Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36138)
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers to crash the application by parsing malformed K12 RF5 files with user interaction. The vulnerability stems from a buffer overflow in the K12 RF5 file parser, requiring an attacker to trick a user into opening a crafted file. No public exploit code or active exploitation has been identified at time of analysis.
Heap buffer overflow in Wireshark's SBC codec handler enables local code execution when processing malicious capture files. Affects Wireshark versions 4.4.0-4.4.14 and 4.6.0-4.6.4. The vulnerability requires user interaction (opening a crafted packet capture file) but no authentication, posing significant risk to network analysts who routinely process captures from untrusted sources. Wireshark Foundation has published security advisory WNPA-sec-2026-16 with remediation details. EPSS probability data not available; no evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.
Heap-based buffer overflow in Wireshark's RDP protocol dissector allows local attackers to cause denial of service or execute arbitrary code via maliciously crafted capture files. Affects Wireshark versions 4.6.0-4.6.4 and 4.4.0-4.4.14. The vulnerability requires user interaction (opening a malicious .pcap file) but no authentication, making it effective for social engineering attacks against network analysts. No active exploitation confirmed in CISA KEV, but proof-of-concept details available via GitLab issue tracker. EPSS data not available for risk prioritization.
Buffer overflow in TOTOLINK A800R router firmware 4.1.2cu.5137 enables authenticated remote attackers to achieve arbitrary code execution with high privileges. The vulnerability exists in the setWiFiMultipleConfig function of the wireless configuration module (wireless.so) within the cstecgi.cgi web interface, exploitable via malformed wepkey2 parameter. Public proof-of-concept exploit code is available on GitHub. EPSS data not provided, CISA KEV status not listed, indicating exploitation is demonstrated but not yet observed in widespread campaigns.
Memory corruption in Absolute Secure Access Windows clients prior to version 14.50 allows local authenticated attackers to trigger denial of service by sending malformed data to an exposed API. The vulnerability requires local system access and authenticated privileges but can completely disable the security client, creating a critical availability risk for endpoint protection.
Buffer overflow in Absolute Secure Access server (versions before 14.50) allows authenticated remote attackers with modified client software to crash the server through specially crafted messages. This denial-of-service vulnerability requires low-privilege authentication and presents moderate real-world risk given the client modification prerequisite. EPSS data not available; no confirmed active exploitation or public proof-of-concept identified at time of analysis.
Buffer overflow in Absolute Secure Access Windows client versions prior to 14.50 allows local attackers with high privileges to trigger denial of service by exploiting improper memory handling. The vulnerability requires local access and elevated administrative privileges, limiting exploitation to authenticated users already possessing administrative control of the affected system. Vendor-released patch: version 14.50 or later.
Buffer overflow in Absolute Secure Access Windows client prior to version 14.50 allows local attackers to cause denial of service by triggering a system blue screen. The vulnerability requires local access to the affected system and can be exploited without user interaction or authentication. A vendor patch is available.
Local privilege escalation in Absolute Secure Access Windows client versions prior to 14.50 allows authenticated local attackers to escalate privileges to SYSTEM level by sending malformed API data. The vulnerability stems from an arbitrary read/write flaw in the client's API handling. Vendor patch is available (version 14.50). EPSS score not available for this recent CVE; no public exploit identified at time of analysis, and not currently listed in CISA KEV.
Out-of-bounds read in Absolute Secure Access macOS client prior to version 14.50 allows remote attackers with control of a modified server to send malformed packets triggering denial of service. The vulnerability requires high attack complexity (modified server infrastructure and user interaction) and results in availability impact only, with a low CVSS score of 2.3 reflecting limited real-world severity despite network accessibility.
Buffer overflow in Absolute Secure Access prior to version 14.50 allows remote attackers to cause denial of service by sending a cryptographically valid message to the client, potentially overwriting memory. The vulnerability requires network access and user interaction (UI:P), making it a moderate-complexity attack with low availability impact. Vendor has released a patch available as of the CVE disclosure.
