Integer Overflow
Monthly
Heap corruption in the Ruby Oj JSON parser (`Oj.load`) is triggered when applications process attacker-controlled JSON strings larger than 2 GB containing an escape sequence, due to an integer overflow in `read_escaped_str` that wraps a 32-bit length to a negative value and is then cast to `size_t`, causing `memcpy` to copy ~2 GB out of bounds. Versions of the `oj` gem prior to 3.17.3 are affected, and no public exploit identified at time of analysis; CVSS and EPSS are not provided.
Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.
Integer overflow in QEMU's virtio-snd virtual sound device allows a malicious guest VM to trigger unbounded host memory allocation by supplying out-of-bounds stream counts via PCM_INFO requests, resulting in a host-side denial of service. Affected deployments are those where QEMU exposes the virtio-snd device to guest VMs - particularly relevant in multi-tenant or cloud virtualization environments where guest workloads may be untrusted. No public exploit code and no active exploitation (CISA KEV) has been identified at the time of this analysis; the CVSS 5.5 Medium score reflects the constrained local attack vector.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module (versions 1.000 and prior) allows a remote unauthenticated attacker to crash the device by rapidly opening many TCP connections, which trips an integer overflow in the EtherNet/IP connection-management logic and triggers improper memory access. No public exploit identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a meaningful operational-technology (OT) concern for plants relying on the affected PLC module. Reported by the vendor and tracked in vendor PSIRT advisory 2026-002, JVN VU#97140216, and CISA ICS advisory ICSA-26-169-05.
Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. No public exploit has been identified at time of analysis; EPSS risk is low (0.17%, 7th percentile) and CISA SSVC rates exploitation as none.
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the upstream commit 5985276 widens drl to uint32_t.
Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). The root cause is CWE-190 integer overflow in MathHelper.cs's factorial calculation logic, which previously lacked bounds validation, allowing operands well beyond any representable result to be passed directly to the computation loop. No public exploit or CISA KEV listing has been identified at time of analysis, though the triggering expressions are trivially constructable and documented in the advisory itself.
Denial of service in Node.js 26.x (fixed in 26.3.1) arises from an unguarded integer overflow when computing WebCrypto cipher output buffer lengths, allowing remote attackers to crash a process that performs SubtleCrypto encrypt/decrypt operations on attacker-influenced data. Rated High by the Node.js project (CVSS 7.5, availability-only impact). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote information disclosure and denial of service in RTI Connext Micro core libraries (versions 4.0.0 through 4.2.x) allow unauthenticated network attackers to trigger an integer underflow that results in an out-of-bounds buffer overread. Exploitation requires no authentication or user interaction and can leak sensitive memory contents while potentially crashing the affected process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in rxi microtar 0.1.0 allows remote attackers to hang any consumer of the library at 100% CPU by supplying a crafted tar archive whose header size field triggers a 32-bit integer overflow in mtar_next(). The flaw affects every application that parses untrusted tar streams with this lightweight C library, and no public exploit is identified at time of analysis, though the trigger is trivial to construct from the description alone.
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.
Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.
Integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows remote unauthenticated attackers to crash a UDS server or read up to 65535 bytes of memory past the 4KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 fails to validate that recv_len is at least 2 before computing key-data length via unsigned subtraction, uniquely among all other sub-function handlers in the library. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates publicly available exploit code exists, and the vulnerability is exposed across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session on automotive ECUs, industrial controllers, and IoT devices.
Integer overflow in GPAC's MP4Box causes an out-of-memory crash when processing crafted MP4 files with malformed Protection System Specific Header (PSSH) metadata during DASH segmentation. The function mp4_mux_cenc_insert_pssh() in filters/mux_isom.c fails to validate attacker-controlled kid_count and dataSize fields before using them in a buffer size calculation, causing realloc() to request approximately 61 GB (0xe40000100 bytes), which crashes the process. A public proof-of-concept MP4 file is available on GitHub; no active exploitation has been confirmed and no CISA KEV listing exists. The CVSS 3.1 score of 4.3 MEDIUM reflects the user-interaction requirement and limited availability impact.
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.
Remote unauthenticated denial-of-service in TDengine versions 3.4.0.0 through 3.4.1.5 allows attackers to crash the taosd server process by sending a single crafted RPC packet, with no credentials or prior session state required. The flaw is a CWE-191 integer underflow (vendor tags also reference Integer Overflow) in RPC packet handling, fixed in version 3.4.1.6. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability.
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by triggering an integer overflow during C2PA content processing. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the bug carries pure availability impact - no data exposure or code execution - but is trivially reachable by anyone who can feed input to the library.
Integer overflow in Adobe Acrobat Reader triggers an application crash when processing a specially crafted file, resulting in a denial-of-service condition. Versions 24.001.30365 and 26.001.21651 and earlier are confirmed affected per Adobe advisory APSB26-63. Impact is limited to availability - no confidentiality or integrity compromise is possible - and no public exploit or active exploitation has been identified at time of analysis.
Remote code execution in Microsoft Windows Kerberos implementation allows an authenticated attacker on an adjacent network segment to trigger an integer overflow and execute arbitrary code. The flaw is rated CVSS 7.1 (High) with high attack complexity and requires low-level privileges, and at the time of analysis there is no public exploit identified. Because Kerberos is a core authentication service in Windows domain environments, successful exploitation has direct implications for domain trust and identity security.
Local privilege escalation in Microsoft Windows SDK enables an authenticated low-privileged attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) profile reflects local attack with low complexity and low privileges required, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Internet (wininet.dll) allows an authenticated low-privileged attacker to elevate to higher privileges by triggering an integer overflow condition. With a CVSS score of 7.8 and full impact on confidentiality, integrity, and availability, this flaw represents a meaningful post-compromise risk on affected Windows systems, though no public exploit identified at time of analysis. The vulnerability has been reported by Microsoft's own security team (secure@microsoft.com), indicating internal discovery and coordinated disclosure.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.
Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. Applications that evaluate untrusted SpEL input are at greatest risk.
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
Remote denial of service in Comodo Internet Security's Inspect.sys firewall driver lets an unauthenticated attacker crash any Windows host running the product by sending a single crafted IPv6 packet, even when all ports are blocked at the firewall. The flaw is an integer underflow (CWE-191) in IPv6 extension-header parsing that occurs before firewall rule enforcement, producing an out-of-bounds read and an oversized memcpy at DISPATCH_LEVEL and an immediate BSOD. Publicly available exploit code exists, published alongside MalwareTech's technical writeup and a working PoC named ComoDoS.
