Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36126)
Denial of service in Wazuh's analysis engine (wazuh-analysisd) lets an unauthenticated remote attacker permanently halt SIEM alert processing on Wazuh manager versions 1.0.0 through 4.14.4. Because the official wazuh/wazuh-docker deployment ships with password-less agent enrollment enabled by default, an attacker can register as an agent and send a crafted rootcheck event that overflows a fixed 30-byte heap buffer, crashing the daemon while the dashboard and API keep showing stale data - silently blinding the SIEM. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote denial-of-service and potential heap corruption in the Wazuh manager's wazuh-remoted daemon allows any enrolled agent to crash the manager's agent-communication process, instantly severing all agent connections across the entire deployment. Affected versions span 3.0.0 through 4.14.4; a secondary code path triggered by the same underflow may permit heap memory write primitives beyond pure DoS. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low exploitation barrier - any enrolled agent suffices - makes it a meaningful insider or supply-chain risk for Wazuh-dependent SOC environments.
Heap-based buffer overflow in the Wazuh agent for Windows (versions 4.6.0 through 4.14.4) allows a low-privileged local attacker to corrupt heap memory by placing a maximum-length registry subkey name under a syscheck-monitored wildcard path, exploiting a fixed 256-byte allocation in the wildcard expansion routine. Because wazuh-agent.exe runs as NT AUTHORITY\SYSTEM, successful exploitation can silently crash the security agent - creating a detection blind spot - or potentially escalate attacker privileges to SYSTEM level. No public exploit has been identified at time of analysis; the vendor released a fix in version 4.14.5.
Denial-of-service via malformed TLS/QUIC ClientHello in h2o HTTP server allows remote unauthenticated attackers to crash the server process by sending a zero-length SNI extension. The hostname-copy routine assumes NULL-termination on the empty SNI buffer (CWE-125 out-of-bounds read), reading beyond the allocation boundary and triggering a segmentation fault. No public exploit or active exploitation (CISA KEV) has been identified; the fix is available as an upstream commit but no confirmed tagged release exists at time of analysis.
Denial of service in Quicly, the QUIC protocol library embedded in the H2O HTTP server, allows remote attackers to corrupt connection state and crash the process prior to commit 8b178e6. Quicly's packet decoder accepts Connection IDs up to 255 bytes (permitted for unknown QUIC versions) but its version-1 CID buffers are only 20 bytes, and the library - unlike its bundled CLI - never rejected over-length CIDs, letting an oversized CID overrun the buffer within its allocated chunk and trigger assertion failures. No public exploit is identified at time of analysis, and the flaw is not listed in CISA KEV.
Out-of-bounds write in Bouncy Castle BC-LTS bcprov-lts8on affects ARM deployments running versions 2.73.0 through 2.73.12.0, with high confidentiality impact if successfully exploited. The flaw resides in ARM-specific native C implementations of SHA3 and SHAKE algorithms and is only triggered when an application accepts memoable SHA3/SHAKE cryptographic states from potentially untrusted external sources. No public exploit code exists and no active exploitation has been confirmed at time of analysis; the CVSS 4.0 score of 1.7 reflects the very narrow exploitation conditions required to reach this code path.
Remote code execution in Microsoft Windows Terminal allows an unauthenticated attacker to run arbitrary code by tricking a user into interacting with malicious content that triggers an integer overflow (CWE-190). The flaw carries a CVSS 7.5 rating driven by high complexity and required user interaction; no public exploit has been identified at time of analysis, and it is not listed in CISA KEV. Microsoft has released a patch through the MSRC update guide.
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover. Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec. The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.
Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and system stability to a physically-present, low-privileged attacker via manipulated USB data length values. Exploitation can result in disclosure of sensitive kernel memory contents or a full system crash - both significant outcomes in an OT/ICS environment where availability and data integrity are critical. Reported by ICS-CERT under advisory ICSA-26-197-04, with no public exploit code or CISA KEV listing identified at time of analysis.
Out-of-bounds read in AutomationDirect Productivity Suite enables a local low-privileged attacker to corrupt kernel memory by submitting a crafted IOCTL request, resulting in high availability impact (system or application disruption) and limited kernel memory disclosure. The vulnerability affects all documented versions per the CPE wildcard and was reported by ICS-CERT, placing it squarely in the operational technology threat landscape where availability is mission-critical. No public exploit code and no CISA KEV listing exist at time of analysis, placing current exploitation risk as low but warranting prompt patching in industrial environments.
