Stack Overflow
Monthly
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the BlueToothTest handler exposed by the Web FastCGI service. Supplying crafted btMac, pin, or reserved parameters to /api/inner/bttest triggers the overflow inside mod_webd.BlueToothTest, with publicly available exploit code exists demonstrating an off-by-one write. The flaw is reachable from the LAN rather than the public internet, but the vendor has not responded to disclosure and no patched firmware has been published.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted uid or start_offset parameters sent to the /api/upgrade/upgrade firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. CVSS 4.0 rates this 8.6 (High) with proof-of-concept maturity (E:P).
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the uid parameter of the /api/upgrade/accupgradebychunk firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. No public exploit identified as actively exploited in the wild (not on CISA KEV).
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the port argument processed by the StartReportInformation function in the /api/inner/beforewifitest endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. No public exploit identified as active in-the-wild campaigns, but exploitation is feasible given the released PoC.
Stack-based buffer overflow in Ritlabs TinyWeb Server 1.94 and earlier on Win32 allows remote unauthenticated attackers to crash the server or potentially execute arbitrary code by sending a specially crafted HTTP Authorization header, triggering a memory corruption condition in the libeay32.dll component's Header Handler. A public proof-of-concept exploit has been disclosed at nathan2.com/posts/tinyweb/, and the vendor has not responded to responsible disclosure notifications, leaving all known versions unpatched. No active exploitation has been confirmed in CISA KEV, though the combination of a public POC, network-reachable attack surface, and no patch represents a meaningful risk for any deployment of this software.
Stack-based buffer overflow in GPAC's MP4Box tool crashes the process when parsing a crafted MP4 file containing a malformed non-self-delimited Opus packet. The function gf_opus_read_length() in media_tools/av_parsers.c performs a 2-byte out-of-bounds write into a stack-allocated pckh structure at offset 568, confirmed by AddressSanitizer at line 11140. No active exploitation is confirmed in CISA KEV, but a public proof-of-concept MP4 file is available from the reporter, and the CVSS vector (PR:N, UI:R) indicates any user or automated pipeline invoking MP4Box on untrusted Opus-bearing MP4 files is at risk of a process crash.
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.
Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by sending a single crafted SCTP ERROR chunk to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk, with the publicly disclosed advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirming the fix; no public exploit identified at time of analysis, and the overflow only permits writing 16-bit values interleaved with a fixed tag, limiting impact to DoS plus minor memory disclosure.
Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding Erlang terms containing very large integers, causing Denial of Service. Affected OTP releases span from 17.0 through unfixed branches of 27.x, 28.x, and 29.x, making this a wide-ranging availability risk for C-language nodes that interface with the Erlang runtime. Because overflow bytes are constrained exclusively to ASCII hex digits (0-9, A-F), arbitrary code execution is not feasible - confirmed impact is process crash only. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog.
Stack-based buffer overflow in QNAP File Station 5 enables remote unauthenticated attackers to corrupt memory or destabilize processes through a network-accessible attack path requiring only passive user interaction. Affected versions are all releases prior to 5.5.6.5243; QNAP's own security team (security@qnapsecurity.com.tw) discovered and disclosed the issue via advisory QSA-26-27. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the unauthenticated network attack vector lowers the bar for opportunistic targeting of QNAP NAS deployments.
Stack-based buffer overflow in QNAP File Station 5 allows unauthenticated remote attackers to corrupt process memory or crash the file management service when a victim user passively interacts with a crafted input. Affected versions are all File Station 5 releases prior to 5.5.6.5243, running on QNAP NAS devices accessible over the network. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; QNAP has confirmed and released a fix in version 5.5.6.5243 via advisory QSA-26-32.
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Stack-based buffer overflows in SimpleBLE prior to version 0.14.0 allow remote attackers within Bluetooth range to crash applications by transmitting crafted BLE advertisements containing oversized manufacturer-specific data or service data, requiring no pairing or connection. A separate local overflow exists in the dongl backend's Protocol::simpleble_write function via caller-controlled input. No public exploit identified at time of analysis, but the patch diff and acknowledgement to researcher Mr-IoT confirm three tracked issues (EVE-2026-001/002/003).
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs via a stack-based buffer overflow triggered when a victim opens a malicious PDF. Successful exploitation runs attacker code in the context of the current user, making this a viable initial-access vector through phishing or drive-by document delivery. No public exploit identified at time of analysis, but the bug class (CWE-121) and Acrobat's broad install base historically attract weaponization quickly after disclosure.
Stack-based buffer overflow in Adobe InCopy 21.3, 20.5.3 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. The flaw is locally exploitable via file-format parsing and requires user interaction, with no public exploit identified at time of analysis. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but constrained reachability through the document-open vector.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document, triggering a stack-based buffer overflow (CWE-121) that runs attacker code in the context of the current user. Adobe issued advisory APSB26-58 for this issue; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Active Directory Domain Services allows an authenticated network attacker to trigger a stack-based buffer overflow (CWE-121) and execute arbitrary code on the targeted domain controller. With CVSS 8.8 (AV:N/AC:L/PR:L/UI:N) and high impact across confidentiality, integrity, and availability, successful exploitation could enable full domain compromise. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, though a research write-up referencing the vulnerable function exists in a public GitHub repository. The combination of network-reachable attack surface, no authentication requirement, and low complexity makes opportunistic abuse against exposed admin interfaces realistic.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. No public exploit identified at time of analysis, though a research repository documenting the flaw is referenced. The CVSS 7.5 (High) score reflects pure availability impact with no confidentiality or integrity loss.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request containing an oversized macAddr parameter to the formDelStaState handler. The flaw is a stack-based buffer overflow with high availability impact and no confidentiality/integrity loss per CVSS, and no public exploit identified at time of analysis beyond a research repository on GitHub.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. No public exploit identified at time of analysis, though a researcher-published proof-of-concept repository on GitHub documents the issue. EPSS and KEV data are not provided, but the network-reachable, no-auth, no-interaction CVSS vector makes this a credible risk for any exposed management interface.
