Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36141)
Heap out-of-bounds read in wolfSSL versions prior to 5.9.1 allows unauthenticated attackers on an adjacent network to trigger information disclosure via a crafted PKCS7 message that bypasses bounds checking in the indefinite-length end-of-content verification loop. The vulnerability has a low CVSS score of 2.3 due to restricted attack vector (adjacent network only) and limited integrity impact, with no public exploit code identified at time of analysis.
Out-of-bounds read in wolfSSL's dual-algorithm CertificateVerify processing allows remote attackers to trigger information disclosure and data integrity violations through crafted input, but only when the library is compiled with both --enable-experimental and --enable-dual-alg-certs flags. The vulnerability affects wolfSSL versions before 5.9.1 and requires network access with low attack complexity, though the attack triggering mechanism involves a passive timing or state condition (AT:P). No public exploit code or active exploitation has been identified.
Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated remote attackers to achieve code execution via POST request manipulation. The formSetLog function in /goform/formSetLog improperly handles the curTime parameter, enabling memory corruption. Publicly available exploit code exists. This end-of-life product receives no vendor support or security updates.
Buffer overflow in D-Link DIR-605L 2.13B01 router enables remote code execution via POST request manipulation of curTime parameter in formSetDDNS function. Publicly available exploit code exists. Affected device is end-of-life with no vendor support. Authenticated attacker with low-privilege network access can achieve complete system compromise (high confidentiality, integrity, availability impact per CVSS 4.0 scoring).
Integer underflow in wolfSSL's packet sniffer (versions up to 5.9.0) allows remote attackers to crash applications during AEAD decryption by sending malformed TLS Application Data records with insufficient length for the explicit IV and authentication tag. The vulnerability wraps a 16-bit length value to an unexpectedly large integer, triggering an out-of-bounds read in decryption routines. While the CVSS score is low (2.1) due to limited practical impact (availability only), the attack requires no victim interaction beyond network exposure and affects any system passively inspecting encrypted TLS traffic through wolfSSL's ssl_DecodePacket function.
Stack buffer over-read in wolfSSL's MatchDomainName function allows authenticated remote attackers to cause denial of service through a crafted wildcard hostname during TLS certificate validation when the LEFT_MOST_WILDCARD_ONLY flag is enabled. The vulnerability reads one byte past the allocated buffer when a wildcard character exhausts the entire hostname string, triggering a potential crash with very low real-world exploitation probability (EPSS and CVSS indicate limited practical risk).
Heap buffer overflow in wolfSSL DTLS 1.3 ACK message handler allows unauthenticated remote attackers to achieve integrity and availability impacts via crafted network packets. The vulnerability triggers memory corruption during ACK message processing in DTLS 1.3 sessions, enabling potential arbitrary code execution or denial of service. No public exploit identified at time of analysis, though low observed exploitation activity noted.
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to achieve arbitrary code execution via crafted POST requests to /goform/formAdvNetwork endpoint. Exploitation manipulates the curTime parameter in the formAdvNetwork function, triggering memory corruption. This end-of-life device receives no vendor support; publicly available exploit code exists. Affected hardware presents elevated risk in legacy network environments where administrative credentials may be compromised.
Unauthenticated buffer overflow in Juniper Networks Junos OS Evolved advanced forwarding toolkit (evo-aftmand/evo-pfemand) permits adjacent attackers to crash PTX Series and QFX5000 Series devices via crafted multicast packets. Exploitation triggers line card or device restart, sustaining denial of service under continuous attack. Affects multiple Junos OS Evolved release branches before patched versions. No public exploit identified at time of analysis. Attack requires adjacent network access but no authentication, making exploitation feasible in shared network segments.
Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated attackers to achieve remote code execution via crafted curTime parameter in formSetMACFilter POST handler. This end-of-life product receives no vendor support. Publicly available exploit code exists. Attackers with low-privilege network access can compromise device confidentiality and integrity remotely without user interaction.
Buffer overflow in D-Link DIR-605L 2.13B01 wireless router enables remote authenticated attackers to execute arbitrary code via the formAdvFirewall function in POST request handler. Exploitation occurs through manipulation of the curTime parameter in /goform/formAdvFirewall endpoint. Publicly available exploit code exists. This end-of-life product receives no vendor security support, requiring immediate device replacement for affected deployments.