Crash-inducing out-of-bounds panic in core-rs-albatross 1.5.1 and earlier allows a malicious state-sync peer to repeatedly restart a syncing Nimiq node without supplying a valid cryptographic proof. The panic fires in `KeyNibbles::Add` before `proof.verify()` is reached, meaning an unauthenticated network peer positioned as the victim's sync source can trigger the denial-of-service with a single crafted `TrieChunk` message. No CISA KEV listing exists and no public exploit code has been identified at time of analysis.
Out-of-bounds read in AutomationDirect Productivity Suite exposes kernel memory and enables denial-of-service on engineering workstations via a crafted IOCTL request sent by a local low-privileged attacker. Affecting all versions per CPE wildcard, the CWE-125 flaw causes the vulnerable kernel-mode driver to read memory outside intended buffer bounds, leaking sensitive kernel contents or triggering a kernel panic (BSOD). Reported by ICS-CERT under advisory ICSA-26-197-04, no public exploit code or active exploitation has been identified at time of analysis.
Local privilege escalation in AutomationDirect Productivity Suite programming software stems from an out-of-bounds write (CWE-787) reachable through a crafted IOCTL request to a privileged kernel-mode component, corrupting kernel memory. An authenticated local attacker on an engineering workstation running the software can leverage the corruption to escalate to SYSTEM/kernel privileges or crash the host. No public exploit identified at time of analysis; the flaw is documented in CISA ICS advisory ICSA-26-197-04 (reported by ICS-CERT) but is not listed in CISA KEV, and no EPSS score was supplied.
Local privilege escalation in AutomationDirect Productivity Suite lets an authenticated local attacker corrupt kernel memory by issuing a crafted IOCTL request to an out-of-bounds write flaw (CWE-787). Successful exploitation can elevate privileges to SYSTEM/kernel level or crash the host running this engineering workstation software for AutomationDirect Productivity-series PLCs. Reported through CISA ICS-CERT (ICSA-26-197-04); no public exploit identified at time of analysis and no KEV/EPSS signal is present.
Remote kernel heap corruption in the illumos SCTP stack lets an unauthenticated attacker send a crafted INIT ACK packet with malformed address parameters to trigger an out-of-bounds access during packet classification, potentially leading to remote code execution or a kernel panic. The flaw affects illumos-gate and downstream distributions (OmniOS, SmartOS/Triton) built before commit 53a3efde, and has existed since 2010 (commit a5407c02). There is no public exploit identified at time of analysis and the CVSS 4.0 exploit-maturity metric is Unreported (E:U), but the attack requires no authentication or user interaction.
Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local attacker with high OS-level privileges to execute arbitrary code in System Management Mode (SMM) - a CPU execution context operating below the operating system and hypervisor with access to all system memory. Successful exploitation allows persistent firmware-level implants that survive OS reinstallation and defeat Secure Boot and standard endpoint detection tools. No public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, SMM code execution represents one of the highest-impact firmware attack primitives available to an advanced threat actor.
Out-of-bounds write in Lenovo BIOS firmware across dozens of consumer and gaming laptop models enables a local privileged attacker to corrupt power management settings within System Management Mode, a CPU execution context operating below the OS kernel at Ring -2. Successful exploitation could allow persistent firmware-level tampering that survives OS reinstalls and reboots. No public exploit has been identified at time of analysis, and exploitation requires pre-existing high OS-level privileges, substantially limiting real-world risk to post-compromise scenarios.
Out-of-bounds read in rz-libdemangle's Rust v0 demangler leaks process memory when a caller invokes the demangling routine before the internal rust_v0_t structure is properly initialized. All builds of the library prior to commit 6bf56d3 are affected, putting security analysts and reverse engineers who process untrusted Rust binaries through the Rizin framework at risk of memory disclosure. No confirmed active exploitation (not in CISA KEV) and no public exploit code has been identified at time of analysis; the fix is available as an upstream commit but a versioned release is not independently confirmed.
XML::Bare versions through 0.53 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read.
HTML::Bare versions through 0.04 for Perl have an unbounded character lookahead. The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer. Truncated strings such as "<a/" can trigger an out-of-bounds read. Note that the latest version available on CPAN is version 0.02. Newer versions are available on the git repository.
