Huffman tables. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, with a CVSS score of 7.8. No active exploitation in the wild has been reported (not in KEV), and no EPSS data is available.
Stack-based buffer overflow in GStreamer's H.266 codec parser that allows remote code execution when processing malicious video files. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to trigger, such as opening a malicious media file. No active exploitation (not in KEV) or public PoC has been reported, with EPSS data unavailable.
CVE-2026-2923 is an out-of-bounds write vulnerability in GStreamer's DVB Subtitles handling that allows remote code execution when processing malformed subtitle coordinates. This vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary by implementation. No evidence of active exploitation (not in KEV), no public POC available, and no EPSS data provided.
Critical remote code execution vulnerability in GStreamer's RealMedia demuxer component, allowing attackers to execute arbitrary code via malformed video packets that trigger an out-of-bounds write. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and requires user interaction to process malicious media files. While no active exploitation is reported (not in KEV), the availability of a vendor patch and ZDI advisory suggests this vulnerability has been responsibly disclosed and addressed.
Heap-based buffer overflow vulnerability in GStreamer's ASF Demuxer component that allows remote attackers to execute arbitrary code when processing malicious ASF media files. The vulnerability requires user interaction (opening/processing a malicious file) and affects all versions of GStreamer based on the CPE data. No evidence of active exploitation (not in KEV) or public proof-of-concept exists, though Zero Day Initiative tracked it as ZDI-CAN-28843.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.
Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authentication (which can be bypassed) to achieve remote code execution as root. The vulnerability affects the HomeKit Accessory Protocol (HAP) implementation on TCP port 8080 and has a high CVSS score of 8.0, though no active exploitation or public PoC has been reported.
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers to execute arbitrary code when users initiate device pairing. The vulnerability affects all versions of Philips Hue Bridge and has a CVSS score of 8.0, requiring physical proximity and user interaction to exploit. No EPSS data or KEV listing is available, suggesting this is not actively exploited in the wild.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.
A buffer overflow vulnerability exists in the 'su' command of UNIX Fourth Research Edition (v4) from 1973, allowing local users to gain root privileges by overflowing a 100-byte password buffer. While this has a high CVSS score (7.4), it affects an ancient operating system that is extremely unlikely to be in production use today, existing only in historical computing labs or museums. No evidence of active exploitation exists (not in KEV), and the vulnerability was discovered as part of historical security research.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
Heap overflow in FreeRDP gdi_surface_bits() before 3.24.0.
FreeRDP versions prior to 3.24.0 contain an out-of-bounds read vulnerability in MS-ADPCM and IMA-ADPCM audio decoders that allows unauthenticated remote attackers to read sensitive information from process memory. The vulnerability affects all FreeRDP installations using these audio codecs; an attacker can trigger the flaw by providing specially crafted audio data during RDP session establishment, potentially disclosing confidential data such as credentials or session tokens without requiring privileges or interaction beyond basic RDP connection initiation.
Integer underflow (size_t) vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.
FreeRDP versions prior to 3.24.0 contain a client-side heap out-of-bounds read/write vulnerability in the bitmap cache subsystem caused by an off-by-one boundary check error. A malicious RDP server can exploit this by sending a specially crafted CACHE_BITMAP_ORDER (Rev1) packet with cacheId equal to maxCells, allowing access to memory one element past the allocated array boundary. This vulnerability affects FreeRDP clients connecting to untrusted or compromised servers and could lead to information disclosure or denial of service, though the CVSS score of 5.3 and lack of confidentiality impact suggest limited real-world severity.
A client-side heap buffer overflow vulnerability exists in FreeRDP's AVC420/AVC444 YUV-to-RGB color space conversion code due to missing horizontal bounds validation of H.264 metablock region coordinates. FreeRDP versions prior to 3.24.0 are affected, allowing a malicious RDP server to trigger out-of-bounds memory writes via specially crafted WIRE_TO_SURFACE_PDU_1 packets with oversized regionRects left coordinates, resulting in denial of service through heap corruption. The vulnerability requires no user interaction or authentication and has a CVSS score of 5.3 with EPSS risk classification indicating moderate exploitation likelihood; no public exploit code is known to exist at this time.