Buffer overflow in D-Link DIR-605L 2.13B01 router allows authenticated remote attackers to achieve code execution through malicious curTime parameter in formVirtualServ function via POST request to /goform/formVirtualServ endpoint. Affects end-of-life product with no vendor support. Publicly available exploit code exists. Attack requires low-privilege authentication but no user interaction, enabling remote compromise of device confidentiality and integrity.
Heap buffer overflow in wolfSSL's CertFromX509 function allows remote attackers to cause information disclosure through malformed X.509 certificates containing oversized AuthorityKeyIdentifier extensions. The vulnerability requires a persistent attacker (AT:P per CVSS 4.0) but no authentication, affecting wolfSSL across all versions until patched. EPSS exploitation probability and active exploitation status cannot be determined from available data; no public exploit code has been independently confirmed.
Heap out-of-bounds write in wolfSSL's DecodeObjectId() function in wolfcrypt/src/asn.c allows authenticated remote attackers to trigger memory corruption through two distinct mechanisms: insufficient bounds checking when outSz equals 1, and confusion between buffer byte size and element count across multiple callers, permitting crafted OIDs with 33+ arcs to overflow a 32-arc buffer. CVSS 2.3 reflects low impact (data modification only, no confidentiality loss), but the vulnerability affects cryptographic certificate and message parsing across all wolfSSL versions up to 5.9.0. No public exploit identified at time of analysis.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Wasmtime's pooling allocator leaks linear memory contents between WebAssembly instances when configured with specific non-default settings (memory_guard_size=0, memory_reservation<4GiB, max_memory_size=memory_reservation). Affected versions 28.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allow authenticated local attackers with high attack complexity to read sensitive data from previously-mapped memory due to incorrect virtual memory permission reset logic. Vendor-released patches: 36.0.7, 42.0.2, and 43.0.1. No public exploit identified at time of analysis.
Memory sandbox escape in Wasmtime's Winch compiler (versions 25.0.0 to before 36.0.7, 42.0.2, 43.0.1) enables authenticated WebAssembly guests to access arbitrary host process memory outside linear-memory boundaries. Exploitation requires non-default Winch backend activation via -Ccompiler=winch flag. Attackers can read up to 32KiB before memory start or ~4GiB after, with theoretical potential for unlimited in-process memory access due to improper 32-bit offset handling in 64-bit registers. Consequences include host process crashes (DoS), sensitive data exfiltration, or remote code execution through memory writes. Affects aarch64 (confirmed PoC) and x86-64 (theoretical). Publicly available exploit code exists.
Arbitrary memory read/write vulnerability in Bytecode Alliance Wasmtime versions 32.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 allows authenticated remote attackers to escape WebAssembly sandbox restrictions. The Cranelift compilation backend on aarch64 architecture miscompiles specific heap access patterns, creating divergent address computations where bounds checks validate one address while loads access another, enabling sandbox escape through unrestricted host memory access. Exploitation requires 64-bit WebAssembly linear memories with Spectre mitigations and signals-based-traps disabled. No public exploit identified at time of analysis.
Wasmtime runtime versions prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1 incorrectly validate UTF-16 string byte lengths during component-model encoding transcoding, causing out-of-bounds memory reads that trigger process termination via segfault in default configurations or potentially expose host memory when guard pages are disabled. Authenticated users with UI interaction can trigger this denial-of-service vulnerability; reading beyond linear memory requires non-standard Wasmtime configuration without guard pages. No public exploit code has been identified at time of analysis.
Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Stack buffer overflow in osslsigncode <2.12 allows local attackers to execute arbitrary code during signature verification. The vulnerability affects PE, MSI, CAB, and script file verification handlers that copy digest values from SpcIndirectDataContent structures into fixed 64-byte stack buffers without length validation. Attackers craft malicious signed files with oversized digest fields triggering memcpy overflow when users verify files via osslsigncode verify command, corrupting stack state and enabling code execution with high confidentiality, integrity, and availability impact.
Out-of-bounds read in Orthanc DICOM Server's DicomStreamReader allows remote unauthenticated attackers to trigger denial-of-service conditions via malformed DICOM meta-header structures. CVSS 7.5 (High) with network attack vector and low complexity, requiring no privileges or user interaction. EPSS score of 0.01% (3rd percentile) indicates minimal observed exploitation activity. No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis, though CERT/CC coordination (VU#536588) suggests coordinated disclosure process.
