Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36141)
Memory corruption via out-of-bounds read in NI LabVIEW's mgcore_SH_25_3!aligned_free() function enables information disclosure or arbitrary code execution when users open maliciously crafted VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity stems from local attack vector requiring user interaction but no authentication. No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability's existence and technical details.
Memory corruption in NI LabVIEW 26.1.0 and earlier allows local attackers to execute arbitrary code or disclose sensitive information via maliciously crafted VI files. The vulnerability stems from an out-of-bounds read in sentry_transaction_context_set_operation(), requiring user interaction to open a specially crafted file. CVSS 8.5 (High) with local attack vector and low complexity. No public exploit identified at time of analysis, and EPSS data not available for this recently published CVE.
Memory corruption in NI LabVIEW's ResFileFactory::InitResourceMgr() function allows arbitrary code execution or information disclosure when users open malicious VI files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. CVSS 8.5 severity reflects high impact potential, though exploitation requires user interaction to open a crafted file. No public exploit identified at time of analysis, with EPSS data unavailable for this recently assigned CVE. Local attack vector limits remote exploitation scenarios.
Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution and information disclosure when processing maliciously crafted .lvclass files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open the weaponized file (CVSS AV:L/UI:P). No public exploit identified at time of analysis, though the vendor advisory confirms the vulnerability and provides remediation guidance.
Memory corruption via out-of-bounds write in NI LabVIEW allows arbitrary code execution when processing malicious LVLIB files. Affects LabVIEW 2026 Q1 (26.1.0) and all prior versions. Attack requires local access and user interaction to open a specially crafted .lvlib project library file (CVSS 8.5, AV:L/PR:N/UI:P). No public exploit identified at time of analysis. EPSS data not available, but the local attack vector and user interaction requirement significantly limit immediate mass exploitation risk despite high CVSS score.
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.
Memory-safety vulnerability in github.com/jackc/pgx/v5 PostgreSQL driver library allows unauthenticated remote attackers to achieve complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability resides in the pgproto3 subpackage and enables network-accessible exploitation without user interaction. Attack complexity is low, requiring no special privileges. Information disclosure confirmed via source tagging. No public exploit identified at time of analysis.
Remote memory-safety vulnerability in github.com/jackc/pgx/v5 (Go PostgreSQL driver) enables unauthenticated attackers to achieve arbitrary code execution, information disclosure, and denial of service via network vectors. The flaw affects the pgproto3 protocol implementation subpackage with critical-severity CVSS 9.8 scoring. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis. Vulnerability allows complete compromise of confidentiality, integrity, and availability without user interaction or elevated privileges.
Heap-based buffer overflow in LibRaw's HuffTable::initval function allows unauthenticated remote attackers to achieve arbitrary code execution via malformed image files. Affects LibRaw commits 0b56545 and d20315b with CVSS 9.8 critical severity. Attack requires no user interaction beyond processing a malicious file. No public exploit identified at time of analysis, though technical details from Cisco Talos suggest proof-of-concept exists. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and no authentication barrier represents significant risk for applications processing untrusted image files.
Heap-based buffer overflow in LibRaw's lossless JPEG processing (commits 0b56545 and d20315b) allows unauthenticated remote attackers to achieve arbitrary code execution by providing a malicious image file. The vulnerability scores CVSS 9.8 (Critical) with network attack vector, low complexity, and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, though Talos Intelligence has published detailed vulnerability research (TALOS-2026-2331).
Heap-based buffer overflow in LibRaw's x3f_thumb_loader function allows remote code execution via malformed image files. The vulnerability affects LibRaw commit d20315b, a widely-used raw image processing library integrated into applications like ImageMagick, GIMP, and numerous photo management tools. The CVSS 9.8 critical rating reflects network-exploitable conditions requiring no authentication or user interaction. With an EPSS score not yet available and no CISA KEV listing, active exploitation is not confirmed at time of analysis, though the attack complexity is low and requires only delivering a specially crafted file to vulnerable processing workflows.