Denial of service in the Tenda O3 Wireless Router (firmware v1.0.0.5(4180)) allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the ip parameter of the fromNetToolGet function. Publicly available exploit code exists in a GitHub research repository, though EPSS rates exploitation probability at only 0.02% and the issue is not on CISA KEV. Impact is limited to availability (the CVSS A:H, C:N, I:N profile), making this primarily a device-crash bug rather than a code-execution vector based on the reported analysis.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted MP4 file that triggers a stack buffer overflow in the filein_process function. The flaw resides in in_file.c and impacts availability only, with no confirmed code-execution path; no public exploit identified at time of analysis, though POC details may surface via the linked infosec.exchange post.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.01% (2nd percentile), suggesting low near-term mass-exploitation likelihood despite the network-reachable attack surface. The flaw is not listed in CISA KEV.
Denial of service in Tenda O3v3 firmware v1.0.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formSetCfm handler. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but the network-reachable, no-authentication attack surface on a CPE/router device makes this relevant for exposed deployments.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing a malicious wl_radio parameter to the formWifiRadioSet function. EPSS scoring (0.01%, 2nd percentile) indicates very low real-world exploitation probability, and no public exploit identified at time of analysis beyond a research repository referencing the vulnerable function.
Denial of service in Tenda W15E router firmware version 15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, and EPSS scoring of 0.01% indicates very low predicted exploitation probability, though a research repository hosting analysis artifacts exists on GitHub.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers stack-based buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. CVSS 7.5 reflects the network-reachable, no-privilege availability impact, while EPSS sits at 0.01% (2nd percentile) and no public exploit identified at time of analysis indicates limited near-term opportunistic exploitation despite the easy attack profile.
Denial of service in Tenda O3 Wireless Router firmware v1.0.0.5(4180) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack buffer overflows in the fromVirtualSer function. Five distinct overflow sinks (puVar2, puVar1, __s2, __s1_00, puVar3) are reachable via the same handler. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.01%, but a research repository with vulnerability artifacts is referenced.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows unauthenticated remote attackers to crash the device by sending crafted HTTP requests with oversized username or password parameters that overflow stack buffers in the R7WebsSecurityHandler function. The flaw affects the router's web management interface and carries a CVSS 7.5 (availability-only impact); no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Remote denial of service in Tenda US_W3V1.0BR router firmware v1.0.0.3 allows unauthenticated network attackers to crash the device by sending a crafted value in the 'Go' parameter to the ask_to_reboot function, triggering a stack-based buffer overflow. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function.
Denial-of-service via stack buffer overflow affects the Tenda O3 wireless router firmware v1.0.0.5(4180), where the fromNetToolGet handler fails to bound-check the domain parameter supplied in HTTP requests. Remote attackers can crash the router's web management service by sending a crafted request, disrupting network connectivity for downstream clients. SSVC flags the issue as proof-of-concept with automatable exploitation and partial technical impact, though EPSS remains low at 0.01% and no in-the-wild exploitation has been confirmed.
Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 ONT/router devices (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory by manipulating the funckey_transfer parameter sent to the /boaform/voip_other_set endpoint handled by the asp_voip_OtherSet function. Publicly available exploit code exists via a dedicated GitHub proof-of-concept repository, and the flaw scores CVSS 4.0 8.7 with full confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV at time of analysis, but exposure of the Web Management Interface to untrusted networks materially raises real-world risk.
Denial of service in Tenda AC1206 routers (firmware v15.03.06.23) is triggered by stack-based buffer overflows in the fromGstDhcpSetSer function reachable through the username and password parameters of a crafted HTTP request. Remote attackers with network reach to the device's web management interface can crash the service without authentication, and no public exploit identified at time of analysis although proof-of-concept research material is hosted on GitHub.
Denial of service in Tenda FH451 router firmware V1.0.0.9 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the list1 parameter of the fromDhcpListClient function. Publicly available exploit code exists in a GitHub research repository, though the vulnerability is not listed in CISA KEV and no EPSS score has been published at time of analysis. Impact is limited to availability - no confidentiality or integrity loss is indicated.
Stack-based buffer overflow in JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 allows authenticated remote attackers to corrupt memory via the set_macfilter function in /sbin/jdcweb_rpc, potentially achieving arbitrary code execution on the router. Publicly available exploit code exists (archive hosted on cdn2.v50to.cc), increasing the likelihood of opportunistic abuse against exposed devices. The vendor did not respond to coordinated disclosure, so no fix is currently confirmed.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.
Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.
Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).
Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.
Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). No public exploit identified at time of analysis, and EPSS data was not supplied for this advisory.
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE (advisory VDE-2026-039), indicating responsible disclosure rather than in-the-wild abuse.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.
Remote code execution in VIVOTEK FD8136 network camera (firmware VVTK-0300a) is possible via a stack-based buffer overflow in the set_getparam.cgi component, reachable over the network without authentication. CVSS 7.3 reflects partial CIA impact, but the presence of public vulnerability-research artifacts on GitHub indicates publicly available exploit code exists, while EPSS remains low at 0.05% (17th percentile) and the issue is not currently listed in CISA KEV.
Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable `motion_privacy.cgi` binary copies the `n1` parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a stack-based memory corruption triggered while processing display command line information with an uninitialized variable. With CVSS 7.2 and a physical attack vector requiring high privileges, the flaw allows a privileged local attacker to corrupt memory and impact confidentiality, integrity, and availability across a changed security scope. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in Qualcomm Snapdragon corrupts memory during a data copy operation when the output buffer is sized smaller than the input buffer, enabling a high-privileged local attacker to achieve full compromise of confidentiality, integrity, and availability on affected devices. Rooted in CWE-121, this vulnerability can allow control-flow hijacking via stack memory overwrite on Snapdragon-based platforms. No public exploit identified at time of analysis and no CISA KEV listing, but the high-impact triad (C:H/I:H/A:H) warrants prompt patching in environments where privileged access is shared or contested.
