Buffer Overflow

Remote code execution in UTT 520W firmware 1.7.7-180627 stems from a buffer overflow in the /goform/ConfigExceptMSN endpoint accessible to authenticated users. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve complete system compromise including data theft, modification, and service disruption.

Buffer overflow in UTT 520W firmware version 1.7.7-180627 allows authenticated remote attackers to execute arbitrary code through the /goform/ConfigExceptQQ endpoint via unsafe string operations. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability affects confidentiality, integrity, and availability with CVSS 8.8 severity.

Remote code execution in UTT 520W firmware versions through 1.7.7-180627 stems from a buffer overflow in the /goform/formWebAuthGlobalConfig endpoint, allowing authenticated attackers to execute arbitrary code with network access. Public exploit code is available for this vulnerability, and no patches have been released despite vendor notification. The high CVSS score of 8.8 reflects full compromise of confidentiality, integrity, and availability on affected devices.

A security vulnerability has been detected in Mapnik up to 4.2.0. This issue affects the function mapnik::dbf_file::string_value of the file plugins/input/shape/dbfile.cpp. [CVSS 5.3 MEDIUM]

A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. [CVSS 5.3 MEDIUM]

Librtsp versions up to 2ec1a81ad65280568a0c7c16420d7c10fde13b04 contain a buffer overflow in the rtsp_parse_method function that allows local attackers with user-level privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

A vulnerability was determined in raysan5 raylib up to 909f040. Affected by this vulnerability is the function GenImageFontAtlas of the file src/rtext.c. [CVSS 5.3 MEDIUM]

Buffer overflow in cijliu librtsp's rtsp_parse_request function allows local attackers with user privileges to achieve limited confidentiality and integrity impact. Public exploit code exists for this vulnerability, though no patch is currently available and rolling releases make version tracking difficult.

Buffer overflow in the rtsp_rely_dumps function of librtsp allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, though the vendor has not provided patches despite early notification. The affected library uses rolling releases, making it difficult to determine specific vulnerable versions.

In the eap-mschapv2 plugin (client-side) in strongSwan before 6.0.3, a malicious EAP-MSCHAPv2 server can send a crafted message of size 6 through 8, and cause an integer underflow that potentially results in a heap-based buffer overflow. [CVSS 8.1 HIGH]

mmstu.c in VideoLAN VLC media player versions up to 3.0.22 is affected by out-of-bounds read (CVSS 4.8).

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. [CVSS 7.8 HIGH]

Canon printers contain a buffer overflow in XPS font parsing that allows remote code execution through crafted print jobs with malicious font data.

Canon Multifunction Printers have a buffer overflow in Address Book attribute tag processing that allows remote attackers to execute code by exploiting the printer's management interface.

Canon printers contain a buffer overflow in XPS font fpgm table processing, enabling remote code execution when processing crafted print jobs with malicious font data.

Canon printers have a buffer overflow in CPCA list processing that allows remote attackers to execute arbitrary code through the printer's network protocol handler.

Canon printers have a buffer overflow in XML processing of XPS files that allows network-adjacent attackers to execute arbitrary code by sending crafted print jobs.

Canon Small Office Multifunction Printers and Laser Printers are vulnerable to a buffer overflow in WSD print job processing that allows remote attackers to execute arbitrary code or cause denial of service.

NoteBurner 2.35 contains a buffer overflow in the license code input field that enables local attackers to crash the application or potentially execute arbitrary code by supplying an oversized activation key.

Ether MP3 CD Burner 1.3.8 has buffer overflow in registration enabling bind shell on port 3110 via SEH overwrite. PoC available.

Denial-of-service in Juniper Junos OS Packet Forwarding Engine allows authenticated attackers to crash Forwarding Processor Cards by subscribing to telemetry sensors at scale, forcing service restarts and network disruption. The vulnerability affects Junos versions before 22.4R3-S7, 23.2R2-S4, and 23.4R2, with no patch currently available. Installation of specific YANG sensor packages mitigates the issue.