Buffer overflow in Secure Access message parsing prior to version 14.50 allows remote attackers with control of a modified server to send specially crafted packets that corrupt memory, potentially causing denial of service or limited information disclosure. Attack requires network access, high complexity, and user interaction; CVSS 2.3 reflects limited real-world impact despite the vulnerability class.
Buffer overflow in the authentication subsystem of Absolute Secure Access prior to version 14.50 allows remote attackers controlling a malicious server to send specially crafted packets that corrupt memory, potentially causing denial of service. The vulnerability requires high attack complexity and user interaction, resulting in low confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been identified at the time of analysis.
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an integer underflow by sending malformed handshake fragments with zero length and a non-zero offset, enabling information disclosure or denial of service against Red Hat-shipped GnuTLS (RHEL 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images). Reported by Red Hat with a vendor patch available and errata released; no public exploit identified at time of analysis, and EPSS is very low (0.04%, 11th percentile) with SSVC exploitation status 'none'. CVSS 9.1 reflects high confidentiality and availability impact over the network at low complexity without authentication.
Buffer overflow in Linux kernel Xen hypervisor interface allows local authenticated users to achieve arbitrary code execution with high privilege escalation impact. The vulnerability stems from improper handling of non-NUL-terminated build ID data from HYPERVISOR_xen_version(XENVER_build_id) in drivers/xen/sys-hypervisor.c, where sprintf reads past buffer boundaries seeking a NUL terminator. Affects Linux kernel versions from 5.10 through 7.0 series when running as Xen domain. Vendor-released patches available across all affected stable branches (5.10.254, 5.15.204, 6.1.170, 6.6.137, 6.12.85, 6.18.26, 7.0.3). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation despite high CVSS 7.8, reflecting specialized Xen-only attack surface. No public exploit identified at time of analysis.
Out-of-bounds read in ASR Kestrel's nr_fw power control module enables authenticated remote attackers to trigger buffer overflow conditions, potentially disclosing sensitive information and compromising system integrity with low-to-moderate impact across security boundaries. Exploitable over the network with low complexity by attackers holding low-privilege credentials. EPSS data unavailable; not currently listed in CISA KEV. Vendor advisory confirms patch released February 10, 2026.
Heap buffer overflow in FreeBSD's libnv library allows remote unauthenticated attackers to achieve privilege escalation or denial of service through maliciously crafted message headers. The vulnerability affects FreeBSD versions 13.5, 14.3, 14.4, and 15.0, with patches released in security advisory FreeBSD-SA-26:17.libnv. Despite network attack vector and privilege escalation potential (CVSS 8.1), EPSS scoring indicates only 0.02% exploitation probability (5th percentile), and no active exploitation or public exploit code has been identified. SSVC classifies technical impact as partial with no confirmed exploitation.
Stack corruption in FreeBSD libnv library allows local authenticated attackers to elevate privileges to root when exploiting setuid-root applications. The vulnerability stems from libnv's select(2) implementation failing to validate socket descriptors against FD_SETSIZE limits (1024), enabling descriptor exhaustion attacks that corrupt stack memory. Confirmed by FreeBSD Security Advisory SA-26:16 with patches available across all stable branches. EPSS score of 0.02% indicates low observed exploitation probability, and no active exploitation or public POC identified at time of analysis.
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.
Local privilege escalation in FreeBSD kernel allows authenticated users to gain root privileges through buffer overflow in execve(2) argument handling. The vulnerability stems from an operator precedence bug causing attacker-controlled data to overwrite adjacent execution argument buffers. CISA SSVC framework indicates no active exploitation detected, though the technical impact enables complete system compromise. EPSS probability remains very low (0.02%, 5th percentile), suggesting targeted rather than widespread threat. FreeBSD has released patches across all supported release branches.
Integer overflow in Little CMS color engine versions 2.16 through 2.18 allows local attackers to trigger integer overflow in the ParseCube function when processing specially crafted color lookup table (LUT) input files, potentially resulting in buffer overflow and denial of service or information disclosure. The vulnerability affects the CGATS parser used for loading ICC color profiles and LUT data. No public exploit code identified at time of analysis, though upstream fix is available in version 2.19.