Stack-based buffer overflow in Qualcomm Snapdragon Windows drivers allows a locally authenticated high-privilege attacker to cause memory corruption by sending a malformed trusted application request. The vulnerability affects Snapdragon-based systems running Windows drivers and can result in complete compromise of confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware up to 2.5.3-170306) allows authenticated remote attackers to corrupt memory via the Profile parameter in the /goform/formFireWall endpoint, where unsafe strcpy usage processes the input. Publicly available exploit code exists, increasing the realistic risk of attempted compromise against exposed management interfaces. No CISA KEV listing has been published, so exploitation is not yet confirmed active in the wild.
Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or domain field. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware versions up to 2.5.3-170306) allows remote authenticated attackers to corrupt memory via the strcpy function in the /goform/formTaskEdit endpoint. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges. No KEV listing or EPSS data is provided in the input, so widespread automated exploitation has not been confirmed.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.
Stack-based buffer overflow in rrdcached (the caching daemon for rrdtool) allows a local attacker with socket access to crash the daemon or potentially execute arbitrary code by sending an oversized CREATE request. The flaw is tracked under CWE-121 with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L), reported by Red Hat against RHEL 6 through 10, and there is no public exploit identified at time of analysis.
Stack-based buffer overflow in D-Link DI-7001 MINI routers (firmware up to 19.09.19A1) allows authenticated remote attackers to corrupt memory via the Time parameter passed to the sprintf function in /httpd_debug.asp. Publicly available exploit code exists on GitHub, and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privilege requirement and no user interaction. The vulnerability targets an embedded networking appliance commonly deployed at SMB and branch-office perimeters, increasing exposure risk where the management interface is reachable.
Remote code execution in Poly Voice products on Linux is possible through a stack-based buffer overflow reachable when administrators enable Interactive Connectivity Establishment (ICE). Unauthenticated network attackers can trigger the flaw without user interaction, and no public exploit has been identified at time of analysis. HP rates the issue at CVSS 4.0 9.2 (Critical), driven by network reachability and full confidentiality, integrity, and availability impact.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows authenticated adjacent-network attackers to corrupt memory via the BlueToothTest handler exposed by the Web FastCGI service. Supplying crafted btMac, pin, or reserved parameters to /api/inner/bttest triggers the overflow inside mod_webd.BlueToothTest, with publicly available exploit code exists demonstrating an off-by-one write. The flaw is reachable from the LAN rather than the public internet, but the vendor has not responded to disclosure and no patched firmware has been published.
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low privileges to corrupt memory via crafted uid or start_offset parameters sent to the /api/upgrade/upgrade firmware chunk upload endpoint. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving deployed devices without an official patch. CVSS 4.0 rates this 8.6 (High) with proof-of-concept maturity (E:P).
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.86.0.118) allows adjacent-network attackers with low-privilege credentials to corrupt memory via the uid parameter of the /api/upgrade/accupgradebychunk firmware chunk upload endpoint. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, raising the practical risk despite the adjacent-only attack vector. No public exploit identified as actively exploited in the wild (not on CISA KEV).
Stack-based buffer overflow in the Yealink SIP-T46U IP phone (firmware 108.87.50.1) allows adjacent-network attackers with low-privileged access to corrupt memory via the port argument processed by the StartReportInformation function in the /api/inner/beforewifitest endpoint of the Web FastCGI Service. Publicly available exploit code exists, and the vendor was notified without response, leaving deployed devices unmitigated. No public exploit identified as active in-the-wild campaigns, but exploitation is feasible given the released PoC.
Stack-based buffer overflow in Ritlabs TinyWeb Server 1.94 and earlier on Win32 allows remote unauthenticated attackers to crash the server or potentially execute arbitrary code by sending a specially crafted HTTP Authorization header, triggering a memory corruption condition in the libeay32.dll component's Header Handler. A public proof-of-concept exploit has been disclosed at nathan2.com/posts/tinyweb/, and the vendor has not responded to responsible disclosure notifications, leaving all known versions unpatched. No active exploitation has been confirmed in CISA KEV, though the combination of a public POC, network-reachable attack surface, and no patch represents a meaningful risk for any deployment of this software.
Stack-based buffer overflow in GPAC's MP4Box tool crashes the process when parsing a crafted MP4 file containing a malformed non-self-delimited Opus packet. The function gf_opus_read_length() in media_tools/av_parsers.c performs a 2-byte out-of-bounds write into a stack-allocated pckh structure at offset 568, confirmed by AddressSanitizer at line 11140. No active exploitation is confirmed in CISA KEV, but a public proof-of-concept MP4 file is available from the reporter, and the CVSS vector (PR:N, UI:R) indicates any user or automated pipeline invoking MP4Box on untrusted Opus-bearing MP4 files is at risk of a process crash.
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.
Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by sending a single crafted SCTP ERROR chunk to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk, with the publicly disclosed advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirming the fix; no public exploit identified at time of analysis, and the overflow only permits writing 16-bit values interleaved with a fixed tag, limiting impact to DoS plus minor memory disclosure.
Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding Erlang terms containing very large integers, causing Denial of Service. Affected OTP releases span from 17.0 through unfixed branches of 27.x, 28.x, and 29.x, making this a wide-ranging availability risk for C-language nodes that interface with the Erlang runtime. Because overflow bytes are constrained exclusively to ASCII hex digits (0-9, A-F), arbitrary code execution is not feasible - confirmed impact is process crash only. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog.
Stack-based buffer overflow in QNAP File Station 5 enables remote unauthenticated attackers to corrupt memory or destabilize processes through a network-accessible attack path requiring only passive user interaction. Affected versions are all releases prior to 5.5.6.5243; QNAP's own security team (security@qnapsecurity.com.tw) discovered and disclosed the issue via advisory QSA-26-27. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the unauthenticated network attack vector lowers the bar for opportunistic targeting of QNAP NAS deployments.
Stack-based buffer overflow in QNAP File Station 5 allows unauthenticated remote attackers to corrupt process memory or crash the file management service when a victim user passively interacts with a crafted input. Affected versions are all File Station 5 releases prior to 5.5.6.5243, running on QNAP NAS devices accessible over the network. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; QNAP has confirmed and released a fix in version 5.5.6.5243 via advisory QSA-26-32.