A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). [CVSS 7.5 HIGH]

A buffer overflow in the vobsub_get_subpic_duration() function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet. [CVSS 7.5 HIGH]

GPAC v2.4.0 was discovered to contain an out-of-bounds read in the oggdmx_parse_tags function. [CVSS 8.2 HIGH]

Cmder Console Emulator 1.3.18 can be crashed via a malicious .cmd file with repeated characters, causing buffer overflow and DoS. PoC available.

YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. [CVSS 8.4 HIGH]

Kingdia CD Extractor 3.0.2 has a buffer overflow in the registration name field. PoC available.

10-Strike Network Inventory Explorer Pro 9.31 has a buffer overflow in text file import that enables RCE through crafted files. PoC available.

Glibc versions 2.30 through 2.42 contain an integer overflow in the memalign function family that allows attackers with control over both size and alignment parameters to trigger heap corruption. Public exploit code exists for this vulnerability, which requires carefully crafted inputs with alignment values between 2^62+1 and 2^63 paired with sizes near PTRDIFF_MAX. Local attackers exploiting this flaw could achieve code execution or denial of service on affected systems.

FreeRDP URBDRC USB redirect client has OOB read when processing server-supplied interface descriptors without bounds checking. Fixed in 3.20.1.

FreeRDP Base64 decoder has a global buffer overflow on ARM builds due to implementation-defined char signedness. Fixed in 3.20.1.

FreeRDP smartcard SetAttrib heap OOB read when attribute length mismatches NDR buffer. Fixed in 3.20.1.

FreeRDP drive read heap overflow when server-controlled read length exceeds IRP output buffer. Fixed in 3.20.1. PoC available.

FreeRDP RDPEAR NDR array reader has a heap overflow due to missing bounds checking on element counts. Malicious RDP server can overwrite heap memory. PoC available. Fixed in 3.20.1.

A vulnerability in the boot process of Blurams Flare Camera version 24.1114.151.929 and earlier allows a physically proximate attacker to hijack the boot mechanism and gain a bootloader shell via the UART interface. [CVSS 6.1 MEDIUM]

TinyOS versions up to and including 2.1.2 contain a global buffer overflow vulnerability in the printfUART formatted output implementation used within the ZigBee / IEEE 802.15.4 networking stack.

In the Linux kernel, the following vulnerability has been resolved: clk: samsung: exynos-clkout: Assign .num before accessing .hws Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds.

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: fix "UBSAN: shift-out-of-bounds error" This patch ensures that the RX ring size (rx_pending) is not set below the permitted length.

In the Linux kernel, the following vulnerability has been resolved: media: adv7842: Avoid possible out-of-bounds array accesses in adv7842_cp_log_status() It's possible for cp_read() and hdmi_read() to return -EIO. Those values are further used as indexes for accessing arrays.

In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: avoid invalid read in irdma_net_event irdma_net_event() should not dereference anything from "neigh" (alias "ptr") until it has checked that the event is NETEVENT_NEIGH_UPDATE.

In the Linux kernel, the following vulnerability has been resolved: erspan: Initialize options_len before referencing options. The struct ip_tunnel_info has a flexible array member named options that is protected by a counted_by(options_len) attribute.

In the Linux kernel, the following vulnerability has been resolved: ext4: fix string copying in parse_apply_sb_mount_options() strscpy_pad() can't be used to copy a non-NUL-term string into a NUL-term string of possibly bigger size.

In the Linux kernel, the following vulnerability has been resolved: iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree.

In the Linux kernel, the following vulnerability has been resolved: libceph: make decode_pool() more resilient against corrupted osdmaps If the osdmap is (maliciously) corrupted such that the encoded length of ceph_pg_pool envelope is less than what is expected for a particular encoding version, out-of-bounds reads may ensue because the only bounds check that is there is based on that length value.

In the Linux kernel, the following vulnerability has been resolved: net: hns3: add VLAN id validation before using Currently, the VLAN id may be used without validation when receive a VLAN configuration mailbox from VF. The length of vlan_del_fail_bmap is BITS_TO_LONGS(VLAN_N_VID).

In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions.

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration()).