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Integer overflow in Chrome's ANGLE graphics layer on Windows enables process memory disclosure for attackers who have already compromised the renderer process. Affected versions are all Google Chrome releases prior to 149.0.7827.53 on Windows. An attacker who has first achieved renderer compromise can trigger the ANGLE integer overflow via a crafted HTML page to read potentially sensitive data from process memory - functioning as a second-stage information leak within a chained exploit. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) reflects low observed exploitation probability.
Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.
Integer overflow in the cilium/ebpf Go library (versions up to 0.21.0) allows a local authenticated user to cause an availability impact by supplying crafted BPF Type Format (BTF) data to the LoadCollectionSpec or LoadCollectionSpecFromReader APIs. The flaw resides in the loadRawSpec function where 32-bit header field arithmetic was performed using signed int types, enabling overflow to bypass bounds checks on StringOff, StringLen, TypeOff, and TypeLen fields. No public exploit identified at time of analysis as a KEV listing, though publicly available exploit code exists per VulDB and the CVSS temporal component E:P confirms a proof-of-concept is circulating.
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Local privilege escalation in the Android Bluetooth stack (Android 14, 15, 16, and 16-qpr2) allows an adjacent attacker to corrupt the heap of the privileged Bluetooth process via an integer overflow in l2c_fcr_clone_buf. No user interaction or additional execution privileges are required, and at time of analysis there is no public exploit identified, though SSVC rates the technical impact as total.
Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Integer overflow in Android's UBSan throwing runtime (ubsan_throwing_runtime.cpp) enables a local attacker with low privileges to cause a persistent denial of service across Android 14 through Android 16 QPR2. The flaw affects multiple functions within the file and requires no user interaction to trigger, making it exploitable by a malicious on-device application without elevated privileges. No public exploit identified at time of analysis, and the local-only attack vector constrains real-world scope, but the persistent nature of the availability impact elevates operational concern over transient crash-based DoS.
Remote denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is achievable by an authenticated network attacker exploiting an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only low-privilege authentication and no user interaction, resulting in a full availability impact (A:H). No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad version coverage across current and recent Android releases makes this a notable patching priority.
Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Persistent denial of service and local privilege escalation in Google Android's UBSan runtime component affect Android 14, 15, 16-qpr2, and 16, stemming from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. An authenticated local attacker with low-level privileges and no required user interaction can exploit this overflow to trigger persistent availability loss and, per the description, possible privilege escalation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 stems from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, the runtime component of Android's Undefined Behavior Sanitizer (UBSan). An authenticated low-privileged attacker over the network can trigger the overflow to crash the affected component, resulting in high availability impact with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 is possible via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, a component of Android's UndefinedBehaviorSanitizer runtime. Network-accessible, low-privileged attackers (CVSS PR:L, AV:N, AC:L) can crash affected devices without requiring user interaction, resulting in availability loss with no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Persistent denial of service in Google Android's UBSAN throwing runtime allows a remote low-privileged attacker to crash affected devices via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. Affected versions span Android 14, 15, 16-qpr2, and 16, indicating broad exposure across the current supported Android ecosystem. No public exploit code or active exploitation has been identified at time of analysis; patches are available via the June 2026 Android Security Bulletin.
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from an integer overflow (CWE-190) that can be triggered without user interaction to achieve code execution. With CVSS 8.4 and SSVC technical impact rated 'total,' a local attacker on the device can elevate privileges across security boundaries without additional execution rights. No public exploit identified at time of analysis and SSVC reports exploitation status as 'none.'
Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.
Integer overflow in the Janet scripting language's fiber unmarshaling routine (versions up to 1.41.0) allows a local authenticated attacker to cause a denial-of-service condition. The vulnerable function `unmarshal_one_fiber` in `src/core/marsh.c` performs an unchecked addition when computing fiber stack capacity - if `fiber_stacktop` is near INT32_MAX, adding 10 wraps the value, resulting in a dangerously small capacity allocation that crashes the interpreter. No public exploitation in production environments has been confirmed (not listed in CISA KEV), but a public proof-of-concept exploit exists, and the upstream patch has been released as commit d9b1d711.
Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the iApp component (TCP/36422) by exhausting a 16-bit xapp_id counter through repeated E42_SETUP_REQUEST messages. The integer wraparound produces duplicate xApp identifiers that violate internal data-structure invariants, terminating the RIC service. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.05%, though the attack is conceptually trivial to script.
Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.
Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.
Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.
Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.
Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw affects MediaInfoLib 26.01 and was reported by Cisco Talos (TALOS-2026-2367); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.
Integer overflow in Arm ArmNN's TensorShape::GetNumElements() enables a crafted TFLite model to bypass buffer size validation and trigger a heap-based buffer over-read, resulting in a denial of service. Affected systems are those that load externally-supplied or untrusted TFLite model files using any ArmNN build through 2026-03-27. An attacker who controls a model file processed by an ArmNN-backed application can crash the host process during the optimization pass via BatchToSpaceNdLayer's InferOutputShapes() routine. No public exploit code and no active exploitation has been identified at time of analysis; EPSS sits at 0.02% (5th percentile), consistent with low real-world threat.
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (Apple Filing Protocol) file server widely deployed on Linux/Unix systems serving macOS clients. Exploitation is constrained to local, highly-privileged attackers under high-complexity conditions, yielding only limited confidentiality, integrity, and availability impact (CVSS 3.4). No active exploitation is confirmed (not listed in CISA KEV), and no public exploit identified at time of analysis.
Denial of service in Netatalk versions 1.5.0 through 4.4.2 allows remote unauthenticated attackers to crash the AFP (Apple Filing Protocol) service by exploiting an integer underflow in the dsi_writeinit() function. The flaw is network-reachable with low complexity (CVSS 7.5, AV:N/AC:L/PR:N) and no public exploit identified at time of analysis, though the trivial trigger conditions make exploitation straightforward once a proof-of-concept emerges. Netatalk has resolved the issue in version 4.4.3.
Integer overflow in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory corruption that may result in code execution, data tampering, or denial of service. The flaw requires low-level privileges plus user interaction (CVSS 8.0, AV:N/AC:L/PR:L/UI:R) and affects deployments exposing the DALI inference pipeline. No public exploit identified at time of analysis.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.
Information disclosure in Rsync 3.4.2 and prior allows an authenticated remote sender to leak receiver process memory through an integer overflow in the compressed-token decoder. The flaw exposes environment variables, credentials, heap and stack contents, and library pointers, weakening ASLR and enabling follow-on exploitation; no public exploit identified at time of analysis, but Rsync 3.4.3 bundles the security fix.
Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.
Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.
