Memory Corruption

In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields.

In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors.

In the Linux kernel, the following vulnerability has been resolved: tpm2-sessions: Fix out of range indexing in name_size 'name_size' does not have any range checks, and it just directly indexes with TPM_ALG_ID, which could lead into memory corruption at worst.

Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.

Arbitrary code execution in Firefox and Thunderbird versions prior to 147/140.7 results from memory corruption vulnerabilities that could allow remote attackers to execute malicious code with no user interaction required. Multiple memory safety flaws across Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146 create conditions for potential exploitation despite no patch currently being available. The high CVSS score of 8.1 reflects the critical nature of achieving full system compromise through network-based attack vectors.

RIOT OS ethos utility has a stack buffer overflow in _handle_char() due to missing bounds checking on serial frame data. Incoming frame bytes overflow a fixed-size stack buffer.

RIOT OS (IoT operating system) tapslip6 utility has a stack buffer overflow due to unbounded strcpy/strcat with user-controlled device name input. PoC available.

TinyOS versions up to and including 2.1.2 contain a stack-based buffer overflow vulnerability in the mcp2200gpio utility. The vulnerability is caused by unsafe use of strcpy() and strcat() functions when constructing device paths during automatic device discovery.

A flaw was found in GNU Wget2. This vulnerability, a stack-based buffer overflow, occurs in the filename sanitization logic when processing attacker-controlled URL paths, particularly when filename restriction options are active. [CVSS 7.6 HIGH]

Llama.cpp server endpoints fail to validate the n_discard parameter from JSON input, allowing negative values that trigger out-of-bounds memory writes when the context buffer fills. This memory corruption vulnerability affects LLM inference operations and can be exploited remotely without authentication to crash the service or achieve code execution; public exploit code exists and no patch is currently available.

Panda3D egg-mkfont (through 1.10.16) has a stack buffer overflow via an unbounded sprintf() with attacker-controlled glyph pattern input. PoC available.

Local privilege escalation in zlib 1.3.1.2 and earlier allows authenticated users to achieve arbitrary code execution through a buffer overflow in the contrib/untgz utility when processing command-line arguments with excessively long archive names. The vulnerability affects only the standalone untgz demonstration tool and does not impact the core zlib library. No patch is currently available.

Memory corruption occurs when a secure application is launched on a device with insufficient memory. [CVSS 7.8 HIGH]

Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. [CVSS 7.8 HIGH]

Memory corruption when accessing resources in kernel driver. [CVSS 7.8 HIGH]

Memory corruption while passing pages to DSP with an unaligned starting address. [CVSS 7.8 HIGH]

Memory corruption while preprocessing IOCTLs in sensors. [CVSS 7.8 HIGH]

Memory Corruption when multiple threads concurrently access and modify shared resources. [CVSS 7.8 HIGH]

Memory corruption while processing identity credential operations in the trusted application. [CVSS 7.8 HIGH]

Memory corruption while processing a secure logging command in the trusted application. [CVSS 7.8 HIGH]

Memory corruption while handling sensor utility operations. [CVSS 6.7 MEDIUM]

Video Collaboration Vc3 Platform Firmware versions up to - contains a security vulnerability (CVSS 7.8).

Memory corruption while deinitializing a HDCP session. [CVSS 7.8 HIGH]

Memory corruption while accessing a synchronization object during concurrent operations. [CVSS 6.7 MEDIUM]

Memory corruption while performing sensor register read operations. [CVSS 6.7 MEDIUM]

Memory corruption while parsing clock configuration data for a specific hardware type. [CVSS 6.7 MEDIUM]

Memory corruption while processing shared command buffer packet between camera userspace and kernel. [CVSS 6.7 MEDIUM]

Memory corruption while handling buffer mapping operations in the cryptographic driver. [CVSS 6.6 MEDIUM]

Memory corruption while processing a config call from userspace. [CVSS 6.7 MEDIUM]

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In dpe, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In geniezone, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In c2ps, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 6.7 MEDIUM]

Android versions up to 14.0 contains a vulnerability that allows attackers to local escalation of privilege if a malicious actor has already obtained the Syst (CVSS 6.7).

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. [CVSS 7.8 HIGH]

gpsd (before commit dc966aa) has a heap buffer overflow in the NMEA2000 satellite view handler (PGN 129540). A malicious satellite count value overwrites the skyview array, enabling code execution on GPS daemon processes. PoC available, patch available.

A vulnerability was detected in wasm3 up to 0.5.0. Impacted is the function op_SetSlot_i32/op_CallIndirect of the file m3_exec.h. [CVSS 5.3 MEDIUM]

A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. [CVSS 5.3 MEDIUM]

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.5 have a Heap-Use-After-Free (UAF) vulnerability within the MQTT bridge client component (implemented via the underlying NanoNNG library). [CVSS 4.9 MEDIUM]

WebKit arbitrary code execution via use-after-free memory corruption affects Safari 26.2, iOS/iPadOS 18.7.3 through 26.2, macOS Tahoe 26.2, tvOS 26.2, visionOS 26.2, and watchOS 26.2, allowing remote attackers to execute arbitrary code by convincing users to visit malicious websites. This vulnerability is confirmed actively exploited (CISA KEV) in extremely sophisticated targeted attacks against specific individuals on iOS versions prior to iOS 26, per Apple's security bulletin. EPSS score of 0.12% (32nd percentile) significantly understates real-world risk given confirmed exploitation. Related vulnerability CVE-2025-14174 was issued for the same exploitation campaign, suggesting a complex attack chain targeting Apple ecosystem users.

Memory corruption via out-of-bounds write in Apple operating systems allows remote attackers to execute arbitrary code when victims process a malicious file. The vulnerability affects macOS (Sonoma 14.x, Sequoia 15.x, Tahoe 26.x), iOS/iPadOS (18.x, 26.x), tvOS, visionOS, and watchOS 26.x. Despite a high CVSS score of 8.8, EPSS data indicates only 0.05% exploitation probability (15th percentile), and no public exploit code or active exploitation is confirmed. The flaw stems from inadequate bounds checking (CWE-787) in file processing routines, requiring user interaction but no authentication, making it a realistic phishing or malicious download target.

Memory corruption in Apple operating systems due to insufficient bounds checking allows local authenticated users to cause denial of service through malicious data processing, affecting iOS, iPadOS, macOS, tvOS, visionOS, and watchOS. The vulnerability requires local access and user interaction, with no public exploit identified; EPSS score of 0.02% indicates minimal real-world exploitation probability despite the assigned CVSS score of 2.8.

Apple kernel memory corruption in multiple operating systems allows a malicious application to cause unexpected system termination or write kernel memory via an out-of-bounds write flaw addressed in watchOS 26.1, iOS 18.7.2, and macOS Tahoe 26.1.

Memory corruption in macOS kernel allows authenticated local users to execute arbitrary code or crash the system. Apple fixed the vulnerability via improved memory handling in macOS Sequoia 15.7.4, Sonoma 14.8.4, and Tahoe 26.1. With CVSS 7.8 (High severity) reflecting local attack vector requiring low privileges, and EPSS at 0.01% (2nd percentile), this represents a moderate real-world risk despite high CVSS scoring. No public exploit identified at time of analysis, and no evidence of active exploitation (not in CISA KEV).

c-ares is an asynchronous resolver library. Versions 1.32.3 through 1.34.5 terminate a query after maximum attempts when using read_answer() and process_answer(), which can cause a Denial of Service. This issue is fixed in version 1.34.6.

In __pkvm_load_tracing of trace.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In multiple functions of arm-smmu-v3.c, there is a possible out-of-bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

In init_pkvm_hyp_vcpu of pkvm.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Race condition vulnerability in the audio module. Impact: Successful exploitation of this vulnerability may affect availability.

A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read.

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via a specially crafted CLI command.This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS's CLI could allow an authenticated privileged user to execute arbitrary code via specially crafted IPSec configuration CLI commands.This vulnerability affects Fireware OS 11.0 up to and including 11.12.4+541730, 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

An Out-of-bounds Write vulnerability in WatchGuard Fireware OS’s certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands.This vulnerability affects Fireware OS 12.0 up to and including 12.11.4, 12.5 up to and including 12.5.13, and 2025.1 up to and including 2025.1.2.

Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.

Use after free in Media Stream in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low)

Use after free in Digital Credentials in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Type Confusion in V8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

In display, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10184870; Issue ID: MSV-4752.

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797.

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.

In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4803.

In display, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4807.

In smi, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10259774; Issue ID: MSV-5029.

In mmdvfs, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10267218; Issue ID: MSV-5032.

In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01661195; Issue ID: MSV-4297.

Heap-based buffer overflow in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory.

Out-of-bounds write in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory.

Out-of-bounds write in parsing IFD tag in libimagecodec.quram.so prior to SMR Dec-2025 Release 1 allows remote attackers to access out-of-bounds memory.

Out-of-bounds write in decoding metadata in fingerprint trustlet prior to SMR Dec-2025 Release 1 allows local privileged attackers to write out-of-bounds memory.

A use-after-free in the MPEG1or2Demux::newElementaryStream() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted MPEG Program stream.

A use-after-free in the ADTSAudioFileSource::samplingFrequency() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS/AAC file.

Software installed and run as a non-privileged user may conduct improper GPU system calls to trigger reads of stale data that can lead to kernel exceptions and write use-after-free. The Use After Free common weakness enumeration was chosen as the stale data can include handles to resources in which the reference counts can become unbalanced. This can lead to the premature destruction of a resource while in use.

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU processing operations to gain access to already freed memory.This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1.

Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user process to perform improper GPU memory processing operations to gain access to already freed memory.This issue affects Valhall GPU Kernel Driver: from r53p0 through r54p1; Arm 5th Gen GPU Architecture Kernel Driver: from r53p0 through r54p1.

An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.

UAF vulnerability in the USB driver module. Rated medium severity (CVSS 5.8). No vendor patch available.

Permission control vulnerability in the memory management module. Rated critical severity (CVSS 9.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Permission control vulnerability in the distributed component. Rated high severity (CVSS 8.0), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

UAF vulnerability in the screen recording framework module. Rated medium severity (CVSS 6.4). No vendor patch available.

Zenitel TCIV-3+ is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

BPv7 dissector crash in Wireshark 4.6.0 allows denial of service. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Stack-based buffer overflow in Azure Application Gateway allows an unauthorized attacker to elevate privileges over a network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.