Buffer Overflow

Stack buffer overflow in iccDEV library versions prior to 2.3.1.6 allows local attackers to trigger a denial of service by crafting a malicious ICC color profile that overflows a 4-byte stack buffer in the CIccCalculatorFunc::Apply() function during profile processing. The vulnerability requires local access and no user interaction, with CVSS 6.2 reflecting high availability impact but no direct code execution path; vendor-released patch is available in version 2.3.1.6.

Heap buffer overflow in iccDEV prior to version 2.3.1.6 allows denial of service via a crafted ICC color profile that triggers out-of-bounds heap read in icMemDump() when iccDumpProfile processes malformed tag contents. The vulnerability affects local attackers without authentication or user interaction, though the practical attack surface depends on how iccDumpProfile is invoked in consuming applications. No public exploit code or active exploitation has been identified; the issue was discovered through code analysis and AddressSanitizer instrumentation.

Heap buffer overflow in iccDEV's CTiffImg::WriteLine() function allows local attackers to crash the iccSpecSepToTiff tool via specially crafted ICC color profile and TIFF file pairs. Versions prior to 2.3.1.6 are vulnerable; the attack requires no authentication or user interaction beyond processing a malicious file. While the current impact is limited to denial of service, heap overflows can potentially enable memory corruption exploitation depending on heap layout and attacker sophistication.

Malformed ICC color profile files trigger a heap buffer overflow in iccDEV versions prior to 2.3.1.6, causing denial of service through segmentation fault in the CIccTagArray::Cleanup() function. Local attackers can exploit this vulnerability by crafting a malicious ICC profile that, when processed by iccRoundTrip or similar tools, crashes the application due to misaligned pointer access. No public exploit code has been identified, and this vulnerability is not confirmed as actively exploited in the wild.

Heap buffer overflow in iccDEV prior to version 2.3.1.6 allows local attackers to trigger a denial of service via a malicious ICC color profile, causing out-of-bounds heap reads in the CIccMpeSpectralMatrix::Describe() function when processing profiles with iccDumpProfile. The vulnerability requires local file access but no user interaction or authentication, with confirmed patch availability in version 2.3.1.6.

Heap-based buffer overflow in Axiomatic Bento4 up to version 1.6.0-641 affects the AP4_BitReader::ReadCache function in the MP4 file parser component, allowing local attackers with limited privileges to cause information disclosure, integrity violation, and denial of service. Publicly available exploit code exists, and the vendor has not yet responded to the early disclosure despite project notification through GitHub issue tracking.

Stack-based buffer overflow in D-Link NAS device management interfaces allows authenticated remote attackers to execute arbitrary code with high impact across 21 product models. The vulnerability resides in the cgi_addgroup_get_group_quota_minsize function within /cgi-bin/account_mgr.cgi, exploitable via malicious Name parameter input. Public exploit code exists on GitHub, significantly lowering the technical barrier for attacks. Authentication is required (PR:L), but once authenticated, attackers achieve full confidentiality, integrity, and availability compromise. EPSS and KEV status not provided, but the combination of public POC, network accessibility (AV:N), low complexity (AC:L), and widespread device deployment represents material risk to organizations using affected D-Link NAS products.

Stack-based buffer overflow in D-Link NAS devices allows authenticated remote attackers to achieve complete system compromise with high-confidence exploitation. Affects 20+ D-Link DNS and DNR series network storage products through firmware versions released until February 5, 2026. Publicly available exploit code exists targeting the account_mgr.cgi component, enabling remote code execution with low attack complexity once authenticated. CVSS 8.8 (High) with confirmed proof-of-concept demonstrates practical exploitability despite requiring low-privilege authentication.

Stack-based buffer overflow in D-Link NAS devices enables authenticated remote attackers to execute arbitrary code with full system privileges. Affecting 20+ end-of-life D-Link DNS and DNR network storage models through firmware version 20260205, the flaw resides in the Webdav_Upload_File function within /cgi-bin/webdav_mgr.cgi. Publicly available exploit code exists, significantly lowering the barrier to exploitation. CVSS 8.8 (High) reflects network-accessible attack requiring only low-privilege authentication with no user interaction. Organizations using these legacy devices face immediate risk of complete confidentiality, integrity, and availability compromise.

Stack-based buffer overflow in D-Link NAS devices enables remote code execution with high integrity impact for authenticated users. The vulnerability resides in the UPnP_AV_Server_Path_Del function within /cgi-bin/app_mgr.cgi, exploitable via manipulation of the f_dir parameter. With CVSS 8.8 (High), low attack complexity (AC:L), network accessibility (AV:N), and publicly available exploit code, this represents an elevated threat to approximately 20 legacy D-Link NAS models through firmware versions up to 20260205. No vendor-released patch identified at time of analysis, and many affected models appear to be end-of-life products.