Signed integer overflow in the NetBSD kernel's cryptodev subsystem (sys/opencrypto/cryptodev.c, prior to commit ec8451e) enables a local low-privileged attacker to crash the kernel via a NULL pointer dereference, causing a full denial of service. The type mismatch between a signed int local variable and an unsigned cop->dst_len source value in cryptodev_op() produces undefined behavior when dst_len exceeds INT_MAX, corrupting UIO pointer arithmetic and - when CONFIG_SVS is disabled - triggering a kernel panic. No public exploit identified at time of analysis, though a technical writeup at nasm.re documents related memory-handling issues in this subsystem.
Denial-of-service in the iskorotkov/avro Go Avro decoder (a maintained fork of the archived hamba/avro) lets unauthenticated remote attackers crash or hang consumers by submitting crafted Avro streams that trigger integer narrowing, signed-integer overflow in cumulative block sizes, or unchecked-negative make() calls. All versions prior to v2.33.0 are affected; the upstream github.com/hamba/avro/v2 (all versions through v2.31.0) is also vulnerable and will not receive a fix because the module is archived. No public exploit identified at time of analysis, though the advisory itself documents concrete PoC input shapes and includes a regression test (TestDecoder_ArrayMultiBlockExceedsMaxInt) that demonstrates the cumulative-overflow path on amd64.
A compromised Trusted OS (TOS) driver could issue a malformed call that could potentially allow memory access outside the intended range resulting in loss of integrity. Rated low severity (CVSS 1.8). No vendor patch available.
Integer overflow in libyang's lyb_read_string() function leads to heap buffer overflow during LYB binary parsing, enabling remote denial-of-service attacks against NETCONF servers, sysrepo, and other YANG data consumers. The vulnerability (CWE-190) allows unauthenticated attackers to crash services by supplying maliciously crafted LYB blobs over network connections. Fixed in version SO 5.2.15. CVSS 7.5 (High) with network attack vector and low complexity, though currently limited to availability impact. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Heap buffer overflow in libsixel versions up to 1.8.7-r1 enables local attackers to corrupt memory and potentially execute code by supplying maliciously crafted SIXEL image data. A signed integer overflow in the SIXEL parser's buffer resizing logic bypasses allocation size checks, allowing out-of-bounds writes with attacker-controlled offsets. The vulnerability requires user interaction to process a malicious SIXEL file but does not require authentication. Fixed in version 1.8.7-r2. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Heap overflow in OpenImageIO's JPEG 2000 decoder allows local attackers with malicious image files to execute arbitrary code. Affects versions before 3.0.18.0 and 3.1.x before 3.1.13.0 when compiled with USE_OPENJPH flag. Integer overflow in buffer size calculation causes undersized heap allocation, leading to memory corruption during pixel writes. No public exploit identified at time of analysis, but SSVC framework indicates POC exists. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0.
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Out-of-bounds write in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 allows remote attackers to crash applications or potentially execute arbitrary code by delivering maliciously crafted CbYCrY image files. A signed integer overflow in the ConvertCbYCrYToRGB() pixel-loop calculation generates large negative pointer offsets, corrupting memory during image processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV); exploitation requires user interaction to process attacker-supplied image files.
Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.
Integer overflow in simdjson's string_builder::escape_and_append() function allows out-of-bounds memory reads in SIMD routines when processing very large input strings on 32-bit platforms, potentially resulting in information disclosure or memory corruption. The vulnerability affects all versions before 4.6.4 and has been patched by the vendor.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.
Heap corruption in the Ruby Oj JSON parser (`Oj.load`) is triggered when applications process attacker-controlled JSON strings larger than 2 GB containing an escape sequence, due to an integer overflow in `read_escaped_str` that wraps a 32-bit length to a negative value and is then cast to `size_t`, causing `memcpy` to copy ~2 GB out of bounds. Versions of the `oj` gem prior to 3.17.3 are affected, and no public exploit identified at time of analysis; CVSS and EPSS are not provided.
Heap buffer overflow in libde265 prior to version 1.1.0 allows remote attackers to corrupt heap memory and likely achieve code execution by tricking a user into processing a crafted H.265 video stream. The flaw stems from a 32-bit signed integer overflow in plane allocation sizing that wraps to ~1 KB, after which fill_image() writes the true ~4 GB plane content into the undersized buffer. No public exploit identified at time of analysis, but the upstream commit (8a1b5cf) and GHSA-vv8h-932h-7r86 publicly document the exact overflow location.
Integer overflow in QEMU's virtio-snd virtual sound device allows a malicious guest VM to trigger unbounded host memory allocation by supplying out-of-bounds stream counts via PCM_INFO requests, resulting in a host-side denial of service. Affected deployments are those where QEMU exposes the virtio-snd device to guest VMs - particularly relevant in multi-tenant or cloud virtualization environments where guest workloads may be untrusted. No public exploit code and no active exploitation (CISA KEV) has been identified at the time of this analysis; the CVSS 5.5 Medium score reflects the constrained local attack vector.
Denial-of-service in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP module (versions 1.000 and prior) allows a remote unauthenticated attacker to crash the device by rapidly opening many TCP connections, which trips an integer overflow in the EtherNet/IP connection-management logic and triggers improper memory access. No public exploit identified at time of analysis, but the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) and high availability impact make this a meaningful operational-technology (OT) concern for plants relying on the affected PLC module. Reported by the vendor and tracked in vendor PSIRT advisory 2026-002, JVN VU#97140216, and CISA ICS advisory ICSA-26-169-05.
Heap out-of-bounds write in OpenEXR 3.4.0 through 3.4.11 lets an attacker who supplies a crafted HTJ2K-compressed EXR file trigger memory corruption during decoding, via an integer overflow in the HTJ2K decoder ht_undo_impl(). Any application that decodes untrusted EXR images using the affected OpenEXRCore library is at risk, with potential for memory corruption and possible code execution. No public exploit has been identified at time of analysis; EPSS risk is low (0.17%, 7th percentile) and CISA SSVC rates exploitation as none.
FastCGI framing desynchronization in HAProxy through 3.4.0 stems from a 16-bit integer overflow in the fcgi_conn demux record length (drl) field, which wraps to zero when a malicious backend sends a record with contentLength 65535 and paddingLength of 1 or more. A hostile FastCGI backend can leverage the misparse to desynchronize HAProxy's FCGI parser, leading to request routing errors, response smuggling, or memory safety issues. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the upstream commit 5985276 widens drl to uint32_t.
Denial-of-service via unbounded factorial evaluation affects NCalc (NCalc.Core and NCalcSync NuGet packages) prior to v6.1.1, allowing remote attackers to exhaust CPU resources or trigger non-terminating computation loops by submitting expressions with extremely large factorial operands such as 9223372036854775807! (Int64.MaxValue). The root cause is CWE-190 integer overflow in MathHelper.cs's factorial calculation logic, which previously lacked bounds validation, allowing operands well beyond any representable result to be passed directly to the computation loop. No public exploit or CISA KEV listing has been identified at time of analysis, though the triggering expressions are trivially constructable and documented in the advisory itself.