OOB write in GNU inetutils telnetd through 2.7 via LINEMODE SLC handler.
Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that occurs when processing maliciously crafted files, potentially allowing attackers to leak sensitive information or execute arbitrary code. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab software that allows attackers to achieve information disclosure or arbitrary code execution through specially crafted files. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation (not in KEV) or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab that allows attackers to execute arbitrary code or steal information by tricking users into opening malicious files. The vulnerability has a CVSS score of 7.8 (High) and requires user interaction, with no evidence of active exploitation (not in KEV) or publicly available proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that allows attackers to achieve arbitrary code execution or information disclosure by tricking users into opening malicious .DSB files. With a CVSS score of 7.8 and requiring only user interaction, this out-of-bounds write vulnerability poses significant risk, though no active exploitation or public POCs have been reported.
Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.
Medium severity vulnerability in Ella Networks Core. Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.
High severity vulnerability in Ella Networks Core. Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions up to 7.1.2-16 are affected by a stack-based buffer overflow (CVSS 6.7).
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines where user interaction is required to trigger the malicious GGUF file processing.
Stack-based buffer overflow in Tenda i12 version 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through improper input validation in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can trigger the overflow via the index parameter to execute arbitrary code with elevated privileges.
Remote code execution in Tenda i12 firmware version 1.0.0.6(2204) via stack-based buffer overflow in the WifiMacFilterGet function allows authenticated attackers to achieve full system compromise. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
Stack-based buffer overflow in Tenda i12 1.0.0.6(2204) allows remote attackers with user privileges to achieve complete system compromise through malicious input to the cmdinput parameter in /goform/exeCommand. Public exploit code exists for this vulnerability, and no patch is currently available to remediate the issue.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file handling functionality, affecting Affinity version 3.0.1.3808 and potentially other versions. An attacker can craft a malicious EMF file that, when opened by a user in Affinity, triggers an out-of-bounds memory read, potentially disclosing sensitive information from process memory such as authentication tokens, cryptographic keys, or other confidential data. The vulnerability requires user interaction (opening a file) and local access, making it a moderate-priority issue with a CVSS base score of 6.1, though the high confidentiality impact warrants prompt patching.
An out-of-bounds read vulnerability exists in Canva Affinity's EMF (Enhanced Metafile) file parsing functionality that allows attackers to read memory beyond allocated buffer boundaries. Canva Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker can craft a malicious EMF file that, when opened by a user, triggers the out-of-bounds read to disclose sensitive information from process memory; the vulnerability requires user interaction (opening the file) but no elevated privileges, making it a practical attack vector for phishing or drive-by downloads.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries by crafting malicious EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected. An attacker with local access can exploit this vulnerability through user interaction (opening a crafted EMF file) to disclose sensitive information from process memory, with potential for denial of service through application crashes.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file parsing functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. Affinity version 3.0.1.3808 and potentially earlier versions are affected, with the vulnerability requiring only local access and user interaction (opening a malicious file) to trigger. Successful exploitation enables disclosure of sensitive information from application memory, with potential limited impact on system availability; no active exploitation or public proof-of-concept has been confirmed at this time based on available intelligence sources.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) image processing functionality of Canva Affinity, enabling attackers to read memory beyond allocated buffer boundaries through specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, allowing unauthenticated local attackers with no special privileges to trigger the flaw via user interaction (opening a malicious file). Successful exploitation can disclose sensitive information from process memory, with a secondary risk of application instability (low availability impact). No active exploitation in the wild or public proof-of-concept has been confirmed based on available intelligence, but the vulnerability has been formally disclosed by Talos Intelligence and tracked in NIST NVD and ENISA EUVD databases.