Use-after-free in Buffa's OwnedView<V> type allows safe Rust calling code to hold field references that outlive the backing buffer, enabling read of freed heap memory and information disclosure. Affected are all Buffa releases prior to 0.7.0 (CPE: cpe:2.3:a:anthropics:buffa:*:*:*:*:*:*:*:*). The flaw is a soundness violation - no unsafe code in the caller is required - making it particularly insidious in a memory-safe language context. No public exploit identified at time of analysis and no CISA KEV listing; the CVSS 4.0 score of 5.9 reflects the high-complexity exploitation conditions acknowledged by the vendor.
Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the application unresponsive by submitting excessively large input values that bypass missing server-side length validation. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium) with availability as the sole impact dimension - no confidentiality or integrity exposure is present, and remote code execution has not been indicated. No public exploit code or active exploitation has been identified at time of analysis.
Denial of service in libsolv's PGP signature verification (solv_pgpvrfy) allows remote attackers to crash automated package and repository processing by supplying a crafted Ed25519 signature. The flaw is a stack-based buffer overflow (CWE-121) triggered when the EdDSA 's' MPI is copied into a fixed 64-byte stack buffer using an attacker-controlled mismatched length. It affects the libsolv dependency solver embedded in Red Hat Enterprise Linux 7/8/9/10, OpenShift, Satellite, RHUI, openSUSE/SUSE, Ubuntu and Debian; no public exploit identified at time of analysis and it is not in CISA KEV.
Out-of-bounds heap write in QEMU lets a local attacker operating inside a guest virtual machine corrupt memory in the host emulator process, enabling information disclosure, data-integrity corruption, or denial of service. The flaw stems from cpu_physical_memory_map() returning a shorter buffer length than the caller assumes, so subsequent writes spill past the allocation. Rated CVSS 7.8 (CWE-787); no public exploit identified at time of analysis, but multiple distributions (Red Hat, Ubuntu, SUSE, Debian) have shipped fixes.
Heap over-read in Cyrus IMAP through version 3.12.2 enables authenticated IMAP users to leak server heap memory by submitting a crafted email containing an RFC 822 MIME comment whose final character is a backslash. During message parsing, the server reads past the end of the message buffer into adjacent heap memory and returns the exposed content to the requesting user, resulting in partial, non-deterministic heap disclosure. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; a fix is referenced in the Cyrus IMAP 3.12.3 release notes.
Non-persistent denial-of-service against Absolute Secure Access servers prior to version 14.55 is achievable by an attacker who has intimate knowledge of and total control over the tunnel protocol. The attack exploits a memory management flaw in the server component, causing service disruption that does not persist after the attack ends, meaning the server recovers without administrator intervention. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the network-accessible attack surface warrants patching given Absolute Secure Access is a perimeter access product. Notably, the vendor-supplied tag includes 'Information Disclosure,' which conflicts with the DoS-only description and may indicate additional undisclosed impact.
Out-of-bounds heap write in Tencent's ncnn neural-network inference framework allows a crafted .param model file to corrupt heap memory when parsed by Net::load_param(). Because ParamDict::load_param() and load_param_bin() validated the parsed parameter id only against the upper bound (id >= NCNN_MAX_PARAM_COUNT), a negative id indexes before the params[] array, giving an attacker a write primitive below the allocated buffer. No public exploit is identified at time of analysis and the issue is not in CISA KEV; an upstream source-code fix is available.
Heap overflow in Absolute Security Secure Access client certificate parsing causes a local denial of service. Versions prior to 14.55 are affected. An attacker who already holds local administrator privileges on a managed endpoint can trigger the overflow to crash the Secure Access client, effectively disabling it on that machine. No public exploit code has been identified, and this vulnerability is not listed in the CISA KEV catalog.
Out-of-bounds read in TDengine's SQL tokenizer (versions prior to 3.4.1.14) allows an authenticated user with SQL query access to crash the database server and potentially leak one byte of adjacent heap memory. The flaw resides in tGetToken() within source/libs/parser/src/parTokenizer.c, triggered by submitting a SQL string literal ending in a bare backslash (e.g., 'abc\). No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Denial of service in TDengine time-series database versions prior to 3.4.1.15 allows unauthenticated remote attackers to crash the server by sending a malformed compressed RPC packet. The transDecompressMsg() function trusts a compression-length field without verifying the packet is large enough to contain the 8-byte STransCompMsg header, leading to an out-of-bounds read, uncontrolled/underflowed allocation, and process crash. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; a vendor fix exists in 3.4.1.15.