Heap buffer overflow in LibRaw's x3f_load_huffman function (commit d20315b) allows remote attackers to achieve arbitrary code execution via malicious X3F image files. The vulnerability stems from an integer overflow (CWE-190) leading to heap corruption. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated high. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Reported by Cisco Talos (TALOS-2026-2359), affecting LibRaw's Sigma X3F raw image parsing functionality.
Heap buffer overflow in LibRaw's DNG image processing (commit 8dc68e2) enables remote code execution when parsing maliciously crafted uncompressed floating-point DNG files. The vulnerability stems from an integer overflow in uncompressed_fp_dng_load_raw that miscalculates buffer sizes, allowing network-based attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). No public exploit identified at time of analysis, though Cisco Talos has published technical details. Authentication requirements not confirmed from available data, but CVSS vector indicates no privileges required (PR:N).
Integer overflow in LibRaw's deflate_dng_load_raw function (commit 8dc68e2) enables remote heap buffer overflow via crafted DNG image files, allowing potential code execution without authentication. With CVSS 8.1 and network-accessible attack vector requiring no user interaction, this represents significant risk for applications processing untrusted DNG files. EPSS data not available; no public exploit identified at time of analysis.
Remote code execution in Mozilla Firefox versions prior to 149.0.2 stems from multiple memory safety bugs allowing unauthenticated network attackers to execute arbitrary code without user interaction. Mozilla confirmed memory corruption evidence across affected versions (Firefox 149.0.1 and Thunderbird 149.0.1), though Thunderbird patch status remains unconfirmed. CVSS 9.8 reflects maximum severity due to network-accessible attack vector with no complexity barriers. No public exploit identified at time of analysis, though the CWE-787 out-of-bounds write class has high weaponization potential once technical details emerge from linked Bugzilla entries.
Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs-including CWE-787 out-of-bounds write issues-affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis, though CVSS vector indicates network-accessible attack requiring no user interaction.
Buffer overflow in Firefox WebGPU implementation allows remote code execution when users interact with malicious web content. Affects all Firefox versions prior to 149.0.2. Network-based attack requires user interaction (visiting crafted webpage) but no authentication. CVSS 8.8 reflects high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, though Mozilla's rapid patch release suggests significant risk potential.
Integer overflow in Firefox and Firefox ESR text rendering engine allows remote attackers to achieve arbitrary code execution via specially crafted web content. Affects Firefox versions prior to 149.0.2 and Firefox ESR prior to 140.9.1. Attack requires user interaction (visiting malicious webpage) but no authentication. CVSS 8.8 (High severity). No public exploit identified at time of analysis, though the vulnerability class (integer overflow leading to buffer overflow) is well-understood and exploitable.
Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox <149.0.2, Firefox ESR <115.34.1, and Firefox ESR <140.9.1 across desktop platforms. With CVSS 9.8 (critical severity, network-accessible, no privileges required) and CWE-119 buffer overflow classification, this represents multiple memory safety bugs that Mozilla assessed could be exploited for arbitrary code execution. No public exploit identified at time of analysis; EPSS data not provided but critical browser vulnerabilities historically attract rapid exploitation interest.
Buffer overflow in Hitachi JP1/IT Desktop Management suite and Job Management Partner 1 software on Windows allows local authenticated users to cause denial of service by triggering memory corruption in affected manager and client components. The vulnerability spans multiple product lines and versions, with CVSS 5.5 indicating moderate local attack surface; active exploitation status not confirmed.
Out-of-bounds write in MediaTek modem firmware enables remote privilege escalation when devices connect to attacker-controlled rogue cellular base stations. The vulnerability affects over 60 MediaTek chipset models widely deployed in smartphones and IoT devices, exploitable by adjacent network attackers without authentication (CVSS:3.1 AV:A/PR:N). While EPSS scores this at only 6% exploitation probability (18th percentile) and no active exploitation is confirmed at time of analysis, the attack s
Out-of-bounds write in MediaTek modem chipset implementations allows remote privilege escalation when user equipment connects to an attacker-controlled rogue cellular base station. Affects 57 MediaTek chipset models across MT67xx, MT68xx, MT69xx, MT87xx, and MT27xx families used in mobile devices. Authentication not required (CVSS PR:N) but requires adjacent network access and user interaction to connect to malicious base station. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis, though vendor patch MOLY01406170 has been released per April 2026 MediaTek security bulletin.