An out-of-bounds read vulnerability exists in the EMF (Enhanced Metafile) file handling functionality of Canva Affinity, allowing attackers to read memory beyond allocated buffer boundaries when processing specially crafted EMF files. The vulnerability affects Canva Affinity version 3.0.1.3808 and potentially other versions, requiring local access and user interaction (opening a malicious EMF file). Successful exploitation can lead to disclosure of sensitive information from process memory, with limited impact on system availability. No active exploitation in the wild has been confirmed via KEV status, and the CVSS 6.1 score reflects moderate risk balanced between high confidentiality impact and lower attack complexity.
Canva Affinity's EMF file parser is vulnerable to out-of-bounds read attacks when processing specially crafted files, allowing attackers to extract sensitive information from application memory. This local vulnerability requires user interaction to trigger and has no available patch, affecting users who open malicious EMF documents in Affinity.
Canva Affinity's EMF file parser is vulnerable to an out-of-bounds read (CWE-125) when processing specially crafted EMF files, allowing local attackers to extract sensitive data from application memory. This medium-severity vulnerability affects users who open untrusted EMF files and currently has no available patch. The attack requires user interaction and local access but poses a real information disclosure risk.
Stack-based buffer overflow in Wazuh manager versions 3.9.0 through 4.14.3 allows remote attackers with high privileges to crash the `wazuh-analysisd` service via malformed JSON events, resulting in denial of service. The vulnerability stems from unsafe use of sprintf with floating-point format specifiers in the Security Configuration Assessment decoder, and may potentially enable remote code execution on affected Wazuh installations.
Stack-based buffer overflow in Wazuh 4.4.0 through 4.14.2 allows authenticated remote attackers with high privileges to trigger an integer underflow in the database synchronization module, causing denial of service or potential code execution. The vulnerability exists in SQL query construction logic within wdb_delta_event.c where improper size calculations on buffers exceeding 2048 bytes can corrupt the stack. A patch is available in version 4.14.3.
The NewXMLTree method in affected products is vulnerable to a denial of service condition where an out-of-bounds write of a single zero byte can trigger an application crash. An unauthenticated remote attacker can exploit this memory corruption vulnerability without user interaction to cause service disruption. No patch is currently available for this issue.
Remote code execution in UTT HiPER 810G up to version 1.7.7-171114 through a buffer overflow in the /goform/formApLbConfig endpoint allows authenticated attackers to achieve complete system compromise. The vulnerability stems from unsafe use of strcpy() on the loadBalanceNameOld parameter, and public exploit code is currently available. No patch has been released for affected devices.
Denial of service in libucl allows remote attackers to crash affected applications by submitting maliciously crafted UCL configuration files containing null bytes in object keys, triggering a segmentation fault in the ucl_object_emit function. The vulnerability requires user interaction but has high impact potential with no available patch, affecting systems that parse untrusted UCL input. An attacker can remotely exploit this with low complexity to disable services relying on libucl for configuration parsing.
A critical heap buffer overflow vulnerability exists in YAML::Syck through version 1.36 for Perl, allowing remote attackers to potentially execute arbitrary code or cause denial of service without authentication. The vulnerability stems from multiple memory corruption issues including heap overflow when processing YAML class names exceeding 512 bytes, buffer overread in base64 decoding, and memory leaks. With a CVSS score of 9.1 and network-based attack vector requiring no user interaction, this presents a severe risk to applications parsing untrusted YAML input.
Remote code execution in Tenda AC8 firmware versions up to 16.03.50.11 results from a stack-based buffer overflow in the HTTP endpoint handling password change requests. An unauthenticated attacker can exploit this vulnerability over the network to execute arbitrary commands with full system privileges. Public exploit code exists for this vulnerability and no patch is currently available.
A buffer overflow vulnerability (CVSS 6.0). Remediation should follow standard vulnerability management procedures.