Heap overflow in Wireshark 4.6.0 through 4.6.4 TLS protocol dissector enables remote code execution when a user opens a malicious capture file or inspects crafted network traffic. The vulnerability requires user interaction (UI:R) but no authentication, making it exploitable via social engineering. No public exploit code identified at time of analysis, though the technical details are disclosed in vendor advisory wnpa-sec-2026-14 and tracked in GitLab issue #21090. CVSS 8.8 reflects the combination of network vector, low complexity, and potential for complete system compromise despite the user interaction requirement.
Denial of service in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 via stack buffer overflow in the AMR-NB codec decoder allows local attackers with user interaction to crash the application. The vulnerability requires opening a specially crafted network capture file, making it exploitable in scenarios where users are tricked into opening untrusted PCAP files or when Wireshark auto-opens recent captures.
Heap buffer overflow in the DCP-ETSI protocol dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 causes denial of service when a user opens a malicious packet capture file. The vulnerability requires user interaction (opening a crafted .pcap or similar file locally) and crashes the application, preventing further packet analysis. No public exploit code or active exploitation has been confirmed at this time.
Stack buffer overflow in Wireshark's BEEP protocol dissector causes denial of service when processing malformed network packets. Versions 4.6.0-4.6.4 and 4.4.0-4.4.14 are vulnerable; a local user with the ability to interact with Wireshark or supply crafted BEEP traffic can trigger a crash via a specially crafted packet that requires user interaction to open or process. No public exploit code or active exploitation has been identified at time of analysis.
Stack buffer overflow in Wireshark's ZigBee protocol dissector (versions 4.6.0-4.6.4 and 4.4.0-4.4.14) causes application crash and denial of service when processing malformed ZigBee packets. An attacker must trick a user into opening a crafted packet capture file or visiting a malicious webpage serving the packet, since the vulnerability requires local file access and user interaction. No active exploitation has been publicly reported.
Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 crash when processing malformed Kismet protocol packets due to a buffer overflow in the Kismet dissector, allowing unauthenticated remote denial of service via a crafted network capture file or live traffic. User interaction (opening a malicious capture file or capturing traffic) is required. No public exploit code or active exploitation has been identified at the time of analysis.
Heap buffer overflow in Wireshark's DCP-ETSI protocol dissector causes denial of service when processing malformed network packets in versions 4.6.0-4.6.4 and 4.4.0-4.4.14. A local user can trigger a crash by opening a crafted packet file or live network capture, rendering the packet analysis tool unresponsive. No remote exploitation or data exfiltration is possible; impact is limited to availability.
Heap buffer overflow in the iLBC audio codec dissector in Wireshark 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers with user interaction to trigger a denial of service crash by supplying a malformed iLBC packet. The vulnerability requires user interaction to open a crafted packet capture file and does not enable code execution.
Stack buffer overflow in Wireshark HTTP protocol dissector (versions 4.6.0-4.6.4 and 4.4.0-4.4.14) causes application crash when processing malformed HTTP packets, resulting in denial of service. Local attackers with ability to trigger packet analysis via user interaction can crash the application and disrupt network traffic inspection workflows.
Denial of service in Wireshark sharkd versions 4.6.0-4.6.4 and 4.4.0-4.4.14 allows local attackers with user interaction to crash the application via a heap buffer overflow. The vulnerability requires local access and user interaction (opening a malicious file or network capture), making it a low-to-moderate priority for networked analyst workstations but not a remote code execution risk.
Stack-based buffer overflow in Tenda 4G300 US_4G300V1.0Mt_V1.01.42_CN_TDC01 allows authenticated remote attackers to execute arbitrary code with elevated privileges via crafted SafeMacFilter requests. The vulnerability resides in function sub_427C3C at endpoint /goform/SafeMacFilter, where insufficient input validation of the 'page' parameter enables memory corruption. Public exploit code exists on GitHub (Axelioc/CVE), significantly lowering the barrier to exploitation for attackers with valid router credentials. CVSS 7.4 reflects high confidentiality, integrity, and availability impact requiring only low-privilege authentication.