Buffer overflow in Samsung Exynos Wi-Fi drivers (980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000) allows unauthenticated remote attackers to execute arbitrary code with high integrity/confidentiality impact through malformed NL80211 vendor command ioctl messages. Improper input validation enables network-accessible exploitation without user interaction. CVSS 9.8 critical severity. No public exploit identified at time of analysis.
Buffer overflow in Samsung Exynos Wi-Fi driver (980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, W1000) allows unauthenticated remote code execution via malformed NL80211 vendor command ioctl message. Incorrect handling of vendor-specific wireless configuration commands enables network-based memory corruption. CVSS 9.8 critical severity reflects network attack vector requiring no authentication or user interaction. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.01%).
Out-of-bounds write in Samsung Exynos chipsets (processors 980/990/850/1080/2100/1280/2200/1330/1380/1480/2400/1580/2500/9110, wearables W920/W930/W1000, modems 5123/5300/5400) allows unauthenticated remote attackers to achieve arbitrary code execution via malformed SMS TP-UD packets. Exploitation occurs through TP-UDHI/UDL value mismatch during SMS message parsing, enabling network-level attacks without user interaction. No public exploit identified at time of analysis.
Stack-based buffer overflow in Tenda CX12L router firmware 16.03.53.12 allows authenticated remote attackers to achieve arbitrary code execution via the 'page' parameter in the fromNatStaticSetting function at /goform/NatStaticSetting endpoint. Publicly available exploit code exists. EPSS data not provided, but CVSS 7.4 (High) with network attack vector and low complexity indicates significant risk for exposed administrative interfaces.
Remote stack-based buffer overflow in Tenda CX12L router firmware version 16.03.53.12 allows authenticated attackers to execute arbitrary code via crafted 'page' parameter to the RouteStatic configuration endpoint. CVSS 7.4 with publicly available exploit code (E:P in vector). EPSS and KEV data not provided, but public POC availability elevates immediate risk for exposed management interfaces.
Heap out-of-bounds read in SDL_image library's XCF format parser allows remote information disclosure when processing malicious GIMP files. Attackers can craft .xcf files with undersized colormaps and invalid pixel indices to leak up to 762 bytes of heap memory into rendered image data, potentially exposing sensitive process memory. The vulnerability affects both indexed color code paths (1-bit and 2-bit per pixel). No public exploit identified at time of analysis, but EPSS and exploitation likelihood are notable given the library's widespread use in gaming and multimedia applications requiring minimal user interaction (opening a file).
Remote code execution in Tenda CX12L firmware version 16.03.53.12 allows authenticated attackers to overflow stack buffers via malicious 'page' parameter values sent to the addressNat endpoint (/goform/addressNat). The fromAddressNat function fails to validate input length, enabling memory corruption with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists (GitHub POC), elevating practical exploitation risk despite requiring low-privilege authentication. EPSS data not available, but CVSS 7.4 reflects network-accessible attack vector with low complexity.
Stack-based buffer overflow in Tenda CX12L wireless router firmware 16.03.53.12 allows authenticated adjacent network attackers to execute arbitrary code or crash the device via crafted 'page' parameter to the /goform/webExcptypemanFilter endpoint. Publicly available exploit code exists (GitHub POC published), enabling straightforward exploitation against unpatched routers on the same LAN segment. EPSS score of 0.03% suggests limited mass exploitation to date, though adjacent network requirement naturally constrains attack surface to local/corporate networks rather than internet-wide scanning.
Stack-based buffer overflow in Tenda CX12L firmware version 16.03.53.12 allows authenticated local network attackers to cause memory corruption via manipulation of the page parameter in the P2pListFilter function. The vulnerability requires local network access and authenticated privileges but carries publicly available exploit code, elevating practical risk despite the moderate CVSS score of 5.1.
