Skip to main content

Buffer Overflow

memory HIGH

A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.

How It Works

A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.

Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.

Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.

Impact

  • Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
  • Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
  • Denial of service — crashes and memory corruption that render systems unusable
  • Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
  • Authentication bypass — overwriting security-critical variables like permission flags or user IDs

Real-World Examples

Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.

The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.

OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.

Mitigation

  • Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
  • Stack canaries — random values placed before return addresses that detect corruption before control transfer
  • Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
  • Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
  • Bounds checking — validate input sizes before copying, use safe functions like strncpy instead of strcpy
  • Fuzzing and static analysis — automated testing to discover overflows before deployment

Recent CVEs (36132)

EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the Apache IoTDB C++ client (versions 1.3.5 before 1.3.8 and 2.0.5 before 2.0.10) allows a malicious or compromised IoTDB server to crash any connected client by returning malformed TsBlock response data. The client's TsBlock deserializer performs out-of-bounds reads (CWE-125) on attacker-controlled server payloads, terminating the client process. There is no public exploit identified at time of analysis, EPSS probability is low (0.14%), and impact is limited to availability of the client - no confidentiality or integrity effect is claimed.

Apache Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Apache IoTDB versions 1.0.0 up to (but not including) 2.0.10 lets an unauthenticated network attacker crash the AirGap receiver thread by exploiting unbounded recursion in its readLength method. When the pipe_air_gap_receiver_enabled=true option is set, repeated E-language prefixes in a single socket stream drive recursion arbitrarily deep until the JVM stack is exhausted and a StackOverflowError is raised. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.14%, 4th percentile), consistent with SSVC marking exploitation as 'none' though 'automatable: yes'.

Buffer Overflow Apache Apache Iotdb
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Out-of-bounds memory write in Samsung Pass prior to version 5.2.10.3 enables local privileged attackers to corrupt process memory, producing high integrity and availability impact with limited confidentiality exposure. The root cause is improper input validation - a buffer overflow class defect - confirmed by Samsung's mobile security team and catalogued under EUVD-2026-42827. No public exploit code or CISA KEV listing has been identified; Samsung has released version 5.2.10.3 as the remediation.

Samsung Buffer Overflow
NVD
EPSS 0% CVSS 8.4
HIGH This Week

Arbitrary code execution in Samsung's libpadm.so system library on Galaxy devices allows a local, low-privileged attacker to corrupt memory via an out-of-bounds write and run code in the context of the vulnerable component prior to the SMR Jul-2026 Release 1. The flaw was reported internally by Samsung Mobile Security and carries a CVSS 4.0 base score of 8.4 (high). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds write in Samsung's Quram image codec library (libimagecodec.media.quram.so) on Samsung Android devices lets remote attackers corrupt memory outside allocated bounds by delivering a malformed DNG (Adobe Digital Negative) raw image, prior to the SMR Jul-2026 Release 1 patch level. The flaw carries CVSS 4.0 8.3 (High) with a network attack vector, no privileges and no user interaction, but a present attack requirement (AT:P). No public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.3
HIGH This Week

Out-of-bounds memory write in the Quram image codec (libimagecodec.media.quram.so) used by Samsung mobile devices allows remote attackers to corrupt memory while the library parses a malformed TIFF image, affecting builds prior to SMR Jul-2026 Release 1. Reported by Samsung's own mobile security team, the flaw carries a CVSS 4.0 base score of 8.3 (High) with a network vector and no privileges or user interaction required, though an attack requirement (AT:P) indicates a specific precondition. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 8.4
HIGH This Week

Local privilege-escalating code execution in Samsung's libsavsac.so native library (used in Galaxy devices running firmware prior to the SMR Jul-2026 Release 1) allows a low-privileged local attacker to trigger an out-of-bounds write and execute arbitrary code in the context of the affected component. The flaw was reported by Samsung's own Mobile Security team and carries a CVSS 4.0 base score of 8.4 (High). No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Buffer Overflow RCE
NVD VulDB
CVSS 5.9
MEDIUM POC PATCH This Month

Boundary validation failure in GoBGP's BGP OPEN capability parser allows a remote peer to send a malformed OPEN message that causes concrete capability decoders to read beyond the declared CapLen field, enabling attacker-controlled bytes to be interpreted as capability values - most critically, as a 4-octet AS number that influences peer AS validation and BGP session establishment decisions. Affected is GoBGP v4 (pkg:go/github.com_osrg_gobgp_v4), with the 4-octet AS capability (code 65) identified as the highest-impact case. A parser-level proof-of-concept is publicly described in GitHub Security Advisory GHSA-gjrg-jjr3-56cm; no active exploitation has been confirmed and this CVE does not appear in the CISA KEV catalog. IMPORTANT METADATA CONFLICT: The provided intelligence tags label this as 'RCE, Buffer Overflow, Information Disclosure' - all three directly contradict the CVE description, which explicitly states the issue is not arbitrary memory corruption, remote code execution, or information disclosure; security teams must disregard those tags.

