Integer Overflow
Monthly
An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service.
An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet.
Heap corruption in Google Chrome's V8 engine prior to version 145.0.7632.109 can be triggered through integer overflow vulnerabilities when processing malicious HTML pages. An unauthenticated attacker can exploit this by tricking users into visiting a crafted webpage, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation. If affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated. [CVSS 6.5 MEDIUM]
Integer Overflow within atihdwt6.sys can allow a local attacker to cause out of bound read/write potentially leading to loss of confidentiality, integrity and availability
The integer overflow vulnerability within AMD Graphics driver could allow an attacker to bypass size checks potentially resulting in a denial of service [CVSS 5.5 MEDIUM]
Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution.
DNG SDK 1.7.1 (build 2410) and earlier contain an integer overflow vulnerability that causes application denial-of-service when processing malicious files. Local attackers can exploit this flaw by tricking users into opening a specially crafted file, resulting in application crashes or hangs. No patch is currently available.
Arbitrary code execution in DNG SDK 1.7.1 2410 and earlier stems from an integer overflow vulnerability that executes with user privileges when a victim opens a crafted file. The local attack vector requires user interaction but carries high impact across confidentiality, integrity, and availability with no patch currently available.
Arbitrary code execution in Bridge versions 15.1.3, 16.0.1 and earlier results from an integer overflow vulnerability that executes with user privileges when a victim opens a malicious file. The flaw requires user interaction but carries a high severity rating with no available patch, leaving affected systems vulnerable to immediate compromise.
Arbitrary code execution in Adobe After Effects 25.6 and earlier through an integer overflow vulnerability affecting file processing. An attacker can exploit this by crafting a malicious file that, when opened by a user, executes code with the privileges of the current user. No patch is currently available for this high-severity vulnerability.
Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. [CVSS 6.3 MEDIUM]
An integer underflow in the Linux kernel's vsock/virtio credit calculation allows a local attacker with unprivileged access to cause a denial of service by exhausting system resources when the peer shrinks its advertised buffer while data is in flight. The vulnerability enables more data to be queued than the peer can handle, potentially leading to system instability. No patch is currently available for this medium-severity issue.
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 5.9 MEDIUM]
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]
Libexpat versions before 2.7.4 are vulnerable to integer overflow in the doContent function during tag buffer reallocation, enabling local attackers with no privileges to achieve high-impact confidentiality and integrity violations. The flaw stems from missing overflow validation when calculating buffer sizes, allowing memory corruption that could lead to information disclosure or code execution. A patch is available for affected systems.
Denial-of-service in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to crash the NomadBranch.exe service by sending specially crafted UDP packets that trigger a heap buffer overflow. The vulnerability stems from an integer underflow in the UDP command handler that can be exploited without authentication or user interaction. Currently, no patch is available and the attack requires network adjacency to the affected system.
NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. [CVSS 7.8 HIGH]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
Heap use-after-free in Suricata prior to versions 8.0.3 and 7.0.14 can be triggered via integer overflow when processing packets that generate excessive alert conditions, allowing an attacker to crash the IDS/IPS engine or potentially achieve code execution. Affected deployments using large rulesets are at risk when processing malicious or crafted network traffic designed to trigger simultaneous signature matches. Patches are available for both affected versions.
An integer overflow vulnerability in yoyofr modizer before version 4.1.1 allows local attackers with user interaction to achieve high-impact compromise including confidentiality, integrity, and availability violations. The vulnerability requires local access and user interaction to trigger, enabling attackers to execute arbitrary code or cause denial of service through integer wraparound conditions. No patch is currently available for this vulnerability.
GLib's Unicode case conversion function contains an integer overflow flaw that causes undersized memory allocation when processing extremely large strings, enabling out-of-bounds writes. Applications using GLib for string operations could experience crashes or instability when exposed to specially crafted input. No patch is currently available for this medium-severity vulnerability.
A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. [CVSS 8.8 HIGH]
IronOS soldering iron firmware has an integer overflow vulnerability that could cause unexpected behavior in temperature control.
Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.
Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc.
Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.
Integer overflow in iccDEV's ICC profile parsing (versions 2.3.1.1 and below) allows remote attackers to corrupt memory or trigger denial of service by crafting malicious profile headers with tampered tag tables or offset fields, with public exploit code available. The vulnerability can potentially enable arbitrary code execution or bypass security checks in applications using affected iccDEV libraries. Users should upgrade to version 2.3.1.2 or later to remediate this risk.