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]

The drivers in the tool packages use RTL_QUERY_REGISTRY_DIRECT flag to read a registry value to which an untrusted user-mode application may be able to cause a buffer overflow. [CVSS 7.8 HIGH]

Explorer32++ 1.3.5.531 has a buffer overflow in filename handling that corrupts the SEH chain with filenames over 396 characters. PoC available.

Inbit Messenger 4.6.0-4.9.0 has a second stack buffer overflow in the network handler. SEH overwrite leads to shellcode execution on Windows. PoC available.

AimOne Video Converter 2.04 Build 103 contains a buffer overflow vulnerability in its registration form that causes application crashes. Attackers can generate a 7000-byte payload to trigger the denial of service and potentially exploit the software's registration mechanism. [CVSS 6.5 MEDIUM]

Audio Conversion Wizard v2.01 has a buffer overflow in the registration code field that enables RCE through a crafted payload. PoC available.

Memory corruption in iccDEV library versions before 2.3.1.2 allows remote attackers to achieve code execution via maliciously crafted ICC color profiles, affecting users who process untrusted profile data. Public exploit code exists for this vulnerability. Organizations using iccDEV should upgrade to version 2.3.1.2 immediately.

Out-of-bounds memory read in Substance 3D Modeler 1.22.4 and earlier allows disclosure of sensitive information from application memory. Exploitation requires a local user to open a specially crafted malicious file. No patch is currently available for this vulnerability.

Out-of-bounds memory read in Substance 3D Modeler 1.22.4 and earlier enables disclosure of sensitive data from process memory when a user opens a crafted file. The vulnerability requires user interaction to exploit but carries no availability or integrity impact. No patch is currently available for affected versions.

Arbitrary code execution in Substance 3D Modeler 1.22.4 and earlier via out-of-bounds write vulnerability when processing malicious files. An attacker can execute code with the privileges of the user who opens a crafted file, requiring social engineering for successful exploitation. No patch is currently available for this vulnerability.

Arbitrary code execution in Substance 3D Modeler versions 1.22.4 and earlier results from an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can leverage this to execute code with the privileges of the current user, with no patch currently available to remediate the issue.

Out-of-bounds memory read in Substance 3D Designer 15.0.3 and earlier allows attackers to disclose sensitive information from application memory by tricking users into opening malicious files. The vulnerability requires local access and user interaction but carries no patch availability. This medium-severity flaw affects designers and creative professionals using vulnerable versions of the software.

Arbitrary code execution in Substance 3D Designer 15.0.3 and earlier results from an out-of-bounds write vulnerability triggered when users open specially crafted files. An attacker can leverage this to execute code with the privileges of the affected user, though exploitation requires social engineering to deliver the malicious file. No patch is currently available.

Arbitrary code execution in Substance 3D Sampler 5.1.0 and earlier through an out-of-bounds write vulnerability that requires a user to open a malicious file. An attacker can execute commands with the privileges of the current user on the affected system. No patch is currently available for this vulnerability.

Arbitrary code execution in Adobe Substance 3D Painter versions 11.0.3 and earlier through an out-of-bounds write flaw allows attackers to execute commands with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for affected users.

openCryptoki is a PKCS#11 library and tools for Linux and AIX. [CVSS 6.6 MEDIUM]

Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier via a heap buffer overflow vulnerability when users open malicious files. The flaw requires user interaction but allows attackers to execute code with the privileges of the current user. No patch is currently available for this high-severity issue.

Heap buffer overflow in Bridge versions 15.1.2 and 16.0 and earlier enables arbitrary code execution when users open specially crafted files. The vulnerability requires user interaction but carries no patch availability, leaving affected systems exposed to local attack. With a CVSS score of 7.8, this poses significant risk to Bridge users until patching becomes available.

Arbitrary code execution in Adobe InCopy versions 21.0, 19.5.5 and earlier through a heap-based buffer overflow when users open malicious files. An attacker can execute commands with the privileges of the targeted user by crafting a specially designed document. No patch is currently available, requiring users to avoid opening untrusted InCopy files.