Memory corruption leading to arbitrary code execution affects AWS C Event Stream library versions before 0.6.0 when clients process malicious event-stream messages from attacker-controlled servers. The out-of-bounds write vulnerability in the streaming decoder requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), but grants complete control over confidentiality, integrity, and availability if successfully exploited. No public exploit identified at time of analysis, with EPSS data unavailable for this 2026-dated CVE. Vendor-released patch version 0.6.0 addresses the issue.

Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the webSiteId parameter in the formWebTypeLibrary function. Public exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (PR:L), the vulnerability enables complete compromise of router confidentiality, integrity, and availability with low attack complexity.

Heap out-of-bounds read in PJSIP's VP9 RTP unpacketizer allows remote attackers to read memory beyond allocated buffer boundaries by sending crafted VP9 Scalability Structure data, potentially disclosing sensitive information. PJSIP versions prior to 2.17 are affected. The vulnerability requires network access but no authentication, authentication complexity, or user interaction, with CVSS score of 6.9 indicating moderate severity driven by availability impact. Vendor-released patch available in version 2.17.

Integer overflow in RAUC versions prior to 1.15.2 allows signature bypass on 'plain' format bundles exceeding 2 GiB payload size, enabling attackers with bundle modification capability to alter unverified payload portions while retaining a valid signature. This affects embedded Linux systems relying on RAUC for secure firmware updates.

Arbitrary code execution in Artifex MuPDF 1.27.0 via integer overflow in PDF image processing. A maliciously crafted PDF triggers an integer overflow in the pdf_load_image_imp function within pdf-image.c, resulting in a heap out-of-bounds write that enables remote code execution without authentication. No public exploit code or active exploitation has been confirmed at time of analysis.

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:changeName, DNSResponse:changeName), allowing unauthenticated remote attackers to craft DNS responses that trigger out-of-bounds writes and exceed the 65535-byte DNS packet size limit, resulting in denial of service via crash. CVSS 5.9 (high availability impact); no public exploit code identified at time of analysis.

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential information disclosure by sending a crafted DNS response packet when custom Lua code uses the newDNSPacketOverlay function to parse packets. CVSS 5.3 indicates moderate severity with network-accessible attack surface and no privilege or user interaction required.

Heap-based buffer overflow in gdk-pixbuf JPEG loader allows unauthenticated remote attackers to trigger denial of service through specially crafted JPEG images without user interaction. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and can be triggered automatically during thumbnail generation operations. With CVSS 7.5 (High) and network-accessible attack vector, this poses significant availability risk. No public exploit identified at time of analysis, though EPSS data not available for final risk quantification.

Heap-based buffer overflow in Nothings stb_image library up to version 2.30 in the stbi__gif_load_next function allows local authenticated attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Public exploit code is available; however, the vulnerability requires local access and authenticated privilege level, significantly limiting real-world exploitation scope. The vendor has not responded to early disclosure attempts.

Stack-based buffer overflow in Tenda CH22 router firmware version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution with high confidentiality, integrity, and availability impact. The vulnerability resides in the formQuickIndex function's handling of the mit_linktype parameter in the /goform/QuickIndex endpoint. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. With a CVSS score of 8.8 and low attack complexity requiring only low-privilege authentication, this represents a critical risk to deployed Tenda CH22 devices, though CISA KEV status is not confirmed.

Stack-based buffer overflow in Tenda CH22 router (version 1.0.0.1) allows authenticated remote attackers to achieve code execution or denial of service via the wanmode parameter in the /goform/AdvSetWan endpoint. Public exploit code exists (GitHub POC), significantly lowering exploitation barriers. CVSS 7.4 reflects network-accessible attack requiring only low-privilege authentication, with high impact to confidentiality, integrity, and availability.

Stack-based buffer overflow in Tenda CH22 router (versions 1.0.0.1 and 1.If) allows authenticated remote attackers to achieve code execution via crafted 'funcname' parameter to the /goform/setcfm endpoint. Publicly available exploit code exists (GitHub POC), significantly lowering exploitation barrier. CVSS 7.4 with low attack complexity and authenticated remote vector indicates moderate risk for targeted attacks against devices with compromised credentials.

Heap buffer overflow in FreeRDP's persistent bitmap cache handling allows local attackers to corrupt memory integrity and crash the RDP client. Affecting all versions prior to 3.24.2, the vulnerability (CWE-122) occurs when memory reallocation fails but the buffer size variable is prematurely updated, creating a size/pointer mismatch. EPSS data not available, but marked medium priority by Ubuntu. No public exploit identified at time of analysis, though technical details are disclosed in the GitHub Security Advisory.

