Skip to main content

Buffer Overflow

36130 CVEs technique

Monthly

CVE-2026-53147 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.

Linux Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-53143 HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53138 HIGH PATCH This Week

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.

Linux Amd Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53137 HIGH PATCH This Week

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.

Memory Corruption Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53136 HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.

Memory Corruption Linux Amd Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53133 HIGH PATCH This Week

Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-12246 HIGH PATCH This Week

Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Nsd Red Hat Suse
NVD VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-54226 MEDIUM This Month

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Apache Integer Overflow
NVD VulDB
CVSS 4.0
6.4
EPSS
0.3%
CVE-2026-46752 CRITICAL Act Now

Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Path Traversal Buffer Overflow Apache Heap Overflow
NVD VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-46751 MEDIUM This Month

Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.

Path Traversal Buffer Overflow Apache
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-2050 HIGH This Week

Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Heap Overflow Buffer Overflow RCE Gimp
NVD VulDB
CVSS 3.1
7.8
EPSS
0.5%
CVE-2026-13033 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.

Google RCE Buffer Overflow Information Disclosure Red Hat
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-53076 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. 4 bytes), causing copy_map_value_long to read past the true source size. The issue is fixed in stable kernels; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.16%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53068 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's Arm Mali 'komeda' DRM display driver allows a local low-privileged user to bypass AFBC framebuffer size validation via an integer overflow, supplying an undersized GEM buffer object that the driver treats as valid. Exploitation requires local access to the DRM device on hardware using the komeda driver, and there is no public exploit identified at time of analysis; EPSS probability is very low (0.16%, 6th percentile). The flaw was found by the Linux Verification Center using SVACE static analysis and is fixed across multiple stable kernel series.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53059 MEDIUM PATCH This Month

Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. Tracked as CVE-2026-53059 (CWE-190) with CVSS 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the upstream report includes a working reproducer and a confirmed kernel crash.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
6.3
EPSS
0.2%
CVE-2026-53047 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

Linux Buffer Overflow
NVD VulDB
EPSS
0.2%
CVE-2026-53044 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's NVIDIA Tegra Control Backbone (CBB) driver (soc/tegra: cbb) stems from an incorrect ARRAY_SIZE calculation in the fabric lookup tables, which can be triggered during a target timeout lookup on Tegra-based systems. A local, low-privileged attacker on affected Tegra hardware could read out-of-bounds kernel memory (information disclosure) or crash the system (denial of service), with CVSS 7.1. The flaw has been fixed upstream; there is no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53043 CRITICAL PATCH Act Now

Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile); the issue is fixed across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-53041 HIGH PATCH This Week

Memory-safety failure in the Linux kernel OCFS2 filesystem's listxattr() path allows a local low-privileged user to crash the kernel (and potentially leak adjacent kernel heap memory) when an OCFS2 inode carries both inline and block-based extended attributes. Introduced by refactor commit 936b8834366e, the bug causes copy_to_user() to be invoked with a length larger than the allocated list buffer, tripping the hardened usercopy check (kernel BUG at mm/usercopy.c:102). EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53040 HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.

Linux Buffer Overflow Memory Corruption Use After Free
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53038 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ima_fs: Correctly create securityfs files for unsupported hash algos ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53021 MEDIUM PATCH This Month

Integer overflow in the Linux kernel SCSI target core allows a local attacker with low privileges to crash the kernel via crafted UNMAP commands. The `sbc_execute_unmap()` function performs a capacity bounds check on LBA + range but fails to guard against 64-bit wraparound, meaning an attacker can supply values that overflow to bypass the check and trigger a kernel panic. No public exploit code or CISA KEV listing exists; EPSS is 0.18% (7th percentile), reflecting the niche attack surface limited to systems actively running SCSI target daemons. Patches are confirmed available across all supported stable kernel branches.

Buffer Overflow Linux Integer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-53004 HIGH PATCH This Week

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-53002 CRITICAL PATCH Act Now

Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.