Arbitrary code execution in Adobe InDesign versions 21.0, 19.5.5 and earlier through a heap-based buffer overflow vulnerability triggered by opening a malicious file. Attackers can achieve code execution with the privileges of the affected user, requiring only social engineering to deliver the malicious document. No patch is currently available.

Local privilege escalation in Azure Connected Machine Agent exploits a stack-based buffer overflow, enabling authenticated users to gain elevated system privileges. The vulnerability affects Azure and Stack Overflow deployments and requires local access with valid credentials to exploit. No patch is currently available for this high-severity issue.

Windows Cloud Files Mini Filter Driver contains a heap-based buffer overflow that enables local privilege escalation on Windows 10 1809, Windows Server 2016, and Windows Server 2022. An authenticated attacker can exploit this vulnerability to gain elevated system privileges without user interaction. No patch is currently available.

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Privilege escalation in Windows Virtualization-Based Security (VBS) Enclave affects Windows 11 and Windows Server 2022 through a heap-based buffer overflow in memory management. An authenticated local attacker with high privileges can exploit this vulnerability to gain unauthorized system-level access. No patch is currently available for this medium-severity vulnerability (CVSS 6.7).

Remote code execution in Windows RRAS affects Windows 10 21h2 and Windows Server 2022 variants through a heap-based buffer overflow triggered over the network without authentication. An attacker can exploit this vulnerability to execute arbitrary code with high privileges, though a user interaction is required to trigger the flaw. No patch is currently available, making this a critical risk for exposed systems.

Windows Server and Windows 10/11 Connected Devices Platform Service (Cdpsvc) contains a heap buffer overflow that allows authenticated local users to escalate privileges to system level. The vulnerability requires low complexity exploitation with no user interaction, affecting multiple recent Windows versions including Server 2022, Windows 10 21h2, and Windows 11 23h2. No patch is currently available for this high-severity flaw.

Information disclosure in Windows Capability Access Management Service (camsvc) enables local attackers to read sensitive data from memory without authentication on Windows 11 24h2, Windows 11 25h2, and Windows Server 2025. The out-of-bounds read vulnerability requires local access but no special privileges or user interaction to trigger. No patch is currently available for this issue.

Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally. [CVSS 7.8 HIGH]

Local code execution in Windows Media affects Windows 11 25h2, Windows Server 2019, and Windows Server 2025 through a heap buffer overflow that requires user interaction to trigger. An attacker with local access can exploit this vulnerability to achieve arbitrary code execution with full system privileges. No patch is currently available for this vulnerability.

Information disclosure in Windows Capability Access Management Service (camsvc) allows authenticated local users to read out-of-bounds memory and access sensitive data on Windows 11 24h2, Windows 11 25h2, Windows Server 2022 23h2, and Windows Server 2025. The vulnerability requires valid user credentials and local system access, posing a risk to multi-user environments where privilege escalation chains could amplify the impact. No patch is currently available.

Heap buffer overflow in Windows Common Log File System Driver (affecting Windows 10 1607, Server 2016, and Server 2022 23h2) enables authenticated local users to achieve complete system compromise through privilege escalation. The vulnerability requires valid credentials but no user interaction, making it a direct path to administrative control for insiders or attackers with initial access. No patch is currently available, leaving affected systems at elevated risk pending remediation.

A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets [CVSS 8.1 HIGH]

In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities.

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT.

In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround.

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR.

In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers.

In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down.

In the Linux kernel, the following vulnerability has been resolved: ethtool: Avoid overflowing userspace buffer on stats query The ethtool -S command operates across three ioctl calls: ETHTOOL_GSSET_INFO for the size, ETHTOOL_GSTRINGS for the names, and ETHTOOL_GSTATS for the values.

There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. [CVSS 8.8 HIGH]

Libpng versions 1.6.26 through 1.6.53 contain an integer truncation flaw in the simplified write API functions that triggers a heap buffer over-read when processing images with negative row strides or strides exceeding 65535 bytes. Local attackers can exploit this to read sensitive heap memory, potentially disclosing application data. No patch is currently available; users should avoid processing untrusted PNG images with these vulnerable libpng versions.