Out-of-bounds write in Exim before 4.99.2 SPA authentication driver allows remote attackers to crash the mail server connection or leak uninitialized heap memory when processing adversarial SPA authentication resources, affecting confidentiality and availability of the mail service.
Out-of-bounds read in Exim before 4.99.2 when UTF-8 operators are enabled allows remote unauthenticated attackers to leak sensitive information through error messages by sending email with malformed UTF-8 trailing characters in headers. The vulnerability has high attack complexity due to the requirement for UTF-8 operator enablement and specific malformed input crafting, but requires no user interaction and operates over the network on default deployments.
Out-of-bounds heap write in Exim before 4.99.2 allows unauthenticated remote attackers to cause denial of service and potentially corrupt memory when the JSON lookup feature is enabled and malformed JSON is present in untrusted email headers, due to incorrect backslash escape sequence handling in the JSON operator.
A security flaw has been discovered in UTT HiPER 1250GW up to 3.2.7-210907-180535. Impacted is the function strcpy of the file route/goform/ConfigAdvideo. The manipulation of the argument Profile results in buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
A vulnerability was identified in UTT HiPER 1250GW up to 3.2.7-210907-180535. This issue affects the function strcpy of the file route/goform/formTaskEdit_ap. The manipulation of the argument Profile leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
A vulnerability was determined in UTT HiPER 1250GW up to 3.2.7-210907-180535. This vulnerability affects the function strcpy of the file route/goform/NTP. Executing a manipulation of the argument Profile can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.
Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.
Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size. To mitigate this issue, users should upgrade to the fixed version when available.
Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.8.0 to before version 4.14.4, a stack-based buffer overflow exists in print_hex_string() in wazuh-remoted. The bug is triggered when formatting attacker-controlled bytes using sprintf(dst_buf + 2*i, "%.2x", src_buf[i]) on platforms where char is treated as signed and the compiled code sign-extends bytes before the variadic call. For input bytes such as 0xFF, the formatting can emit "ffffffff" (8 chars) instead of "ff" (2 chars), causing an out-of-bounds write past a fixed 2049-byte stack buffer. The vulnerable path is reachable remotely prior to any agent authentication/registration logic via TCP/1514 when an oversized length prefix causes the “unexpected message (hex)” diagnostic path to run. Additionally, the same unauthenticated oversized-message diagnostic path logs an attacker-controlled hex dump to /var/ossec/logs/ossec.log for each trigger, allowing remote log amplification that can degrade monitoring fidelity and consume disk/I/O. This log amplification is reachable even without triggering the sign-extension overflow (e.g., using bytes < 0x80). This issue has been patched in version 4.14.4.
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
A post-authentication Stack-based Buffer Overflow vulnerabilities in SonicOS allows a remote attacker to crash a firewall.
An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.
Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine.
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption. The Parse, print, getline, and getline_all methods invoke registered callbacks (for example after_parse, before_print, or on_error) and cache the Perl argument stack pointer across the call. If a callback extends the argument stack enough to trigger a reallocation, the return value is written through the stale pointer into the freed buffer, and the caller reads the original $self argument as the return value instead. Calling code that expects parsed data from getline_all receives the Text::CSV_XS object in its place, leading to logic errors or crashes. Text::CSV_XS objects used without any registered callbacks are not affected.
Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.
TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.
Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
Remote authenticated attackers can execute arbitrary code on D-Link DIR-825M routers (firmware 1.1.12) by sending specially crafted requests to the /boafrm/formWanConfigSetup endpoint with malicious submit-url parameters, triggering a buffer overflow in function sub_414BA8. Public proof-of-concept exploit code exists on GitHub (Kiciot/cve#3), significantly lowering exploitation barriers. While requiring authentication (PR:L), the network attack vector (AV:N) and low complexity (AC:L) enable remote compromise of affected devices with potential for complete device control (VC:H/VI:H/VA:H). No CISA KEV listing or EPSS data available at time of analysis.