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows unauthenticated remote code execution via malformed DICOM images. Attackers exploit integer overflow during frame size calculation by submitting DICOM files with dimension fields encoded as Unsigned Long (UL) instead of Unsigned Short (US), causing out-of-bounds memory access during image decoding. CVSS 9.8 (Critical) with network-accessible attack vector requiring no authentication or user interaction. EPSS score 2% (percentile 4%) suggests low observed exploitation probability despite critical severity. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
Heap buffer overflow in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to achieve arbitrary code execution by sending specially crafted PALETTE COLOR DICOM images. The flaw stems from integer overflow during 32-bit width×height multiplication in pixel length validation, causing bounds checks to incorrectly pass and enabling out-of-bounds memory read/write operations. CVSS 9.8 critical severity with network attack vector requiring no privileges or user interaction. EPSS exp
Out-of-bounds heap read in Orthanc DICOM Server ≤1.12.10 allows unauthenticated remote attackers to extract heap memory contents and potentially crash the server via malformed PALETTE COLOR images. The vulnerability resides in the DecodeLookupTable function, which fails to validate pixel indices against palette size boundaries. With a 9.1 CVSS score but only 0.02% EPSS (4th percentile), the theoretical severity is high but observed real-world exploitation probability remains very low. No active exploitation confirmed (not in CISA KEV), no public exploit code identified at time of analysis.
Heap buffer overflow in Orthanc DICOM Server (versions ≤1.12.10) allows local attackers to corrupt data or crash the service via maliciously crafted PAM images embedded in DICOM files. The vulnerability stems from integer overflow during buffer size calculation when multiplying image dimensions with 32-bit arithmetic, leading to undersized heap allocation followed by oversized writes during pixel processing. EPSS score of 0.02% (5th percentile) indicates very low observed exploitation probability; no public exploit code or active exploitation confirmed at time of analysis.
Out-of-bounds read in Orthanc DICOM Server's Philips PMSCT_RLE1 decompression allows local attackers to leak heap memory into rendered medical images via maliciously crafted DICOM files. Affects versions ≤1.12.10. Requires user interaction (opening crafted file). EPSS 0.02% (4th percentile) indicates minimal real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis. CERT/CC reported (VU#536588).
Stack-based buffer overflow in Tenda AC15 router firmware 15.03.05.18 websGetVar function allows authenticated remote attackers to execute arbitrary code with high impact to confidentiality, integrity, and availability. The vulnerability resides in /goform/SysToolChangePwd endpoint where manipulation of oldPwd, newPwd, or cfmPwd parameters triggers memory corruption. Publicly available exploit code exists. Exploitation requires low-privilege authenticated access but no user interaction, making it readily exploitable once credentials are obtained.
Stack-based buffer overflow in D-Link DIR-645 router (versions 1.01, 1.02, 1.03) via hedwigcgi_main function in /cgi-bin/hedwig.cgi allows authenticated remote attackers to achieve complete system compromise. Exploitation requires low-privilege credentials but no user interaction. Publicly available exploit code exists. Product is end-of-life with no vendor support, making remediation limited to device replacement or network isolation.
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Out-of-bounds read in Google Chrome's Blink rendering engine (versions prior to 147.0.7727.55) allows remote attackers to disclose sensitive memory contents and trigger denial-of-service via malicious HTML pages. Despite an 8.1 CVSS score, this is rated Chromium security severity 'Low', requires user interaction (visiting a crafted page), has minimal real-world exploitation probability (EPSS 0.03%, 10th percentile), and is not actively exploited (no KEV listing). Vendor-released patch available in Chrome 147.0.7727.55.
Integer overflow in Google Chrome's WebRTC component (versions prior to 147.0.7727.55) enables remote attackers to trigger out-of-bounds memory writes through specially crafted HTML pages. Exploitation requires user interaction (visiting malicious page) but no authentication, potentially allowing arbitrary code execution, data corruption, or information disclosure. Vendor-assigned security severity: Low; CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Integer overflow in Google Chrome's media handling (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption through specially crafted video files, achieving potential arbitrary code execution with high confidentiality, integrity, and availability impact. Attack requires user interaction to open malicious media content. Exploitation is unauthenticated (network-accessible). No public exploit identified at time of analysis. Classified as low severity by Chromium project despite CVSS 8.8 rating.