Denial of service in Node.js 26.x (fixed in 26.3.1) arises from an unguarded integer overflow when computing WebCrypto cipher output buffer lengths, allowing remote attackers to crash a process that performs SubtleCrypto encrypt/decrypt operations on attacker-influenced data. Rated High by the Node.js project (CVSS 7.5, availability-only impact). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote information disclosure and denial of service in RTI Connext Micro core libraries (versions 4.0.0 through 4.2.x) allow unauthenticated network attackers to trigger an integer underflow that results in an out-of-bounds buffer overread. Exploitation requires no authentication or user interaction and can leak sensitive memory contents while potentially crashing the affected process. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in rxi microtar 0.1.0 allows remote attackers to hang any consumer of the library at 100% CPU by supplying a crafted tar archive whose header size field triggers a 32-bit integer overflow in mtar_next(). The flaw affects every application that parses untrusted tar streams with this lightweight C library, and no public exploit is identified at time of analysis, though the trigger is trivial to construct from the description alone.
Remote information disclosure in Android's RTCP Feedback packet decoder allows a network attacker to read out-of-bounds process memory on a target device by delivering a maliciously crafted RTCP FB packet. The root cause is a CWE-190 integer overflow in RtcpFbPacket::decodeRtcpFbPacket that causes a miscalculated buffer boundary, enabling the out-of-bounds read. Exploitation requires user interaction (the target must participate in an attacker-influenced media session), and no public exploit has been identified at time of analysis; EPSS of 0.16% (6th percentile) confirms low current exploitation probability.
Denial of service in Pacemaker's CIB remote listener allows unauthenticated remote attackers to crash the cluster service by sending a specially crafted compressed message. The vulnerability is an integer overflow (CWE-190) triggered during pre-authentication message decompression, leading to memory corruption. No public exploit identified at time of analysis, but the pre-auth attack vector and high availability impact on cluster-management infrastructure make this a meaningful risk for exposed deployments.
Local privilege escalation potential in the Linux kernel's net/sched traffic-control subsystem arises from a partial copy-on-write (COW) miss in the pedit action (tcf_pedit_act), where skb_ensure_writable() is sized using tcfp_off_max_hint before the per-key loop and fails to account for the runtime header offset added by typed keys, leaving part of the write region un-COW'd and causing page cache corruption. A local low-privileged attacker able to install tc pedit rules (CAP_NET_ADMIN, obtainable in user namespaces on many distros) can corrupt shared page-cache memory, with CVSS 7.8 reflecting high confidentiality, integrity, and availability impact. Publicly available exploit code exists, though EPSS is low at 0.14% (4th percentile) and the issue is not on CISA KEV.
Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap memory corruption in the WavPack audio decoder of GStreamer's gst-plugins-good package allows remote attackers to crash applications or potentially achieve arbitrary code execution when a victim opens a malicious WavPack (.wv) audio file. The flaw, tracked as CVE-2026-53705 and reported by Red Hat, affects Red Hat Enterprise Linux versions 7, 8, 9, and 10, and stems from an integer overflow during buffer size calculation that produces an undersized heap allocation later overrun by decoded samples. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the multimedia decoder attack surface combined with RCE potential makes it a meaningful patching priority.
Integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows remote unauthenticated attackers to crash a UDS server or read up to 65535 bytes of memory past the 4KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 fails to validate that recv_len is at least 2 before computing key-data length via unsigned subtraction, uniquely among all other sub-function handlers in the library. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates publicly available exploit code exists, and the vulnerability is exposed across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session on automotive ECUs, industrial controllers, and IoT devices.
Integer overflow in GPAC's MP4Box causes an out-of-memory crash when processing crafted MP4 files with malformed Protection System Specific Header (PSSH) metadata during DASH segmentation. The function mp4_mux_cenc_insert_pssh() in filters/mux_isom.c fails to validate attacker-controlled kid_count and dataSize fields before using them in a buffer size calculation, causing realloc() to request approximately 61 GB (0xe40000100 bytes), which crashes the process. A public proof-of-concept MP4 file is available on GitHub; no active exploitation has been confirmed and no CISA KEV listing exists. The CVSS 3.1 score of 4.3 MEDIUM reflects the user-interaction requirement and limited availability impact.
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.
Remote unauthenticated denial-of-service in TDengine versions 3.4.0.0 through 3.4.1.5 allows attackers to crash the taosd server process by sending a single crafted RPC packet, with no credentials or prior session state required. The flaw is a CWE-191 integer underflow (vendor tags also reference Integer Overflow) in RPC packet handling, fixed in version 3.4.1.6. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability.
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by triggering an integer overflow during C2PA content processing. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the bug carries pure availability impact - no data exposure or code execution - but is trivially reachable by anyone who can feed input to the library.
Integer overflow in Adobe Acrobat Reader triggers an application crash when processing a specially crafted file, resulting in a denial-of-service condition. Versions 24.001.30365 and 26.001.21651 and earlier are confirmed affected per Adobe advisory APSB26-63. Impact is limited to availability - no confidentiality or integrity compromise is possible - and no public exploit or active exploitation has been identified at time of analysis.
Remote code execution in Microsoft Windows Kerberos implementation allows an authenticated attacker on an adjacent network segment to trigger an integer overflow and execute arbitrary code. The flaw is rated CVSS 7.1 (High) with high attack complexity and requires low-level privileges, and at the time of analysis there is no public exploit identified. Because Kerberos is a core authentication service in Windows domain environments, successful exploitation has direct implications for domain trust and identity security.
Local privilege escalation in Microsoft Windows SDK enables an authenticated low-privileged attacker to elevate to higher privileges by exploiting a use-after-free memory corruption flaw. The CVSS 7.8 (AV:L/AC:L/PR:L) profile reflects local attack with low complexity and low privileges required, yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.
Local privilege escalation in Microsoft Windows Internet (wininet.dll) allows an authenticated low-privileged attacker to elevate to higher privileges by triggering an integer overflow condition. With a CVSS score of 7.8 and full impact on confidentiality, integrity, and availability, this flaw represents a meaningful post-compromise risk on affected Windows systems, though no public exploit identified at time of analysis. The vulnerability has been reported by Microsoft's own security team (secure@microsoft.com), indicating internal discovery and coordinated disclosure.
Local code execution in Microsoft Windows Win32K GRFX (graphics) subsystem allows an attacker with low-privilege local access to run arbitrary code by triggering an integer overflow, after coaxing a user into interacting with a crafted graphics object. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, though Win32K bugs historically attract rapid exploit development for privilege escalation in post-compromise chains.