Buffer overflow in D-Link DIR-825M 1.1.12 router allows authenticated remote attackers to achieve high-severity code execution via crafted submit-url parameter in VPN configuration interface. Public exploit code exists (CVSS 4.0 E:P) with technical details disclosed on GitHub, enabling remote compromise of router administrative functions by low-privileged authenticated users. CVSS 7.4 HIGH severity with network attack vector and low complexity indicates significant risk for internet-facing devices with default or weak credentials.
Sandbox escape in Mozilla Firefox's WebRTC networking component allows remote attackers to break out of browser process isolation and execute code outside the sandbox with high integrity and confidentiality impact. Firefox ESR 140.10.1 fixes this critical boundary condition flaw (CWE-120). User interaction is required (visiting a malicious site), but no authentication is needed. EPSS data not provided. Not listed in CISA KEV at time of analysis, indicating no confirmed widespread active exploitation.
Multiple memory corruption vulnerabilities in Firefox 150.0.0 and Thunderbird 150.0.0 enable remote code execution through memory safety bugs. Mozilla's security advisory confirms these flaws could allow arbitrary code execution with sufficient exploit development. No active exploitation confirmed at time of analysis, but SSVC framework rates this as automatable with partial technical impact. Vendor-released patch available in Firefox 150.0.1.
Memory safety bugs present in Firefox ESR 140.10.0, Thunderbird ESR 140.10.0, Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Firefox ESR 140.10.1.
Memory safety bugs present in Firefox ESR 115.35.0, Firefox ESR 140.10.0, Thunderbird ESR 140.10.0, Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1.
Information disclosure in Mozilla Firefox, Firefox ESR 140, and Firefox ESR 115 allows remote unauthenticated attackers to extract sensitive data via incorrect boundary conditions in the Audio/Video component. The vulnerability permits network-based exploitation with low complexity and no user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), enabling unauthorized access to high-confidentiality information. Mozilla released patches in Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1 (confirmed by vendor advisories MFSA2026-35/36/37). SSVC indicates automatable exploitation with partial technical impact, though no public exploit or active exploitation is identified at time of analysis.
Out-of-bounds write in GNU C Library 2.2+ allows remote unauthenticated attackers to corrupt memory and potentially execute arbitrary code through specially crafted TSIG DNS records processed by deprecated ns_printrrf, ns_printrr, or fp_nquery functions. While these functions are deprecated, any application still using them for DNS record printing remains vulnerable to network-based attacks with low complexity and no authentication barriers. No public exploit identified at time of analysis, but the deprecated status suggests limited real-world exposure despite the network attack vector.
Remote code execution in D-Link DI-8100 router firmware 16.07.26A1 allows unauthenticated attackers to compromise the device via buffer overflow in the CGI endpoint. The vulnerability resides in the tgfile.htm CGI handler where inadequate input validation of the 'fn' parameter enables attackers to overflow a stack or heap buffer. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation against internet-exposed devices. CVSS 8.9 (Critical) with network vector, low complexity, and no privileges required indicates high real-world risk for exposed D-Link DI-8100 routers.
Buffer overflow in D-Link DI-8100 router firmware 16.07.26A1 allows authenticated administrators to execute arbitrary code remotely via crafted file extension names. The vulnerability affects the file_exten.asp File Extension Handler component, with a publicly available exploit (E:P in CVSS vector). While requiring high-privilege access (PR:H), successful exploitation grants complete system control (VC:H/VI:H/VA:H), and the attack complexity is low (AC:L). No CISA KEV listing indicates targeted rather than widespread exploitation despite public POC availability.
Out-of-bounds read in Artifex MuPDF up to version 1.28.0 within the CFF Index Handler's fz_subset_cff_for_gids function allows local attackers with low privileges to disclose sensitive information from application memory. The vulnerability requires local access and low privilege level but can be triggered without user interaction; publicly available exploit code exists and the vulnerability remains unpatched as of the last vendor response.
Buffer overflow in Totolink N300RT router firmware 3.4.0-B20250430 allows authenticated remote attackers with high-privilege administrative access to execute arbitrary code via crafted input to the entry_name parameter in /boafrm/formIpQoS. Public exploit code is available on GitHub demonstrating the vulnerability. EPSS data not provided, but the requirement for high-privilege authentication significantly limits real-world exploitation surface to scenarios where administrative credentials are already compromised.