RCE Buffer Overflow Information Disclosure
NVD GitHub
MEDIUM POC PATCH This Month

Path traversal in psd-tools through v1.17.0 exposes any application processing untrusted PSD files to arbitrary file write and secondary arbitrary file read via the SmartObject API. SmartObject.save() consumes the embedded smart-object filename verbatim from the PSD binary - without basename stripping, absolute-path rejection, or directory-escape filtering - allowing a crafted PSD to write attacker-supplied bytes to any path the process can reach. A secondary issue in SmartObject.open() for external-kind objects uses the attacker-controlled fullPath descriptor as a read source, enabling file exfiltration to the write destination. A standalone proof-of-concept is publicly confirmed in the advisory; the fix is vendor-confirmed in v1.17.1 (PR #657). No public exploit identified at time of analysis beyond the advisory-embedded POC, and no CISA KEV listing was found.

Python Path Traversal Buffer Overflow +3
NVD GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Stack buffer overflow in Vim's SAL sound-folding spell engine prior to version 9.2.0725 crashes the editor by writing a null byte one position past the end of a MAXWLEN-element stack buffer in spell_soundfold_sal(). Exploitation requires a user to open Vim with a SAL-based spell file active under a non-multibyte 8-bit encoding and trigger sound-based spell suggestions on a boundary-length word, corrupting the eval_soundfold() stack frame. No public exploit has been identified at time of analysis, and the impact is limited to availability (editor crash) with no confidentiality or integrity consequences.

Memory Corruption Buffer Overflow Vim
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory exhaustion in Juniper Networks Junos OS and Junos OS Evolved snmpd allows an authenticated network attacker to crash SNMP monitoring by sending specific valid SNMPv3 queries that trigger an out-of-bounds write and progressive memory leak. The snmpd process will exhaust available memory over time, crash, and restart, rendering SNMP-based network monitoring unavailable for the duration of each crash cycle. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV; however, the CVSS 4.0 supplemental metric AU:Y indicates the attack is automatable.

Memory Corruption Juniper Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 5.7
MEDIUM This Month

Stack-based buffer overflow in the Mercusys MW302R (EU) V1 1.4.10 Build 231023 administrative web interface allows an authenticated attacker with administrative access on the same network segment to crash the device by sending a specially crafted HTTP request. The crash results from control flow being redirected to an arbitrary instruction address - a classic CWE-121 stack overflow pattern that produces denial of service. No public exploit is confirmed in CISA KEV, though a researcher GitHub gist (BarrYPL/13dcd071673866cbbfaaa05085b98cf3) appears to document the finding and may constitute a proof-of-concept write-up. EPSS probability is very low at 0.16% (6th percentile), consistent with a niche consumer router model.

Buffer Overflow Denial Of Service Stack Overflow
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Out-of-bounds write in the Juniper Networks Junos OS http-gatekeeper (http-gk) process on SRX Series firewalls crashes the process when handling crafted network requests, taking down all web-management-dependent services including J-Web, remote-access VPN, and firewall authentication until automatic process recovery. Exploitation is gated on a specific non-default configuration - remote-access VPN with pre-logon compliance check enabled - limiting the exposed population to SRX deployments that actively use this feature. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the official CVSS 5.3 score reflects the limited, reversible availability-only impact.

Memory Corruption Juniper Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial-of-service in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series routers lets an unauthenticated, Layer-2 adjacent attacker crash a line card by sending a single crafted packet within the same broadcast domain. The affected system miscalculates the packet size (CWE-1284, improper validation of specified quantity in input), which fails downstream processing and raises an MQSS major CMError that forces an automatic FPC reset, interrupting all traffic on that FPC until it recovers. Only deployments handling MAP-T or non-IP-over-IP traffic (e.g. MPLS over GRE) are exposed; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Juniper Buffer Overflow Junos Os
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the RTSP service by sending a crafted second SETUP request after a valid RTSP handshake, knocking the camera offline for every client on the network. The flaw is a stack-based buffer overflow (CWE-121) in the RTSP second-stage URL routing parser; publicly available exploit code exists via a GitHub write-up, though no active exploitation is confirmed and the CVSS availability-only impact means it is a crash, not code execution, at time of analysis.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the RTSP service of Tenda CP3 V3.0 IP cameras (firmware V31.1.9.91) allows an unauthenticated remote attacker on the local network to crash the streaming service with a single crafted SETUP request. Because the second-stage URL routing parser does not validate the URL field length, a request whose URL is exactly four repetitions of a valid RTSP URL overflows a stack buffer and terminates the RTSP process, cutting off all clients. Publicly available exploit code exists (researcher write-up on GitHub); this is not listed in CISA KEV and no active exploitation is confirmed.