Stack-based buffer overflow in TDengine (open-source IoT time-series database) versions 3.4.1.6 and earlier allows an authenticated user to trigger a one-byte out-of-bounds write by submitting SQL containing crafted escape sequences (\%, \_, or \x), leading to denial of service and potentially remote code execution. The flaw sits in the SQL parser's trimString() routine, which validates only a single byte of remaining space in the tmpTokenBuf stack buffer before writing escape-processed data. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it is fixed in version 3.4.1.14.
Out-of-bounds write in the Zephyr RTOS ADIN2111/ADIN1110 single-pair Ethernet driver (eth_adin2111.c) lets an attacker on the same 10BASE-T1S/T1L segment corrupt kernel memory by sending an oversized frame in OPEN Alliance SPI mode. Because per-chunk length and chunk count (up to 255) come straight off the wire with no bounds check on the reassembly cursor, the RX offload thread writes attacker-controlled bytes-up to ~14.8 KB-past the fixed 1524-byte static buffer, enabling denial of service and potentially remote code execution. There is no public exploit identified at time of analysis; the flaw was introduced in commit 0ca8b0756b1 and shipped in v3.7.0 through v4.4.0.
Memory-corruption vulnerabilities in Cisco RoomOS Software (the operating system on Cisco/Webex collaboration room endpoints) allow remote, unauthenticated attackers to trigger buffer-boundary violations that can compromise device confidentiality, integrity, and availability (CVSS 8.1). The flaws were internally discovered by Cisco's RoomOS engineering team during a proactive security review and are grouped under the CWE-119 buffer-error pillar; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV. High attack complexity (AC:H) reduces the practical ease of exploitation despite the network-facing, no-privilege vector.
Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Out-of-bounds read in HarmonyOS's image codec module allows a local attacker to cause service availability disruption, with the vendor description also noting potential confidentiality impact - a discrepancy with the CVSS C:N metric that warrants attention. All versions of Huawei HarmonyOS across consumer devices, vision products, wearables, and laptops are identified as affected per the July 2026 Huawei Security Bulletin. No public exploit code has been identified at time of analysis, and the medium CVSS score of 4.0 with a local attack vector limits real-world exploitation to scenarios with physical or local access to the target device.
Out-of-bounds read in HarmonyOS's image codec module exposes partial memory contents to local attackers, affecting service confidentiality with a secondary availability impact. The CVSS vector (AV:L/PR:N) scopes exploitation to the local device - reachable by any installed application capable of submitting image data to the vulnerable codec - without requiring elevated privileges. No confirmed active exploitation (not listed in CISA KEV) and no public exploit code have been identified at time of analysis; Huawei has published remediation bulletins across four device categories in July 2026.
Out-of-bounds read in HarmonyOS's image codec module exposes limited memory content and may cause service instability, affecting confidentiality and availability at a low severity level. The flaw resides in image processing logic and is reachable by a local, unprivileged actor who can trigger image decoding - such as by supplying a crafted image file. No public exploit has been identified at time of analysis, and Huawei has disclosed patches via July 2026 security bulletins covering consumer devices, wearables, and laptops.
Out-of-bounds read in HarmonyOS's image codec module can be triggered locally, with potential impact to service confidentiality and availability. Huawei disclosed this via its July 2026 security bulletin family covering consumer devices, vision products, wearables, and laptops - indicating broad exposure across the HarmonyOS device ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog.
Out-of-bounds read in the HarmonyOS image codec module allows a local unprivileged user to disrupt service availability on affected Huawei devices. Huawei's own bulletin language references potential confidentiality impact, but the NVD CVSS vector assigns C:N and A:L only - a discrepancy that warrants attention. No public exploit code and no CISA KEV listing have been identified at time of analysis, keeping real-world risk low despite the wide device footprint across Huawei phones, wearables, and laptops.
ImageMagick before 7.1.2-26 (7.x branch) and 6.9.13-51 (6.x branch) discloses one byte of process memory beyond a profile boundary when the `identify` command is run with debug output enabled and the embedded profile ends with a non-printable byte. The out-of-bounds read (CWE-125) is highly conditional - requiring local access, explicit debug mode activation, and a specifically crafted profile payload - keeping real-world impact extremely low despite ImageMagick's broad deployment footprint. No public exploit code or active exploitation has been identified at time of analysis.