Heap buffer overflow in ZLMediaKit's VP9 RTP payload parser allows remote unauthenticated attackers to trigger denial of service by sending a single malformed RTP packet. The vulnerability stems from insufficient buffer length validation in ext-codec/VP9Rtp.cpp, where flag bits in a 1-byte payload (0xFF) cause out-of-bounds reads. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and EPSS 0.04%, this represents a low-probability but remotely exploitable attack surface against any ZLMediaKit server processing VP9 streams. Fixed in commit 435dcbcbbf700fd63b2ca9eac6cef3b5ea75169d. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Heap buffer overflow in Microsoft SymCrypt versions 103.5.0 through 103.10.x allows local authenticated attackers to cause denial of service or limited integrity compromise via silent truncation of a 64-bit leaf count parameter to 32 bits in the SymCryptXmssSign function during XMSS^MT signature operations with tree height >= 32. Real-world risk is significantly mitigated by the requirement for attacker-controlled signing parameters (uncommon in production), the private-key-operation context, and Microsoft's explicit guidance that XMSS^MT signing should only occur in Hardware Security Modules and is provided in SymCrypt for testing purposes only. No public exploit code or active exploitation has been identified.
Heap buffer overflow in openFPGALoader 1.1.1 and earlier allows local attackers to read sensitive heap memory and cause denial-of-service by supplying a maliciously crafted .pof FPGA bitstream file. The vulnerability triggers during POF file parsing without requiring physical FPGA hardware, enabling information disclosure (high confidentiality impact) and application crashes (high availability impact). EPSS data not available; no public exploit identified at time of analysis, though GitHub security advisory confirms the flaw in open-source FPGA programming utility used by hardware developers and researchers.
Heap-buffer-overflow in openFPGALoader 1.1.1 and earlier allows local attackers to trigger information disclosure and denial-of-service through maliciously crafted .bit FPGA configuration files. The vulnerability requires user interaction (opening a malicious file) but requires no authentication or FPGA hardware. CVSS base score is 7.1 (High). No public exploit identified at time of analysis, though proof-of-concept development is feasible given the specific vulnerability class and file format parsing context. EPSS data not available.
Index out-of-bounds read in go.etcd.io/bbolt allows local unauthenticated attackers to cause a denial of service by crafting a malicious database file with a branch page containing zero elements, triggering a crash during cursor traversal. The vulnerability affects all versions of the library and has been patched upstream; no public exploit code or active exploitation has been reported.
Out-of-bounds read in RDiscount's Markdown parser allows denial-of-service when processing attacker-controlled inputs exceeding 2GB. The vulnerability occurs because unsigned Ruby string lengths are truncated to signed integers before passing to the native parser, causing the parser to read past buffer boundaries and crash. Affected are RDiscount.new(input).to_html and RDiscount.new(input).toc_content methods. No public exploitation beyond proof-of-concept exists; patch version 2.2.7.4 is available.
Memory corruption in Qualcomm Snapdragon components allows local authenticated users to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability through malformed power management requests. The vulnerability stems from improper validation of input/output buffer sizes in power management handlers. EPSS data not available; no confirmed active exploitation (not listed in CISA KEV) or public exploit code identified at time of analysis. Qualcomm addressed this in their April 2026 security bulletin.
Buffer over-read (CWE-126) in Qualcomm Snapdragon devices causes denial-of-service when processing malformed Neighborhood Awareness Networking (NAN) service data frames with excessive length values. Attack requires network proximity, high attacker privileges, user interaction, and high complexity (CVSS 7.6), yielding CVSS scope change with potential high confidentiality/integrity impact beyond availability disruption. Qualcomm April 2026 bulletin addresses this transient DOS condition. No public exploit identified at time of analysis, though the specific protocol implementation flaw in NAN device discovery presents measurable risk in adjacent network scenarios where attackers have elevated Wi-Fi protocol access.
Local privilege escalation via use-after-free in Qualcomm Snapdragon video memory management allows authenticated attackers with low privileges to achieve complete system compromise. The vulnerability exists in deprecated DMABUF IOCTL interfaces used for direct memory access buffer operations. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026 CVE. Qualcomm addressed this in their April 2026 security bulletin.