A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. [CVSS 4.4 MEDIUM]
SumatraPDF on Windows is vulnerable to a denial-of-service attack through a maliciously crafted Mobi file that triggers an integer underflow in record validation, causing an out-of-bounds heap read and application crash. The vulnerability stems from an off-by-one error in the PalmDbReader::GetRecord function that only occurs with exactly 2 records, and public exploit code is available. No patch has been released at this time.
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. [CVSS 8.3 HIGH]
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. [CVSS 3.7 LOW]
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. [CVSS 5.3 MEDIUM]
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. [CVSS 8.1 HIGH]
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. [CVSS 7.1 HIGH]
Glibc versions 2.30 through 2.42 contain an integer overflow in the memalign function family that allows attackers with control over both size and alignment parameters to trigger heap corruption. Public exploit code exists for this vulnerability, which requires carefully crafted inputs with alignment values between 2^62+1 and 2^63 paired with sizes near PTRDIFF_MAX. Local attackers exploiting this flaw could achieve code execution or denial of service on affected systems.
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. [CVSS 6.5 MEDIUM]
Arbitrary code execution in Microsoft Office Excel results from an integer underflow vulnerability in the Long Term Servicing Channel and Online Server editions, exploitable by local attackers with user interaction. This HIGH severity flaw (CVSS 7.8) grants full system compromise capabilities including code execution, data theft, and service disruption with no available patch.
In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2.
Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.
Out-of-bounds memory reads in iccDEV versions 2.3.1.1 and earlier allow local attackers to cause denial of service or leak sensitive information through integer underflow flaws in the CIccCalculatorFunc::SequenceNeedTempReset function. The vulnerability requires user interaction and affects systems processing ICC color profiles. A patch is available in version 2.3.1.2.
iccDEV versions 2.3.1.1 and earlier are vulnerable to use-after-free, heap buffer overflow, and integer overflow flaws in the CIccSparseMatrix function, allowing local attackers with user interaction to achieve arbitrary code execution. The vulnerability affects all systems using vulnerable iccDEV libraries for ICC color profile processing and is resolved in version 2.3.1.2.
Integer overflow in iccDEV's CIccXmlArrayType::ParseTextCountNum() function allows local attackers with user interaction to achieve arbitrary code execution through maliciously crafted ICC color profile files. The vulnerability affects iccDEV versions 2.3.1 and below, impacting users who process untrusted color profiles. Public exploit code exists for this vulnerability, and a patch is available in version 2.3.1.1.
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. [CVSS 7.5 HIGH]
Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.
In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures.
Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation.This issue affects Antivirus: from 25.1.981.6 before 25.3.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An integer underflow vulnerability has been identified in Aicloud. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t:: fraction() function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory corruption while processing large input data from a remote source via a communication interface. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
This vulnerability is an undefined behavior issue in the Linux kernel's font handling code where a signed 32-bit left shift by 31 bits violates C language semantics, detected by UBSAN (Undefined Behavior Sanitizer). The vulnerability affects multiple Linux kernel versions starting from 2.6.23 and can be triggered by local users with low privileges during framebuffer console initialization, leading to denial of service through undefined behavior exploitation. While the EPSS score is extremely low at 0.01% (percentile 3%), patches are available from the kernel vendor and the issue has been resolved in stable releases.
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the number of MBSSID elements in the nested...
In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow happened, and if it did, don't set limits->io_min and limits->io_opt;
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) *size = buf_size_left; If the user passes a SIZE_MAX value to the "ssize_t count" parameter, the ssize_t count parameter is assigned to "int buf_size_left". Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a negative number, so "*size" is assigned "buf_size_left" and goes into the third argument of the copy_to_user function, causing a heap overflow. This is not a security vulnerability because iwl_dbgfs_monitor_data_read() is a debugfs operation with 0400 privileges.