Buffer overflow in pyOpenSSL's cookie generation callback allows attackers to corrupt memory and potentially achieve remote code execution by supplying oversized cookie values exceeding 256 bytes. The vulnerability affects applications using custom cookie callbacks with OpenSSL integration, where insufficient length validation permits writing beyond allocated buffer boundaries. A patch is available that implements proper cookie size validation.
Heap-based buffer overflow vulnerability in Softing Industrial Automation GmbH smartLink SW-PN and smartLink SW-HT (Webserver modules) allows attackers to overflow buffers. This issue affects smartLink SW-PN through 1.03 and smartLink SW-HT through 1.42.
Remote code execution in LB-LINK BL-WR9000 2.4.9 via buffer overflow in the /goform/get_hidessid_cfg endpoint allows authenticated attackers to achieve complete system compromise over the network. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. An attacker with login credentials can trigger the overflow in the sub_44D844 function to execute arbitrary code with full system privileges.
Stack Overflow's infrastructure contains a stack-based buffer overflow in a virtual configuration function that can be exploited remotely by authenticated attackers to achieve complete system compromise. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. An attacker with valid credentials can manipulate input to the vulnerable endpoint and execute arbitrary code with full system privileges.
An out-of-bounds write vulnerability (CWE-787) exists in OpenHarmony versions up to and including v5.1.0, enabling local attackers to execute arbitrary code within pre-installed applications. The vulnerability requires local access and low privileges but can result in complete confidentiality compromise. This is a memory corruption issue that, while restricted to specific scenarios, poses a meaningful risk to OpenHarmony device security given the local attack vector and high impact on confidentiality.
An out-of-bounds write vulnerability in OpenHarmony v5.1.0 and earlier versions allows local attackers with limited privileges to achieve arbitrary code execution within pre-installed applications through memory corruption. The vulnerability, tracked as CVE-2025-41432 and assigned CVSS 5.5, exploits CWE-787 (out-of-bounds write) and is limited to restricted attack scenarios that require local access and low privilege levels. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the availability of vulnerability disclosure documentation and the nature of memory corruption bugs suggest heightened risk for motivated threat actors.
Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.
Stack-based buffer overflow in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-326, DNS-1100-4, and others) through the UPnP_AV_Server_Path_Setting function in /cgi-bin/app_mgr.cgi allows authenticated remote attackers to achieve complete system compromise with high integrity, confidentiality, and availability impact. Public exploit code exists for this vulnerability, and no patch is currently available.
Stack-based buffer overflow in D-Link DNS storage appliances (DNS-120, DNS-340L, DNS-1200-05 and others) through the /cgi-bin/gui_mgr.cgi endpoint allows remote authenticated attackers to achieve code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected firmware versions are dated up to February 5, 2026.
Stack-based buffer overflow in D-Link DNS NAS devices (DNS-120 through DNS-1550-04) allows authenticated attackers to achieve remote code execution via the Downloads_Schedule_Info function in /cgi-bin/download_mgr.cgi. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed over the network with high impact on confidentiality, integrity, and availability.
Stack-based buffer overflow in D-Link DNS and DNR network storage devices allows authenticated remote attackers to execute arbitrary code by manipulating the f_idx parameter in the local_backup_mgr.cgi endpoint. Public exploit code exists for this vulnerability, which affects multiple device models up to firmware version 20260205 with no patch currently available. An attacker with valid credentials can trigger memory corruption to achieve complete system compromise including code execution, data theft, and service disruption.
An out-of-bounds memory access (OOB) in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) via supplying a crafted packet.
Out-of-bounds read in FFmpeg 8.0 and 8.0.1 RV60 video decoder (libavcodec/rv60dec.c).
Remote code execution in D-Link DIR-619L 2.06B01 results from a stack-based buffer overflow in the formSchedule function when the curTime parameter is manipulated via the /goform/formSchedule endpoint. An authenticated remote attacker can exploit this vulnerability to achieve full system compromise, and public exploit code is currently available. This vulnerability affects only end-of-life devices that no longer receive security updates.