Heap buffer overflow in FreeRDP's H.264 YUV decoder (versions before 3.24.2) allows remote attackers to potentially achieve code execution via specially crafted RDP sessions. The vulnerability stems from premature dimension updates in yuv_ensure_buffer() that persist when memory reallocation fails, creating exploitable memory corruption conditions. Attack requires user interaction (connecting to malicious RDP server) and moderate complexity (CVSS AC:H). No public exploit identified at time of analysis, though CVSS 7.5 HIGH score reflects potential for complete system compromise (C:H/I:H/A:H).

FreeRDP versions prior to 3.24.2 leak sensitive heap data to the screen during pixel rendering in remote desktop sessions, allowing unauthenticated remote attackers to obtain confidential information through a man-in-the-middle position or compromised RDP server. The vulnerability requires user interaction (UI:R) and involves out-of-bounds memory read (CWE-125), with CVSS 5.9 reflecting moderate confidentiality impact and low availability degradation. No public exploit code or active exploitation has been confirmed at time of analysis.

Heap buffer overflow in FreeRDP's CLEAR codec implementation allows remote attackers to execute arbitrary code when processing malicious RDP server responses. Affects all FreeRDP versions prior to 3.24.2. Attack requires high complexity and user interaction (victim must connect to attacker-controlled RDP server), but no authentication is required. CVSS 7.5 reflects the network-accessible attack vector with potential for complete system compromise. No public exploit identified at time of analysis, though technical details are publicly disclosed via GitHub security advisory.

Heap-buffer-overflow in FreeRDP's winpr_aligned_offset_recalloc() function allows local attackers with no privileges but requiring user interaction to trigger high-severity information disclosure and denial of service in versions prior to 3.24.2. The vulnerability involves a READ operation at 24 bytes before heap allocation boundaries (CWE-125: Out-of-bounds Read). Vendor-released patch version 3.24.2 available via GitHub commit a48dbde2c8. EPSS data not provided; no public exploit identified at time of analysis. Affects all FreeRDP installations below 3.24.2, tracked across 7 Debian releases.

Heap over-read in Botan C++ cryptography library versions 2.3.0 through 3.10.x allows remote, unauthenticated attackers to trigger crashes or undefined behavior during SM2 decryption. The vulnerability stems from insufficient length validation of authentication code (C3) values in SM2 ciphertexts, enabling reads of up to 31 bytes beyond allocated heap memory. With CVSS 8.2 (AV:N/AC:L/PR:N/UI:N) and EPSS data not provided, this represents a remotely exploitable memory safety issue in a cryptographic primitive. No public exploit identified at time of analysis. Patched in version 3.11.0.

Stack-based buffer overflow in Tenda CH22 router version 1.0.0.1 allows authenticated remote attackers to achieve arbitrary code execution via the formCreateFileName function. The vulnerability resides in the /goform/createFileName endpoint where insufficient input validation of the 'fileNameMit' parameter enables memory corruption. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. While requiring low-privilege authentication (PR:L), the attack complexity is low (AC:L) and can be executed remotely over the network.

NanoMQ MQTT Broker versions prior to 0.24.8 can be remotely crashed via MQTT-over-WebSocket by sending a packet with a maliciously inflated Remaining Length field in the fixed header while providing a shorter actual payload, triggering an out-of-bounds read that causes denial of service. Authenticated attackers can exploit this condition over the WebSocket listener with low attack complexity. Vendor-released patch available in version 0.24.8.

Stack-buffer overflow in OpenSC's card-oberthur module (versions prior to 0.27.0) allows local attackers with physical access to trigger memory corruption via specially crafted APDU responses from a malicious USB device or smart card, potentially causing denial of service or limited information disclosure. The attack requires the user or administrator to actively use a token during the compromise window, and the vulnerability has been patched in version 0.27.0. No public exploit code or active exploitation has been confirmed at the time of analysis.

Denial-of-service vulnerability in go-git v5 and earlier versions allows local attackers with write access to the repository to craft a malicious Git index file (format version 4) that triggers an out-of-bounds slice operation during parsing, causing application panic and process termination. The vulnerability requires local disk write access to the .git directory and user interaction (file opening), making it a low-severity but exploitable DoS vector for applications that do not gracefully handle panics. Patch versions v5.17.1 and v6 are available.

OpenSC before version 0.27.0 contains an out-of-bounds buffer read vulnerability in the sc_compacttlv_find_tag function that can return pointers beyond the allocated buffer bounds, leading to potential memory corruption when downstream code dereferences the returned pointer. The vulnerability affects OpenSC when processing untrusted compact-TLV data from smart cards or files, where a maliciously crafted single-byte element can claim a length exceeding the remaining buffer size without validation. While the CVSS score of 3.9 reflects the physical attack vector requirement (smartcard interaction) and high attack complexity, the memory corruption potential poses a notable risk in environments where OpenSC processes untrusted card data.