Local code execution in the Windows Win32K GRFX (graphics) subsystem allows an unauthorized attacker with the ability to run code locally to escalate privileges through an integer overflow. The flaw was reported by Microsoft (MSRC) and carries a CVSS 7.8, but requires user interaction (UI:R) and local access (AV:L), and no public exploit identified at time of analysis.
Remote code execution in Windows Performance Monitor enables unauthenticated network attackers to execute arbitrary code by triggering an integer underflow condition in the component's data handling logic. The flaw carries a CVSS score of 8.1 with high attack complexity, and while no public exploit identified at time of analysis, the SSVC assessment rates technical impact as total. Microsoft has released a patch via MSRC, and the issue is also tracked in VulDB entry 369628.
Remote code execution in Microsoft Windows Performance Monitor (PerfMon) allows unauthenticated network-based attackers to execute arbitrary code by triggering an integer underflow condition. The flaw carries a CVSS 3.1 score of 8.1 driven by high impact across confidentiality, integrity, and availability, though high attack complexity (AC:H) tempers exploitability. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but Microsoft has released a patch via MSRC guidance.
Local privilege escalation in the Windows NT OS Kernel allows an authenticated low-privileged user to elevate to higher privileges through an integer underflow condition. The flaw carries a CVSS 7.8 (High) rating with no public exploit identified at time of analysis, but Microsoft has issued a patch via MSRC. Defenders should treat this as a standard Patch-Tuesday-class kernel EoP that becomes a critical post-compromise pivot once initial access is achieved.
Denial-of-service in Red Hat's 389 Directory Server allows a highly privileged network attacker to crash the LDAP service by submitting a crafted password hash shorter than 16 bytes during authentication. The SMD5 password storage plugin performs an unsigned integer underflow (CWE-191) when computing salt length from this malformed input, producing a buffer over-read that terminates the server process. No public exploit code exists and this vulnerability has not been confirmed actively exploited (CISA KEV), but the impact is a complete loss of LDAP availability with low attack complexity once the required privilege level is achieved.
Integer overflow in the HarmonyOS and EMUI log service enables a local attacker, without requiring system privileges, to cause a denial-of-service condition and limited integrity impact on affected Huawei devices. The vulnerability is rooted in CWE-190 (Integer Overflow or Wraparound) within the log service component, with the CVSS-defined changed scope indicating the fault can affect components beyond the log service itself. No public exploit code and no confirmed active exploitation have been identified at time of analysis.
Denial of service in Spring Framework 5.3.0 through 5.3.48 allows remote unauthenticated attackers to exhaust server resources by submitting crafted Spring Expression Language (SpEL) expressions that trigger an integer overflow during evaluation. The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit identified at time of analysis. Applications that evaluate untrusted SpEL input are at greatest risk.
The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. Rated high severity (CVSS 8.2), this vulnerability is low attack complexity. No vendor patch available.
Remote denial of service in Comodo Internet Security's Inspect.sys firewall driver lets an unauthenticated attacker crash any Windows host running the product by sending a single crafted IPv6 packet, even when all ports are blocked at the firewall. The flaw is an integer underflow (CWE-191) in IPv6 extension-header parsing that occurs before firewall rule enforcement, producing an out-of-bounds read and an oversized memcpy at DISPATCH_LEVEL and an immediate BSOD. Publicly available exploit code exists, published alongside MalwareTech's technical writeup and a working PoC named ComoDoS.
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.
Integer overflow in Chrome's ANGLE graphics layer on Windows enables process memory disclosure for attackers who have already compromised the renderer process. Affected versions are all Google Chrome releases prior to 149.0.7827.53 on Windows. An attacker who has first achieved renderer compromise can trigger the ANGLE integer overflow via a crafted HTML page to read potentially sensitive data from process memory - functioning as a second-stage information leak within a chained exploit. No public exploit identified at time of analysis, and EPSS at 0.03% (11th percentile) reflects low observed exploitation probability.
Integer overflow in Samsung's rlottie animation library allows a crafted Lottie animation file to trigger memory corruption, resulting in high availability impact and low integrity impact on the rendering application. Specifically affecting the gradient color-stop parsing logic in lottiemodel.cpp, the flaw arises when a malformed colorPoints value causes a signed integer multiplication to overflow before being assigned to a size_t, producing an undersized buffer computation. No active exploitation has been identified at time of analysis, and a fix is available upstream via GitHub PR #592, though a formally tagged release version has not been independently confirmed.
Integer overflow in the cilium/ebpf Go library (versions up to 0.21.0) allows a local authenticated user to cause an availability impact by supplying crafted BPF Type Format (BTF) data to the LoadCollectionSpec or LoadCollectionSpecFromReader APIs. The flaw resides in the loadRawSpec function where 32-bit header field arithmetic was performed using signed int types, enabling overflow to bypass bounds checks on StringOff, StringLen, TypeOff, and TypeLen fields. No public exploit identified at time of analysis as a KEV listing, though publicly available exploit code exists per VulDB and the CVSS temporal component E:P confirms a proof-of-concept is circulating.
Denial of service in GoBGP v4.3.0 allows unauthenticated remote attackers to crash or hang BGP speakers by sending a malformed BGP UPDATE message that triggers an integer underflow in the BGPUpdate.DecodeFromBytes parser. The underflow causes uint16 length counters (routelen and pathlen) to wrap to ~65k, leading the parser to silently consume the buffer or fail in ways that disrupt session processing. EPSS is very low (0.04%) and there is no public exploit identified at time of analysis, but the upstream commit demonstrating the bug is publicly visible.
Local privilege escalation in the Android Bluetooth stack (Android 14, 15, 16, and 16-qpr2) allows an adjacent attacker to corrupt the heap of the privileged Bluetooth process via an integer overflow in l2c_fcr_clone_buf. No user interaction or additional execution privileges are required, and at time of analysis there is no public exploit identified, though SSVC rates the technical impact as total.
Integer overflow in Google Android's ubsan_throwing_runtime.cpp enables remote denial of service across Android 14, 15, 16, and 16-qpr2. A network-accessible low-privileged attacker can trigger a process crash through crafted input targeting multiple functions in this runtime component, resulting in complete availability loss with no user interaction required. No public exploit code has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Integer overflow in Android's UBSan throwing runtime (ubsan_throwing_runtime.cpp) enables a local attacker with low privileges to cause a persistent denial of service across Android 14 through Android 16 QPR2. The flaw affects multiple functions within the file and requires no user interaction to trigger, making it exploitable by a malicious on-device application without elevated privileges. No public exploit identified at time of analysis, and the local-only attack vector constrains real-world scope, but the persistent nature of the availability impact elevates operational concern over transient crash-based DoS.
Remote denial of service in Google Android (versions 14, 15, 16, and 16-qpr2) is achievable by an authenticated network attacker exploiting an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms low-complexity network exploitation requiring only low-privilege authentication and no user interaction, resulting in a full availability impact (A:H). No public exploit code or CISA KEV listing has been identified at time of analysis, though the broad version coverage across current and recent Android releases makes this a notable patching priority.
Remote denial of service in Google Android versions 14, 15, 16, and 16-qpr2 stems from an integer overflow across multiple functions in ubsan_throwing_runtime.cpp, a low-level UBSan instrumentation component. An authenticated attacker with low privileges can trigger a full system crash over the network with no user interaction required, achieving complete availability impact (CVSS A:H) with no confidentiality or integrity risk. No public exploit or CISA KEV listing has been identified at time of analysis, and Google addressed the issue in the June 2026 Android Security Bulletin.
Persistent denial of service and local privilege escalation in Google Android's UBSan runtime component affect Android 14, 15, 16-qpr2, and 16, stemming from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. An authenticated local attacker with low-level privileges and no required user interaction can exploit this overflow to trigger persistent availability loss and, per the description, possible privilege escalation. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 stems from an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, the runtime component of Android's Undefined Behavior Sanitizer (UBSan). An authenticated low-privileged attacker over the network can trigger the overflow to crash the affected component, resulting in high availability impact with no user interaction required. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.
Remote denial of service in Google Android 14, 15, 16, and 16-qpr2 is possible via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp, a component of Android's UndefinedBehaviorSanitizer runtime. Network-accessible, low-privileged attackers (CVSS PR:L, AV:N, AC:L) can crash affected devices without requiring user interaction, resulting in availability loss with no confidentiality or integrity impact. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Persistent denial of service in Google Android's UBSAN throwing runtime allows a remote low-privileged attacker to crash affected devices via an integer overflow in multiple functions of ubsan_throwing_runtime.cpp. Affected versions span Android 14, 15, 16-qpr2, and 16, indicating broad exposure across the current supported Android ecosystem. No public exploit code or active exploitation has been identified at time of analysis; patches are available via the June 2026 Android Security Bulletin.
Local privilege escalation in Google Android (versions 14, 15, 16, and 16-qpr2) stems from an integer overflow (CWE-190) that can be triggered without user interaction to achieve code execution. With CVSS 8.4 and SSVC technical impact rated 'total,' a local attacker on the device can elevate privileges across security boundaries without additional execution rights. No public exploit identified at time of analysis and SSVC reports exploitation status as 'none.'
Local code execution in Poppler's Splash rendering backend allows attackers to compromise applications that open attacker-supplied PDFs by triggering an integer overflow in tilingPatternFill that produces an undersized heap allocation and a subsequent out-of-bounds write. The flaw affects Poppler as shipped across Red Hat Enterprise Linux 6 through 10 and Red Hat Hardened Images, with impact including arbitrary code execution, information disclosure, or denial of service in the rendering process. No public exploit identified at time of analysis, and the CVSS 7.8 vector requires user interaction to open a malicious PDF.
Integer overflow in the Janet scripting language's fiber unmarshaling routine (versions up to 1.41.0) allows a local authenticated attacker to cause a denial-of-service condition. The vulnerable function `unmarshal_one_fiber` in `src/core/marsh.c` performs an unchecked addition when computing fiber stack capacity - if `fiber_stacktop` is near INT32_MAX, adding 10 wraps the value, resulting in a dangerously small capacity allocation that crashes the interpreter. No public exploitation in production environments has been confirmed (not listed in CISA KEV), but a public proof-of-concept exploit exists, and the upstream patch has been released as commit d9b1d711.
Remote denial-of-service in FlexRIC v2.0.0 allows unauthenticated attackers to crash the iApp component (TCP/36422) by exhausting a 16-bit xapp_id counter through repeated E42_SETUP_REQUEST messages. The integer wraparound produces duplicate xApp identifiers that violate internal data-structure invariants, terminating the RIC service. No public exploit identified at time of analysis, and EPSS estimates exploitation probability at just 0.05%, though the attack is conceptually trivial to script.
Out-of-bounds read in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module stems from an integer overflow on the s16 buff_pos variable in batadv_iv_ogm_send_to_if, where the size check is performed using int while the position counter uses s16. Adjacent-network attackers on a batman-adv mesh can trigger the overflow by sending crafted OGM (Originator Message) aggregation packets, potentially leaking kernel memory or causing denial of service. EPSS is very low (0.02%, 5th percentile) and there is no public exploit identified at time of analysis, but the issue carries a CVSS of 8.8 due to high impact on confidentiality, integrity, and availability across adjacent networks.
Local privilege escalation or denial-of-service in the Linux kernel's dm-thin (device-mapper thin provisioning) target stems from a metadata reference-count underflow in rebalance_children(). Local users with access to thin-provisioned device-mapper volumes can trigger 'unable to decrement block' errors that corrupt metadata accounting on shared btree nodes, with no public exploit identified at time of analysis and a very low EPSS score (0.02%, 5th percentile) indicating limited exploitation interest despite the high CVSS of 7.8.
Integer overflow in the Linux kernel's ntfs3 filesystem driver allows local attackers to bypass volume boundary validation when mounting or accessing a crafted NTFS volume, leading to memory corruption with high confidentiality, integrity, and availability impact. The flaw resides in run_unpack() where the check `lcn + len > sbi->used.bitmap.nbits` performs raw addition that wraps for large values, sidestepping the bounds check. No public exploit identified at time of analysis and EPSS is very low (0.02%), but CVSS 7.8 with required user interaction reflects realistic local privilege-escalation potential when untrusted NTFS media is processed.
Integer overflow in the Linux kernel's rxgk (RxRPC GSS Kerberos) token extraction routine allows remote attackers to potentially trigger memory corruption via length-check bypass in rxgk_extract_token(). The flaw affects Linux kernel versions in the 6.16.9-to-6.17 range and was fixed by changing the validation to round down available data instead of rounding up the tested value. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.
Integer overflow in the Linux kernel's device mapper mirror (dm-mirror) subsystem allows a local attacker with device mapper configuration privileges to crash the kernel via a denial-of-service condition. The flaw resides in create_dirty_log() where an unchecked unsigned addition of 2 + param_count wraps around to a small value when param_count approaches UINT_MAX, bypassing an argc bounds check and triggering out-of-bounds reads in dm_dirty_log_create(). No public exploit code exists and EPSS is exceptionally low at 0.02% (5th percentile); this CVE has not been added to the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
Local denial of service and potential information disclosure in the Linux kernel's EROFS filesystem affects versions from 5.13 through pre-patch releases, where a crafted EROFS image triggers an unsigned integer underflow in z_erofs_lz4_handle_overlap(). When a malicious image is mounted and a file is read, the LZ4 inplace decompression path wraps the 'outpages - inpages' calculation to a huge value and reads past the decompressed_pages array. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but a reproducible proof-of-concept image is embedded in the upstream commit message.