Stack-based buffer overflow vulnerability in GPAC's MP4Box component, specifically in the swf_def_bits_jpeg function of src/scene_manager/swf_parse.c, affecting versions up to 2.5-DEV-rev2167. An authenticated attacker can exploit this remotely by manipulating the szName argument to cause a stack overflow, resulting in information disclosure, data modification, or denial of service. A public proof-of-concept exists, and a vendor patch is available; exploitation requires valid credentials (CVSS 6.3 with authenticated access requirement).
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available on GitHub, making this vulnerability actively exploitable. However, D-Link no longer supports this product, meaning no patch will be released.
Critical stack-based buffer overflow vulnerability in D-Link DIR-816 router firmware version 1.10CNB05, affecting the wireless configuration interface (/goform/form2WlanBasicSetup.cgi). A publicly available proof-of-concept exploit exists, allowing remote attackers without authentication to achieve complete system compromise. The vulnerability affects end-of-life products no longer supported by D-Link, making patches unlikely.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (version 1.10CNB05) that allows remote attackers to achieve full system compromise without authentication. A public proof-of-concept exploit is available on GitHub, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
Critical stack-based buffer overflow vulnerability in the D-Link DIR-816 router (firmware version 1.10CNB05) that allows remote attackers to execute arbitrary code without authentication. A public proof-of-concept exploit is available, and the vulnerability affects end-of-life products no longer supported by D-Link, making this a high-risk issue for organizations still using these devices.
Heap-based buffer overflow vulnerability in the DnsServer component of Tuya's arduino-TuyaOpen library (versions before 1.2.1) that allows attackers on the same LAN to execute arbitrary code on IoT/embedded devices by sending malicious DNS responses. With a CVSS score of 8.8 and tags indicating RCE capability, this represents a significant risk for connected embedded devices, though no active exploitation (not in KEV) or public PoC has been identified.
CVE-2026-28521 is an out-of-bounds memory read vulnerability in the TuyaIoT component of arduino-TuyaOpen library versions prior to 1.2.1, affecting IoT devices using Tuya's cloud platform. An attacker who compromises or controls the Tuya cloud service can send malformed DP (data point) events to trigger memory disclosure or denial-of-service conditions. While rated CVSS 7.7, the exploitation requires local access according to the vector, creating some contradiction with the cloud-based attack scenario described.
Single-byte buffer overflow vulnerability in the WiFiMulti component of arduino-TuyaOpen (versions before 1.2.1) that allows remote code execution when IoT devices connect to attacker-controlled WiFi access points. This affects Tuya's Arduino library used in smart home devices, with a CVSS score of 8.4, though the local attack vector (AV:L) suggests physical proximity is required despite the remote exploitation capability described.
Stack-based buffer overflow vulnerability in TRENDnet TEW-632BRP firmware version 1.010B32, specifically in the ping_response.cgi file's HTTP POST request handler. An authenticated attacker with high privileges can exploit this vulnerability remotely to achieve code execution with high impact to confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub, though the vulnerability is not listed in CISA KEV and no EPSS score is provided.
Remote code execution via stack-based buffer overflow in Belkin F9K1122 router firmware allows authenticated attackers to achieve complete system compromise through the /goform/formReboot endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The high CVSS score of 8.8 reflects the severity of unauthenticated remote exploitation potential in networked deployments.
A buffer overflow vulnerability (CVSS 6.1). Remediation should follow standard vulnerability management procedures.
Heap-based buffer overflow (out-of-bounds read) in GNU Binutils' BFD linker component that affects RHEL 6, 7, 8, and 10, as well as multiple Debian and Ubuntu releases. An attacker can exploit this vulnerability by distributing a malicious XCOFF object file, which when processed by a user, may disclose sensitive information from process memory or crash the application. While the CVSS score of 6.1 indicates medium severity with user interaction required, the vulnerability impacts widely-deployed enterprise Linux distributions across Red Hat, Debian, and Ubuntu ecosystems.
Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
Stack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zenoh uORB subscriber fails to validate incoming payload sizes, allowing remote attackers to crash the Zenoh bridge task. No active exploitation (not in KEV), no known POC, and the local attack vector (CVSS AV:L) limits real-world impact despite the high 7.8 CVSS score.
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows stack memory corruption when processing specially crafted CAN frames. An attacker with CAN bus injection capability can trigger denial of service or memory corruption in drone systems where tattu_can is enabled, potentially compromising flight safety and system stability.
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network attackers to crash the system by sending oversized CRSF packets. The vulnerability requires the CRSF receiver protocol to be enabled on a serial port and can cause memory corruption leading to denial of service. No active exploitation (not in KEV) or public POC has been reported.
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that allows a malicious BST device to trigger a buffer overflow by reporting an oversized dev_name_len parameter without bounds checking. An attacker with physical access to inject a malicious BST device can crash the autopilot task or potentially achieve arbitrary code execution, impacting drone flight safety and control systems. No active KEV exploitation data or public POC is currently documented, but the vulnerability is patched in version 1.17.0-rc2.
Critical out-of-bounds write vulnerability in GStreamer's rtpqdm2depay component that allows remote code execution when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction, though attack vectors vary by implementation. With a CVSS score of 8.8 and active patch available, this represents a significant risk for applications using GStreamer for media processing.
CVE-2026-3086 is an out-of-bounds write vulnerability in GStreamer's H.266 codec parser that allows remote code execution when processing malformed APS (Adaptation Parameter Set) units. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, such as processing a malicious H.266 video file. No evidence of active exploitation (not in KEV), no public POC, and no EPSS score available yet.
Heap-based buffer overflow vulnerability in GStreamer's rtpqdm2depay component that allows remote attackers to execute arbitrary code when processing malformed X-QDM RTP payloads. The vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary based on implementation. No active exploitation is known (not in KEV), and no EPSS score is available to assess real-world exploitation probability.
Heap-based buffer overflow vulnerability in the GStreamer multimedia framework's JPEG parser that allows remote code execution when processing malicious Huffman tables. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to exploit, with a CVSS score of 7.8. No active exploitation in the wild has been reported (not in KEV), and no EPSS data is available.
Stack-based buffer overflow in GStreamer's H.266 codec parser that allows remote code execution when processing malicious video files. The vulnerability affects all versions of GStreamer (CPE shows wildcard versioning) and requires user interaction to trigger, such as opening a malicious media file. No active exploitation (not in KEV) or public PoC has been reported, with EPSS data unavailable.
CVE-2026-2923 is an out-of-bounds write vulnerability in GStreamer's DVB Subtitles handling that allows remote code execution when processing malformed subtitle coordinates. This vulnerability affects all versions of GStreamer (CPE indicates no version restrictions) and requires user interaction to exploit, though attack vectors may vary by implementation. No evidence of active exploitation (not in KEV), no public POC available, and no EPSS data provided.
Critical remote code execution vulnerability in GStreamer's RealMedia demuxer component, allowing attackers to execute arbitrary code via malformed video packets that trigger an out-of-bounds write. The vulnerability affects all versions of GStreamer (CPE indicates wildcard versioning) and requires user interaction to process malicious media files. While no active exploitation is reported (not in KEV), the availability of a vendor patch and ZDI advisory suggests this vulnerability has been responsibly disclosed and addressed.
Heap-based buffer overflow vulnerability in GStreamer's ASF Demuxer component that allows remote attackers to execute arbitrary code when processing malicious ASF media files. The vulnerability requires user interaction (opening/processing a malicious file) and affects all versions of GStreamer based on the CPE data. No evidence of active exploitation (not in KEV) or public proof-of-concept exists, though Zero Day Initiative tracked it as ZDI-CAN-28843.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers to execute arbitrary code through malformed PUT requests to the HomeKit Accessory Protocol (HAP) characteristics endpoint. While authentication is normally required, the advisory notes the authentication mechanism can be bypassed, effectively allowing unauthenticated remote code execution. No EPSS score or KEV listing is available, suggesting this is not currently being exploited in the wild.
Heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows unauthenticated network-adjacent attackers to execute arbitrary code. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restrictions) through the hk_hap_pair_storage_put function on TCP port 8080. No EPSS data or KEV listing is available, and while ZDI has published an advisory, no public POC or active exploitation has been reported.
Heap-based buffer overflow vulnerability in Philips Hue Bridge devices that allows network-adjacent attackers with authentication (which can be bypassed) to achieve remote code execution as root. The vulnerability affects the HomeKit Accessory Protocol (HAP) implementation on TCP port 8080 and has a high CVSS score of 8.0, though no active exploitation or public PoC has been reported.
Critical heap-based buffer overflow vulnerability in Philips Hue Bridge's HomeKit implementation that allows network-adjacent attackers to execute arbitrary code without authentication. The vulnerability affects all versions of Philips Hue Bridge (CPE indicates no version restriction) and stems from improper input validation in the hk_hap_pair_storage_put function. No active exploitation (not in KEV) or EPSS score is reported, but the high CVSS score (8.8) and RCE capability make this a significant threat for local network attackers.
Heap-based buffer overflow vulnerability in the Philips Hue Bridge's Zigbee stack that allows network-adjacent attackers to execute arbitrary code when users initiate device pairing. The vulnerability affects all versions of Philips Hue Bridge and has a CVSS score of 8.0, requiring physical proximity and user interaction to exploit. No EPSS data or KEV listing is available, suggesting this is not actively exploited in the wild.
Chrome's V8 JavaScript engine contains an inappropriate implementation (CVE-2026-3910, CVSS 8.8) that allows remote attackers to execute arbitrary code within the browser sandbox via crafted HTML pages. KEV-listed with public PoC, this V8 vulnerability affects all Chromium-based browsers and enables drive-by exploitation through any web page containing malicious JavaScript.
Google Chrome's Skia graphics library contains an out-of-bounds write (CVE-2026-3909, CVSS 8.8) enabling remote attackers to perform memory corruption through crafted HTML pages. KEV-listed with public PoC and patches available, this vulnerability in the core graphics rendering engine affects all Chromium-based browsers.
Stack overflow in HMS Networks Ewon Flexy/Cosy+ firmware.
A buffer overflow vulnerability exists in the 'su' command of UNIX Fourth Research Edition (v4) from 1973, allowing local users to gain root privileges by overflowing a 100-byte password buffer. While this has a high CVSS score (7.4), it affects an ancient operating system that is extremely unlikely to be in production use today, existing only in historical computing labs or museums. No evidence of active exploitation exists (not in KEV), and the vulnerability was discovered as part of historical security research.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, there is an out-of-bounds read in freerdp_bitmap_decompress_planar when SrcSize is 0. The function dereferences *srcp (which points to pSrcData) without first verifying that SrcSize >= 1. When SrcSize is 0 and pSrcData is non-NULL, this reads one byte past the end of the source buffer. This vulnerability is fixed in 3.24.0.
Heap overflow in FreeRDP gdi_surface_bits() before 3.24.0.
FreeRDP versions prior to 3.24.0 contain an out-of-bounds read vulnerability in MS-ADPCM and IMA-ADPCM audio decoders that allows unauthenticated remote attackers to read sensitive information from process memory. The vulnerability affects all FreeRDP installations using these audio codecs; an attacker can trigger the flaw by providing specially crafted audio data during RDP session establishment, potentially disclosing confidential data such as credentials or session tokens without requiring privileges or interaction beyond basic RDP connection initiation.
size_t integer underflow vulnerability in FreeRDP's IMA-ADPCM and MS-ADPCM audio decoders that triggers a heap buffer overflow write via the RDPSND audio channel. All FreeRDP versions prior to 3.24.0 are affected. An unauthenticated remote attacker can exploit this vulnerability over the network without user interaction to cause information disclosure and data corruption, though not denial of service based on the CVSS impact ratings.