In the Linux kernel, the following vulnerability has been resolved: x86/MCE/AMD: Use an u64 for bank_map Thee maximum number of MCA banks is 64 (MAX_NR_BANKS), see a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64"). However, the bank_map which contains a bitfield of which banks to initialize is of type unsigned int and that overflows when those bit numbers are >= 32, leading to UBSAN complaining correctly: UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38 shift exponent 32 is too large for 32-bit type 'int' Change the bank_map to a u64 and use the proper BIT_ULL() macro when modifying bits in there. [ bp: Rewrite commit message. ]
In the Linux kernel, the following vulnerability has been resolved: i2c: rtl9300: ensure data length is within supported range Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer' to ensure the data length isn't within the supported range. In particular a data length of 0 is not supported by the hardware and causes unintended or destructive behaviour. This limitation becomes obvious when looking at the register documentation [1]. 4 bits are reserved for DATA_WIDTH and the value of these 4 bits is used as N + 1, allowing a data length range of 1 <= len <= 16. Affected by this is the SMBus Quick Operation which works with a data length of 0. Passing 0 as the length causes an underflow of the value due to: (len - 1) & 0xf and effectively specifying a transfer length of 16 via the registers. This causes a 16-byte write operation instead of a Quick Write. For example, on SFP modules without write-protected EEPROM this soft-bricks them by overwriting some initial bytes. For completeness, also add a quirk for the zero length. [1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2
Sandbox escape due to integer overflow in the Graphics: Canvas2D component. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long(). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Dover Fueling Solutions ProGauge MagLink LX4 Devices fail to handle Unix time values beyond a certain point. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A undefined behavior vulnerability exists in the Linux kernel's TTM (Translation Table Maps) memory management subsystem where shifting a signed 32-bit value by 31 bits during bit flag operations causes undefined behavior. This affects all Linux kernel versions using the affected TTM code path, and while the vulnerability itself is difficult to exploit directly, it can be triggered by local attackers with low privileges during GPU memory operations, resulting in denial of service through kernel panic or undefined system behavior. The EPSS score of 0.01% and lack of known public exploits indicate this is a low real-world exploitation probability, but the CVSS 5.5 score reflects the availability impact when triggered.
Ashlar-Vellum Cobalt VC6 File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Ashlar-Vellum Cobalt LI File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service.
An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet.
Heap corruption in Google Chrome's V8 engine prior to version 145.0.7632.109 can be triggered through integer overflow vulnerabilities when processing malicious HTML pages. An unauthenticated attacker can exploit this by tricking users into visiting a crafted webpage, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. No patch is currently available for this vulnerability.
A vulnerability has been found in Vnet/IP Interface Package provided by Yokogawa Electric Corporation. If affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated. [CVSS 6.5 MEDIUM]
Integer Overflow within atihdwt6.sys can allow a local attacker to cause out of bound read/write potentially leading to loss of confidentiality, integrity and availability
The integer overflow vulnerability within AMD Graphics driver could allow an attacker to bypass size checks potentially resulting in a denial of service [CVSS 5.5 MEDIUM]
Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution.
DNG SDK 1.7.1 (build 2410) and earlier contain an integer overflow vulnerability that causes application denial-of-service when processing malicious files. Local attackers can exploit this flaw by tricking users into opening a specially crafted file, resulting in application crashes or hangs. No patch is currently available.
Arbitrary code execution in DNG SDK 1.7.1 2410 and earlier stems from an integer overflow vulnerability that executes with user privileges when a victim opens a crafted file. The local attack vector requires user interaction but carries high impact across confidentiality, integrity, and availability with no patch currently available.
Arbitrary code execution in Bridge versions 15.1.3, 16.0.1 and earlier results from an integer overflow vulnerability that executes with user privileges when a victim opens a malicious file. The flaw requires user interaction but carries a high severity rating with no available patch, leaving affected systems vulnerable to immediate compromise.
Arbitrary code execution in Adobe After Effects 25.6 and earlier through an integer overflow vulnerability affecting file processing. An attacker can exploit this by crafting a malicious file that, when opened by a user, executes code with the privileges of the current user. No patch is currently available for this high-severity vulnerability.
Integer overflow in the Bytes library versions 1.2.1 through 1.11.0 allows attackers to corrupt the BytesMut capacity value, leading to out-of-bounds memory access and undefined behavior in release builds. Public exploit code exists for this vulnerability, affecting applications that depend on Bytes for buffer management. A patch is available in version 1.11.1.
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. [CVSS 6.3 MEDIUM]
An integer underflow in the Linux kernel's vsock/virtio credit calculation allows a local attacker with unprivileged access to cause a denial of service by exhausting system resources when the peer shrinks its advertised buffer while data is in flight. The vulnerability enables more data to be queued than the peer can handle, potentially leading to system instability. No patch is currently available for this medium-severity issue.