Local privilege escalation in Qualcomm Snapdragon camera sensor drivers allows authenticated users to execute arbitrary code with elevated privileges through memory corruption. The vulnerability stems from unbounded buffer access during IOCTL processing, enabling attackers to corrupt memory and achieve complete system compromise (confidentiality, integrity, and availability impact). EPSS data not available; no public exploit identified at time of analysis. Affects Qualcomm Snapdragon-powered devices across mobile and IoT ecosystems.
Local privilege escalation in Qualcomm Snapdragon camera sensor drivers allows authenticated attackers with low privileges to execute arbitrary code with elevated permissions through unchecked output buffer access during IOCTL operations. This out-of-bounds read vulnerability (CWE-126) achieves complete system compromise (confidentiality, integrity, and availability impact all rated High in CVSS). No public exploit identified at time of analysis, though the local attack vector and low complexity suggest proof-of-concept development is feasible for researchers with device access.
Memory corruption in Qualcomm Snapdragon chipsets allows authenticated local attackers with low privileges to execute arbitrary code, elevate privileges, or cause system crashes through improper IOCTL buffer validation. The vulnerability achieves complete compromise of confidentiality, integrity, and availability (CVSS 7.8 HIGH). No public exploit code identified at time of analysis, though exploitation requires only low attack complexity once local access is obtained. Qualcomm addressed this in their April 2026 security bulletin.
Memory corruption in Qualcomm Snapdragon auxiliary sensor I/O control processing allows authenticated local attackers to achieve arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from insufficient buffer size validation (CWE-126: Buffer Over-read) when handling sensor control commands. With CVSS 7.8 and local attack vector requiring low privileges, this represents a moderate real-world risk for privilege escalation attacks on Android and IoT devices using affected Snapdragon chipsets. No public exploit code or CISA KEV listing identified at time of analysis, though the April 2026 bulletin date suggests recent disclosure.
Local privilege escalation in Qualcomm Snapdragon products allows authenticated attackers to gain kernel-level code execution through memory corruption during IOCTL processing. The vulnerability stems from unchecked buffer size validation when writing to output buffers, enabling high-impact compromise of confidentiality, integrity, and availability on affected mobile and embedded devices. With a CVSS score of 7.8 and low attack complexity (AC:L), this represents a significant privilege escalation vector for malicious applications or local users, though no public exploit or active exploitation has been identified at time of analysis.
Local privilege escalation in Qualcomm Snapdragon components allows authenticated local attackers to corrupt kernel memory through malformed IOCTL requests. Exploitation requires low-privilege local access but no user interaction (CVSS 7.8, AV:L/PR:L). The vulnerability enables attackers to achieve high impact across confidentiality, integrity, and availability through unsafe memcpy operations that fail to validate buffer sizes. No public exploit identified at time of analysis, though the straightforward attack complexity (AC:L) suggests exploitation development is feasible for adversaries with local access.
Memory corruption in Qualcomm Snapdragon components allows local authenticated attackers to execute arbitrary code with high privileges. A buffer overflow vulnerability (CWE-126) occurs during output buffer retrieval due to insufficient size validation, enabling complete system compromise with high confidentiality, integrity, and availability impact. EPSS risk data not available; no confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis. The local attack vector (AV:L) and low complexity (AC:L) make this exploitable by malicious apps or local users on affected Snapdragon-powered devices.
Out-of-bounds read in Qualcomm Snapdragon WiFi firmware triggers denial-of-service when processing malformed FILS Discovery frames during network scans. Remote attackers on the same wireless network can crash affected devices by broadcasting specially crafted 802.11ai Fast Initial Link Setup frames with invalid action field sizes. CVSS 7.6 (High) reflects the high attack complexity and required high privileges, though the confidentiality/integrity impacts appear overstated for a transient DOS condition. EPSS data not available; no public exploit identified at time of analysis.
Buffer overread in Qualcomm Snapdragon cryptographic implementation allows authenticated local attackers to expose sensitive memory contents and potentially manipulate cryptographic operations. The vulnerability (CWE-126) stems from copying data to a destination buffer without size validation, creating high confidentiality and integrity risk. EPSS scoring and KEV status not available at time of analysis; no public exploit identified. Affects Qualcomm Snapdragon chipsets with fix documented in April 2026 security bulletin.