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Stack-based buffer overflows in SimpleBLE prior to version 0.14.0 allow remote attackers within Bluetooth range to crash applications by transmitting crafted BLE advertisements containing oversized manufacturer-specific data or service data, requiring no pairing or connection. A separate local overflow exists in the dongl backend's Protocol::simpleble_write function via caller-controlled input. No public exploit identified at time of analysis, but the patch diff and acknowledgement to researcher Mr-IoT confirm three tracked issues (EVE-2026-001/002/003).
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs via a stack-based buffer overflow triggered when a victim opens a malicious PDF. Successful exploitation runs attacker code in the context of the current user, making this a viable initial-access vector through phishing or drive-by document delivery. No public exploit identified at time of analysis, but the bug class (CWE-121) and Acrobat's broad install base historically attract weaponization quickly after disclosure.
Stack-based buffer overflow in Adobe InCopy 21.3, 20.5.3 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. The flaw is locally exploitable via file-format parsing and requires user interaction, with no public exploit identified at time of analysis. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but constrained reachability through the document-open vector.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document, triggering a stack-based buffer overflow (CWE-121) that runs attacker code in the context of the current user. Adobe issued advisory APSB26-58 for this issue; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Microsoft Active Directory Domain Services allows an authenticated network attacker to trigger a stack-based buffer overflow (CWE-121) and execute arbitrary code on the targeted domain controller. With CVSS 8.8 (AV:N/AC:L/PR:L/UI:N) and high impact across confidentiality, integrity, and availability, successful exploitation could enable full domain compromise. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.
Local code execution in Microsoft Office is possible via a heap-based buffer overflow that an unauthorized attacker can trigger without user interaction, yielding full confidentiality, integrity, and availability impact on the host. The flaw is rated 8.4 (CVSS:3.1) and was disclosed by Microsoft's Security Response Center, but no public exploit has been identified at the time of analysis. Despite the CWE-121 tagging as a stack overflow, the description and CWE-122 class indicate the corruption occurs on the heap, so defenders should treat this as a memory-corruption RCE-class issue requiring prompt patching.
Remote code execution in the Windows DHCP Client is possible when a stack-based buffer overflow (CWE-121) is triggered by a crafted DHCP server response, allowing an unauthorized network attacker to run arbitrary code with no user interaction. The flaw carries a CVSS 9.8 critical rating reflecting network reachability, low complexity, and full impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Because the DHCP client runs early in the network stack on virtually every Windows host, successful exploitation grants attacker-controlled code execution in a highly privileged context.
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.
Stack buffer overflow in 389 Directory Server's pw.c checkPrefix() function allows a network-accessible Directory Manager to crash the LDAP server by storing a crafted credential with an oversized algorithm ID. The vulnerable code copies attacker-controlled input into a fixed 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. FORTIFY_SOURCE compiler hardening constrains impact to denial of service - preventing arbitrary code execution - but service disruption against a critical authentication infrastructure component remains operationally significant. No public exploit identified at time of analysis.
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Unauthenticated remote memory corruption in the SAP Kernel of SAP NetWeaver Application Server ABAP and ABAP Platform allows attackers to compromise confidentiality, integrity, and availability by sending crafted RFC requests that trigger logical errors in memory management. The CVSS 9.8 score reflects network-reachable, no-privileges, no-interaction exploitation against a foundational SAP component, though no public exploit identified at time of analysis and exploitation status beyond the vendor disclosure is not confirmed in CISA KEV.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, though a research write-up referencing the vulnerable function exists in a public GitHub repository. The combination of network-reachable attack surface, no authentication requirement, and low complexity makes opportunistic abuse against exposed admin interfaces realistic.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the webAuthWhiteUserInfo parameter of the formAddWebAuthWhiteUser function. No public exploit identified at time of analysis, though a research repository documenting the flaw is referenced. The CVSS 7.5 (High) score reflects pure availability impact with no confidentiality or integrity loss.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request containing an oversized macAddr parameter to the formDelStaState handler. The flaw is a stack-based buffer overflow with high availability impact and no confidentiality/integrity loss per CVSS, and no public exploit identified at time of analysis beyond a research repository on GitHub.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserInfo parameter of the formAddWebAuthUser function. No public exploit identified at time of analysis, though a researcher-published proof-of-concept repository on GitHub documents the issue. EPSS and KEV data are not provided, but the network-reachable, no-auth, no-interaction CVSS vector makes this a credible risk for any exposed management interface.
Denial of service in the Tenda O3 Wireless Router (firmware v1.0.0.5(4180)) allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the ip parameter of the fromNetToolGet function. Publicly available exploit code exists in a GitHub research repository, though EPSS rates exploitation probability at only 0.02% and the issue is not on CISA KEV. Impact is limited to availability (the CVSS A:H, C:N, I:N profile), making this primarily a device-crash bug rather than a code-execution vector based on the reported analysis.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack-based buffer overflows in the formwrlSSIDset handler. The flaw is reachable without authentication or user interaction (CVSS 7.5, AV:N/AC:L/PR:N), but EPSS is only 0.01% and no public exploit identified at time of analysis suggests low near-term mass-exploitation likelihood despite the trivial attack surface.
Denial of service in GPAC MP4Box v2.4 allows remote attackers to crash the application by supplying a crafted MP4 file that triggers a stack buffer overflow in the filein_process function. The flaw resides in in_file.c and impacts availability only, with no confirmed code-execution path; no public exploit identified at time of analysis, though POC details may surface via the linked infosec.exchange post.
Denial of service in Tenda W15E router firmware v15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the webAuthUserPwd parameter of the formModifyWebAuthUser function. No public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.01% (2nd percentile), suggesting low near-term mass-exploitation likelihood despite the network-reachable attack surface. The flaw is not listed in CISA KEV.
Denial of service in Tenda O3v3 firmware v1.0.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the formSetCfm handler. No public exploit identified at time of analysis, and EPSS is very low (0.01%), but the network-reachable, no-authentication attack surface on a CPE/router device makes this relevant for exposed deployments.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request containing a malicious wl_radio parameter to the formWifiRadioSet function. EPSS scoring (0.01%, 2nd percentile) indicates very low real-world exploitation probability, and no public exploit identified at time of analysis beyond a research repository referencing the vulnerable function.