Buffer Overflow Tenda Denial Of Service +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) lets an unauthenticated remote attacker crash the onboard RTSP service by sending a PLAY request whose Range header carries an over-long clock= value, triggering a stack-based buffer overflow (CWE-121). The flaw affects only availability - a successful attack knocks the camera's video streaming offline until it recovers or is restarted, with no confirmed path to code execution or data disclosure. There is a public research write-up on GitHub, but no active exploitation is recorded in CISA KEV and EPSS rates exploitation likelihood as low (0.19%, 9th percentile).

Buffer Overflow Tenda Stack Overflow
NVD GitHub
EPSS 0% CVSS 1.9
LOW Monitor

Use-after-free in Open5GS 2.7.7's AMF component allows a local low-privileged user to access freed memory within the `amf_context_final` function in `src/amf/context.c`, producing a low-severity confidentiality exposure. Exploitation is strictly local - no network vector exists - and a public proof-of-concept is confirmed by the CVSS 4.0 E:P supplemental modifier. This vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of 1.9, reflecting its constrained real-world impact on what is a niche, telecom-research-oriented software stack.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the trigger is trivial and the issue was disclosed by VulnCheck.

Buffer Overflow Information Disclosure Mongoose
NVD GitHub
MEDIUM PATCH This Month

Heap buffer overflow in pymonocypher's argon2i_32 function allows memory corruption when callers supply an undersized nb_blocks buffer, violating the library's API contract without triggering any bounds check. Applications using pymonocypher prior to version 4.0.2.8 that invoke the Argon2i password-hashing interface are at risk of heap corruption, which can produce crashes or potentially enable controlled memory writes. No public exploit code has been identified at time of analysis, and no active exploitation has been confirmed.

Heap Overflow Buffer Overflow
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM This Month

Stack buffer overflow in Vinchin Backup & Recovery through 9.0.0.86562 exposes the agentlink_server service to unauthenticated remote exploitation via the ModuleHandShake function. An attacker supplying an oversized _listen_uuid value triggers unsafe strcpy() into a fixed-length stack buffer, overwriting the saved return address and enabling process crash or control flow hijack. No public exploit or active exploitation has been confirmed at time of analysis, though the CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms the attack is network-reachable without authentication or user interaction.

Buffer Overflow Stack Overflow Backup Recovery 9 0
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Heap buffer overflow in Vinchin Backup & Recovery through version 9.0.0.86562 allows unauthenticated remote attackers to crash the agentlink_server process or corrupt heap memory without any prior access or user interaction. The agentlink_server service accepts a TCP packet body_len field without bounds validation, passing the attacker-controlled value directly to recv() and enabling heap writes of up to approximately 4 GiB beyond the allocated buffer. This vulnerability is not listed in CISA KEV and no public exploit code is confirmed at time of analysis, though the heap overflow magnitude raises concern for potential code execution beyond simple denial-of-service.

Memory Corruption Buffer Overflow Backup Recovery 9 0
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Out-of-bounds read in GPAC MP4Box version 26.03-DEV allows local low-privileged attackers to cause a low-severity availability impact by supplying a crafted input that manipulates the `num_langs` argument in the `vobsub_read_idx` function of `vobsub.c`. A proof-of-concept exploit has been publicly disclosed via GitHub issue #3611 and the CVSS 4.0 E:P modifier confirms its availability. Two upstream commits have been applied to address the flaw, though no standalone patched release version has been independently confirmed.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG up to version 0.13.4 allows local low-privileged attackers to corrupt heap memory via a specially crafted DWG file containing malicious BMP image data processed by the dwg_bmp function in src/dwg.c. A public proof-of-concept exploit (a crafted R13/R2000 .dwg file) has been disclosed on GitHub, raising the urgency for affected deployments that process untrusted DWG input. No confirmed active exploitation (CISA KEV) has been recorded, and a vendor-released patch in version 0.14 fully resolves the issue.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read and reachable assertion vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause a denial of service and limited data manipulation by supplying crafted JavaScript input. All versions prior to commit 2dee22f5c7b8bf31cb7252d7731fae8c07f2842c are affected, with the primary real-world impact being an availability loss (crash) and low-confidence integrity effect. No public exploit code or CISA KEV listing has been identified at time of analysis.