Memory corruption in Qualcomm Snapdragon chipsets allows adjacent network attackers to achieve arbitrary code execution without authentication when processing malformed satellite data files containing invalid signature offsets. The vulnerability stems from an integer overflow (CWE-190) that leads to buffer overflow conditions during satellite data decoding. With a CVSS score of 8.8 and adjacent network attack vector, this represents a significant risk for devices with satellite communication capabilities in proximity-based attack scenarios. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Local privilege escalation in Qualcomm Snapdragon allows authenticated users to execute arbitrary code through memory corruption when processing frame requests. This CWE-121 stack-based buffer overflow enables complete system compromise (high confidentiality, integrity, and availability impact). No public exploit identified at time of analysis, with CVSS 7.8 indicating high severity requiring low attack complexity and low privileges. Qualcomm's April 2026 security bulletin addresses this vulnerability.
Local privilege escalation via memory corruption in Qualcomm Snapdragon JPEG driver allows authenticated local users to achieve full system compromise (high confidentiality, integrity, and availability impact). The buffer overflow vulnerability (CWE-126) occurs during IOCTL request preprocessing, a common attack surface in kernel-mode device drivers. CVSS 7.8 indicates high severity with low attack complexity. No public exploit identified at time of analysis, and EPSS data not available in provided intelligence. Qualcomm's April 2026 security bulletin addresses this issue, indicating coordinated disclosure timeframe.
Local privilege escalation in Qualcomm Snapdragon components enables authenticated users to achieve arbitrary code execution with elevated privileges through memory corruption triggered by integer overflow during attestation report generation. The vulnerability requires low attack complexity and low-level authentication (CVSS:3.1/AV:L/AC:L/PR:L), allowing complete compromise of confidentiality, integrity, and availability on affected devices. With CVSS 7.8 (High severity) and local attack vector, this represents a significant risk on multi-user Android devices where malicious apps could exploit the flaw to break out of sandboxing. No public exploit identified at time of analysis, though the buffer overflow class (CWE-120) is well-understood by exploit developers.
Memory corruption via use-after-free in Qualcomm Snapdragon SDK occurs when concurrent fence deregistration and signal handling operations access freed memory, allowing authenticated local attackers with low privileges to achieve information disclosure and integrity/availability compromise. CVSS 6.5 reflects local attack vector with high complexity; no public exploit code or active exploitation confirmed at time of analysis.
Integer overflow in OpenEXR's DWA lossy decoder (versions 3.2.0-3.2.6, 3.3.0-3.3.8, 3.4.0-3.4.8) enables local attackers to trigger out-of-bounds memory writes when processing maliciously crafted EXR image files. The vulnerability stems from signed 32-bit arithmetic overflow in block pointer calculations for large image widths, causing decoder operations to write outside allocated memory buffers. User interaction is required (victim must open a malicious EXR file), but no authentication is needed. No public exploit identified at time of analysis, though the technical details in the GitHub security advisory provide sufficient information for proof-of-concept development.
Integer overflow in OpenEXR's PIZ wavelet decompression leads to out-of-bounds memory access when processing malicious EXR image files. Affects OpenEXR 3.1.0 through 3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. Local attackers can trigger memory corruption through crafted EXR files without authentication (CVSS:4.0 AV:L/PR:N), achieving high confidentiality, integrity, and availability impact. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available in versions 3.2.7, 3.3.9, and 3.4.9.
Signed integer overflow in OpenEXR's undo_pxr24_impl() function allows unauthenticated remote attackers to bypass buffer bounds checks and trigger heap buffer overflow during EXR file decoding, potentially causing denial of service or limited data corruption when processing maliciously crafted EXR files. The vulnerability affects OpenEXR versions 3.2.0 through 3.2.6, 3.3.0 through 3.3.8, and 3.4.0 through 3.4.8. No public exploit code or active exploitation has been confirmed at the time of analysis.