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 5.9 MEDIUM]
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]
Libexpat versions before 2.7.4 are vulnerable to integer overflow in the doContent function during tag buffer reallocation, enabling local attackers with no privileges to achieve high-impact confidentiality and integrity violations. The flaw stems from missing overflow validation when calculating buffer sizes, allowing memory corruption that could lead to information disclosure or code execution. A patch is available for affected systems.
Denial-of-service in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to crash the NomadBranch.exe service by sending specially crafted UDP packets that trigger a heap buffer overflow. The vulnerability stems from an integer underflow in the UDP command handler that can be exploited without authentication or user interaction. Currently, no patch is available and the attack requires network adjacency to the affected system.
NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. [CVSS 7.8 HIGH]
NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. [CVSS 7.8 HIGH]
Heap use-after-free in Suricata prior to versions 8.0.3 and 7.0.14 can be triggered via integer overflow when processing packets that generate excessive alert conditions, allowing an attacker to crash the IDS/IPS engine or potentially achieve code execution. Affected deployments using large rulesets are at risk when processing malicious or crafted network traffic designed to trigger simultaneous signature matches. Patches are available for both affected versions.
An integer overflow vulnerability in yoyofr modizer before version 4.1.1 allows local attackers with user interaction to achieve high-impact compromise including confidentiality, integrity, and availability violations. The vulnerability requires local access and user interaction to trigger, enabling attackers to execute arbitrary code or cause denial of service through integer wraparound conditions. No patch is currently available for this vulnerability.
GLib's Unicode case conversion function contains an integer overflow flaw that causes undersized memory allocation when processing extremely large strings, enabling out-of-bounds writes. Applications using GLib for string operations could experience crashes or instability when exposed to specially crafted input. No patch is currently available for this medium-severity vulnerability.
A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. [CVSS 8.8 HIGH]
IronOS soldering iron firmware has an integer overflow vulnerability that could cause unexpected behavior in temperature control.
Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.
Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc.
Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.
Integer overflow in iccDEV's ICC profile parsing (versions 2.3.1.1 and below) allows remote attackers to corrupt memory or trigger denial of service by crafting malicious profile headers with tampered tag tables or offset fields, with public exploit code available. The vulnerability can potentially enable arbitrary code execution or bypass security checks in applications using affected iccDEV libraries. Users should upgrade to version 2.3.1.2 or later to remediate this risk.
A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. [CVSS 4.4 MEDIUM]
SumatraPDF on Windows is vulnerable to a denial-of-service attack through a maliciously crafted Mobi file that triggers an integer underflow in record validation, causing an out-of-bounds heap read and application crash. The vulnerability stems from an off-by-one error in the PalmDbReader::GetRecord function that only occurs with exactly 2 records, and public exploit code is available. No patch has been released at this time.
EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. [CVSS 8.3 HIGH]
A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. [CVSS 3.7 LOW]
dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability flaw due to trusting the totalPCMFrameCount field from FLAC metadata before calculating buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. [CVSS 5.5 MEDIUM]
ESPHome versions 2025.9.0 through 2025.12.6 are vulnerable to a denial-of-service attack via integer overflow in the API protobuf decoder, affecting all supported microcontroller platforms (ESP32, ESP8266, RP2040, LibreTiny). Unauthenticated attackers can crash ESPHome devices by sending specially crafted packets with large field length values to bypass bounds checking when API encryption is disabled. Upgrade to version 2025.12.7 or later to remediate.
A vulnerability was identified in raysan5 raylib up to 909f040. Affected by this issue is the function LoadFontData of the file src/rtext.c. [CVSS 5.3 MEDIUM]
In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. [CVSS 8.1 HIGH]
In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. [CVSS 7.1 HIGH]
Glibc versions 2.30 through 2.42 contain an integer overflow in the memalign function family that allows attackers with control over both size and alignment parameters to trigger heap corruption. Public exploit code exists for this vulnerability, which requires carefully crafted inputs with alignment values between 2^62+1 and 2^63 paired with sizes near PTRDIFF_MAX. Local attackers exploiting this flaw could achieve code execution or denial of service on affected systems.
A flaw was found in vsftpd. This vulnerability allows a denial of service (DoS) via an integer overflow in the ls command parameter parsing, triggered by a remote, authenticated attacker sending a crafted STAT command with a specific byte sequence. [CVSS 6.5 MEDIUM]
Arbitrary code execution in Microsoft Office Excel results from an integer underflow vulnerability in the Long Term Servicing Channel and Online Server editions, exploitable by local attackers with user interaction. This HIGH severity flaw (CVSS 7.8) grants full system compromise capabilities including code execution, data theft, and service disruption with no available patch.