Out-of-bounds heap read in OpenSC prior to version 0.27.0 allows local attackers with physical access to smart card interfaces to trigger information disclosure and potential denial of service via crafted X.509/SPKI input to the pkcs15_reader function. The vulnerability stems from sc_pkcs15_pubkey_from_spki_fields() allocating a zero-length buffer and reading one byte beyond its bounds. No public exploit code or active exploitation has been identified; patch is available in version 0.27.0.

Cross-origin data exfiltration in Glances XML-RPC server (glances -s) allows any website to steal complete system monitoring data including hostname, OS details, process lists with command-line arguments, and network configuration through CORS misconfiguration. The server sends Access-Control-Allow-Origin: * on all responses and processes XML-RPC POST requests with Content-Type: text/plain without validation, bypassing browser CORS preflight checks. Default deployments run unauthenticated, making all network-accessible instances immediately exploitable. No public exploit identified at time of analysis, though detailed proof-of-concept code is included in the advisory.

Stack buffer overflow in OpenSC's GET RESPONSE handler prior to version 0.27.0 allows local attackers with physical access to trigger memory corruption via specially crafted smart card or USB device responses to APDUs. The vulnerability requires user interaction and physical proximity, limiting its practical exploitability; however, it could enable local privilege escalation or information disclosure when an authorized user or administrator actively uses a token. No public exploit code or active exploitation has been confirmed.

Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.

Buffer overflow in virtio-win's RhelDoUnMap() function allows local privileged users to trigger a denial of service by supplying an excessive number of descriptors during unmap operations, causing system crashes. Affects Red Hat Enterprise Linux 8, 9, and 10 across multiple architectures. The vulnerability requires high-level privilege (PR:H) but offers no confidentiality or integrity protections beyond the immediate DoS impact, with a CVSS score of 6.7 reflecting the local attack requirement and high-privilege barrier.

Out-of-bounds read in BlueKitchen BTstack AVRCP Browsing Target GET_FOLDER_ITEMS handler allows paired Bluetooth Classic attackers to cause denial of service and corrupt attribute bitmap state through insufficient bounds validation on the attr_id parameter. Attack requires proximity (Bluetooth range) and an established pairing relationship. CVSS score of 2.1 reflects limited impact (no confidentiality loss, minor integrity and availability degradation) despite low attack complexity; no active exploitation reported at time of analysis.

BlueKitchen BTstack contains an out-of-bounds read vulnerability in AVRCP Controller GET_PLAYER_APPLICATION_SETTING_ATTRIBUTE_TEXT and GET_PLAYER_APPLICATION_SETTING_VALUE_TEXT handlers that allows nearby Bluetooth Classic attackers with a paired connection to trigger information disclosure and potential denial of service. The vulnerability requires an attacker within Bluetooth range to establish a paired connection and send specially crafted VENDOR_DEPENDENT responses, resulting in reads beyond packet boundaries. No public exploit code or active exploitation has been identified; vendor-released patch v1.8.1 is available.

BlueKitchen BTstack AVRCP Controller handlers read beyond buffer boundaries when processing specially crafted VENDOR_DEPENDENT responses, allowing nearby Bluetooth Classic attackers with a paired connection to trigger an out-of-bounds read that may crash resource-constrained devices. The vulnerability affects all versions prior to v1.8.1, has a CVSS score of 2.1 (very low severity) due to limited availability impact and requirement for paired connection plus user interaction, and no public exploit code or active exploitation has been identified.

Integer overflow in libarchive's zisofs block pointer allocation on 32-bit systems allows remote code execution when processing specially crafted ISO9660 images. A remote attacker can provide a malicious ISO file that triggers a heap buffer overflow, potentially achieving arbitrary code execution on affected systems. Red Hat Enterprise Linux versions 6-10 and Red Hat OpenShift Container Platform 4 are affected; no public exploit identified at time of analysis, though an upstream fix is available via GitHub PR.

Stack-based buffer overflow in Tenda FH1201 router firmware 1.2.0.14(408) allows authenticated remote attackers to execute arbitrary code or cause denial of service via crafted 'GO' parameter to the /goform/WrlExtraSet endpoint. CVSS 8.8 reflects high impact but requires low-privilege authentication (PR:L). Publicly available exploit code exists, demonstrating concrete exploitability. EPSS data not provided, but the combination of available POC and network accessibility elevates real-world risk for internet-exposed devices with default or weak credentials.

Stack-based buffer overflow in Tenda FH1201 router (v1.2.0.14) enables remote authenticated attackers to execute arbitrary code via the WrlclientSet function. Exploitation requires only low-privilege credentials (CVSS PR:L) and has low attack complexity (AC:L), with publicly available exploit code on GitHub. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No vendor patch identified at time of analysis, creating urgent risk for deployed devices.

Stack-based buffer overflow in Belkin F9K1122 router version 1.00.33 allows authenticated remote attackers to achieve full system compromise via the formSetSystemSettings endpoint. The vulnerability resides in the Setting Handler component's webpage parameter processing. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation. With CVSS 8.8 (High) severity and low attack complexity, this represents a critical risk to affected devices, though no active exploitation has been confirmed by CISA KEV at time of analysis.