Denial of service in Tenda W15E router firmware version 15.11.0.10 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack-based buffer overflow in the picCropName parameter of the formCropAndSetWewifiPic function. No public exploit identified at time of analysis, and EPSS scoring of 0.01% indicates very low predicted exploitation probability, though a research repository hosting analysis artifacts exists on GitHub.
Denial of service in Tenda G0 router firmware v15.11.0.5 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers stack-based buffer overflows in the Saveqqlist function via the qqStr and markStr parameters. CVSS 7.5 reflects the network-reachable, no-privilege availability impact, while EPSS sits at 0.01% (2nd percentile) and no public exploit identified at time of analysis indicates limited near-term opportunistic exploitation despite the easy attack profile.
Denial of service in Tenda O3 Wireless Router firmware v1.0.0.5(4180) allows remote unauthenticated attackers to crash the device by sending crafted HTTP requests that trigger stack buffer overflows in the fromVirtualSer function. Five distinct overflow sinks (puVar2, puVar1, __s2, __s1_00, puVar3) are reachable via the same handler. No public exploit identified at time of analysis, and EPSS rates exploitation likelihood at 0.01%, but a research repository with vulnerability artifacts is referenced.
Denial of service in Tenda W3 Wireless Router firmware v1.0.0.3(2204) allows unauthenticated remote attackers to crash the device by sending crafted HTTP requests with oversized username or password parameters that overflow stack buffers in the R7WebsSecurityHandler function. The flaw affects the router's web management interface and carries a CVSS 7.5 (availability-only impact); no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.01%.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device by supplying an oversized wl_radio parameter to the formwrlSSIDget function. Impact is limited strictly to Denial of Service (availability loss); no confidentiality or integrity impact is possible per CVSS vector analysis. No public exploit identified at time of analysis, and EPSS exploitation probability is extremely low at 0.02% (5th percentile), placing this firmly in the lower-priority tier despite the High availability impact rating.
Denial of service in Tenda W20E router firmware v15.11.0.6 allows unauthenticated remote attackers to crash the device by sending a crafted HTTP request that triggers a stack buffer overflow in the bindMACAddr parameter of the fromSetDhcpRules function. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects easy network-based exploitation with high availability impact but no confidentiality or integrity loss, and no public exploit identified at time of analysis beyond a research repository reference.
Multiple stack-based buffer overflows in Tenda G0 router firmware v15.11.0.5 allow network-adjacent or remote attackers to crash the device by sending crafted HTTP requests to the `formSetDebugCfgr` debug configuration endpoint, with three independent overflow vectors (`enable`, `level`, `module` parameters) each capable of triggering a denial-of-service condition. The official CVSS vector includes UI:R, suggesting a possible CSRF-style delivery mechanism requiring an authenticated administrator to be tricked into issuing the malicious request, which meaningfully constrains exploitation compared to a purely unauthenticated remote attack. No public exploit confirmed in CISA KEV; an associated GitHub repository referenced in the CVE may contain proof-of-concept material, though EPSS remains extremely low at 0.01% (2nd percentile).
Remote denial of service in Tenda US_W3V1.0BR router firmware v1.0.0.3 allows unauthenticated network attackers to crash the device by sending a crafted value in the 'Go' parameter to the ask_to_reboot function, triggering a stack-based buffer overflow. No public exploit identified at time of analysis, though a third-party research repository on GitHub references the vulnerable function.
Denial-of-service via stack buffer overflow affects the Tenda O3 wireless router firmware v1.0.0.5(4180), where the fromNetToolGet handler fails to bound-check the domain parameter supplied in HTTP requests. Remote attackers can crash the router's web management service by sending a crafted request, disrupting network connectivity for downstream clients. SSVC flags the issue as proof-of-concept with automatable exploitation and partial technical impact, though EPSS remains low at 0.01% and no in-the-wild exploitation has been confirmed.
Denial-of-service in the Tenda W3 Wireless Router (firmware v1.0.0.3(2204)) allows remote unauthenticated attackers to crash the device by sending crafted input to the wl_radio parameter of the formwrlSSIDset function, triggering a stack-based buffer overflow. Publicly available exploit research exists in a GitHub repository, but no public exploit identified for weaponized use at time of analysis and the issue is not listed in CISA KEV. The CVSS 7.5 score reflects high availability impact without confidentiality or integrity loss.
Stack-based buffer overflow in Tenda O3 Wireless Router firmware v1.0.0.5(4180) enables authenticated remote attackers to crash the device by submitting an oversized username value to the R7WebsSecurityHandler HTTP handler. The CVSS vector (PR:H) confirms that exploitation requires high-privilege authentication, constraining the attack surface to compromised admin credentials or insider threat scenarios. No public exploit identified at time of analysis and EPSS sits at the 2nd percentile (0.01%), reflecting low observed exploitation interest.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) allows adjacent-network unauthenticated attackers to crash the device via a crafted Go parameter submitted to the ask_to_reboot function, resulting in a complete Denial of Service condition. The vulnerability carries a CVSS 6.5 score with High availability impact but no confidentiality or integrity loss, and the attack vector is constrained to adjacent network access. No public exploit confirmation or CISA KEV listing is present, and EPSS at 0.02% (5th percentile) indicates low observed exploitation probability at time of analysis.
Stack-based buffer overflow in the Tenda W3 Wireless Router v1.0.0.3(2204) enables adjacent-network unauthenticated attackers to crash the device via the formSetCfm HTTP endpoint. The vulnerability resides in the param_1 parameter of the formSetCfm function, where insufficient input validation allows a crafted HTTP request to overflow a stack buffer, resulting in a Denial of Service. A public GitHub repository linked in the references (xhh0124/SemVulLLM) appears to document or demonstrate the issue; no public exploit identified at time of analysis beyond that reference, and the EPSS score of 0.01% (2nd percentile) reflects very low exploitation probability.