Linux Buffer Overflow Memory Corruption
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52999 CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52992 HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52989 CRITICAL PATCH Act Now

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52972 MEDIUM PATCH This Month

Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-52969 HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.

Integer Overflow Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52968 HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52967 HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-52962 HIGH PATCH This Week

Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.

Buffer Overflow Memory Corruption Linux
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52958 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-52956 HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-52955 CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-52953 HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-56111 HIGH POC PATCH This Week

Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).

Denial Of Service Buffer Overflow Marlin
NVD GitHub
CVSS 4.0
8.3
EPSS
0.5%
CVE-2026-42450 HIGH PATCH This Week

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.

Microsoft Buffer Overflow Opencolorio Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-56370 NuGet MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow Information Disclosure Imagemagick +2
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-52942 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52935 HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.

Linux Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52927 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2026-52917 HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52915 HIGH PATCH This Week

Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.

Linux Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-52914 CRITICAL PATCH Act Now

Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.

Linux Denial Of Service Memory Corruption Buffer Overflow
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-9539 MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-12848 CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD VulDB
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12847 CRITICAL Act Now

Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12846 CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12485 CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-12488 MEDIUM This Month

Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.

Denial Of Service Stack Overflow Buffer Overflow Geovision
NVD VulDB
CVSS 3.1
6.2
EPSS
0.2%
CVE-2025-60474 HIGH POC This Week

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.

Buffer Overflow Denial Of Service Stack Overflow N A
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60468 MEDIUM POC This Month

Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.

Heap Overflow Denial Of Service Buffer Overflow N A
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-12892 MEDIUM This Month

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-12891 MEDIUM This Month

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2020-9695 HIGH This Week

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Adobe Buffer Overflow Memory Corruption Acrobat Reader
NVD VulDB
CVSS 3.1
7.8
EPSS
0.2%
CVE-2020-9711 MEDIUM This Month

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2020-9713 MEDIUM This Month

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure Acrobat Reader
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-57053 LOW PATCH Monitor

Out-of-bounds reads of uninitialized memory in GNU libidn before version 1.44 are triggerable through the ToUnicode IDNA APIs when malformed internationalized domain name input is processed by the vulnerable function `idna_to_unicode_internal`. Applications statically or dynamically linked against affected libidn versions that pass attacker-influenced hostname strings to these APIs are exposed to integrity and availability disruption. No public exploit has been identified at time of analysis, and the successor library libidn2 is explicitly confirmed unaffected, providing a viable migration path for defenders.

Buffer Overflow Libidn
NVD VulDB
CVSS 3.1
2.5
EPSS
0.1%
CVE-2026-56117 MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.

Use After Free Memory Corruption Buffer Overflow Dhcpcd
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-56115 HIGH PATCH This Week

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, but a vendor fix (commit 2f00c7b) is available.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56114 MEDIUM PATCH This Month

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-55556 CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub
CVE-2026-12969 MEDIUM PATCH This Month

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +3
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-44089 CRITICAL Act Now

Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.

Buffer Overflow Stack Overflow Ex1200L
NVD VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-55654 LOW PATCH Monitor

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.

Buffer Overflow Denial Of Service SSH Information Disclosure Red Hat Enterprise Linux 10 +6
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-10658 HIGH This Week

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Zephyr Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-10651 MEDIUM This Month

Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. No public exploit identified at time of analysis, though the GHSA advisory describes the trigger conditions in enough detail to reproduce.

Buffer Overflow Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-10645 MEDIUM This Month

Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Buffer Overflow Path Traversal Denial Of Service Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2026-48502 NuGet HIGH PATCH GHSA This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.

Buffer Overflow Information Disclosure Messagepack Csharp
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
CVE-2026-48506 NuGet HIGH PATCH GHSA This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. No public exploit identified at time of analysis, but the bug is straightforward to trigger and fixes are already published upstream.