Out-of-bounds write and data-loss bugs in the Linux kernel SLUB allocator's krealloc() function affect kernels incorporating commit 2cd8231796b5, which introduced NUMA node and alignment forcing to k[v]realloc(). A local attacker with low privileges who can trigger the krealloc_node_align() or kvrealloc() reallocation fallback path - specifically when shrinking an allocation while simultaneously forcing a new alignment or NUMA node - can cause kernel heap memory corruption leading to a system panic or silent heap object corruption. No public exploit exists beyond the lkdtm reproducer in the CVE description; EPSS stands at the 4th percentile and the vulnerability is not in CISA KEV. Vendor-released patches are confirmed available in Linux 6.18.27, 7.0.4, and 7.1-rc1.
Integer underflow in the Linux kernel's AppArmor subsystem (`aa_get_buffer()`) allows a local low-privileged user to cause per-CPU buffer starvation and system-wide denial of service. The `cache->hold` unsigned counter wraps to UINT_MAX when decremented below zero, permanently preventing `aa_put_buffer()` from recycling buffers back to the global pool and forcing repeated `kmalloc(aa_g_path_max)` heap allocations that starve other CPUs. No public exploit exists and EPSS is 0.02% (5th percentile); this is not in CISA KEV, but patches are available across multiple stable kernel branches.
Heap-based buffer overflow in MediaArea MediaInfoLib's LXF (Leitch eXchange Format) parser allows attackers to achieve arbitrary code execution when a victim opens a maliciously crafted LXF media file. The flaw affects MediaInfoLib 26.01 and was reported by Cisco Talos (TALOS-2026-2367); no public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.01%.
Heap buffer overflow in FastNetMon Community Edition through 1.2.9 originates from a CWE-190 integer overflow in the BGP AS_PATH attribute encoder (IPv4UnicastAnnounce::get_attributes() in src/bgp_protocol.hpp). When an AS_PATH carries more than 63 ASNs, the computed attribute length is silently truncated into a uint8_t field used for buffer sizing while the full data is still written, corrupting the heap. The CVSS 9.8 score implies remote unauthenticated code execution, though the flaw lives in FastNetMon's outbound BGP announcement encoder; no public exploit is identified at time of analysis and no EPSS or KEV data was supplied.
Integer overflow in NewNTUnicodeString within the Go extended syscall package for Windows allows a local low-privileged attacker to silently inject a truncated NTUnicodeString into applications that expect validation failures on oversized input. Affected is golang.org/x/sys/windows before version 0.44.0. Because the function returns a truncated result rather than an error, consuming code may proceed with a malformed string, potentially bypassing length-based security checks or causing downstream logic errors - no public exploit has been identified at time of analysis and EPSS exploitation probability is 0.02%.
Denial of service in the Go golang.org/x/crypto/ssh package (versions prior to 0.52.0) occurs when an application writes more than 4GB of data in a single Write call on an SSH channel, triggering an integer overflow in the internal payload size calculation that causes the write loop to spin indefinitely while emitting empty packets. The flaw affects any Go application using this SSH library for large data transfers and is patched upstream with a release in version 0.52.0; no public exploit identified at time of analysis and EPSS probability is very low at 0.02%.
Integer overflow in Arm ArmNN's TensorShape::GetNumElements() enables a crafted TFLite model to bypass buffer size validation and trigger a heap-based buffer over-read, resulting in a denial of service. Affected systems are those that load externally-supplied or untrusted TFLite model files using any ArmNN build through 2026-03-27. An attacker who controls a model file processed by an ArmNN-backed application can crash the host process during the optimization pass via BatchToSpaceNdLayer's InferOutputShapes() routine. No public exploit code and no active exploitation has been identified at time of analysis; EPSS sits at 0.02% (5th percentile), consistent with low real-world threat.
Integer underflow in Netatalk's volxlate function affects all releases from 3.0.0 through 4.4.2, an open-source AFP (Apple Filing Protocol) file server widely deployed on Linux/Unix systems serving macOS clients. Exploitation is constrained to local, highly-privileged attackers under high-complexity conditions, yielding only limited confidentiality, integrity, and availability impact (CVSS 3.4). No active exploitation is confirmed (not listed in CISA KEV), and no public exploit identified at time of analysis.
Denial of service in Netatalk versions 1.5.0 through 4.4.2 allows remote unauthenticated attackers to crash the AFP (Apple Filing Protocol) service by exploiting an integer underflow in the dsi_writeinit() function. The flaw is network-reachable with low complexity (CVSS 7.5, AV:N/AC:L/PR:N) and no public exploit identified at time of analysis, though the trivial trigger conditions make exploitation straightforward once a proof-of-concept emerges. Netatalk has resolved the issue in version 4.4.3.
Integer overflow in the DALI backend of NVIDIA Triton Inference Server allows authenticated remote attackers to trigger memory corruption that may result in code execution, data tampering, or denial of service. The flaw requires low-level privileges plus user interaction (CVSS 8.0, AV:N/AC:L/PR:L/UI:R) and affects deployments exposing the DALI inference pipeline. No public exploit identified at time of analysis.
Denial of service in NVIDIA Triton Inference Server can be triggered remotely by unauthenticated attackers via an integer overflow condition (CWE-190). The CVSS 7.5 score reflects high availability impact with no confidentiality or integrity loss, and no public exploit has been identified at time of analysis. Defenders running Triton in network-exposed inference deployments should prioritize patching since exploitation requires no privileges, no user interaction, and low attack complexity.
Information disclosure in Rsync 3.4.2 and prior allows an authenticated remote sender to leak receiver process memory through an integer overflow in the compressed-token decoder. The flaw exposes environment variables, credentials, heap and stack contents, and library pointers, weakening ASLR and enabling follow-on exploitation; no public exploit identified at time of analysis, but Rsync 3.4.3 bundles the security fix.
Heap memory corruption in Kitty cross-platform GPU terminal emulator (versions 0.46.2 and below) allows remote attackers to trigger out-of-bounds heap reads and writes by emitting crafted graphics protocol escape sequences. The flaw stems from a 32-bit integer overflow in handle_compose_command() that lets malicious x_offset/y_offset values bypass bounds checks. No public exploit identified at time of analysis, but the bug requires no user interaction, no authentication, and works against default configurations whenever attacker-controlled bytes can reach the terminal - including via SSH banners, cat'd files, or piped output.