Integer overflow in Google Chrome's Media component enables remote heap corruption through malicious video files. Affects Chrome versions prior to 147.0.7727.55 on all desktop platforms. Unauthenticated attackers can achieve arbitrary code execution, data theft, or denial of service by convincing users to open specially crafted video content. CVSS 8.8 severity reflects network-based attack requiring user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Integer overflow in Google Chrome's Media component allows remote attackers to trigger heap corruption via specially crafted video files. Affects Chrome versions prior to 147.0.7727.55. Attack requires user interaction (opening malicious video file) but no authentication. Successful exploitation enables arbitrary code execution with high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis. Chromium project rates severity as Low despite CVSS 8.8 score.
Out-of-bounds memory read in Google Chrome's media subsystem (versions prior to 147.0.7727.55) enables remote attackers to disclose sensitive information and trigger denial-of-service conditions via malicious video files. Exploitation requires user interaction (opening/playing crafted video content). Attack vector is network-based with low complexity and no authentication required. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.03%, 10th percentile).
Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.
Remote code execution in Google Chrome prior to 147.0.7727.55 allows attackers to execute arbitrary code within the browser sandbox through crafted HTML pages exploiting out-of-bounds read/write conditions in the V8 JavaScript engine. User interaction (visiting a malicious page) is required, but no authentication is needed. With CVSS 8.8 and low EPSS (0.04%, 11th percentile), this represents a high-severity browser vulnerability with limited observed real-world exploitation activity. Patch available in Chrome 147.0.7727.55. No public exploit identified at time of analysis.
Heap buffer overflow in WebML (a web markup language component) in Google Chrome prior to version 147.0.7727.55 allows remote attackers to obtain potentially sensitive information from process memory by serving a crafted HTML page. The vulnerability requires no user authentication and can be triggered through normal web browsing, though exploitation has a low probability (EPSS 0.03%) and no public exploit code has been identified.
Arbitrary code execution in Google Chrome for macOS versions prior to 147.0.7727.55 occurs via heap buffer overflow in the ANGLE graphics layer when processing malicious HTML pages. Remote attackers can achieve full compromise of confidentiality, integrity, and availability within Chrome's sandbox by exploiting this CWE-122 heap overflow with low attack complexity and no authentication. EPSS probability is low (0.03%, 10th percentile) with no public exploit identified at time of analysis, indicating limited observed exploitation activity despite the high CVSS score of 8.8.
Heap buffer overflow in WebML component of Google Chrome prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory via a specially crafted HTML page. The vulnerability requires no user authentication and only user interaction (page visit), with a CVSS score of 6.5 reflecting confidentiality impact and limited availability risk. No public exploit code or active exploitation has been confirmed at time of analysis, though a vendor patch is available.
Heap buffer overflow in Google Chrome's WebAudio component prior to version 147.0.7727.55 allows unauthenticated remote attackers to read sensitive information from process memory by serving a crafted HTML page. The vulnerability has a CVSS score of 6.5 and EPSS probability of 0.03% (8th percentile), indicating low real-world exploitation likelihood despite the network attack vector and lack of user interaction requirements. Vendor-released patch is available.
Integer overflow in Google Chrome's WebML component (versions prior to 147.0.7727.55) enables remote attackers to trigger heap corruption via malicious HTML pages, requiring only user interaction to visit a crafted website. The vendor-assigned severity is Critical, though EPSS indicates only 0.03% probability of exploitation in the wild (9th percentile), and no public exploit identified at time of analysis. Patch available in Chrome 147.0.7727.55 and later.
Remote code execution in Google Chrome versions prior to 147.0.7727.55 allows unauthenticated attackers to execute arbitrary code by exploiting a heap buffer overflow in the WebML component through specially crafted HTML pages. The vulnerability requires user interaction (visiting a malicious page) but presents critical risk with high impact to confidentiality, integrity, and availability. EPSS score of 0.03% (9th percentile) indicates low probability of imminent exploitation in the wild, with no public exploit identified at time of analysis and no CISA KEV listing confirming active exploitation.
Kamailio versions prior to 6.0.5 and 5.8.7 contain an out-of-bounds read in the auth module that allows remote attackers with high privileges to trigger a denial of service via a specially crafted SIP packet when successful user authentication without a database backend is followed by additional identity checks. The vulnerability requires high privilege level and high attack complexity but can reliably crash the Kamailio process, impacting SIP service availability.