Stack-based buffer overflow in CPython's bz2.BZ2Decompressor allows remote attackers to crash Python applications by sending crafted bzip2 data when the application reuses the decompressor object after catching a prior OSError. The flaw stems from libbz2's internal state being left inconsistent after a decompression error, and reuse causes out-of-bounds writes to a stack buffer. No public exploit identified at time of analysis and the issue is not in CISA KEV; the practical impact is denial of service against Python services that process untrusted bzip2 streams.
Stack-based buffer overflow in the Tenda F451 router (firmware 1.0.0.7 and 1.0.0.9) Web Management Interface allows remote authenticated attackers to corrupt memory by sending a crafted 'page' argument to the fromNatlimit handler at /goform/Natlimit. Publicly available exploit code exists, raising practical risk for exposed or LAN-reachable devices, though no public exploit identified as actively used in CISA KEV at time of analysis.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 XPON ONT routers (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory via the encodename parameter of the formPPPEdit handler at /boaform/formPPPEdit. Publicly available exploit code exists (hosted on GitHub by researcher xiezhihua-1127), elevating practical risk despite no confirmed active exploitation in CISA KEV. Successful exploitation yields high impact to confidentiality, integrity, and availability on the affected device.
Stack-based buffer overflow in the Tenda AC18 router (firmware 15.03.05.05) Web Management Interface allows remote attackers with low privileges to corrupt memory by manipulating the callback argument sent to /goform/getRebootStatus. The flaw, handled by the sub_45304 function, has publicly available exploit code and enables high impact to confidentiality, integrity, and availability of the device. No public exploit identified as actively exploited in CISA KEV, but POC publication raises the risk of opportunistic attacks against exposed management interfaces.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the wifiFilterListRemark parameter of the /goform/modifyWifiFilterRules endpoint in the Web Management Interface. Publicly available exploit code exists per VulDB disclosure, raising the practical risk for exposed management interfaces, though no public exploit identified at time of analysis confirms active in-the-wild exploitation. CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privileges required.
Stack-based buffer overflow in Tenda W20E firmware 15.11.0.6 allows authenticated remote attackers to corrupt memory via the gotoUrl parameter handled by the formPortalAuth function in /goform/PortalAuth of the Web Management Interface. Publicly available exploit code exists, raising the likelihood of opportunistic targeting of internet-exposed router management interfaces, though no public exploit identified as actively exploited per CISA KEV at time of analysis.
Stack-based buffer overflow in the Tenda W20E router (firmware 15.11.0.6) allows remote authenticated attackers to corrupt memory via the portMirrorMirroredPorts parameter handled by formSetPortMirror in /goform/setPortMirror. Publicly available exploit code exists, raising the practical risk for exposed management interfaces, though no CISA KEV listing or EPSS data is provided to confirm widespread exploitation. The flaw enables high impact on confidentiality, integrity, and availability of the device per the CVSS 4.0 vector.
Stack-based buffer overflow in Tenda CX12L 16.03.53.12 routers allows remote attackers with low privileges to corrupt memory via the setSchedWifi function in /goform/openSchedWifi by manipulating the schedStartTime or schedEndTime parameters. Publicly available exploit code exists per VulDB, raising the practical risk despite the vulnerability not yet being listed in CISA KEV. The flaw impacts the Wi-Fi Schedule Configuration Endpoint and can lead to high confidentiality, integrity, and availability impact on the device.
Stack-based buffer overflow in the Tenda CX12L router (firmware 16.03.53.12) allows authenticated remote attackers to corrupt memory via the ssid parameter of the /goform/fast_setting_wifi_set endpoint, handled by the form_fast_setting_wifi_set function. Publicly available exploit code exists per VulDB disclosure, raising the likelihood of opportunistic exploitation against exposed management interfaces. The CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact bounded by a low-privilege requirement.
Stack-based buffer overflow in Tenda HG7HG9 and HG10 routers (firmware 300001138_en_xpon) allows remote attackers to corrupt memory via the blkDomain parameter in the formDOMAINBLK handler at /boaform/formDOMAINBLK. The CVSS 4.0 score of 9.3 reflects network-reachable, unauthenticated exploitation with high impact to confidentiality, integrity, and availability, and a public proof-of-concept repository has been published on GitHub by researcher ssaaaa1234, though no public exploit has been confirmed as active exploitation.
Stack-based buffer overflow in Tenda HG7, HG9, and HG10 ONT/router devices (firmware 300001138_en_xpon) allows authenticated remote attackers to corrupt memory by manipulating the funckey_transfer parameter sent to the /boaform/voip_other_set endpoint handled by the asp_voip_OtherSet function. Publicly available exploit code exists via a dedicated GitHub proof-of-concept repository, and the flaw scores CVSS 4.0 8.7 with full confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV at time of analysis, but exposure of the Web Management Interface to untrusted networks materially raises real-world risk.
Denial of service in Tenda AC1206 routers (firmware v15.03.06.23) is triggered by stack-based buffer overflows in the fromGstDhcpSetSer function reachable through the username and password parameters of a crafted HTTP request. Remote attackers with network reach to the device's web management interface can crash the service without authentication, and no public exploit identified at time of analysis although proof-of-concept research material is hosted on GitHub.
Denial of service in Tenda FH451 router firmware V1.0.0.9 allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the list1 parameter of the fromDhcpListClient function. Publicly available exploit code exists in a GitHub research repository, though the vulnerability is not listed in CISA KEV and no EPSS score has been published at time of analysis. Impact is limited to availability - no confidentiality or integrity loss is indicated.
Stack-based buffer overflow in JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 allows authenticated remote attackers to corrupt memory via the set_macfilter function in /sbin/jdcweb_rpc, potentially achieving arbitrary code execution on the router. Publicly available exploit code exists (archive hosted on cdn2.v50to.cc), increasing the likelihood of opportunistic abuse against exposed devices. The vendor did not respond to coordinated disclosure, so no fix is currently confirmed.