Heap-based buffer over-write in ImageMagick's X11 import functionality exposes local systems to heap memory corruption and denial of service when processing a crafted X11 window title. Affected versions span both the 7.x branch (before 7.1.2-26) and the legacy 6.x branch (before 6.9.13-51), covering a large installed base across Linux and Unix environments. No public exploit identified at time of analysis, and the narrow exploitation conditions - requiring local privileged access with X11 in scope - significantly constrain real-world risk despite the CWE-122 heap overflow class.
Out-of-bounds memory read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager exposes kernel and firmware memory contents to local administrators via a crafted IOCTL request that bypasses the driver's length validation. The vulnerability (CWE-125) is constrained to AV:L/PR:H, meaning exploitation requires prior establishment of local administrator access on a system where the affected ASUS software is installed. No public exploit code or active exploitation has been confirmed at time of analysis; the ASUS Security Advisory documents the remediation path.
Denial of service in BusyBox's AWK interpreter (editors/awk.c, commit 371fe9) lets an attacker crash the awk process by feeding it a crafted AWK script that overflows the stack inside the recursive evaluate() function. The impact is limited to availability (process crash) with no data exposure or code execution claimed; no public exploit identified at time of analysis and EPSS is very low (0.16%, 6th percentile). BusyBox is extremely widespread in embedded Linux, IoT firmware, and container base images, but exploitation requires the attacker to supply the script that awk executes, which materially narrows real-world reach.
Heap buffer overflow in NTFS-3G's ntfscat utility (versions through 2026.2.25) enables heap memory corruption when processing a crafted malicious NTFS image, specifically in the cat() function of cat.c. The overflow is triggered passively during file read operations, requiring no complex interaction beyond ntfscat processing an attacker-supplied image. No public exploit has been identified at time of analysis, and a vendor patch is available via Ubuntu USN-8554-1. Given NTFS-3G's near-universal deployment across Linux distributions, organizations that process untrusted disk images - forensic tools, backup pipelines, virtualization stacks - face meaningful exposure until patched.
Denial of service in BusyBox 1.38.0 lets attackers crash the bundled ash shell by supplying crafted input that triggers a heap-based buffer overflow (CWE-122) in the ifsbreakup() field-splitting routine of shell/ash.c. Only availability is impacted - there is no public exploit identified at time of analysis, and the EPSS score is low (0.16%, 6th percentile), indicating little observed exploitation interest so far. The NVD-assigned CVSS of 7.5 rests on a network attack vector that is not clearly supported by the description, which points to input being fed to a local shell.
Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by mounting a crafted NTFS image and performing a directory-extending operation such as creating a file. Because ntfs-3g runs as root via the SUID bit on most Linux distributions, successful exploitation of the overflow in ntfs_ir_to_ib() could yield local privilege escalation to root. No public exploit code or active exploitation has been identified at time of analysis; a vendor patch is available via Ubuntu Security Notice USN-8554-1.
Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt one byte of heap memory within the SUID-root ntfs-3g binary by supplying a specially crafted NTFS image, triggering the flaw during decompression in ntfs_decompress() in compress.c. Because the binary executes with root privileges via the SUID mechanism, successful heap exploitation could yield full local privilege escalation to root from an unprivileged account. No public exploit has been identified at time of analysis, and the single-byte overflow constraint substantially raises exploitation complexity, but the SUID-root execution context makes this a high-value local privilege escalation target.
Denial of service in BusyBox 1.38.0 stems from a heap-based buffer overflow in the evalcommand() routine of the ash shell interpreter (shell/ash.c), where crafted input corrupts heap memory and crashes the process. No public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile), indicating no observed exploitation activity. Impact is limited to availability - no confidentiality or integrity loss is claimed per the CVSS vector.
Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS image, with exploitation triggered when a directory is extended (e.g., a file is created) on the mounted filesystem. Because ntfs-3g carries the SUID-root bit to operate FUSE-based NTFS mounts, successful heap corruption in this context carries privilege escalation potential to root. No public exploit code has been identified at time of analysis; a vendor-released patch is available via Ubuntu USN-8554-1.