Out-of-bounds memory access in Kamailio SIP server versions before 5.8.8, 6.0.6, and 6.1.1 enables unauthenticated remote attackers to crash server processes via malformed TCP packets. Affects deployments with TCP or TLS listeners enabled. Exploits network-accessible SIP signaling infrastructure without authentication or user interaction, resulting in complete service unavailability. No public exploit identified at time of analysis.
Buffer overflow in pyca/cryptography library allows reading past allocated memory when non-contiguous Python buffers (such as reversed slices) are passed to cryptographic APIs like Hash.update() on Python 3.11+. Attackers can trigger memory disclosure or denial of service by crafting malformed buffer objects, affecting any application using the cryptography package with vulnerable buffer handling.
Stack-based buffer overflow in TP-Link Archer AX53 v1.0 tmpServer module enables authenticated adjacent attackers to execute arbitrary code via malicious configuration file. Exploitation triggers segmentation fault, permits device state modification, sensitive data exposure, and integrity compromise. Affects firmware versions before 1.7.1 Build 20260213. Requires high privileges and adjacent network access. No public exploit identified at time of analysis.
Stack-based buffer overflow in Delta Electronics ASDA-Soft allows local attackers with no privileges to execute arbitrary code by tricking users into opening a malicious file. The vulnerability achieves complete system compromise (confidentiality, integrity, availability all rated High in CVSS) through user interaction with crafted input. No public exploit identified at time of analysis, though the low attack complexity and lack of required privileges increase realistic exploitation risk once details emerge.
Integer overflow in Go compiler's loop optimization (cmd/compile 1.25.x < 1.25.9, 1.26.x < 1.26.2) allows remote code execution through crafted source code that triggers invalid array indexing at runtime. Attack vector is network-accessible (AV:N) with no authentication required (PR:N), enabling attackers to compile malicious Go programs that exploit compiler-generated memory corruption vulnerabilities. EPSS score of 0.01% (1st percentile) indicates low observed exploitation probability despite
Memory corruption in Go compiler cmd/compile versions before 1.25.9 and 1.26.0-1.26.1 allows local authenticated attackers to achieve integrity compromise and denial of service. A flaw in pointer unwrapping logic during memory move operations causes the compiler to incorrectly assess overlapping memory regions, potentially corrupting compiled binaries. EPSS score of 0.01% indicates minimal real-world exploitation probability, and no public exploit or active exploitation (non-KEV) has been identified at time of analysis.
Memory corruption in Amazon Firecracker's virtio PCI transport (versions 1.13.0-1.14.3, 1.15.0) enables guest root users to crash the host VMM process or achieve host code execution through malicious virtio queue register modifications post-device activation. Affects x86_64 and aarch64 architectures. While exploitation requires guest root privileges and high attack complexity (CVSS AC:H, PR:H), successful compromise breaches VM isolation boundaries with high impact to host confidentiality, integrity, and availability (CVSS 8.7). No public exploit identified at time of analysis; vendor-released patches available in versions 1.14.4 and 1.15.1.
Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed fx parameter input to the jingx_asp function. Network-accessible exploitation requires no authentication or user interaction (CVSS AV:N/PR:N/UI:N). Impact limited to availability disruption; no data confidentiality or integrity compromise. No public exploit identified at time of analysis. EPSS 0.02% indicates low observed exploitation activity.
Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 ip_position_asp function enables unauthenticated remote attackers to trigger denial of service through crafted input to the ip parameter. Network-accessible vulnerability requires no user interaction. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects unauthenticated network attack vector with complete availability impact.