Stack-based buffer overflow in TP-Link Tapo C520WS v2 allows an authenticated attacker with adjacent network access to crash the device's ONVIF service by submitting a crafted DeleteUsers request containing an excessive number of user identifiers, causing a denial-of-service condition that disrupts camera management and monitoring functionality. The CVSS:4.0 vector (VC:N/VI:N/VA:H) confirms impact is strictly limited to availability - no confidentiality or integrity compromise is achievable. No public exploit identified at time of analysis and no active exploitation has been confirmed.
Stack-based buffer overflow in the ONVIF CreateUsers service of the TP-Link Tapo C520WS v2 IP camera allows an authenticated, adjacent-network attacker to crash the ONVIF management process by sending a crafted request with an excessive number of XML user nodes. Exploitation results in a denial-of-service condition that disrupts ONVIF-based device configuration and management until the service recovers or the device is rebooted. No public exploit code or CISA KEV listing has been identified at time of analysis; the vendor (TP-Link) has released a firmware patch.
Local privilege escalation in X.Org X server and Xwayland stems from an incomplete fix for CVE-2025-26597, where CheckKeyTypes() fails to clamp non-canonical key types to XkbMaxShiftLevel, enabling stack-based buffer overflows. Authenticated local users on Red Hat Enterprise Linux 6 through 10 can crash the display server or, when X runs as root, escalate to root privileges. No public exploit identified at time of analysis, though the upstream commit reveals the vulnerable code path and the prior CVE-2025-26597 has known exploitation history.
Stack-based buffer overflow in X.Org X server and Xwayland's _XkbSetMapChecks() function allows local authenticated attackers to crash the server or potentially escalate privileges to root when the X server runs with elevated privileges. The flaw resides in CheckKeyTypes() writing to a fixed mapWidths[256] stack buffer at a client-controlled offset, affecting Red Hat Enterprise Linux versions 6 through 10. No public exploit identified at time of analysis, but an upstream fix has been merged into the xserver repository.
Local privilege escalation in the X.Org X server and Xwayland stems from a stack-based buffer overflow during font alias resolution, where a 256-byte server-side stack buffer is overrun by libXfont2 alias target names of up to 1023 bytes. An authenticated local attacker who can influence font alias files can crash the server or, when the X server runs as root, escalate to root privileges. No public exploit is identified at time of analysis and CVSS is 7.8 (Local/Low complexity/Low privileges).
Denial of service in Tenda FH451 V1.0.0.9 routers allows remote unauthenticated attackers to crash the device by sending a crafted HTTP request that triggers a stack overflow in the page parameter handler of the fromDhcpListClient function. EPSS exploitation probability is very low (0.01%, 3rd percentile) and no public exploit identified at time of analysis, though proof-of-concept artifacts appear to be hosted in a public GitHub research repository. The flaw is not listed in CISA KEV.
Stack-based buffer overflow in the Skia graphics library shipped with Google Chrome versions prior to 149.0.7827.53 lets a remote attacker corrupt the renderer process stack by serving a crafted HTML page, with potential for arbitrary code execution within the sandbox. The flaw carries a CVSS 3.1 base score of 8.8 (network vector, user interaction required) and no public exploit identified at time of analysis, while a very low EPSS score of 0.03% (10th percentile) suggests no current mass-exploitation pressure despite the high impact rating.
Sandbox escape in Google Chrome versions prior to 149.0.7827.53 allows remote attackers who have already compromised the renderer process to potentially break out of the sandbox via a stack buffer overflow in the GPU component triggered by a crafted HTML page. Chromium rates this as Critical severity, and while no public exploit has been identified at time of analysis, the vendor has released a patched stable channel build addressing the issue.
Stack-based buffer overflow in Samsung Open Source rlottie's FreeType-derived cubic Bezier rasterizer allows a local attacker, via a crafted Lottie animation file, to crash the embedding application or potentially corrupt stack memory. The vulnerable code in `gray_render_cubic` (`src/vector/freetype/v_ft_raster.cpp`) subdivides Bezier curves onto a fixed-size `bez_stack` (capacity 32×3+1 vectors) without a depth guard, so a pathologically complex curve exhausts the buffer. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.
Privilege escalation to root in MBS Single-A, Double-A, Single-X, and Double-X industrial gateway product lines allows authenticated remote attackers to corrupt stack memory in the gdv-serverconfig service and seize full system control. The flaw, reported by CERT@VDE and tracked as CVE-2026-35085 with a CVSS 4.0 score of 8.7 (High), affects multiple fieldbus variants (Profibus, Profinet, KNX, LON, DALI, M-Bus, CAN, X-Link). No public exploit identified at time of analysis, and EPSS data was not supplied for this advisory.
Privilege escalation to root via stack buffer overflow in dali-devconfig affects MBS gateway products including Single-A, Single-X, and the Double-A/Double-X family (Profibus, X-Link, CAN, DALI, KNX, LON, M-Bus, Profinet). A remote attacker holding low-level user credentials can exploit the flaw to gain full system access, with CVSS 4.0 scoring it 8.7 (High). No public exploit is identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation to root in MBS industrial protocol gateways (Single-A, Double-A, Single-X, Double-X product lines covering Profibus, Profinet, KNX, DALI, LON, M-Bus, CAN, and X-Link variants) is achievable by an authenticated remote user via a stack buffer overflow. The CVSS 4.0 base score of 8.7 reflects network-reachable exploitation with low complexity and only user-level privileges required, leading to full confidentiality, integrity, and availability compromise. No public exploit identified at time of analysis, and the issue was coordinated through CERT@VDE (advisory VDE-2026-039), indicating responsible disclosure rather than in-the-wild abuse.
Denial of service in FreeIPMI versions before 1.16.18 allows remote attackers to crash the ipmi-oem client by sending malformed IPMI response messages that trigger stack-based buffer overflows in the 'dell get-active-directory-config' and 'fujitsu get-sel-entry-long-text' subcommands. The flaw is client-side: a victim must invoke the affected subcommand against an attacker-controlled or compromised IPMI endpoint. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Stack-based buffer overflow in CZ.NIC BIRD Internet Routing Daemon through 2.19.0 allows an established BGP peer to crash the daemon by sending a crafted AS_PATH exceeding 2048 expanded ASNs when RFC 8654 Extended Messages are enabled and an AS path mask filter is active. The as_path_match() function in nest/a-path.c uses a fixed 2049-entry stack array while parse_path() expands AS_PATH segments without enforcing a corresponding capacity limit, causing a write beyond the stack buffer boundary and a daemon crash. No public exploit identified at time of analysis; notably, the vendor has explicitly declined to prioritize a fix, instead citing operator best-practice filtering as the expected mitigation.