In the Linux kernel, the following vulnerability has been resolved: caif: fix integer underflow in cffrml_receive() The cffrml_receive() function extracts a length field from the packet header and, when FCS is disabled, subtracts 2 from this length without validating that len >= 2.
Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.
Out-of-bounds memory reads in iccDEV versions 2.3.1.1 and earlier allow local attackers to cause denial of service or leak sensitive information through integer underflow flaws in the CIccCalculatorFunc::SequenceNeedTempReset function. The vulnerability requires user interaction and affects systems processing ICC color profiles. A patch is available in version 2.3.1.2.
iccDEV versions 2.3.1.1 and earlier are vulnerable to use-after-free, heap buffer overflow, and integer overflow flaws in the CIccSparseMatrix function, allowing local attackers with user interaction to achieve arbitrary code execution. The vulnerability affects all systems using vulnerable iccDEV libraries for ICC color profile processing and is resolved in version 2.3.1.2.
Integer overflow in iccDEV's CIccXmlArrayType::ParseTextCountNum() function allows local attackers with user interaction to achieve arbitrary code execution through maliciously crafted ICC color profile files. The vulnerability affects iccDEV versions 2.3.1 and below, impacting users who process untrusted color profiles. Public exploit code exists for this vulnerability, and a patch is available in version 2.3.1.1.
In dpe, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]
An integer underflow vulnerability in the Silicon Labs Z-Wave Protocol Controller can lead to out of bounds memory reads.
An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. [CVSS 7.5 HIGH]
Local privilege escalation to root on Apple platforms via integer overflow in timestamp handling allows authenticated users with low-level access to fully compromise system integrity and confidentiality. Affects iOS, iPadOS, macOS (Sequoia, Sonoma, Tahoe), tvOS, visionOS, and watchOS prior to February 2025 security updates. Vendor-released patches available across all platforms. EPSS probability is minimal (0.02%, 4th percentile), and no public exploit identified at time of analysis, though the local attack vector with low complexity and authenticated requirement reduces remote exploitation risk but creates insider threat exposure.
In multiple functions of mem_protect.c, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66. Users are recommended to upgrade to version 2.4.66, which fixes the issue.
KissFFT versions prior to the fix commit 1b083165 contain an integer overflow in kiss_fft_alloc() in kiss_fft.c on platforms where size_t is 32-bit. The nfft parameter is not validated before being used in a size calculation (sizeof(kiss_fft_cpx) * (nfft - 1)), which can wrap to a small value when nfft is large. As a result, malloc() allocates an undersized buffer and the subsequent twiddle-factor initialization loop writes nfft elements, causing a heap buffer overflow. This vulnerability only affects 32-bit architectures.
Integer Overflow or Wraparound vulnerability in Avast Antivirus (25.1.981.6) on Windows allows Privilege Escalation.This issue affects Antivirus: from 25.1.981.6 before 25.3.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
An integer underflow vulnerability has been identified in Aicloud. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in loss of confidentiality or availability. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Multiple vulnerabilities exist in cbor2 through version 5.7.0 in the decode_definite_long_string() function of the C extension decoder (source/decoder.c): (1) Integer Underflow Leading to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
eProsima Fast-DDS v3.3 and before has an infinite loop vulnerability caused by integer overflow in the Time_t:: fraction() function. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Integer wraparound in multiple PostgreSQL libpq client library functions allows an application input provider or network peer to cause libpq to undersize an allocation and write out-of-bounds by. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Substance3D - Stager versions 3.1.5 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Illustrator on iPad versions 3.0.9 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Memory corruption while processing large input data from a remote source via a communication interface. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
This vulnerability is an undefined behavior issue in the Linux kernel's font handling code where a signed 32-bit left shift by 31 bits violates C language semantics, detected by UBSAN (Undefined Behavior Sanitizer). The vulnerability affects multiple Linux kernel versions starting from 2.6.23 and can be triggered by local users with low privileges during framebuffer console initialization, leading to denial of service through undefined behavior exploitation. While the EPSS score is extremely low at 0.01% (percentile 3%), patches are available from the kernel vendor and the issue has been resolved in stable releases.
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the number of MBSSID elements in the nested...