Buffer Overflow Messagepack Csharp
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-12549 MEDIUM This Month

Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-12725 MEDIUM PATCH This Month

Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the network-deliverable attack vector (PR:N) makes the configuration prerequisite the primary limiting factor for defenders.

Buffer Overflow Denial Of Service Heap Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +4
NVD VulDB
CVSS 3.1
5.9
EPSS
0.4%
CVE-2026-12806 HIGH POC This Week

Stack/heap buffer overflow in the Edimax BR-6478AC V2 wireless router (firmware 1.23) lets an authenticated attacker corrupt memory by sending an oversized selSSID parameter to the formWlSiteSurvey handler under /goform/, enabling denial of service and potentially arbitrary code execution on the device. Publicly available exploit code exists, but no public exploit identified at time of analysis as actively used in attacks (not in CISA KEV); the vendor was notified and did not respond, leaving devices unpatched. CVSS 4.0 base score is 7.4 reflecting network reachability of the management interface combined with required low-privilege authentication.

Buffer Overflow Br 6478Ac V2
NVD VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-12805 LOW POC PATCH Monitor

Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard `if (!l)` failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. A public proof-of-concept exploit exists per VulDB and a published Medium writeup; no active exploitation is confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects passive-interaction and low-impact ratings, but the presence of public exploit code elevates practical risk for any DCMTK deployment that parses externally influenced XML files.

Buffer Overflow Heap Overflow Dcmtk
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-56411 MEDIUM PATCH This Month

Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56410 MEDIUM PATCH This Month

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56409 MEDIUM PATCH This Month

Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-56408 MEDIUM PATCH This Month

Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56407 MEDIUM PATCH This Month

Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56406 MEDIUM PATCH This Month

Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56405 MEDIUM PATCH This Month

Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56404 MEDIUM PATCH This Month

Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.

Integer Overflow Buffer Overflow Libexpat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56403 MEDIUM PATCH This Month

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.

Integer Overflow Buffer Overflow Libexpat Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-56378 NuGet MEDIUM PATCH This Month

Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.

Information Disclosure Denial Of Service Buffer Overflow Imagemagick Red Hat
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56367 NuGet MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56340 PyPI HIGH PATCH This Week

Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.

Denial Of Service Buffer Overflow Vllm
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-9265 CRITICAL PATCH Act Now

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

OpenSSL Information Disclosure Crypt Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-54905 Ruby LOW PATCH GHSA Monitor

Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-49346 HIGH PATCH This Week

Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.

Integer Overflow Buffer Overflow Libde265
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.

Linux Information Disclosure Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).

Linux Buffer Overflow Checkpoint
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.

Linux Amd Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.

Memory Corruption Linux Amd +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.

Memory Corruption Linux Amd +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Buffer Overflow Nsd Red Hat +1
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Apache Integer Overflow
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Path Traversal Buffer Overflow Apache +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.

Path Traversal Buffer Overflow Apache
NVD VulDB
EPSS 1% CVSS 7.8
HIGH This Week

Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Heap Overflow Buffer Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.

Google RCE Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. 4 bytes), causing copy_map_value_long to read past the true source size. The issue is fixed in stable kernels; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.16%, 5th percentile).

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's Arm Mali 'komeda' DRM display driver allows a local low-privileged user to bypass AFBC framebuffer size validation via an integer overflow, supplying an undersized GEM buffer object that the driver treats as valid. Exploitation requires local access to the DRM device on hardware using the komeda driver, and there is no public exploit identified at time of analysis; EPSS probability is very low (0.16%, 6th percentile). The flaw was found by the Linux Verification Center using SVACE static analysis and is fixed across multiple stable kernel series.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. Tracked as CVE-2026-53059 (CWE-190) with CVSS 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the upstream report includes a working reproducer and a confirmed kernel crash.