Stack-based buffer overflow in Belkin F9K1122 router (firmware 1.00.33) enables authenticated remote attackers to achieve complete system compromise via the formSetPassword endpoint. The vulnerability affects the Parameter Handler component and permits code execution with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. Vendor non-responsive to disclosure, indicating no official patch is available.

Stack-based buffer overflow in Belkin F9K1122 router firmware 1.00.33 allows authenticated remote attackers to achieve arbitrary code execution via the formCrossBandSwitch parameter handler. Exploitation requires low-privilege authentication but no user interaction, with publicly available exploit code confirming proof-of-concept viability. EPSS data not available, but the combination of network attack vector, low complexity (AC:L), and public exploit represents elevated risk for internet-exposed devices. Vendor unresponsive to disclosure, indicating no official patch timeline.

Stack-based buffer overflow in mxml up to version 4.0.4 allows local authenticated attackers to cause a denial of service by manipulating the tempr argument in the index_sort function within mxmlIndexNew. The vulnerability has a low CVSS score of 3.3 due to local-only attack vector and denial-of-service impact, but publicly available exploit code exists and a vendor patch has been released.

Stack-based buffer overflow in Tenda 4G06 router firmware version 04.06.01.29 allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromDhcpListClient function accessible via the /goform/DhcpListClient endpoint, triggered by manipulating the 'page' parameter. Publicly available exploit code exists (GitHub PoC published), significantly lowering the barrier to exploitation. CVSS 8.8 (High) reflects network-based attack vector with low complexity, though low-privilege authentication is required. Not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis.

Stack-based buffer overflow in D-Link DIR-513 1.10 router's email configuration interface allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability affects the formSetEmail function via manipulation of the curTime parameter. Publicly available exploit code exists on GitHub, significantly lowering the exploitation barrier. CRITICAL LIMITATION: This product reached end-of-life and receives no security updates from D-Link, making this a permanent risk for deployed devices. CVSS 8.8 with low attack complexity and CVSS:3.1 Exploit Maturity 'Proof-of-Concept' confirms immediate exploitability.

Stack-based buffer overflow in Tenda F453 router firmware 1.0.0.3 allows authenticated remote attackers to execute arbitrary code or crash the device via the PPTP user configuration interface. The vulnerability resides in the fromPPTPUserSetting function within the httpd component, triggered by manipulating the 'delno' parameter. Publicly available exploit code exists (GitHub), significantly lowering exploitation barriers. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability, though authentication is required (PR:L). EPSS data not provided, but public POC availability elevates real-world risk for exposed management interfaces.

Buffer overflow in Zephyr RTOS eswifi socket offload driver allows authenticated local attackers to corrupt kernel memory through oversized socket send operations. The vulnerability enables privilege escalation and denial of service via heap corruption, with high integrity and availability impact. No public exploit identified at time of analysis, though the attack vector is straightforward for users with socket API access. CVSS 7.3 reflects moderate-high severity constrained by local-only access requiring low-level privileges.

Integer overflow in dloebl CGIF up to version 0.5.2 allows remote attackers to trigger availability impact via manipulation of width/height arguments in the cgif_addframe function. The vulnerability requires user interaction (UI:P) but can be exploited over the network with no authentication. A patch is available via upstream commit b0ba830093f4317a5d1f345715d2fa3cd2dab474.

Buffer overflow in Totolink LR350 router firmware 9.3.5u.6369_B20220309 allows remote authenticated attackers to execute arbitrary code via crafted SSID input to the setWiFiGuestCfg function in /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit code and affects the web management interface. CVSS 7.4 (High) with low attack complexity indicates significant risk, though exploitation requires low-privilege authentication (PR:L). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Stack-based buffer overflow in Tenda AC15 router firmware 15.03.05.19 enables remote authenticated attackers to achieve code execution via the formSetCfm function. The vulnerability is triggered through POST requests to /goform/setcfm by manipulating the funcpara1 parameter. A publicly available exploit code exists, significantly lowering the barrier to exploitation for attackers with low-privilege credentials.

Stack-based buffer overflow in Tenda AC7 router firmware 15.03.06.44 allows authenticated remote attackers to execute arbitrary code via crafted Time parameter to /goform/SetSysTimeCfg endpoint. Publicly available exploit code exists. EPSS data not available, but exploitation requires low attack complexity with network access and low privileges (CVSS:4.0 AV:N/AC:L/PR:L). This is a critical pre-authentication boundary issue in consumer router infrastructure with confirmed POC, warranting immediate patching for affected deployments.