Samsung Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Heap-based buffer overflow in Samsung's open-source Escargot JavaScript engine corrupts heap memory when processing maliciously crafted input, leading to a high-severity availability impact and a limited integrity impact. The vulnerability affects all Escargot releases before commit ef525f337fafddecde77a3c426212a84bb20cb98, targeting embedded and IoT contexts where the engine is deployed - most notably Samsung TV appliances. No public exploit identified at time of analysis, and no CISA KEV listing, but the local-vector, low-complexity nature of heap overflows makes this reliably triggerable once an attacker can supply crafted input to the engine.

Heap Overflow Samsung Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Out-of-bounds read and write vulnerabilities in Samsung's open-source Escargot JavaScript engine allow a local attacker to cause memory corruption leading to high availability impact and limited integrity compromise. All Escargot versions prior to commit 779f6bedf58f334dec64b0a51ebb724b4708b84a are affected, with the engine's primary deployment in Samsung TV appliance and IoT platforms. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the CVSS-assigned high availability impact and the buffer overflow primitive make crash-based denial-of-service the primary realistic threat.

Samsung Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM This Month

Stack-based buffer overflow in Samsung's Escargot JavaScript engine enables local attackers to crash the engine or corrupt stack memory by supplying malicious JavaScript input, requiring user interaction to trigger. All Escargot releases prior to commit b30b63fc63b403907d8137da1c65aaa4521fe74e are affected, with impacts including high availability loss and limited integrity compromise. No public exploit identified at time of analysis and this vulnerability has not been added to CISA KEV, though the local-vector, user-interaction requirement meaningfully constrains real-world exploitation surface.

Buffer Overflow Samsung Stack Overflow +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in GStreamer's DTLS plugin allows a remote unauthenticated attacker to crash any application that performs a DTLS handshake (notably WebRTC/webrtcbin pipelines) by presenting a TLS certificate with an oversized Subject Distinguished Name. The Subject DN is written into a fixed 2048-byte stack buffer with no bounds checking (CWE-121), and overflowing it corrupts the stack and terminates the process. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is limited to availability (process crash), with no code execution or data exposure claimed.

Buffer Overflow Denial Of Service Stack Overflow +5
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Heap buffer overflow in GStreamer's rfbsrc (RFB/VNC source) plugin lets a malicious VNC server crash or corrupt the memory of any client that connects to it. When the server advertises a 16bpp framebuffer and sends Hextile-encoded updates, the background-fill path writes 32-bit pixels into a 16-bit buffer, producing an out-of-bounds heap write. No public exploit identified at time of analysis; the primary confirmed impact is denial of service, with potential for further memory corruption. This is a client-side flaw requiring the victim to connect to attacker-controlled infrastructure.

Memory Corruption Denial Of Service Buffer Overflow +5
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.991) allows an unauthenticated attacker on the network to crash the device by sending a specially crafted RTSP TEARDOWN request that overflows a stack buffer. Publicly available exploit code exists via a third-party GitHub write-up, though the flaw affects only availability (no data disclosure or code execution is claimed). No active exploitation has been reported in CISA KEV, and EPSS data was not provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the Tenda CP3 V3.0 IP camera (firmware V31.1.9.91) allows an unauthenticated remote attacker to crash the RTSP service by sending a crafted PLAY request that overflows a fixed-size stack buffer. The flaw is remotely reachable with no authentication or user interaction, but per the description and CVSS the impact is limited to availability loss (device crash/reboot), with no confirmed code execution. A public technical report with reproduction details exists on GitHub; the issue is not listed in CISA KEV and no EPSS score was provided.

Buffer Overflow Tenda Denial Of Service +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

CVE-2026-57157 has no published description, CVSS score, or CWE at time of analysis. The sole intelligence signal is a vendor report attributed to Ubuntu, indicating the vulnerability may affect a package in the Ubuntu ecosystem. No impact, affected versions, attack vector, or exploitation details can be determined from the available data. This analysis cannot characterize the vulnerability beyond acknowledging its existence and Ubuntu provenance.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
MEDIUM This Month

Integer overflow in the virtio-gpu driver's 2D image allocation path of the Linux kernel exposes virtualized guest systems to potential heap corruption. The flaw resides in an insufficient overflow check performed before allocating memory for a 2D image resource in the virtio-gpu paravirtualized GPU subsystem. An attacker or malicious process with access to GPU resource creation within an affected guest OS could trigger the overflow, potentially leading to out-of-bounds memory writes and kernel-level memory corruption. No public exploit or KEV listing is identified at time of analysis.