Integer overflow in OpenEXR 3.4.0-3.4.8 allows remote attackers to crash applications processing malicious EXR files via a negative dataWindow.min.x value in the file header, triggering a signed integer overflow in generic_unpack() that causes process termination with SIGILL. The vulnerability requires user interaction (opening a crafted file) and affects availability only, with no confirmed active exploitation at time of analysis.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 formTaskEdit function allows authenticated administrators to cause denial of service through a malformed selDateType parameter. The vulnerability is a classic stack-based buffer overflow (CWE-120) requiring high-privilege local network access; no public exploitation framework has been identified, and CVSS 4.5 reflects the limited scope (DoS only, no code execution or information disclosure).
Buffer overflow in UTT Aggressive 520W v3 firmware version 1.7.7-180627 allows authenticated high-privilege attackers to cause denial of service by supplying crafted input to the addCommand parameter of the formConfigCliForEngineerOnly function. The vulnerability requires administrative-level access and local network connectivity, limiting real-world attack surface despite the buffer overflow class of vulnerability.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 formArpBindConfig function allows authenticated attackers with high privileges to cause denial of service by supplying a crafted input to the pools parameter. CVSS score of 4.5 reflects limited attack surface (local network access required) and high privilege requirement, though impact is complete availability loss. No public exploit code or active exploitation confirmed at time of analysis.
Buffer overflow in UTT Aggressive 520W v3 v1.7.7-180627 filename parameter of formFtpServerDirConfig function allows authenticated attackers with high privileges to cause denial of service. The vulnerability requires local network access and high-level administrative credentials; no public exploit code or active exploitation has been confirmed at time of analysis.
Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 ConfigAdvideo function allows authenticated local attackers with high privileges to cause denial of service by crafting malicious input to the timestart parameter. The vulnerability scores low-to-moderate risk (CVSS 4.5) due to strict prerequisites: network access limited to adjacent network only, high privilege requirement, and impact restricted to availability.
Buffer overflow in UTT Aggressive HiPER 810G v3 version 1.7.7-171114 within the notes parameter of the formGroupConfig function enables authenticated administrators to trigger a denial of service condition through a crafted input. The vulnerability requires high-privilege access and cannot result in code execution, but represents a threat to device availability. No public exploit code has been independently confirmed, and this CVE does not appear on the CISA KEV catalog at time of analysis.
Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 timeRangeName parameter allows authenticated attackers with high privileges to cause denial of service through crafted input to the formConfigDnsFilterGlobal function. CVSS score of 4.5 reflects local/adjacent network attack vector and high-privilege requirement, with no confidentiality or integrity impact. No public exploit code or active exploitation confirmed at time of analysis.
Heap-based out-of-bounds read in libtheora's AVI parser allows local attackers with limited privileges to trigger application crashes or leak heap memory via specially crafted AVI files with truncated header sub-chunks. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and requires user interaction (opening a malicious file), with real-world impact limited to denial-of-service and potential information disclosure rather than code execution.
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: ... with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN.
In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete device compromise via the formSetFirewall firewall configuration function. The vulnerability has publicly available exploit code and carries an EPSS exploitation probability that warrants attention, though no active exploitation has been confirmed by CISA KEV at time of analysis. The vendor (Belkin) was notified but did not respond, leaving legacy hardware users without an official remediation path.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formSetSystemSettings function within the /goform/formSetSystemSettings endpoint, exploitable via the 'webpage' parameter. Publicly available exploit code exists (GitHub POC), CVSS 8.8 indicating network-exploitable with low complexity requiring only low-privilege authentication. Vendor unresponsive to coordinated disclosure attempts.
Stack-based buffer overflow in Belkin F9K1015 v1.00.10 allows authenticated remote attackers to achieve code execution via the formSetPassword function. The vulnerability requires low-privilege credentials but no user interaction, carrying a CVSS score of 8.8 (High). Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation is confirmed (not in CISA KEV). The vendor did not respond to responsible disclosure attempts.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 allows authenticated remote attackers to achieve code execution and full system compromise via the formReboot endpoint. The vulnerability has a publicly available exploit (GitHub POC) and requires only low-privileged authentication (EPSS risk assessment recommended but data not provided). Vendor did not respond to disclosure, indicating no patch is available.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve complete system compromise via crafted 'webpage' parameter to the formWlEncrypt endpoint. Publicly available exploit code exists (GitHub POC). EPSS data not provided, but the low attack complexity (AC:L) and network attack vector (AV:N) combined with confirmed POC availability indicate moderate-to-high exploitation risk. Vendor was notified but did not respond, leaving devices potentially unpatched.