Remote attackers with low-level authentication can execute arbitrary code on Tenda AC6 routers running firmware version 15.03.05.16 by exploiting a stack-based buffer overflow in the formQuickIndex function via crafted PPPOEPassword parameters in POST requests to /goform/QuickIndex. Publicly available exploit code exists, demonstrating practical exploitation of this critical vulnerability with CVSS 8.8 (High severity, network-accessible, low complexity). The vulnerability is tracked as CWE-121 and poses immediate risk to exposed devices.

Stack-based buffer overflow in Tenda AC6 router firmware version 15.03.05.16 enables authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromWizardHandle function handling POST requests to /goform/WizardHandle, exploitable by manipulating WANT/WANS parameters. Publicly available exploit code exists, demonstrating the attack technique via a detailed proof-of-concept published on Notion. With a CVSS score of 8.8 and low attack complexity, this represents a significant risk to affected devices despite requiring low-privilege authentication.

Wazuh authd daemon contains a heap-buffer overflow vulnerability (CWE-125) triggered by specially crafted input from authenticated remote users, causing memory corruption and denial of service to the authentication daemon. The vulnerability affects all versions of Wazuh (CPE: cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*) and requires authenticated network access to exploit; no public exploit code or active exploitation has been confirmed at this time.

Grafana's OpenFeature feature toggle evaluation endpoint can be forced into an out-of-memory condition by submitting unbounded values, enabling remote denial-of-service attacks against the monitoring platform. The vulnerability is network-accessible, requires no authentication (CVSS AV:N/AC:L/PR:N), and has been assigned a CVSS score of 7.5 with high availability impact. No public exploit identified at time of analysis, and authentication requirements confirm unauthenticated access per the CVSS vector PR:N.

OCaml's Bigarray.reshape function contains an integer overflow vulnerability that permits unauthenticated local attackers to read arbitrary memory contents when processing untrusted input. Affected versions through 4.14.3 allow an attacker with local access to trigger the overflow condition, bypassing memory protections and potentially exposing sensitive data including cryptographic keys or process memory. No public exploit code or active exploitation has been confirmed at time of analysis.

Remote attackers with low-level authentication can trigger stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 via the WizardHandle POST request handler, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists, as confirmed by multiple references including a detailed proof-of-concept document on Notion. The CVSS score of 8.8 reflects network-based attack vector with low complexity and no user interaction required, while the temporal score indicates proof-of-concept exploitation capability.

MapServer versions 4.2 through 8.6.0 are vulnerable to a heap buffer overflow in the SLD (Styled Layer Descriptor) parser that allows remote, unauthenticated attackers to crash the MapServer process by sending a crafted SLD document containing more than 100 Threshold elements within a ColorMap/Categorize structure. The vulnerability is reachable via WMS GetMap requests using the SLD_BODY parameter, requiring no authentication or user interaction. Vendor-released patch: version 8.6.1 eliminates the issue; no public exploit code or active exploitation has been identified at time of analysis.

Stack buffer overflow in LSC Indoor Camera V7.6.32 ONVIF GetStreamUri function allows unauthenticated remote attackers to cause denial of service or execute arbitrary code by sending a crafted SOAP request with an oversized Protocol parameter in the Transport element, bypassing input validation and corrupting the stack return instruction pointer.

Remote authenticated attackers can execute arbitrary code on Tenda AC5 routers (firmware version 15.03.06.47) by exploiting a stack-based buffer overflow in the WPS configuration handler. The vulnerability resides in the formWifiWpsOOB function handling POST requests to /goform/WifiWpsOOB, where insufficient validation of the 'index' parameter allows memory corruption. A publicly available exploit code exists (CVSS 8.8, EPSS data not provided), enabling authenticated attackers with low-privilege access to achieve complete device compromise with high impact on confidentiality, integrity, and availability.

Stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 enables remote authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the formSetCfm function's handling of the funcpara1 parameter in POST requests to /goform/setcfm. A publicly available exploit exists with proof-of-concept code disclosed through VulDB and documented in detailed technical write-ups, significantly lowering the barrier to exploitation for threat actors targeting vulnerable devices.

Remote attackers with low-level credentials can execute arbitrary code on Tenda AC5 wireless routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the formQuickIndex function via a crafted PPPOEPassword parameter in POST requests to /goform/QuickIndex. Publicly available exploit code exists, including detailed proof-of-concept documentation published on Notion, elevating immediate risk for devices exposed to authenticated network users. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability with network-based attack vector and low complexity.

Remote attackers with low-level authentication can achieve full system compromise on Tenda AC5 routers running firmware version 15.03.06.47 by exploiting a stack-based buffer overflow in the addressNat POST request handler. The fromAddressNat function fails to validate the 'page' parameter, enabling memory corruption that leads to high confidentiality, integrity, and availability impact (CVSS 8.8). Publicly available exploit code exists, significantly lowering the barrier to exploitation.