In the Linux kernel, the following vulnerability has been resolved: dm-stripe: fix a possible integer overflow There's a possible integer overflow in stripe_io_hints if we have too large chunk size. Test if the overflow happened, and if it did, don't set limits->io_min and limits->io_opt;
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted LUA script to read out-of-bound data or crash the server and subsequent denial of service. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to block a script by restricting both the EVAL and FUNCTION command families.
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf An integer overflow occurs in the iwl_write_to_user_buf() function, which is called by the iwl_dbgfs_monitor_data_read() function. static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count, void *buf, ssize_t *size, ssize_t *bytes_copied) { int buf_size_left = count - *bytes_copied; buf_size_left = buf_size_left - (buf_size_left % sizeof(u32)); if (*size > buf_size_left) *size = buf_size_left; If the user passes a SIZE_MAX value to the "ssize_t count" parameter, the ssize_t count parameter is assigned to "int buf_size_left". Then compare "*size" with "buf_size_left" . Here, "buf_size_left" is a negative number, so "*size" is assigned "buf_size_left" and goes into the third argument of the copy_to_user function, causing a heap overflow. This is not a security vulnerability because iwl_dbgfs_monitor_data_read() is a debugfs operation with 0400 privileges.
In the Linux kernel, the following vulnerability has been resolved: x86/MCE/AMD: Use an u64 for bank_map Thee maximum number of MCA banks is 64 (MAX_NR_BANKS), see a0bc32b3cacf ("x86/mce: Increase maximum number of banks to 64"). However, the bank_map which contains a bitfield of which banks to initialize is of type unsigned int and that overflows when those bit numbers are >= 32, leading to UBSAN complaining correctly: UBSAN: shift-out-of-bounds in arch/x86/kernel/cpu/mce/amd.c:1365:38 shift exponent 32 is too large for 32-bit type 'int' Change the bank_map to a u64 and use the proper BIT_ULL() macro when modifying bits in there. [ bp: Rewrite commit message. ]
In the Linux kernel, the following vulnerability has been resolved: i2c: rtl9300: ensure data length is within supported range Add an explicit check for the xfer length to 'rtl9300_i2c_config_xfer' to ensure the data length isn't within the supported range. In particular a data length of 0 is not supported by the hardware and causes unintended or destructive behaviour. This limitation becomes obvious when looking at the register documentation [1]. 4 bits are reserved for DATA_WIDTH and the value of these 4 bits is used as N + 1, allowing a data length range of 1 <= len <= 16. Affected by this is the SMBus Quick Operation which works with a data length of 0. Passing 0 as the length causes an underflow of the value due to: (len - 1) & 0xf and effectively specifying a transfer length of 16 via the registers. This causes a 16-byte write operation instead of a Quick Write. For example, on SFP modules without write-protected EEPROM this soft-bricks them by overwriting some initial bytes. For completeness, also add a quirk for the zero length. [1] https://svanheule.net/realtek/longan/register/i2c_mst1_ctrl2
Sandbox escape due to integer overflow in the Graphics: Canvas2D component. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
go-f3 is a Golang implementation of Fast Finality for Filecoin (F3). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
pytorch v2.8.0 was discovered to contain an integer overflow in the component torch.nan_to_num-.long(). Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
pytorch v2.8.0 was discovered to display unexpected behavior when the components torch.rot90 and torch.randn_like are used together. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Artifex Ghostscript through 10.05.1, ocr_begin_page in devices/gdevpdfocr.c has an integer overflow that leads to a heap-based buffer overflow in ocr_line8. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity.
A vulnerability was identified in the handling of Bluetooth Low Energy (BLE) fixed channels (such as SMP or ATT). Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
Dover Fueling Solutions ProGauge MagLink LX4 Devices fail to handle Unix time values beyond a certain point. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A undefined behavior vulnerability exists in the Linux kernel's TTM (Translation Table Maps) memory management subsystem where shifting a signed 32-bit value by 31 bits during bit flag operations causes undefined behavior. This affects all Linux kernel versions using the affected TTM code path, and while the vulnerability itself is difficult to exploit directly, it can be triggered by local attackers with low privileges during GPU memory operations, resulting in denial of service through kernel panic or undefined system behavior. The EPSS score of 0.01% and lack of known public exploits indicate this is a low real-world exploitation probability, but the CVSS 5.5 score reflects the availability impact when triggered.
Ashlar-Vellum Cobalt VC6 File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Ashlar-Vellum Cobalt LI File Parsing Integer Overflow Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.