Buffer overflow in Tenda AC6 router firmware version 15.03.05.16_multi enables unauthenticated remote denial-of-service attacks via crafted HTTP requests to formSetCfm function. Attackers can trigger service disruption by sending malicious funcname, funcpara1, or funcpara2 parameters without authentication. The network-accessible attack vector with low complexity makes this exploitable from the internet. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Stack-based buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service via malformed HTTP GET request to /user_group.asp endpoint. Attacker sends crafted name, mem, pri, or attr parameters triggering memory corruption and device crash. CVSS 7.5 High severity reflects network-accessible attack requiring no privileges or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through crafted HTTP GET requests to /web_keyword.asp endpoint. Attackers exploit improper input validation in name, en, time, mem_gb2312, and mem_utf8 parameters to trigger memory corruption, causing device unavailability. CVSS 7.5 (High) severity reflects network-accessible attack vector requiring no user interaction or privileges. No public exploit identified at time of analysis; low observed exploitation activity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed id parameter in /thd_member.asp endpoint. Exploiting this CWE-120 flaw requires no authentication (CVSS:PR:N) and permits network-based attackers to crash device availability with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%). Affects D-Link network infrastructure devices running vulnerable firmware version.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed vlan_name parameter submitted to /shut_set.asp endpoint. Improper input validation in VLAN configuration interface permits memory corruption leading to system availability disruption. CVSS 7.5 reflects network-accessible attack requiring no user interaction or credentials. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via malformed routes_static parameter to /router.asp endpoint. The vulnerability permits network-accessible attackers to crash the device without credentials or user interaction. No public exploit identified at time of analysis. CVSS 7.5 (High) reflects complete availability impact with network attack vector and low complexity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to the /url_rule.asp endpoint. Exploitation requires no user interaction and succeeds over network access with low complexity. Eight vulnerable parameters (name, en, ips, u, time, act, rpri, log) accept unbounded input causing stack memory corruption. CVSS 7.5 HIGH severity reflects network-accessible availability impact. No public exploit identified at time of analysis. EPSS 0.01% indicates low observed exploitation activity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via crafted name parameter to /usb_paswd.asp endpoint. Stack-based buffer overflow (CWE-121) triggers memory corruption leading to service disruption. Affects network-accessible administrative interfaces without authentication barrier (CVSS AV:N/PR:N). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Buffer overflow in OpenAirInterface 2.2.0 AUSF component crashes service when processing oversized NAS PDU Authentication Response via UplinkNASTransport messages. Unauthenticated remote attackers can send malformed authentication responses (e.g., 100-byte payloads exceeding expected bounds) triggering AUSF component crash, preventing legitimate user registration and verification. Affects 5G core network deployments using OpenAirInterface AUSF. No public exploit identified at time of analysis. CVSS 7.5 High severity due to network-accessible denial of service without authentication requirements.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via malformed name and mem parameters submitted to the /time_group.asp endpoint. The vulnerability requires no user interaction and permits network-based exploitation with low attack complexity. No public exploit identified at time of analysis. EPSS score of 0.02% indicates low observed exploitation activity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed pid parameter values in the /trace.asp endpoint. The vulnerability requires no user interaction and is exploitable over the network with low attack complexity, affecting network availability for enterprise routing infrastructure. No public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via malformed input to the /tggl.asp endpoint. The vulnerability stems from inadequate input validation, allowing network-accessible exploitation without authentication or user interaction. Exploitation results in high-impact availability loss with no confidentiality or integrity compromise. No public exploit identified at time of analysis. EPSS score indicates low observed exploitation activity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed input to the name parameter at /qos_type_asp.asp endpoint. Attackers can trigger service disruption without authentication or user interaction by exploiting insufficient input validation in the QoS management interface. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to /web_post.asp endpoint. Vulnerable parameters include name, en, user_id, log, and time fields. Attack requires no user interaction and exploits improper input validation in web management interface. CVSS 7.5 (High) severity with network-accessible attack vector. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 qj.asp endpoint enables unauthenticated remote denial-of-service attacks through malformed HTTP requests. Insufficient input validation allows attackers to trigger memory corruption, crashing the device and disrupting network services. Confidentiality and integrity remain intact per CVSS scoring, but availability impact is severe. No public exploit identified at time of analysis. EPSS indicates low observed exploitation activity.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks via crafted name parameter to /url_group.asp endpoint. Attackers can trigger stack-based buffer overflow remotely over network without user interaction, causing high availability impact through service disruption or device crash. No public exploit identified at time of analysis. CVSS 7.5 severity reflects network-accessible attack vector with low complexity.