The node-forge npm library fails to enforce RFC 5280 basicConstraints validation in its verifyCertificateChain() function, allowing any leaf certificate without basicConstraints and keyUsage extensions to sign other certificates that node-forge accepts as valid. Attackers holding any valid leaf certificate (e.g., a standard TLS certificate) lacking these extensions can forge certificates for arbitrary domains, bypassing certificate chain validation in applications using node-forge for custom PKI implementations, S/MIME verification, or IoT device authentication. A complete proof-of-concept exploit is publicly available demonstrating successful chain verification bypass. CVSS score of 7.4 reflects network-accessible attack vector with high complexity but no authentication required.

An out-of-bounds read vulnerability in the UPnP service of TP-Link TL-WR841N v14 routers enables adjacent network attackers to crash the UPnP daemon without authentication, resulting in denial of service. Affected devices include firmware versions prior to EN_0.9.1 4.19 Build 260303 and US_0.9.1.4.19 Build 260312. Vendor patches are available. No public exploit identified at time of analysis, with CVSS:4.0 scoring 7.1 (High) reflecting adjacent network access requirements and high availability impact.

GIMP's PSD file parser crashes when processing specially crafted Photoshop documents due to improper null-termination in the fread_pascal_string function, allowing local authenticated users to trigger a denial of service. The vulnerability affects GIMP across Red Hat Enterprise Linux 7, 8, and 9, as well as multiple Debian and Ubuntu releases tracked by their respective security teams. While the CVSS score is low (2.8), the widespread distribution across major Linux vendors and confirmed advisory issuance from Red Hat, Debian, and SUSE indicates this merits coordinated patching despite limited exploitability constraints.

A security vulnerability in A flaw (CVSS 4.3). Remediation should follow standard vulnerability management procedures.

GIMP's PSP file parser fails to validate 32-bit length values in the read_creator_block() function, allowing local attackers to trigger integer overflow and heap buffer overflow via specially crafted PSP image files, resulting in application-level denial of service. Red Hat Enterprise Linux versions 6-9, Ubuntu (7 releases), Debian (9 releases), and SUSE are affected. No public exploit code or active exploitation has been identified at the time of analysis, though the vulnerability has been assigned ENISA EUVD ID EUVD-2026-16340 and tracked across major Linux distributions.

Truncated msgpack fixext format data (codes 0xd4-0xd8) decoded by shamaton/msgpack library versions across v1, v2, and v3 fail to validate input buffer boundaries, triggering out-of-bounds memory reads and runtime panics that enable denial of service. Remote attackers can craft malformed msgpack payloads to crash applications using affected library versions without requiring authentication or user interaction.

Stack buffer overflow in ImageMagick and Magick.NET due to incorrect pointer arithmetic on certain platforms allows local attackers to write one byte past allocated stack boundaries, causing denial of service. ImageMagick versions prior to 7.1.2-18 and 6.9.13-43, along with multiple Magick.NET NuGet packages, are affected. The vulnerability requires local access and specific platform conditions, but succeeds without user interaction.

The Zen C compiler (versions prior to 0.4.4) crashes or enables arbitrary code execution when processing maliciously crafted .zc source files containing excessively long identifiers for structs, functions, or traits, triggering a stack-based buffer overflow (CWE-121). A proof-of-concept exploit exists per SSVC assessment, though attack complexity remains moderate as it requires local access and user interaction (CVSS:3.1/AV:L/AC:L/PR:N/UI:R). Vendor-released patch: version 0.4.4.

X11 display interaction path contains an out-of-bounds write vulnerability that allows local attackers to crash affected applications through a single zero byte write. The medium-severity flaw (CVSS 4.0) requires no privileges or user interaction to trigger a denial of service condition. No patch is currently available for this vulnerability.

Out-of-bounds read and write in libpng's ARM/AArch64 Neon-optimized palette expansion allows remote attackers to trigger memory corruption, information disclosure, and denial of service when processing malicious PNG files. libpng versions 1.6.36 through 1.6.55 are affected on ARM platforms with Neon optimization enabled. Version 1.6.56 contains the fix. No public exploit identified at time of analysis, with SSVC framework indicating no active exploitation, non-automatable attack vector, and partial technical impact.

Concurrent access to shared memory in EVerest EV charging software (versions prior to 2026.02.0) enables remote attackers to trigger undefined behavior and potential memory corruption through unauthenticated MQTT messages. The data race condition in Charger::shared_context occurs when processing switch_three_phases_while_charging commands without proper locking, yielding CVSS 8.2 (High) with potential for availability disruption and data integrity impact. No public exploit identified at time of analysis, though the attack vector is network-accessible without authentication requirements (CVSS:3.1/AV:N/AC:L/PR:N/UI:N).