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware version 1.00.10 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formCrossBandSwitch function accessible via /goform/formCrossBandSwitch endpoint, where unsanitized input to the 'webpage' parameter triggers memory corruption. Publicly available exploit code exists (GitHub POC), elevating practical exploitat
Stack-based buffer overflow in Belkin F9K1015 wireless router firmware 1.00.10 enables authenticated remote attackers to achieve full system compromise (code execution, denial of service, credential theft) via crafted requests to the formWISP5G endpoint. CVSS 8.8 severity with low attack complexity and publicly available exploit code. Vendor has not responded to disclosure, leaving users without an official patch. EPSS data not available, but the combination of network accessibility, low complexity, and public POC elevates real-world risk despite requiring low-privilege authentication.
Stack-based buffer overflow in Tenda i12 router firmware 1.0.0.11(3862) allows authenticated remote attackers to execute arbitrary code via the WiFi SSID configuration interface. The vulnerability is exploitable over the network with low complexity through manipulation of the 'index' or 'wl_radio' parameters in the formwrlSSIDset function. With publicly available exploit code (GitHub POC) and a CVSS score of 8.8, this presents immediate risk to exposed management interfaces. EPSS data not provided, but the combination of network accessibility, authentication bypass potential, and weaponized exploit elevates real-world risk.
Stack-based buffer overflow in Belkin F9K1122 router firmware 1.00.33 enables authenticated remote attackers to achieve full device compromise via crafted 'webpage' parameter in formWlanSetup function. Publicly available exploit code exists, and EPSS data suggests low-probability targeting despite critical CVSS 8.8 severity. Vendor non-responsive to disclosure; no patch released.
Stack-based buffer overflow in Samsung Exynos chipset SMS message processing allows remote attackers to execute arbitrary code or crash devices via malformed SMS RP-DATA messages. Affects 22 Exynos processor and modem variants across mobile, wearable, and IoT devices, requiring no user interaction. CVSS 10.0 with network-level attack vector (PR:N), scope change, and full system impact. EPSS and exploitation status not provided, but SSVC framework indicates automatable attack with total technical impact. No public exploit identified at time of analysis, though the vulnerability class (CWE-121 stack buffer overflow in SMS parsing) has high weaponization potential.
Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formWrlExtraSet function. The vulnerability resides in the /goform/WrlExtraSet endpoint where manipulation of the 'GO' parameter triggers memory corruption. With CVSS 8.8 (network-accessible, low complexity, requires low-privileged authentication), this represents a critical risk to affected devices. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no confirmed active exploitation (CISA KEV) has been reported at time of analysis.
Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to execute arbitrary code via crafted 'standard' parameter to the formCertLocalPrecreate function in /goform/CertLocalPrecreate endpoint. Publicly available exploit code exists (GitHub), CVSS 7.4 (High), but no active exploitation confirmed (not in CISA KEV). CVSS vector indicates low attack complexity with required authentication (PR:L), affecting all three confidentiality, integrity, and availability at high impact levels.
Xlight FTP Server 3.9.1 contains a structured exception handler (SEH) overwrite vulnerability that allows local attackers to crash the application and overwrite SEH pointers by supplying a crafted. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RealTerm Serial Terminal 2.0.0.70 contains a structured exception handling (SEH) buffer overflow vulnerability in the Echo Port tab that allows local attackers to execute arbitrary code by supplying. Rated high severity (CVSS 8.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
TaskInfo 8.2.0.280 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to registration fields. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SpotAuditor 3.6.7 contains a local buffer overflow vulnerability in the Base64 Password Decoder component that allows attackers to crash the application. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
River Past Ringtone Converter 2.7.6.1601 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to activation fields. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Remote Process Explorer 1.0.0.16 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by sending a crafted payload to the Add Computer dialog. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LanHelper 1.74 contains a local buffer overflow vulnerability that allows attackers to crash the application by sending excessively long input strings. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
a-Mac Address Change 5.4 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input to registration form fields. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.