Integer Overflow Linux Buffer Overflow
NVD VulDB
EPSS 0%
PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's NVIDIA Tegra Control Backbone (CBB) driver (soc/tegra: cbb) stems from an incorrect ARRAY_SIZE calculation in the fabric lookup tables, which can be triggered during a target timeout lookup on Tegra-based systems. A local, low-privileged attacker on affected Tegra hardware could read out-of-bounds kernel memory (information disclosure) or crash the system (denial of service), with CVSS 7.1. The flaw has been fixed upstream; there is no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile); the issue is fixed across multiple stable kernel branches.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Memory-safety failure in the Linux kernel OCFS2 filesystem's listxattr() path allows a local low-privileged user to crash the kernel (and potentially leak adjacent kernel heap memory) when an OCFS2 inode carries both inline and block-based extended attributes. Introduced by refactor commit 936b8834366e, the bug causes copy_to_user() to be invoked with a length larger than the allocated list buffer, tripping the hardened usercopy check (kernel BUG at mm/usercopy.c:102). EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not in CISA KEV.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.

Linux Buffer Overflow Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: ima_fs: Correctly create securityfs files for unsupported hash algos ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel SCSI target core allows a local attacker with low privileges to crash the kernel via crafted UNMAP commands. The `sbc_execute_unmap()` function performs a capacity bounds check on LBA + range but fails to guard against 64-bit wraparound, meaning an attacker can supply values that overflow to bypass the check and trigger a kernel panic. No public exploit code or CISA KEV listing exists; EPSS is 0.18% (7th percentile), reflecting the niche attack surface limited to systems actively running SCSI target daemons. Patches are confirmed available across all supported stable kernel branches.

Buffer Overflow Linux Integer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.

Linux Buffer Overflow Memory Corruption
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.

Integer Overflow Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.

Integer Overflow Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).

Buffer Overflow Linux Information Disclosure
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.

Linux Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.

Buffer Overflow Memory Corruption Linux
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.

Linux Canonical Information Disclosure +1
NVD VulDB
EPSS 1% CVSS 8.3
HIGH POC PATCH This Week

Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).

Denial Of Service Buffer Overflow Marlin
NVD GitHub
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.

Microsoft Buffer Overflow Opencolorio +1
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.

Denial Of Service RCE Buffer Overflow +4
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.

Linux Memory Corruption Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

Linux Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.

Linux Buffer Overflow
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.

Linux Denial Of Service Memory Corruption +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.

Buffer Overflow Information Disclosure Libslirp +1
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL Act Now

Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
EPSS 0% CVSS 10.0
CRITICAL Act Now

Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).

Stack Overflow Buffer Overflow Gv I O Box 4E
NVD
EPSS 0% CVSS 6.2
MEDIUM This Month

Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.

Denial Of Service Stack Overflow Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC This Week

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM This Month

Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +4
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +2
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Adobe Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Adobe Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 2.5
LOW PATCH Monitor

Out-of-bounds reads of uninitialized memory in GNU libidn before version 1.44 are triggerable through the ToUnicode IDNA APIs when malformed internationalized domain name input is processed by the vulnerable function `idna_to_unicode_internal`. Applications statically or dynamically linked against affected libidn versions that pass attacker-influenced hostname strings to these APIs are exposed to integrity and availability disruption. No public exploit has been identified at time of analysis, and the successor library libidn2 is explicitly confirmed unaffected, providing a viable migration path for defenders.

Buffer Overflow Libidn
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.

Use After Free Memory Corruption Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, but a vendor fix (commit 2f00c7b) is available.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CRITICAL PATCH Act Now

Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.

Buffer Overflow Denial Of Service Suse
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.

Buffer Overflow Information Disclosure Red Hat Enterprise Linux 10 +5
NVD VulDB
EPSS 0% CVSS 9.4
CRITICAL Act Now

Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.

Buffer Overflow Stack Overflow Ex1200L
NVD VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.

Buffer Overflow Denial Of Service SSH +8
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Week

Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Denial Of Service Zephyr +1
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. No public exploit identified at time of analysis, though the GHSA advisory describes the trigger conditions in enough detail to reproduce.