Stack-based buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 allows unauthenticated remote attackers to trigger denial-of-service conditions by sending malformed name parameter values to the /url_member.asp endpoint. The vulnerability enables network-accessible attackers to crash the device without authentication or user interaction, disrupting availability of routing services. No public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service via malformed custom_error parameter to /user.asp endpoint. Attackers can crash device remotely without credentials by exploiting stack-based buffer overflow (CWE-121). CVSS 7.5 reflects network-accessible, low-complexity attack requiring no user interaction. No public exploit identified at time of analysis; low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial-of-service attacks through malformed name parameter in /thd_group.asp endpoint. Improper input validation triggers stack-based buffer overflow, causing device crashes or service disruption without requiring user interaction. Attack vector is network-accessible with low complexity. No public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed id parameter input to /saveparm_usb.asp endpoint. Exploitation requires network access to administrative interface without authentication. CWE-120 classification indicates classic buffer overflow allowing memory corruption. CVSS vector confirms network-exploitable, unauthenticated attack path with high availability impact but no data confidentiality or integrity compromise. No public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed wans parameter input to the qos.asp Quality-of-Service configuration endpoint. Exploitation requires no user interaction and achieves complete availability impact against network infrastructure device. Low observed exploitation activity (EPSS 0.02%, 5th percentile); no public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service attacks. Attackers can trigger memory corruption by submitting oversized 's' parameter values to the pppoe_list_opt.asp endpoint without authentication, causing device unavailability. CVSS 7.5 severity reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8300 router firmware v16.07.26A1 enables unauthenticated remote attackers to trigger denial of service conditions via malformed input to the fn parameter in tgfile_htm function. Network-accessible attack vector requires no privileges or user interaction. CVSS 7.5 (High) reflects availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link enterprise VPN router series (DI-8003, DI-8500, DI-8003G, DI-8200G, DI-8200, DI-8400, DI-8004w, DI-8100, DI-8100G) firmware versions 16.07.26A1 and 17.12.20A1/17.12.21A1 allows unauthenticated remote attackers to trigger denial of service via crafted HTTP requests exploiting rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in radius_asp function. Attack requires no user interaction or authentication (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service via malicious iface parameter to /wan_line_detection.asp endpoint. Attack requires no user interaction and exploits improper input validation in network-accessible web management interface. CVSS 7.5 (High) severity reflects availability impact; no public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions through malformed 's' parameter input to the /web_list_opt.asp endpoint. The vulnerability requires no user interaction and is exploitable over the network with low attack complexity. CVSS 7.5 (High) reflects network-accessible DoS impact. No public exploit identified at time of analysis; low observed exploitation activity (EPSS <1%).
Buffer overflow in D-Link DI-8003 (16.07.26A1) and DI-8003G (19.12.10A1) routers enables unauthenticated remote denial-of-service through improper handling of the wan_ping parameter at the /wan_ping.asp endpoint. Network-accessible attack requires no user interaction or privileges. CVSS:3.1 score 7.5 (High) reflects availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote attackers to trigger denial-of-service conditions via crafted HTTP GET requests to /xwgl_bwr.asp endpoint. Exploitation occurs through oversized name, qq, or time parameters causing memory corruption. CVSS score 7.5 reflects high availability impact without confidentiality or integrity compromise. No public exploit identified at time of analysis, with low observed exploitation activity (EPSS <1%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 enables unauthenticated remote denial of service through the /xwgl_ref.asp endpoint. Attackers exploit improper input validation by sending HTTP GET requests with excessively long strings in eight parameters (name, en, user_id, shibie_name, time, act, log, rpri), causing stack buffer overflow and device crash. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis. Affects network-accessible management interface without authentication requirements.
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 via /yyxz_dlink.asp endpoint enables unauthenticated network-based denial of service attacks. Improper parameter validation allows remote attackers to crash the device or trigger service interruption without authentication, user interaction, or elevated privileges. CVSS 7.5 (High) severity reflects network accessibility and availability impact. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Buffer overflow in D-Link DI-8003 router firmware 16.07.26A1 allows unauthenticated remote attackers to trigger denial-of-service conditions by sending malformed http_lanport parameter values to the /webgl.asp endpoint. Network-accessible attack requires no user interaction or privileges. Exploitation causes availability impact only with no confidentiality or integrity compromise. Low observed exploitation activity (EPSS <1%). No public exploit identified at time of analysis.
Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
Out-of-bounds read in OpenSSL 3.6.0-3.6.1 allows denial of service when AES-CFB128 encryption or decryption processes partial cipher blocks on x86-64 systems with AVX-512 and VAES support. Vulnerability triggers when input buffer ends at a memory page boundary with subsequent unmapped page, causing crashes. Exploitation requires unauthenticated network access but demands specific architectural conditions (AVX-512/VAES) and partial block handling. No public exploit identified at time of analysis. EPSS percentile 5% indicates low observed exploitation activity.