Heap buffer overflow in NTFS-3G through 2026.2.25 allows a local attacker to corrupt heap memory in the SUID-root ntfs-3g binary by supplying a crafted NTFS filesystem image, potentially achieving privilege escalation to root. The flaw resides in the index B-tree traversal function ntfs_index_walk_down() in libntfs-3g/index.c and is triggered during parsing of crafted file metadata. No public exploit code has been identified at time of analysis, but Ubuntu has issued a security advisory (USN-8554-1) and a vendor patch is available.
Out-of-bounds memory read in NTFS-3G through 2026.2.25 exposes ntfs-3g process memory contents when a victim mounts a crafted NTFS filesystem image and invokes readlink on a corrupted reparse point file. The defect resides in ntfs_fix_file_name() within libntfs-3g/reparse.c and can disclose potentially confidential in-process data - such as recently processed file paths or runtime buffers - to the attacker who supplied the malicious image. No public exploit has been identified at time of analysis; Ubuntu has confirmed patch availability via security advisory USN-8554-1.
Out-of-bounds read in NTFS-3G through version 2026.2.25 exposes ntfs-3g process memory when a maliciously crafted NTFS image is mounted and a file with a specially crafted name is created on it. The flaw in ntfs_ir_nill() within the index-handling code allows an attacker who controls the filesystem image to read data from the running ntfs-3g process that may include confidential in-memory contents. No public exploit code and no active exploitation (CISA KEV) have been identified at time of analysis; this issue was surfaced by the Ubuntu security team.
Heap-based buffer overflow in NTFS-3G through 2026.2.25 enables a local attacker to corrupt heap memory inside the SUID-root ntfs-3g binary, creating a local privilege escalation path to root. The flaw resides in build_inherited_id() within libntfs-3g/security.c and is triggered by creating a file inside a specially crafted directory on a malicious NTFS image supplied by the attacker. No public exploit code has been identified at time of analysis; the issue was surfaced through the Ubuntu vendor security channel.
Heap buffer overflow in NTFS-3G through 2026.2.25 allows local privilege escalation to root via a crafted NTFS filesystem image. The overflow occurs in ntfs_ib_cut_tail() within the index management code when a file is created inside a specially constructed directory on a malicious NTFS image. Because the ntfs-3g binary runs as SUID-root, heap corruption in this process can yield code execution with root privileges. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis.
Remote code execution or permanent denial of service in the Tenda AC10 v3 SOHO router (firmware V03.03.16.09) stems from a classic buffer overflow reachable through the /cgi-bin/UploadCfg web endpoint. Attackers who can reach the router's management interface can send oversized crafted input to crash the device permanently or potentially run arbitrary code on it. Proof-of-concept material appears to be published on GitHub, though this is not listed in CISA KEV and carries a low EPSS score of 0.17% (7th percentile), indicating no confirmed widespread exploitation yet.
Heap out-of-bounds read/write in OpenHTJ2K (High-Throughput JPEG 2000 reference codec) v0.18.4 and earlier lets an attacker corrupt heap memory by supplying a crafted J2K/JP2 codestream, with a confirmed heap information-leak primitive and vendor-claimed arbitrary code execution. The flaw is reached through every decoder entry point (invoke, invoke_line_based, invoke_line_based_stream, invoke_line_based_predecoded) and, notably, through a JPIP server's startup codestream load, making it network-reachable without user interaction. There is no public exploit identified at time of analysis, though the vendor changelog references non-public PoC files, and the issue is not listed in CISA KEV.
Buffer Overflow vulnerability in OpenHTJ2K v.0.18.4 and before allows an attacker to execute arbitrary code via the j2k_precinct_subband::parse_packet_header() in source/core/coding/coding_units.cpp
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Illustrator is affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Arbitrary code execution in Adobe Bridge is possible through an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted file, running attacker code in the context of the current user. All versions covered by Adobe advisory APSB26-81 are affected, and while there is no public exploit identified at time of analysis, the local user-interaction attack pattern is consistent with weaponized document/asset lures. The CVSS 7.8 (High) rating reflects full confidentiality, integrity, and availability impact once a victim is socially engineered into opening the file.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file that triggers a heap-based buffer overflow (CWE-122), letting an attacker run code in the context of the current user. The flaw was reported by Adobe and disclosed in advisory APSB26-81; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is file-borne and requires user interaction, so it is not remotely triggerable without a user opening attacker-supplied content.