Buffer Overflow Denial Of Service Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM This Month

Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.

Buffer Overflow Path Traversal Denial Of Service +2
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.

Buffer Overflow Information Disclosure Messagepack Csharp
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. No public exploit identified at time of analysis, but the bug is straightforward to trigger and fixes are already published upstream.

Buffer Overflow Messagepack Csharp
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.

Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 +3
NVD VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the network-deliverable attack vector (PR:N) makes the configuration prerequisite the primary limiting factor for defenders.

Buffer Overflow Denial Of Service Heap Overflow +6
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Stack/heap buffer overflow in the Edimax BR-6478AC V2 wireless router (firmware 1.23) lets an authenticated attacker corrupt memory by sending an oversized selSSID parameter to the formWlSiteSurvey handler under /goform/, enabling denial of service and potentially arbitrary code execution on the device. Publicly available exploit code exists, but no public exploit identified at time of analysis as actively used in attacks (not in CISA KEV); the vendor was notified and did not respond, leaving devices unpatched. CVSS 4.0 base score is 7.4 reflecting network reachability of the management interface combined with required low-privilege authentication.

Buffer Overflow Br 6478Ac V2
NVD VulDB
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard `if (!l)` failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. A public proof-of-concept exploit exists per VulDB and a published Medium writeup; no active exploitation is confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects passive-interaction and low-impact ratings, but the presence of public exploit code elevates practical risk for any DCMTK deployment that parses externally influenced XML files.

Buffer Overflow Heap Overflow Dcmtk
NVD VulDB GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.

Integer Overflow Buffer Overflow Libexpat +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.

Integer Overflow Buffer Overflow Libexpat +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.

Information Disclosure Denial Of Service Buffer Overflow +2
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Integer overflow in ImageMagick's PSB/PSD v2 RLE decoder (ReadPSDChannelRLE in coders/psd.c) causes a heap out-of-bounds read exclusively on 32-bit builds, enabling information disclosure or process crash when processing attacker-controlled PSB files. Affected versions span ImageMagick below 7.1.2-15 and 6.9.x below 6.9.13-40, with corresponding Magick.NET NuGet packages below 14.10.3 also confirmed vulnerable. No public exploit code has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 6.3 with AC:H and AT:P reflects that exploitation is constrained to 32-bit deployments processing untrusted PSB input.

Information Disclosure Buffer Overflow Imagemagick +2
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.

Denial Of Service Buffer Overflow Vllm
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Crypt::OpenSSL::PKCS12 versions before 1.96 for Perl permits a heap OOB read in print_attribute UTF8STRING path. print_attribute() copies a UTF8STRING ASN.1 attribute value into a heap buffer sized exactly to its declared length via strncpy, leaving no NUL terminator. Downstream callers run strlen() on the result and pass the inflated length to newSVpvn(), copying attacker-influenced adjacent heap bytes into a Perl scalar.

OpenSSL Information Disclosure Crypt +1
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Write lock exclusivity is silently violated in concurrent-ruby's `ReentrantReadWriteLock`, confirmed on version 1.3.6 and fixed in 1.3.7. After a single thread acquires the read lock exactly 32,768 times reentrantl, its per-thread `@HeldCount` counter overflows into bit 15, which the implementation also uses as the `WRITE_LOCK_HELD` flag - causing `try_write_lock` to return `true` via the fast-path 'already hold write lock' branch without ever setting the global `RUNNING_WRITER` bit. Other threads receive no signal of an active writer and continue acquiring read locks concurrently, breaking mutual exclusion with no exception raised. A publicly available proof-of-concept reproduces the condition; no public exploit identified as actively exploited (not in CISA KEV).

Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.

Integer Overflow Buffer Overflow Libde265
NVD GitHub VulDB
Prev Page 9 of 402 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy