Stack Overflow
Monthly
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp
Arbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a victim opens a maliciously crafted media file, allowing an attacker to run code in the context of the current user. The CVSS 3.1 base score is 7.8 (local vector, user interaction required, no privileges needed). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is file-delivery-driven rather than remotely wormable.
Denial of service in NVIDIA Triton Inference Server for Linux stems from a stack-based buffer overflow (CWE-121) reachable by remote, unauthenticated attackers over the network. Per the CVSS 3.1 vector, exploitation requires no privileges or user interaction and impacts only availability (A:H), with no confidentiality or integrity effect. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; no EPSS score was provided in the input.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). Microsoft has published an advisory with fixes; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in multiple NETGEAR Orbi mesh WiFi models (RBR860, RBRE950/960, RBE970/971, RBS860, RBSE950/960) enables an unauthenticated adjacent-network attacker to crash or force a restart of the affected device, causing a loss of network connectivity. The root cause is CWE-121 (stack-based buffer overflow), meaning a crafted network payload can overwrite stack memory and destabilize the device process. The CVSS 4.0 supplemental metric E:P indicates a proof-of-concept exploit exists, elevating practical risk despite the moderate base score of 5.7.
Local information disclosure, data tampering, and denial of service in the BlackBerry QNX Neutrino kernel stems from a stack buffer overflow in the entry handler of the TraceEvent() system call, affecting QNX Software Development Platform, QNX OS for Safety, and QNX OS for Medical. An attacker able to run code on the target can craft malicious TraceEvent() arguments to corrupt kernel stack memory, leaking sensitive kernel data, altering kernel state, or crashing the RTOS. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; exploitation is rated high-complexity (AC:H) despite requiring no prior privileges.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Fabric Data Warehouse allows an authenticated attacker to run arbitrary code over the network by triggering a stack-based buffer overflow (CWE-121). The flaw carries a CVSS 8.8 rating with high impact to confidentiality, integrity, and availability, and requires only low-privilege access with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office Word (Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Word 2016, and the macOS builds) arises from a stack-based buffer overflow triggered when a victim opens a maliciously crafted document. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated attacker needs no privileges but does require user interaction, and successful exploitation yields full confidentiality, integrity, and availability impact in the user's security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-based buffer overflow (CWE-121) that an attacker triggers when a victim opens a maliciously crafted document. The CVSS 3.1 vector (AV:L/UI:R) confirms this is a file-borne, local-context flaw requiring the user to open attacker-supplied content, yielding full confidentiality, integrity, and availability impact in the user's session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch via MSRC.
Local code execution in Microsoft Office Word (via a stack-based buffer overflow, CWE-121) lets an attacker run arbitrary code in the context of the user who opens a maliciously crafted document. The flaw affects Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024 (including Mac editions), and the Word component shared with SharePoint Server 2016/2019/Subscription Edition. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to open the attacker's file (UI:R).
Local code execution in Microsoft Excel (and the broader Office 2016/2019/LTSC 2021/2024, Microsoft 365 Apps, Office for Mac, and Office Online Server family) results from a stack-based buffer overflow triggered when a victim opens a maliciously crafted spreadsheet. An attacker who convinces a user to open a booby-trapped file can run arbitrary code in the context of that user, with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the ubiquity of Excel and Microsoft's own advisory make this a routine patch-Tuesday-class priority.
Local code execution in Microsoft's Resilient File System (ReFS) driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a stack-based buffer overflow (CWE-121) can be triggered when a victim interacts with attacker-crafted ReFS data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated but user-interaction-dependent local attack yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so it currently represents a patch-priority rather than an active-exploitation emergency.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by sending crafted network input that overflows a stack buffer (CWE-121). Because AD FS commonly fronts single sign-on for Microsoft 365, Azure AD, and federated web applications, an outage cascades into loss of authentication for every relying-party application. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; a Microsoft patch is available, and the CVSS 3.1 score is 7.5 (availability-only impact).
Local privilege elevation in the Windows Graphics Device Interface (GDI) component allows an already-authenticated, low-privileged user to run code at a higher privilege level by triggering a stack-based buffer overflow (CWE-121). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash or render the federation service unavailable by triggering a stack-based buffer overflow over the network. The flaw affects the AD FS role across Windows Server 2012 through 2025 (including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Remote denial of service in Microsoft Active Directory Federation Services (ADFS) allows an unauthenticated network attacker to crash the service via a stack-based buffer overflow (CWE-121). The flaw affects the ADFS role across Windows Server 2012 through 2025 (and the underlying Windows 10 1607/1809 servicing components), carries a CVSS 7.5 availability-only score, and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. Because AD FS commonly fronts single sign-on for Microsoft 365, SaaS, and internal web applications, a successful crash can knock out federated authentication for an entire organization. No public exploit identified at time of analysis, and the flaw is availability-only — confidentiality and integrity are not impacted per the CVSS vector.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft Excel (and the broader Office family through Microsoft 365 Apps, Office 2019/2021/2024 LTSC, Office for Mac, and Office Online Server) arises from a stack-based buffer overflow (CWE-121) triggered when a user opens a maliciously crafted spreadsheet. An attacker who convinces a victim to open the file runs arbitrary code in the security context of the current user, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; Microsoft has released a patch.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by triggering a stack-based buffer overflow over the network (CVSS 7.5, availability-only impact). Because AD FS brokers single sign-on and federated authentication, a successful attack can knock out login for every downstream application that relies on it. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw affects AD FS as shipped across a broad range of Windows client and server builds (Windows 10/11 and Windows Server 2012 through 2025). Microsoft - the reporting party - has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in the Totolink NR1800X router (firmware 9.1.0u.6279_B20210910) lets remote attackers corrupt memory by supplying an oversized HTTP Host header to the Form_Logout handler at /formLogout.htm, served by the embedded lighttpd web interface. Because the flaw is reachable over the network without authentication and publicly available exploit code exists, it is a strong candidate for opportunistic exploitation despite not yet appearing in CISA KEV. Successful exploitation can crash the device or, given the CWE-121 stack overwrite, potentially achieve code execution on the router.
Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). This vulnerability is not listed in CISA KEV at time of analysis, and the dual prerequisites of privileged access plus memory-protection bypass substantially constrain real-world exploitability despite the critical CIA impact triad.
Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) allows remote attackers to corrupt memory via the fromVirtualSer handler for the /goform/VirtualSer endpoint by supplying an oversized 'page' argument. The flaw carries CVSS 4.0 7.4 and, per its vector, requires low-level privileges (PR:L); publicly available exploit code exists, though there is no public exploit identified as actively used in the wild (not in CISA KEV). Successful exploitation can crash the device or potentially lead to arbitrary code execution on the embedded MIPS/ARM firmware.
Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets an attacker corrupt the stack by supplying an oversized 'page' argument to the /goform/DhcpListClient web endpoint handled by the fromDhcpListClient function. The flaw is reachable over the network and publicly available exploit code exists (disclosed via VulDB), though it is not listed in CISA KEV and no EPSS score was provided. Per the supplied CVSS 4.0 vector (PR:L) the attack requires low-level authentication to the device, and successful exploitation can crash the router or potentially achieve arbitrary code execution.
Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) lets attackers corrupt memory by manipulating the 'page' argument passed to the fromSetIpBind function of the /goform/SetIpBind endpoint. The flaw is remotely reachable over the network and, per the CVSS 4.0 vector, requires low-level privileges (PR:L) while yielding high confidentiality, integrity, and availability impact - typically resulting in device crash or arbitrary code execution on the router. Publicly available exploit code exists (E:P), disclosed via VulDB, though it is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets remote attackers corrupt memory by manipulating the 'page' argument of the fromSafeMacFilter handler at /goform/SafeMacFilter. Publicly available exploit code exists, though there is no public exploit identified as being used in active campaigns and it is not listed in CISA KEV. Successful exploitation can crash the device or potentially achieve code execution on the router's embedded OS. EPSS data was not provided.
Stack-based buffer overflow in the Tenda BE12 Pro router firmware 16.03.66.23 lets an authenticated remote attacker corrupt memory via the fromSafeUrlFilter handler at /goform/SafeUrlFilter by supplying an oversized 'page' parameter. Publicly available exploit code exists (published via VulDB), though the flaw is not listed in CISA KEV and no active exploitation has been confirmed. The CVSS 4.0 vector (7.4, PR:L) indicates network reachability with low-privilege authentication and high impact to confidentiality, integrity, and availability of the device.
Stack-based buffer overflow in the Tenda BE12 Pro (firmware 16.03.66.23) web management interface lets an attacker corrupt memory by supplying an oversized 'page' argument to the fromSafeClientFilter handler at /goform/SafeClientFilter, potentially crashing the device or executing arbitrary code with router privileges. Per the CVSS 4.0 vector the flaw is network-reachable but requires low-level privileges (PR:L). Publicly available exploit code exists (disclosed via VulDB), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.
Denial of service in aMule 2.3.3 lets a remote eD2k server crash the client by sending a malformed OP_SERVERMESSAGE packet that overflows a stack buffer (CWE-121). The flaw is triggered client-side when parsing server-supplied message data, so any hostile or spoofed server the client connects to can terminate the application. No public exploit has been identified at time of analysis, and the issue is documented only as an upstream bug report (amule GitHub issue #445), not a released patch.
Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.
Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.
Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.
Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.
Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.
Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.
Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).
Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.
Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.
Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.
Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.
Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.
Stack-based buffer overflow in the UTT HiPER 1250GW SOHO router (firmware through 3.2.7-210907-180535) lets a network-adjacent attacker corrupt memory by supplying an oversized 'ssid' argument to the /goform/ConfigWirelessBase_5g web handler, potentially achieving code execution or a device crash. The flaw is remotely reachable via the device's web management interface and carries a CVSS 4.0 base score of 7.4 (PR:L, indicating some authentication to the web UI is expected). Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), though there is no public exploit identified as being actively used in the wild.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. The vendor was contacted but did not respond, and there is no public evidence of active exploitation.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within the ls1c CAN handler (bsp/loongson/ls1cdev/libraries/ls1c_can.h) for the Loongson LS1C board support package. A local attacker with low privileges can manipulate the recvmsg call path to overflow a stack buffer, corrupting memory to achieve code execution or crash the device. Publicly available exploit code exists (VulDB), but there is no public exploit identified as actively used in the wild; this is not on CISA KEV, and no vendor patch has been identified as the vendor did not respond to disclosure.
Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets a remote attacker crash the device by sending crafted input to the gohead/sub_448384 (FUN_00448384) handler, triggering a stack-based buffer overflow. The CVSS 3.1 vector marks it network-reachable and unauthenticated with high availability impact but no confidentiality or integrity effect. Publicly available exploit code exists via a GitHub CVE report; there is no CISA KEV listing and no EPSS score in the provided data.
Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt the stack via f_getlabel(), because the exFAT volume-label length field (XDIR_NumLabel) is trusted without enforcing the specification maximum. FatFs is an embedded FAT/exFAT filesystem library used across microcontroller and IoT firmware, so any device that mounts and reads the label of attacker-supplied storage is exposed. Publicly available exploit code exists (runZero advisory and SSVC 'PoC'), but there is no public exploit identified in active use and it is not listed in CISA KEV.
Stack-based buffer overflow in Apple Safari's web content processing engine causes an unexpected application crash across Safari, iOS/iPadOS, and macOS Tahoe platforms. All versions prior to 26.5.2 are affected; an attacker can trigger the overflow by luring a victim to a maliciously crafted web page, resulting in a denial-of-service through a Safari crash. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, keeping real-world risk moderate despite the broad install base.
Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk.
Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.
Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.
Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory via the 'page' parameter handled by the fromNatStaticSetting function at the /goform/NatStaticSetting endpoint. Publicly available exploit code exists, and the CVSS 4.0 vector (PR:L) indicates an authenticated user on the device's web interface can trigger high confidentiality, integrity and availability impact. There is no public exploit identified as actively used in the wild - exploitation is proof-of-concept only at this time.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets a remote attacker corrupt memory by manipulating the 'page' parameter handled by the fromAddressNat function at the /goform/addressNat endpoint, potentially achieving code execution or device crash. Publicly available exploit code exists and the issue was disclosed by VulDB, though there is no public exploit identified as actively exploited in the wild. With a CVSS 4.0 base score of 7.4 and PR:L, exploitation requires some level of authenticated access to the web management interface.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) allows remote attackers to corrupt memory by manipulating the security_5g argument sent to the formWifiBasicSet handler at /goform/WifiBasicSet, potentially achieving denial of service or arbitrary code execution on the device. The flaw is network-reachable but, per the CVSS 4.0 vector, requires low-level authentication (PR:L), and publicly available exploit code exists. There is no public exploit identified as actively exploited in CISA KEV, and the EPSS score was not provided.
Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.
Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Stack overflow in Bento4's MP4 parsing component allows an attacker to crash any application built on the library by supplying a crafted MP4 file. The flaw resides in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity, a dynamic array growth function invoked while processing Track Run (trun) atoms, and affects all Bento4 releases before v1.8.9. A public proof-of-concept exists (poc4.zip), though EPSS sits at 0.17% and CISA KEV has not listed this CVE, indicating no confirmed widespread exploitation at time of analysis.
Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).
Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.
Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers.
Stack-based buffer overflow in rxi microtar 0.1.0 allows remote attackers to crash or potentially execute arbitrary code in applications that parse attacker-supplied TAR archives. The flaw lies in raw_to_header() (src/microtar.c:112), which uses strcpy() on fixed-width 100-byte ustar name/linkname fields that are not guaranteed to be null-terminated, enabling a 356-byte out-of-bounds read confirmed via AddressSanitizer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.
Remote code execution in Zyxel GS1900 series managed switches (including GS1900-48HPv2, GS1900-8, GS1900-8HP, GS1900-10HP, GS1900-16, GS1900-24/24E/24EP/24HPv2, and GS1900-48) up to firmware 2.90(ABTQ.1)C0 allows a LAN-adjacent unauthenticated attacker to execute OS commands via a crafted HTTP request to the CGI handler. The flaw is a stack-based buffer overflow (CWE-121) carrying CVSS 8.8 and exposes the switch management plane to anyone on the same Layer-2 segment. No public exploit identified at time of analysis, but the vendor disclosed the issue concurrently with the advisory dated 2026-06-16.
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp
Arbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a victim opens a maliciously crafted media file, allowing an attacker to run code in the context of the current user. The CVSS 3.1 base score is 7.8 (local vector, user interaction required, no privileges needed). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is file-delivery-driven rather than remotely wormable.
Denial of service in NVIDIA Triton Inference Server for Linux stems from a stack-based buffer overflow (CWE-121) reachable by remote, unauthenticated attackers over the network. Per the CVSS 3.1 vector, exploitation requires no privileges or user interaction and impacts only availability (A:H), with no confidentiality or integrity effect. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; no EPSS score was provided in the input.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). Microsoft has published an advisory with fixes; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in multiple NETGEAR Orbi mesh WiFi models (RBR860, RBRE950/960, RBE970/971, RBS860, RBSE950/960) enables an unauthenticated adjacent-network attacker to crash or force a restart of the affected device, causing a loss of network connectivity. The root cause is CWE-121 (stack-based buffer overflow), meaning a crafted network payload can overwrite stack memory and destabilize the device process. The CVSS 4.0 supplemental metric E:P indicates a proof-of-concept exploit exists, elevating practical risk despite the moderate base score of 5.7.
Local information disclosure, data tampering, and denial of service in the BlackBerry QNX Neutrino kernel stems from a stack buffer overflow in the entry handler of the TraceEvent() system call, affecting QNX Software Development Platform, QNX OS for Safety, and QNX OS for Medical. An attacker able to run code on the target can craft malicious TraceEvent() arguments to corrupt kernel stack memory, leaking sensitive kernel data, altering kernel state, or crashing the RTOS. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; exploitation is rated high-complexity (AC:H) despite requiring no prior privileges.
Local privilege escalation in the Windows File History Service lets an authenticated, low-privileged attacker corrupt a stack buffer (CWE-121) to run code with elevated (SYSTEM-level) privileges on affected Windows client and server releases. The flaw spans a broad range of supported editions from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025, including Server Core installations. No public exploit was identified at time of analysis, and the CVE is not listed in CISA KEV.
Remote code execution in Microsoft Fabric Data Warehouse allows an authenticated attacker to run arbitrary code over the network by triggering a stack-based buffer overflow (CWE-121). The flaw carries a CVSS 8.8 rating with high impact to confidentiality, integrity, and availability, and requires only low-privilege access with no user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but a vendor patch is available via MSRC.
Local code execution in Microsoft Office Word (Microsoft 365 Apps, Office 2019/LTSC 2021/2024, Word 2016, and the macOS builds) arises from a stack-based buffer overflow triggered when a victim opens a maliciously crafted document. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated attacker needs no privileges but does require user interaction, and successful exploitation yields full confidentiality, integrity, and availability impact in the user's security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Microsoft has released a patch.
Arbitrary code execution in Microsoft Office Word (and the broader Office/365/SharePoint family) arises from a stack-based buffer overflow (CWE-121) that an attacker triggers when a victim opens a maliciously crafted document. The CVSS 3.1 vector (AV:L/UI:R) confirms this is a file-borne, local-context flaw requiring the user to open attacker-supplied content, yielding full confidentiality, integrity, and availability impact in the user's session. No public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has released a patch via MSRC.
Local code execution in Microsoft Office Word (via a stack-based buffer overflow, CWE-121) lets an attacker run arbitrary code in the context of the user who opens a maliciously crafted document. The flaw affects Microsoft 365 Apps for Enterprise, Office 2019, Office LTSC 2021/2024 (including Mac editions), and the Word component shared with SharePoint Server 2016/2019/Subscription Edition. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to open the attacker's file (UI:R).
Local code execution in Microsoft Excel (and the broader Office 2016/2019/LTSC 2021/2024, Microsoft 365 Apps, Office for Mac, and Office Online Server family) results from a stack-based buffer overflow triggered when a victim opens a maliciously crafted spreadsheet. An attacker who convinces a user to open a booby-trapped file can run arbitrary code in the context of that user, with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not on CISA KEV, but the ubiquity of Excel and Microsoft's own advisory make this a routine patch-Tuesday-class priority.
Local code execution in Microsoft's Resilient File System (ReFS) driver affects Windows 11 (24H2, 25H2, 26H1) and Windows Server 2025, where a stack-based buffer overflow (CWE-121) can be triggered when a victim interacts with attacker-crafted ReFS data. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows an unauthenticated but user-interaction-dependent local attack yielding full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis and the flaw is not on CISA KEV, so it currently represents a patch-priority rather than an active-exploitation emergency.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by sending crafted network input that overflows a stack buffer (CWE-121). Because AD FS commonly fronts single sign-on for Microsoft 365, Azure AD, and federated web applications, an outage cascades into loss of authentication for every relying-party application. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV; a Microsoft patch is available, and the CVSS 3.1 score is 7.5 (availability-only impact).
Local privilege elevation in the Windows Graphics Device Interface (GDI) component allows an already-authenticated, low-privileged user to run code at a higher privilege level by triggering a stack-based buffer overflow (CWE-121). Affected platforms span Windows 10 (1607 through 22H2), Windows 11 (24H2/25H2/26H1), and Windows Server 2012 through 2025, including Server Core installations. Reported by Microsoft with a patch available; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash or render the federation service unavailable by triggering a stack-based buffer overflow over the network. The flaw affects the AD FS role across Windows Server 2012 through 2025 (including Server Core installations) and carries a CVSS 7.5 rating driven entirely by availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor patch is available.
Remote denial of service in Microsoft Active Directory Federation Services (ADFS) allows an unauthenticated network attacker to crash the service via a stack-based buffer overflow (CWE-121). The flaw affects the ADFS role across Windows Server 2012 through 2025 (and the underlying Windows 10 1607/1809 servicing components), carries a CVSS 7.5 availability-only score, and was reported by Microsoft with a patch available. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local privilege escalation in Windows App Installer (the MSIX/AppX package deployment component, msixbundle/App Installer) lets an already-authenticated low-privileged user overflow a stack buffer to gain higher privileges on affected Windows 10, Windows 11, and Windows Server builds. Microsoft self-reported the flaw and has shipped a patch; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (AV:L/PR:L) rating reflects a locally-launched attack with high confidentiality, integrity, and availability impact.
Local privilege escalation in the Windows NTFS file-system driver allows an authenticated attacker to run code with elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121). The flaw was reported by Microsoft and affects a broad range of Windows client and server releases from Windows 10 1607 through Windows 11 26H1 and Windows Server 2012 through Server 2025. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.8 (High).
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. Because AD FS commonly fronts single sign-on for Microsoft 365, SaaS, and internal web applications, a successful crash can knock out federated authentication for an entire organization. No public exploit identified at time of analysis, and the flaw is availability-only — confidentiality and integrity are not impacted per the CVSS vector.
Local privilege escalation in Microsoft Windows Resilient File System (ReFS) allows an authenticated low-privileged user to gain elevated (SYSTEM-level) privileges by triggering a stack-based buffer overflow (CWE-121) in the ReFS driver. The flaw affects a broad range of Windows client and server releases, from Windows 10 1607 through Windows 11 26H1 and Windows Server 2016 through 2025. Microsoft has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in the Microsoft Windows NTFS driver allows an already-authenticated, low-privileged user to gain elevated (likely SYSTEM) privileges by triggering a stack-based buffer overflow, contingent on user interaction. The flaw spans a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. Microsoft has issued a patch and reported the issue itself; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local code execution in Microsoft Excel (and the broader Office family through Microsoft 365 Apps, Office 2019/2021/2024 LTSC, Office for Mac, and Office Online Server) arises from a stack-based buffer overflow (CWE-121) triggered when a user opens a maliciously crafted spreadsheet. An attacker who convinces a victim to open the file runs arbitrary code in the security context of the current user, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV; Microsoft has released a patch.
Denial of service in Microsoft Active Directory Federation Services (AD FS) allows a remote, unauthenticated attacker to crash the service by triggering a stack-based buffer overflow over the network (CVSS 7.5, availability-only impact). Because AD FS brokers single sign-on and federated authentication, a successful attack can knock out login for every downstream application that relies on it. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Denial of service in Microsoft Active Directory Federation Services (AD FS) lets a remote, unauthenticated attacker crash the service by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw affects AD FS as shipped across a broad range of Windows client and server builds (Windows 10/11 and Windows Server 2012 through 2025). Microsoft - the reporting party - has released a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in the Totolink NR1800X router (firmware 9.1.0u.6279_B20210910) lets remote attackers corrupt memory by supplying an oversized HTTP Host header to the Form_Logout handler at /formLogout.htm, served by the embedded lighttpd web interface. Because the flaw is reachable over the network without authentication and publicly available exploit code exists, it is a strong candidate for opportunistic exploitation despite not yet appearing in CISA KEV. Successful exploitation can crash the device or, given the CWE-121 stack overwrite, potentially achieve code execution on the router.