Arbitrary code execution in Adobe Bridge results from an out-of-bounds write (CWE-787) that a victim triggers by opening a malicious file, running attacker-supplied code with the privileges of the current user. The flaw is local (AV:L) and requires user interaction, so it is a client-side, file-borne bug rather than a remotely reachable service vulnerability. No public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe patched it in advisory APSB26-81.
Arbitrary code execution in Adobe Bridge is possible when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) that executes attacker-controlled code in the context of the current user. The flaw affects Adobe Bridge as reported by Adobe (advisory APSB26-81) and is rated CVSS 7.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation is local and hinges entirely on user interaction - the victim must open the malicious file.
Code execution in NVIDIA TensorRT is possible when the SDK processes a maliciously crafted input that overflows a heap-based buffer (CWE-122), corrupting adjacent heap memory. The flaw affects the TensorRT deep-learning inference library and requires a local user to load attacker-supplied content, per the AV:L/UI:R CVSS vector; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Successful exploitation yields full loss of confidentiality, integrity, and availability (C:H/I:H/A:H) in the context of the process running the inference job.
Local code execution in NVIDIA TensorRT is possible when the library parses an attacker-supplied input (such as a crafted model/engine file), triggering a heap-based buffer overflow (CWE-122) that can corrupt memory and lead to arbitrary code execution in the context of the process using TensorRT. The CVSS 3.1 vector (AV:L/UI:R) indicates the attacker needs local access and must induce a user or application to load malicious content, and there is no public exploit identified at time of analysis. TensorRT is NVIDIA's deep-learning inference SDK, so the affected population is developers, MLOps pipelines, and inference servers that load third-party or untrusted models.
Heap buffer overflow in libyuv in Google Chrome on Windows prior to 150.0.7871.125 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file. (Chromium security severity: High)
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) that runs in the context of the current user when a victim opens a maliciously crafted project or media file. Adobe (via advisory APSB26-78) confirms the flaw; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The 7.8 CVSS reflects high impact tempered by the local vector and required user interaction.
Arbitrary code execution in Adobe After Effects arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted project or media file, running attacker code with the privileges of the current user. Adobe self-reported the flaw in advisory APSB26-78; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 7.8 (High) rating reflects high confidentiality, integrity, and availability impact but is gated by required user interaction and local file delivery.
Arbitrary code execution in Adobe Premiere Pro is possible via a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted project or media file, running attacker code in the context of the current user. The flaw is local and requires user interaction, with no public exploit identified at time of analysis; Adobe self-reported it in advisory APSB26-76. CVSS 7.8 reflects high confidentiality, integrity, and availability impact but a local attack vector gated by the user opening a malicious file.
Arbitrary code execution in Adobe Premiere Pro via an out-of-bounds write (CWE-787) that lets an attacker run code in the context of the current user when a victim opens a maliciously crafted project or media file. The flaw is memory-corruption based and file-driven, requiring user interaction rather than network exposure; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS data was not provided, but the local, user-interaction-gated vector places this in the file-format/client-side attack category typical of Adobe desktop products.
Arbitrary code execution in Adobe Premiere Pro is possible when a victim opens a maliciously crafted project or media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw was reported by Adobe (advisory APSB26-76) and carries a CVSS 3.1 base score of 7.8 (local vector, requires user interaction). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is currently driven by the ease of social-engineering a user into opening a booby-trapped file.
Heap-based buffer overflow in NVIDIA TensorRT-LLM's tensor deserialization path lets an adjacent, unauthenticated attacker corrupt heap memory by supplying a crafted serialized tensor, potentially causing information disclosure, data tampering, or denial of service. All platforms running affected TensorRT-LLM versions are impacted. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; NVIDIA rates exploitation as high-complexity (AC:H).
Arbitrary code execution in Adobe Media Encoder arises from a stack-based buffer overflow (CWE-121) triggered when a victim opens a maliciously crafted media file, allowing an attacker to run code in the context of the current user. The CVSS 3.1 base score is 7.8 (local vector, user interaction required, no privileges needed). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so risk is file-delivery-driven rather than remotely wormable.