Denial of service in TP-Link Tapo C200 v5 IP cameras allows adjacent network attackers to crash the RTSP service and force a device reboot by sending a crafted Authorization header in an RTSP authentication request. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP authentication handler; no public exploit identified at time of analysis, but vendor-acknowledged and patched firmware is available from TP-Link.
Stack-based buffer overflow in VIVOTEK FD8136 network camera firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root by sending a crafted POST request to the export_language.cgi administrative endpoint. The CGI handler passes an attacker-controlled Content-Length HTTP header value directly to fread() with no bounds validation, overflowing a 0x60-byte stack buffer and overwriting the saved link register; the binary's lack of stack canaries eliminates the primary runtime defense against this class of attack. A researcher-published proof-of-concept exists on GitHub, though EPSS stands at 0.05% (17th percentile) and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation at time of analysis.
Remote code execution in VIVOTEK FD8136 network camera (firmware VVTK-0300a) is possible via a stack-based buffer overflow in the set_getparam.cgi component, reachable over the network without authentication. CVSS 7.3 reflects partial CIA impact, but the presence of public vulnerability-research artifacts on GitHub indicates publicly available exploit code exists, while EPSS remains low at 0.05% (17th percentile) and the issue is not currently listed in CISA KEV.
Stack-based buffer overflow in VIVOTEK FD8136 firmware FD8136-VVTK-0300a grants authenticated remote attackers root-level code execution by supplying an oversized POST parameter to any of three symlinked CGI admin endpoints. The vulnerable `motion_privacy.cgi` binary copies the `n1` parameter into a fixed 164-byte (0xa4) stack buffer with no bounds check and no stack canary protection, overwriting the saved link register and diverting execution to attacker-controlled code. A public proof-of-concept is available on GitHub; no active exploitation has been confirmed in CISA KEV at time of analysis.
Local privilege escalation in Qualcomm Snapdragon platforms stems from a stack-based memory corruption triggered while processing display command line information with an uninitialized variable. With CVSS 7.2 and a physical attack vector requiring high privileges, the flaw allows a privileged local attacker to corrupt memory and impact confidentiality, integrity, and availability across a changed security scope. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Stack-based buffer overflow in Qualcomm Snapdragon corrupts memory during a data copy operation when the output buffer is sized smaller than the input buffer, enabling a high-privileged local attacker to achieve full compromise of confidentiality, integrity, and availability on affected devices. Rooted in CWE-121, this vulnerability can allow control-flow hijacking via stack memory overwrite on Snapdragon-based platforms. No public exploit identified at time of analysis and no CISA KEV listing, but the high-impact triad (C:H/I:H/A:H) warrants prompt patching in environments where privileged access is shared or contested.
Stack-based buffer overflow in Qualcomm Snapdragon Windows drivers allows a locally authenticated high-privilege attacker to cause memory corruption by sending a malformed trusted application request. The vulnerability affects Snapdragon-based systems running Windows drivers and can result in complete compromise of confidentiality, integrity, and availability. No public exploit code exists and no active exploitation has been confirmed at time of analysis.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware up to 2.5.3-170306) allows authenticated remote attackers to corrupt memory via the Profile parameter in the /goform/formFireWall endpoint, where unsafe strcpy usage processes the input. Publicly available exploit code exists, increasing the realistic risk of attempted compromise against exposed management interfaces. No CISA KEV listing has been published, so exploitation is not yet confirmed active in the wild.
Arm Whois 3.11 contains a stack-based buffer overflow vulnerability that allows remote attackers to execute arbitrary code by supplying oversized input to the IP address or domain field. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stack-based buffer overflow in UTT HiPER 1200GW routers (firmware versions up to 2.5.3-170306) allows remote authenticated attackers to corrupt memory via the strcpy function in the /goform/formTaskEdit endpoint. Publicly available exploit code exists, raising the practical risk despite the requirement for low-level privileges. No KEV listing or EPSS data is provided in the input, so widespread automated exploitation has not been confirmed.
Stack-based buffer overflow in microtar through 0.1.0 allows remote attackers to corrupt stack memory and potentially achieve code execution when an application using the library parses a malicious TAR archive. The flaw in raw_to_header() uses strcpy() on non-null-terminated 100-byte ustar fields, enabling writes of up to 355 bytes into a 100-byte buffer. Publicly available exploit code exists and the issue was reported by VulnCheck, raising the practical risk despite no current CISA KEV listing.
Stack-based buffer overflow in rrdcached (the caching daemon for rrdtool) allows a local attacker with socket access to crash the daemon or potentially execute arbitrary code by sending an oversized CREATE request. The flaw is tracked under CWE-121 with a CVSS 3.1 base score of 7.8 (AV:L/AC:L/PR:L), reported by Red Hat against RHEL 6 through 10, and there is no public exploit identified at time of analysis.
Stack-based buffer overflow in D-Link DI-7001 MINI routers (firmware up to 19.09.19A1) allows authenticated remote attackers to corrupt memory via the Time parameter passed to the sprintf function in /httpd_debug.asp. Publicly available exploit code exists on GitHub, and the CVSS 4.0 score of 7.4 reflects high confidentiality, integrity, and availability impact with low privilege requirement and no user interaction. The vulnerability targets an embedded networking appliance commonly deployed at SMB and branch-office perimeters, increasing exposure risk where the management interface is reachable.
Remote code execution in Poly Voice products on Linux is possible through a stack-based buffer overflow reachable when administrators enable Interactive Connectivity Establishment (ICE). Unauthenticated network attackers can trigger the flaw without user interaction, and no public exploit has been identified at time of analysis. HP rates the issue at CVSS 4.0 9.2 (Critical), driven by network reachability and full confidentiality, integrity, and availability impact.