Stack-based buffer overflow in Fortinet FortiOS, FortiPAM, FortiProxy, and FortiSASE enables arbitrary code execution for a privileged authenticated attacker capable of bypassing ASLR and stack canary protections via crafted HTTP requests. The CVSS temporal metric E:P confirms proof-of-concept exploit code exists, and RL:O confirms an official patch has been released by Fortinet (advisory FG-IR-26-148). This vulnerability is not listed in CISA KEV at time of analysis, and the dual prerequisites of privileged access plus memory-protection bypass substantially constrain real-world exploitability despite the critical CIA impact triad.
Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) allows remote attackers to corrupt memory via the fromVirtualSer handler for the /goform/VirtualSer endpoint by supplying an oversized 'page' argument. The flaw carries CVSS 4.0 7.4 and, per its vector, requires low-level privileges (PR:L); publicly available exploit code exists, though there is no public exploit identified as actively used in the wild (not in CISA KEV). Successful exploitation can crash the device or potentially lead to arbitrary code execution on the embedded MIPS/ARM firmware.
Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets an attacker corrupt the stack by supplying an oversized 'page' argument to the /goform/DhcpListClient web endpoint handled by the fromDhcpListClient function. The flaw is reachable over the network and publicly available exploit code exists (disclosed via VulDB), though it is not listed in CISA KEV and no EPSS score was provided. Per the supplied CVSS 4.0 vector (PR:L) the attack requires low-level authentication to the device, and successful exploitation can crash the router or potentially achieve arbitrary code execution.
Stack-based buffer overflow in the Tenda BE12 Pro router (firmware 16.03.66.23) lets attackers corrupt memory by manipulating the 'page' argument passed to the fromSetIpBind function of the /goform/SetIpBind endpoint. The flaw is remotely reachable over the network and, per the CVSS 4.0 vector, requires low-level privileges (PR:L) while yielding high confidentiality, integrity, and availability impact - typically resulting in device crash or arbitrary code execution on the router. Publicly available exploit code exists (E:P), disclosed via VulDB, though it is not listed in CISA KEV.
Stack-based buffer overflow in the Tenda BE12 Pro Wi-Fi router (firmware 16.03.66.23) lets remote attackers corrupt memory by manipulating the 'page' argument of the fromSafeMacFilter handler at /goform/SafeMacFilter. Publicly available exploit code exists, though there is no public exploit identified as being used in active campaigns and it is not listed in CISA KEV. Successful exploitation can crash the device or potentially achieve code execution on the router's embedded OS. EPSS data was not provided.
Stack-based buffer overflow in the Tenda BE12 Pro router firmware 16.03.66.23 lets an authenticated remote attacker corrupt memory via the fromSafeUrlFilter handler at /goform/SafeUrlFilter by supplying an oversized 'page' parameter. Publicly available exploit code exists (published via VulDB), though the flaw is not listed in CISA KEV and no active exploitation has been confirmed. The CVSS 4.0 vector (7.4, PR:L) indicates network reachability with low-privilege authentication and high impact to confidentiality, integrity, and availability of the device.
Stack-based buffer overflow in the Tenda BE12 Pro (firmware 16.03.66.23) web management interface lets an attacker corrupt memory by supplying an oversized 'page' argument to the fromSafeClientFilter handler at /goform/SafeClientFilter, potentially crashing the device or executing arbitrary code with router privileges. Per the CVSS 4.0 vector the flaw is network-reachable but requires low-level privileges (PR:L). Publicly available exploit code exists (disclosed via VulDB), but there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.
Denial of service in aMule 2.3.3 lets a remote eD2k server crash the client by sending a malformed OP_SERVERMESSAGE packet that overflows a stack buffer (CWE-121). The flaw is triggered client-side when parsing server-supplied message data, so any hostile or spoofed server the client connects to can terminate the application. No public exploit has been identified at time of analysis, and the issue is documented only as an upstream bug report (amule GitHub issue #445), not a released patch.
Stack-based buffer overflow in gawk's readdir extension (extension/readdir.c, ftype() routine) affects all gawk releases through version 5.4.0, enabling a local attacker to crash the process and theoretically achieve code execution. The RCE angle is explicitly unconfirmed by the reporter (CERT-PL), making denial-of-service the primary demonstrated impact at this time. No public exploit identified at time of analysis; an upstream source-level patch commit is available on GNU Savannah.