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Integer underflow in the Linux kernel's MPI crypto library function `mpi_read_raw_from_sgl()` allows a local low-privileged user to trigger an infinite kernel loop via the `KEYCTL_PKEY_ENCRYPT` syscall, causing a system-wide denial of service with soft lockup splats. The flaw was latent since commit `2d4d1eea540b` but became exploitable only after commit `63ba4d67594a` changed how asymmetric key operations construct scatterlists, allowing `out_len > in_len` with a zero-filled buffer to satisfy the underflow condition. No active exploitation is confirmed (EPSS 0.02%, not in CISA KEV), but the attack path is fully described in the upstream commit message, making independent reproduction straightforward.
Integer overflow in OpenHarmony v6.0 and prior versions enables a local authenticated attacker to trigger a denial-of-service condition, resulting in an availability impact. The vulnerability is low severity with a CVSS score of 3.3, requires local access with low privileges, and no public exploit or active exploitation has been identified at time of analysis. Notably, the CVE tags include 'Information Disclosure' despite the CVSS vector indicating no confidentiality impact (C:N), a discrepancy that warrants vendor clarification.
Remote denial-of-service in OpenTelemetry eBPF Instrumentation (OBI) versions 0.7.0 through 0.8.x allows unauthenticated attackers to crash the privileged instrumentation process by sending a crafted memcached storage command with an oversized `<bytes>` field. The integer overflow in the memcached text protocol parser produces a negative payload length that triggers a Go runtime panic in LargeBufferReader.Peek, halting telemetry collection until OBI is restarted. Publicly available exploit code exists in the GHSA-43g7-cwr8-q3jh advisory, but there is no public exploit identified beyond the PoC and the vulnerability is not listed in CISA KEV.
Signed integer overflow in the NetBSD kernel's cryptodev subsystem (sys/opencrypto/cryptodev.c, prior to commit ec8451e) enables a local low-privileged attacker to crash the kernel via a NULL pointer dereference, causing a full denial of service. The type mismatch between a signed int local variable and an unsigned cop->dst_len source value in cryptodev_op() produces undefined behavior when dst_len exceeds INT_MAX, corrupting UIO pointer arithmetic and - when CONFIG_SVS is disabled - triggering a kernel panic. No public exploit identified at time of analysis, though a technical writeup at nasm.re documents related memory-handling issues in this subsystem.
Denial-of-service in the iskorotkov/avro Go Avro decoder (a maintained fork of the archived hamba/avro) lets unauthenticated remote attackers crash or hang consumers by submitting crafted Avro streams that trigger integer narrowing, signed-integer overflow in cumulative block sizes, or unchecked-negative make() calls. All versions prior to v2.33.0 are affected; the upstream github.com/hamba/avro/v2 (all versions through v2.31.0) is also vulnerable and will not receive a fix because the module is archived. No public exploit identified at time of analysis, though the advisory itself documents concrete PoC input shapes and includes a regression test (TestDecoder_ArrayMultiBlockExceedsMaxInt) that demonstrates the cumulative-overflow path on amd64.
A compromised Trusted OS (TOS) driver could issue a malformed call that could potentially allow memory access outside the intended range resulting in loss of integrity. Rated low severity (CVSS 1.8). No vendor patch available.
Integer overflow in libyang's lyb_read_string() function leads to heap buffer overflow during LYB binary parsing, enabling remote denial-of-service attacks against NETCONF servers, sysrepo, and other YANG data consumers. The vulnerability (CWE-190) allows unauthenticated attackers to crash services by supplying maliciously crafted LYB blobs over network connections. Fixed in version SO 5.2.15. CVSS 7.5 (High) with network attack vector and low complexity, though currently limited to availability impact. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Heap buffer overflow in libsixel versions up to 1.8.7-r1 enables local attackers to corrupt memory and potentially execute code by supplying maliciously crafted SIXEL image data. A signed integer overflow in the SIXEL parser's buffer resizing logic bypasses allocation size checks, allowing out-of-bounds writes with attacker-controlled offsets. The vulnerability requires user interaction to process a malicious SIXEL file but does not require authentication. Fixed in version 1.8.7-r2. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Heap overflow in OpenImageIO's JPEG 2000 decoder allows local attackers with malicious image files to execute arbitrary code. Affects versions before 3.0.18.0 and 3.1.x before 3.1.13.0 when compiled with USE_OPENJPH flag. Integer overflow in buffer size calculation causes undersized heap allocation, leading to memory corruption during pixel writes. No public exploit identified at time of analysis, but SSVC framework indicates POC exists. Vendor-released patches available in versions 3.0.18.0 and 3.1.13.0.
Heap buffer overflow in OpenImageIO 3.0.x (before 3.0.18.0) and 3.1.x (before 3.1.13.0) allows remote attackers to achieve denial of service or potentially arbitrary code execution via crafted DPX image files. The vulnerability stems from signed integer overflow in buffer size calculations within the DPX color converter, causing undersized heap allocations. Attack requires victim to open a malicious DPX file (user interaction required per CVSS UI:R). No public exploit code or active exploitation confirmed at time of analysis, though the technical details in the GitHub advisory provide sufficient detail for proof-of-concept development.
Out-of-bounds write in OpenImageIO versions prior to 3.0.18.0 and 3.1.13.0 allows remote attackers to crash applications or potentially execute arbitrary code by delivering maliciously crafted CbYCrY image files. A signed integer overflow in the ConvertCbYCrYToRGB() pixel-loop calculation generates large negative pointer offsets, corrupting memory during image processing. EPSS data not available; no evidence of active exploitation (not in CISA KEV); exploitation requires user interaction to process attacker-supplied image files.
Remote code execution in PostgreSQL (versions 14.x-18.x) allows authenticated database users to execute arbitrary code as the database operating system user via integer wraparound vulnerabilities in multiple server features. By passing gigabyte-scale inputs to affected database functions, attackers trigger allocation undersizing that leads to out-of-bounds writes. No active exploitation confirmed (not in CISA KEV), but CVSS 8.8 with network vector and low complexity indicates high exploitability once technical details become public. EPSS data not available at time of analysis.
Integer overflow in simdjson's string_builder::escape_and_append() function allows out-of-bounds memory reads in SIMD routines when processing very large input strings on 32-bit platforms, potentially resulting in information disclosure or memory corruption. The vulnerability affects all versions before 4.6.4 and has been patched by the vendor.
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused by unsigned integer underflow in libmodsecurity3 if the user (administrator) uses a rule any of @verifySSN, @verifyCPF, or @verifySVNR. This vulnerability is fixed in 3.0.15.