Arbitrary code execution in Adobe Media Encoder is possible through an out-of-bounds write triggered when a victim opens a maliciously crafted media file, running attacker code in the context of the current user. The flaw was reported by Adobe and is addressed in advisory APSB26-72; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation hinges on user interaction (opening the file) and yields high impact to confidentiality, integrity, and availability.
Arbitrary code execution in Adobe Media Encoder is possible when a victim opens a maliciously crafted media file, triggering an out-of-bounds write (CWE-787) that runs attacker code in the context of the current user. The flaw is local and requires user interaction, so it is not remotely wormable, but successful exploitation grants full compromise of the user's session. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; Adobe published advisory APSB26-72 addressing the issue.
Media Encoder is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Arbitrary code execution in Adobe Media Encoder arises from an out-of-bounds write (CWE-787) that lets a crafted media file corrupt memory and run attacker-controlled code in the context of the current user. Any user who opens a malicious file in the affected desktop application is at risk, with full loss of confidentiality, integrity, and availability on the host. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
An out-of-bounds read vulnerability was found in libsoup's multipart processing subsystem. The flaw exists in the soup_multipart_input_stream_read_headers() function inside soup-multipart-input-stream.c, which does not adequately restrict or validate the size of incoming multipart boundary strings. When processing a crafted HTTP response containing a malformed or oversized boundary parameter, the internal stream reader reads past the allocated buffer bounds. A remote, unauthenticated attacker can exploit this behavior to cause a service denial (DoS) through application failure or potentially read fragments of unauthorized memory metadata.
Denial of service in NVIDIA Triton Inference Server for Linux stems from a stack-based buffer overflow (CWE-121) reachable by remote, unauthenticated attackers over the network. Per the CVSS 3.1 vector, exploitation requires no privileges or user interaction and impacts only availability (A:H), with no confidentiality or integrity effect. There is no public exploit identified at time of analysis, and the CVE is not listed in CISA KEV; no EPSS score was provided in the input.
Denial of service in Microsoft .NET (versions 8.0, 9.0, and 10.0) and .NET Framework (3.5 through 4.8.1) allows a remote, unauthenticated attacker to crash affected applications by triggering a stack-based buffer overflow (CWE-121) over the network. The flaw impacts availability only - there is no confidentiality or integrity loss and no code execution per the CVSS vector (A:H, C:N, I:N). Microsoft has published an advisory with fixes; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Denial of service in Open5GS (open-source 5G/EPC core) through version 2.7.7 lets remote unauthenticated attackers crash the AMF by sending a malformed NAS 5GS mobile-identity information element, triggering a heap out-of-bounds read before authentication completes. Because the AMF handles mobility management for the entire network, a single crafted pre-authentication message can produce a subscriber-wide outage rather than affecting only the sender. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the pre-auth network-reachable nature makes it a high-priority availability issue for anyone running Open5GS in production.
Heap buffer over-read in libsoup's HTTP/2 GOAWAY frame parser allows remote unauthenticated attackers to crash applications or leak heap memory fragments by sending a malformed frame with a non-NUL-terminated Additional Debug Data payload. Affected deployments include applications built on libsoup running on Red Hat Enterprise Linux 10 that accept or initiate HTTP/2 connections. A proof-of-concept exists per SSVC data, though exploitation is rated non-automatable and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, allowing an attacker to run code in the context of the current user. The flaw is Adobe-reported (advisory APSB26-71) and carries a CVSS 7.8 (High) rating; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, weaponization depends on social engineering rather than remote automated attack.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code with the privileges of the current user. The CVSS 3.1 base score is 7.8 (local vector, requires user interaction), and no public exploit has been identified at time of analysis. Reported by Adobe via advisory APSB26-71.
Audition is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (memory corruption) that runs in the context of the current user when a victim opens a maliciously crafted media/project file. All affected versions covered by Adobe advisory APSB26-71 are impacted, and while no public exploit has been identified at time of analysis, the local attack vector with required user interaction makes it a classic file-format weaponization risk. The CVSS 7.8 (High) reflects full confidentiality, integrity, and availability impact once the file is opened.
Arbitrary code execution in Adobe Audition arises from an out-of-bounds write (CWE-787) triggered when a victim opens a maliciously crafted media/project file, letting an attacker run code in the context of the current user. The flaw was reported by Adobe and is documented in advisory APSB26-71; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Because exploitation is local and requires user interaction, it is a file-format/client-side memory-corruption issue rather than a remotely-triggerable server flaw.