Stack-based buffer overflow in Shibby Tomato router firmware (versions up to and including 1.28.0000) allows a remote, low-privileged attacker to corrupt the stack of the embedded web server (/usr/sbin/httpd) via the DNS List Rendering function sub_407220, potentially achieving arbitrary code execution on the router. The flaw is remotely reachable and, per the CVSS 4.0 vector, requires low-level authentication (PR:L) to the web administration interface. VulDB assigns an exploit maturity of Proof-of-Concept, meaning publicly available exploit code exists, though it is not listed in CISA KEV and no active exploitation is confirmed. Notably, the Tomato project by Shibby is discontinued and superseded by FreshTomato, so no first-party fix is expected.
Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.
Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.
Denial of service in Espressif's ESP-IDF JPEG driver (versions 6.0.1, 5.5.4, 5.4.4, 5.3.5 and likely earlier) stems from an out-of-bounds stack write in jpeg_parse_dqt_marker(), where the attacker-controlled DQT marker Tq nibble indexes the qt_tbl array without a 0..3 bounds check. Any application that feeds untrusted JPEG data into the hardware JPEG decode path can be reliably crashed by a single malformed image. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; the vendor has released a fix in 6.0.2 with backports pending for the 5.x branches.
Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.
Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).
Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.
Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.
Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.
Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.
Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.
Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.
Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.
Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.
Stack-based buffer overflow in radare2 up to version 6.1.6 allows a local low-privileged attacker to crash the application by supplying a crafted MDMP (Windows minidump) file that triggers a memory corruption in the Memory64ListStream parser. Impact is limited to availability - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector (VC:N/VI:N/VA:L). A public proof-of-concept exists via GitHub issue #26051, and an upstream patch commit is available, though no formally tagged release version has been confirmed in the provided data.
Stack-based buffer overflow in the UTT HiPER 1250GW SOHO router (firmware through 3.2.7-210907-180535) lets a network-adjacent attacker corrupt memory by supplying an oversized 'ssid' argument to the /goform/ConfigWirelessBase_5g web handler, potentially achieving code execution or a device crash. The flaw is remotely reachable via the device's web management interface and carries a CVSS 4.0 base score of 7.4 (PR:L, indicating some authentication to the web UI is expected). Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), though there is no public exploit identified as being actively used in the wild.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the CAN_Receive function within the Synwit SWM341 board support package's CAN handler, allowing a local low-privileged attacker to corrupt the stack and potentially achieve code execution or crash the device. The flaw carries a CVSS 4.0 base score of 7.1, and publicly available exploit code exists. The vendor was contacted but did not respond, and there is no public evidence of active exploitation.
Stack-based buffer overflow in RT-Thread RTOS (versions up to and including 5.0.2) affects the recvmsg function within the ls1c CAN handler (bsp/loongson/ls1cdev/libraries/ls1c_can.h) for the Loongson LS1C board support package. A local attacker with low privileges can manipulate the recvmsg call path to overflow a stack buffer, corrupting memory to achieve code execution or crash the device. Publicly available exploit code exists (VulDB), but there is no public exploit identified as actively used in the wild; this is not on CISA KEV, and no vendor patch has been identified as the vendor did not respond to disclosure.
Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets a remote attacker crash the device by sending crafted input to the gohead/sub_448384 (FUN_00448384) handler, triggering a stack-based buffer overflow. The CVSS 3.1 vector marks it network-reachable and unauthenticated with high availability impact but no confidentiality or integrity effect. Publicly available exploit code exists via a GitHub CVE report; there is no CISA KEV listing and no EPSS score in the provided data.
Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt the stack via f_getlabel(), because the exFAT volume-label length field (XDIR_NumLabel) is trusted without enforcing the specification maximum. FatFs is an embedded FAT/exFAT filesystem library used across microcontroller and IoT firmware, so any device that mounts and reads the label of attacker-supplied storage is exposed. Publicly available exploit code exists (runZero advisory and SSVC 'PoC'), but there is no public exploit identified in active use and it is not listed in CISA KEV.
Stack-based buffer overflow in Apple Safari's web content processing engine causes an unexpected application crash across Safari, iOS/iPadOS, and macOS Tahoe platforms. All versions prior to 26.5.2 are affected; an attacker can trigger the overflow by luring a victim to a maliciously crafted web page, resulting in a denial-of-service through a Safari crash. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, keeping real-world risk moderate despite the broad install base.
Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk.
Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.
Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.
Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory via the 'page' parameter handled by the fromNatStaticSetting function at the /goform/NatStaticSetting endpoint. Publicly available exploit code exists, and the CVSS 4.0 vector (PR:L) indicates an authenticated user on the device's web interface can trigger high confidentiality, integrity and availability impact. There is no public exploit identified as actively used in the wild - exploitation is proof-of-concept only at this time.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets a remote attacker corrupt memory by manipulating the 'page' parameter handled by the fromAddressNat function at the /goform/addressNat endpoint, potentially achieving code execution or device crash. Publicly available exploit code exists and the issue was disclosed by VulDB, though there is no public exploit identified as actively exploited in the wild. With a CVSS 4.0 base score of 7.4 and PR:L, exploitation requires some level of authenticated access to the web management interface.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) allows remote attackers to corrupt memory by manipulating the security_5g argument sent to the formWifiBasicSet handler at /goform/WifiBasicSet, potentially achieving denial of service or arbitrary code execution on the device. The flaw is network-reachable but, per the CVSS 4.0 vector, requires low-level authentication (PR:L), and publicly available exploit code exists. There is no public exploit identified as actively exploited in CISA KEV, and the EPSS score was not provided.
Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.
Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Stack overflow in Bento4's MP4 parsing component allows an attacker to crash any application built on the library by supplying a crafted MP4 file. The flaw resides in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity, a dynamic array growth function invoked while processing Track Run (trun) atoms, and affects all Bento4 releases before v1.8.9. A public proof-of-concept exists (poc4.zip), though EPSS sits at 0.17% and CISA KEV has not listed this CVE, indicating no confirmed widespread exploitation at time of analysis.
Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).
Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.
Stack-based buffer overflow in the Oj Ruby JSON gem (versions prior to 3.17.3) allows a developer-controlled large :indent value passed to Oj.dump to overwrite up to 2 GB of stack memory, crashing the Ruby process. The flaw is reachable only when application code forwards an untrusted or extreme indent value into Oj.dump, and no public exploit identified at time of analysis demonstrates code execution beyond denial of service.
Remote code execution in Tenda AC7 routers (firmware v15.03.06.44) is possible via a stack buffer overflow in the wanSpeed parameter of the /goform/AdvSetMacMtuWan endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network-based exploitation with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis and the device is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote unauthenticated attackers to corrupt memory via the mac parameter in the /goform/AdvSetMacMtuWan web interface endpoint. The flaw carries a CVSS 9.8 critical rating with network attack vector and no authentication required, though no public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV. Tenda SOHO routers in this family have a well-documented history of similar /goform/* stack overflows being weaponized for botnet recruitment.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory via an oversized cloneType parameter sent to the /goform/AdvSetMacMtuWan web interface endpoint. The CVSS 9.8 vector indicates unauthenticated network exploitation with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stack buffer overflow in Tenda AC7 router firmware v15.03.06.44 allows remote attackers to corrupt memory through the wanMTU parameter of the /goform/AdvSetMacMtuWan web management endpoint. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability, though no public exploit identified at time of analysis. The flaw is classified as CWE-121 (stack-based buffer overflow), a class historically leveraged for code execution or denial of service on embedded MIPS/ARM SOHO routers.
Stack-based buffer overflow in rxi microtar 0.1.0 allows remote attackers to crash or potentially execute arbitrary code in applications that parse attacker-supplied TAR archives. The flaw lies in raw_to_header() (src/microtar.c:112), which uses strcpy() on fixed-width 100-byte ustar name/linkname fields that are not guaranteed to be null-terminated, enabling a 356-byte out-of-bounds read confirmed via AddressSanitizer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier allows authenticated administrators to corrupt memory by submitting an overlong 'Server location' value on the Basic settings page of the web management interface, yielding root-level command execution on the embedded serial device server. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but Moxa has issued advisory MPSA-261910 confirming the flaw. The companion CVE-2026-10828 (format string) was disclosed in the same advisory, suggesting the web management stack received broader scrutiny.
Remote code execution in Zyxel GS1900 series managed switches (including GS1900-48HPv2, GS1900-8, GS1900-8HP, GS1900-10HP, GS1900-16, GS1900-24/24E/24EP/24HPv2, and GS1900-48) up to firmware 2.90(ABTQ.1)C0 allows a LAN-adjacent unauthenticated attacker to execute OS commands via a crafted HTTP request to the CGI handler. The flaw is a stack-based buffer overflow (CWE-121) carrying CVSS 8.8 and exposes the switch management plane to anyone on the same Layer-2 segment. No public exploit identified at time of analysis, but the vendor disclosed the issue concurrently with the advisory dated 2026-06-16.