EVerest-Core prior to version 2026.02.0 contains an out-of-bounds write vulnerability in the ISO15118_chargerImpl::handle_update_energy_transfer_modes function, where variable-length MQTT command payloads are copied into a fixed-size 6-element array without bounds checking. When schema validation is disabled by default, oversized payloads trigger memory corruption that can crash the EV charging service or corrupt adjacent EVSE (Electric Vehicle Supply Equipment) state, affecting the integrity and availability of EV charging infrastructure. No public exploit code has been identified at the time of analysis, but the vulnerability is patched in version 2026.02.0.

Out-of-bounds memory writes in EVerest charging software stack versions prior to 2026.02.0 allow local attackers to corrupt EVSE state or crash the charging process by sending oversized MQTT command payloads that bypass disabled schema validation. The ISO15118_chargerImpl::handle_session_setup function copies variable-length payment_options lists into a fixed 2-element array without bounds checking, exposing a CWE-787 buffer overflow vulnerability with availability and integrity impact. No public exploit code has been identified at time of analysis.

EVerest charging software stack versions prior to 2026.02.0 suffer from a data race condition in queue/deque handling triggered by concurrent powermeter public key updates and EV session/error events, resulting in heap corruption and potential denial of service. Unauthenticated remote attackers can exploit this via specially timed network events to crash the charging infrastructure, though successful exploitation requires precise timing due to high attack complexity. The vulnerability affects everest-core and has been patched in version 2026.02.0.

Out-of-bounds vector access in EVerest EV charging software (everest-core versions before 2026.02.0) enables remote unauthenticated attackers to crash the charging station software or corrupt memory by sending crafted UpdateAllowedEnergyTransferModes messages from a Charging Station Management System (CSMS). CVSS 7.5 severity reflects network-accessible denial of service with high availability impact. SSVC assessment indicates no current exploitation and non-automatable attack; no public exploit identified at time of analysis.

Stack-based buffer overflow in EVerest EV charging software allows unauthenticated local attackers to execute arbitrary code via overly long CAN interface names during initialization. The vulnerability (CWE-121) affects everest-core versions prior to 2026.02.0 with CVSS 8.4 (High severity). Proof-of-concept exploit code exists according to SSVC assessment, and the flaw triggers before privilege checks, enabling attack with no user privileges required. The vulnerability is tracked as EUVD-2026-16199 by ENISA.

Remote code execution vulnerability in EVerest electric vehicle charging software stack allows adjacent network attackers to execute arbitrary code by sending malformed SLAC protocol frames. EVerest-core versions prior to 2026.02.0 are affected due to a stack buffer overflow in HomeplugMessage::setup_payload that trusts an attacker-controlled length parameter in release builds. SSVC analysis indicates proof-of-concept exploit code exists, though the vulnerability is not automatable and requires adjacent network access (CVSS 8.8, AV:A).

Out-of-bounds write vulnerabilities in Siemens CPCI85 Central Processing/Communication and SICORE Base system (versions below V26.10) allow unauthenticated remote attackers to crash critical industrial control system services through maliciously crafted XML requests, resulting in denial-of-service conditions. CISA's SSVC framework marks this as automatable with partial technical impact, though no public exploit has been identified at time of analysis. The CVSS 4.0 score of 8.7 reflects high availability impact (VA:H) with network accessibility requiring no authentication (PR:N).

Stack-based buffer overflow in EVerest EV charging software stack enables local code execution when processing certificate filenames of exactly 100 characters due to off-by-one boundary check error in IsoMux component. EVerest-core versions prior to 2026.02.0 are affected (CPE cpe:2.3:a:everest:everest-core). The vulnerability has a CVSS score of 8.4 with local attack vector and no privilege requirements (AV:L/PR:N), allowing unauthenticated local attackers to achieve code execution. No public exploit identified at time of analysis, though technical details are available in GitHub security advisory GHSA-cpqf-mcqc-783m.

Linux kernel nfnetlink_osf module fails to validate TCP option lengths in OS fingerprint definitions, allowing null pointer dereference and out-of-bounds memory reads when processing packets with malformed or missing TCP options. The vulnerability affects Linux kernel versions across multiple stable branches (6.1.x through 6.19.x and 7.0-rc5), with EPSS score of 0.02% indicating low practical exploitation probability despite the memory safety issue. No public exploit code or active exploitation has been reported.

Buffer overflow in UTT HiPER 1250GW firmware versions up to 3.2.7-210907-180535 allows authenticated remote attackers to achieve code execution through a malformed GroupName parameter in the DNS filter configuration handler. Public exploit code exists for this vulnerability and no patch is currently available. Affected organizations should restrict network access to administrative interfaces until remediation is possible.

Remote attackers can exploit a stack-based buffer overflow in the /cgi-bin/nas.cgi endpoint of Wavlink WL-NU516U1 by manipulating the Content-Length parameter to achieve unauthenticated remote code execution. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. Authentication is required to trigger the flaw, limiting exposure to authenticated users or those with network access to the device.