Buffer overflow in Totolink N300RT 3.4.0-B20250430 enables authenticated remote code execution via the WPS configuration handler. An attacker with administrative credentials (PR:H) can send a crafted localPin parameter to /boafrm/formWsc, overflowing a buffer in the is_cmd_string_valid function (libapmib.so) to execute arbitrary code with full system access (VC:H/VI:H/VA:H). Public proof-of-concept exploit code exists on GitHub (xiaohaiyang-ai/TOTOLINK-N300RT-Buffer-Overflow), increasing weaponization risk despite requiring privileged access. EPSS data not available; no CISA KEV listing indicates exploitation not yet widespread in wild attacks.
Out-of-bounds memory access in Milesight AIOT camera firmware enables remote attackers to achieve high-severity impacts on confidentiality, integrity, and availability when users interact with malicious content. CISA ICS-CERT has issued an advisory for this industrial IoT vulnerability. With network attack vector (AV:N) and low complexity (AC:L) but requiring user interaction (UI:A), the vulnerability presents significant risk to operational technology environments where these cameras are deployed for industrial surveillance and monitoring applications.
Uncontrolled recursion in Apache Thrift Node.js library's skip() function enables remote denial of service via crafted protocol messages. Attacker sends specially-crafted Thrift messages triggering deep recursion in the skip() deserialization routine, exhausting stack memory and crashing the Node.js process. CVSS 8.7 High severity with network attack vector requiring no authentication. Disclosed via oss-security mailing list on 2026-04-28 alongside three related Thrift vulnerabilities (C++ JSON OOB read CVE-2026-41607, c_glib dispatch stack overflow CVE-2026-41606, Swift Compact Protocol issue CVE-2026-41605), suggesting coordinated security audit results. EPSS data not yet available for 2026 CVE.
Out-of-bounds read in Apache Thrift C++ JSON deserialization allows remote attackers to leak sensitive information and trigger denial of service via malformed JSON payloads. Affects Apache Thrift versions prior to 0.23.0. The vulnerability has low exploitation probability (EPSS 0.02%) and is not currently listed in CISA KEV, suggesting limited real-world weaponization despite network-accessible attack vector.
Out-of-bounds read vulnerability in Apache Thrift Swift implementation allows remote unauthenticated attackers to trigger denial of service and disclose limited memory contents via malformed skip() operations during protocol deserialization. Affects all versions prior to 0.23.0, with publicly disclosed exploit details on oss-security mailing list. EPSS exploitation probability remains low (5th percentile) despite network-accessible attack vector, suggesting limited real-world targeting to date. Vendor patch released in version 0.23.0 addresses all six concurrently disclosed Thrift vulnerabilities (CVE-2026-41602 through CVE-2026-41607).
Remote denial of service in MIT Kerberos 5 (krb5) before 1.22.3 allows an unauthenticated network attacker to crash any application that calls gss_accept_sec_context() on a host where a NegoEx mechanism is registered in /etc/gss/mech. A crafted NegoEx token triggers an integer underflow leading to an out-of-bounds read in parse_message(), terminating the GSS-API acceptor process. No public exploit is identified at time of analysis, EPSS risk is low (0.07%), and CISA SSVC scores exploitation as 'none'.
A vulnerability was determined in Tenda HG3 2.0. Impacted is the function formUploadConfig of the file /boaform/formIPv6Routing. This manipulation of the argument destNet causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Buffer overflow in TH1520 AON firmware protocol driver allows local authenticated attackers with low privileges to execute arbitrary code and gain elevated system access. The vulnerability stems from unsafe pointer arithmetic when accessing the 'mode' field through the 'resource' pointer with unchecked offsets in the T-HEAD firmware driver. Patches available across stable kernel branches (6.18.23, 6.19.13, 7.0) with low EPSS score (0.02%) indicating minimal observed exploitation attempts, though CVSS 7.8 reflects high impact if exploited on affected T-HEAD TH1520 systems.
A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.
Text::Minify::XS versions from v0.3.0 before v0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minnify.