FreeRDP versions prior to 3.24.0 contain a client-side heap out-of-bounds read/write vulnerability in the bitmap cache subsystem caused by an off-by-one boundary check error. A malicious RDP server can exploit this by sending a specially crafted CACHE_BITMAP_ORDER (Rev1) packet with cacheId equal to maxCells, allowing access to memory one element past the allocated array boundary. This vulnerability affects FreeRDP clients connecting to untrusted or compromised servers and could lead to information disclosure or denial of service, though the CVSS score of 5.3 and lack of confidentiality impact suggest limited real-world severity.
A client-side heap buffer overflow vulnerability exists in FreeRDP's AVC420/AVC444 YUV-to-RGB color space conversion code due to missing horizontal bounds validation of H.264 metablock region coordinates. FreeRDP versions prior to 3.24.0 are affected, allowing a malicious RDP server to trigger out-of-bounds memory writes via specially crafted WIRE_TO_SURFACE_PDU_1 packets with oversized regionRects left coordinates, resulting in denial of service through heap corruption. The vulnerability requires no user interaction or authentication and has a CVSS score of 5.3 with EPSS risk classification indicating moderate exploitation likelihood; no public exploit code is known to exist at this time.
OOB write in GNU inetutils telnetd through 2.7 via LINEMODE SLC handler.
Unauthenticated attackers can trigger out-of-bounds memory access in the web interface of multiple Omada switches through improper input validation, potentially achieving remote code execution or causing denial-of-service. Affected products include Sg2005p PD 1.x, Sg2008 4.2x/4.3x, and Sg2008p 3.2x/3.3x, which require only network access to the vulnerable interface. A patch is available to address this high-severity vulnerability (CVSS 7.7).
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that occurs when processing maliciously crafted files, potentially allowing attackers to leak sensitive information or execute arbitrary code. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab software that allows attackers to achieve information disclosure or arbitrary code execution through specially crafted files. The vulnerability requires user interaction (opening a malicious file) and has a CVSS score of 7.8, with no current evidence of active exploitation (not in KEV) or public proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab that allows attackers to execute arbitrary code or steal information by tricking users into opening malicious files. The vulnerability has a CVSS score of 7.8 (High) and requires user interaction, with no evidence of active exploitation (not in KEV) or publicly available proof-of-concept code.
Memory corruption vulnerability in all versions of Digilent DASYLab data acquisition software that allows attackers to achieve arbitrary code execution or information disclosure by tricking users into opening malicious .DSB files. With a CVSS score of 7.8 and requiring only user interaction, this out-of-bounds write vulnerability poses significant risk, though no active exploitation or public POCs have been reported.
Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.
Medium severity vulnerability in Ella Networks Core. Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.
High severity vulnerability in Ella Networks Core. Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes.
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions up to 7.1.2-16 are affected by a stack-based buffer overflow (CVSS 6.7).
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.
Local attackers can trigger a heap buffer overflow in llama.cpp versions before b8146 through an integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from an undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines, where user interaction is required to trigger processing of the malicious GGUF file.
Stack-based buffer overflow in Tenda i12 version 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through improper input validation in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can trigger the overflow via the index parameter to execute arbitrary code with elevated privileges.
Remote code execution in Tenda i12 firmware version 1.0.0.6(2204) via stack-based buffer overflow in the WifiMacFilterGet function allows authenticated attackers to achieve full system compromise. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
Stack-based buffer overflow in Tenda i12 1.0.0.6(2204) allows remote attackers with user privileges to achieve complete system compromise through malicious input to the cmdinput parameter in /goform/exeCommand. Public exploit code exists for this vulnerability, and no patch is currently available to remediate the issue.