Buffer Overflow
NVD
EPSS 1% CVSS 5.1
MEDIUM PATCH This Month

Insufficient data exists to characterize CVE-2026-57158 meaningfully. The CVE description is absent, no CVSS vector or score has been published, and the only available intelligence signal is a single vendor source tag ('vendor:ubuntu'). No impact, attack vector, or affected component can be determined from the provided data. Security teams should treat this as an unresolved entry requiring direct vendor advisory lookup before any risk decision is made.

Information Disclosure Buffer Overflow Freerdp
NVD GitHub VulDB
EPSS 1% CVSS 8.6
HIGH PATCH This Week

Heap-based buffer overflow in FreeRDP (the widely used open-source RDP client library) allows a malicious or compromised RDP server to corrupt client memory and potentially achieve remote code execution in the connecting client's context. The flaw lives in the primary drawing-order parser (update_read_delta_points in libfreerdp/core/orders.c), where an inverted integer-overflow guard let an attacker-controlled point count produce an undersized heap allocation followed by an out-of-bounds write. No public exploit identified at time of analysis; the issue is fixed in FreeRDP 3.28.0 (GHSA-v5wf-j8j4-77h7).

Heap Overflow Buffer Overflow Freerdp
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's Codecs component allows a remote attacker to trigger out-of-bounds read and write operations by luring a victim to open or play a crafted video file, affecting all desktop builds prior to 150.0.7871.115. Rated High by Chromium and CVSS 8.8, it requires user interaction (viewing malicious media) but no privileges, and combines information disclosure with potential memory corruption that could lead to code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Google Buffer Overflow Information Disclosure
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)

Integer Overflow Buffer Overflow Google
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0-4.6.6 and 4.4.0-4.4.16 is caused by a heap-based buffer overflow in the Catapult DCT2000 protocol dissector, crashing the application when a crafted capture file is opened. The CVSS local attack vector (AV:L) and required user interaction (UI:R) constrain exploitation to scenarios where an analyst is socially engineered into opening a malicious capture file - no remote or unauthenticated network exploitation path exists. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; vendor-released fixes are available in 4.6.7 and 4.4.17.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The pcapng file parser in Wireshark 4.6.0 through 4.6.6 contains a heap-based buffer overflow (CWE-122) that crashes the application, resulting in denial of service. An attacker must convince a user to open a specially crafted pcapng capture file, making this a social-engineering-dependent attack with no network-facing exploitation path. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV; a vendor patch is available in Wireshark 4.6.7.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Heap-based buffer overflow in Wireshark's Z39.50 protocol dissector crashes the application when processing malformed Z39.50 PDUs, resulting in denial of service. Affected versions span the 4.4.x branch (4.4.0-4.4.16) and 4.6.x branch (4.6.0-4.6.6). An attacker can trigger the crash by persuading an analyst to open a crafted packet capture file or by injecting malicious Z39.50 traffic onto a monitored network segment; no active exploitation (CISA KEV) or public exploit code has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Wireshark's UMTS FP protocol dissector affects the 4.6.0-4.6.6 and 4.4.0-4.4.16 release branches, where a malformed UMTS Frame Protocol packet triggers a heap-based buffer overflow (CWE-122) that crashes the application. A remote attacker who can get the crafted frame parsed - via live capture on a monitored segment or a shared capture file - can reliably terminate the analyzer, with no confidentiality or integrity impact. Publicly available exploit code exists (SSVC=poc) but it is not on CISA KEV, and EPSS is low at 0.14% (4th percentile), indicating minimal observed exploitation pressure.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark's DBS Etherwatch dissector affects release branches 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a malformed capture file or crafted packet can crash the application. The flaw is a stack-based buffer overflow (CWE-121) that manifests only as an availability impact - no confidentiality or integrity loss and no confirmed code execution - carrying a 7.5 (High) CVSS. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Stack-based buffer overflow in Wireshark's IEEE 802.11 (Wi-Fi) protocol dissector crashes the application, resulting in denial of service across versions 4.6.0-4.6.6 and 4.4.0-4.4.16. An attacker with the ability to deliver a malicious packet capture file, or inject crafted 802.11 frames into a live capture session, can crash the Wireshark process on a victim analyst's machine. No public exploit code has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog; vendor-released patches (4.6.7 and 4.4.17) are available.

Buffer Overflow Denial Of Service Stack Overflow +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark 4.6.0 through 4.6.6 lets a remote attacker crash the application by feeding it a malformed TLS packet using the Encrypted Client Hello (ECH) extension, triggering a heap buffer overflow in the ECH decryptor. No authentication or user interaction beyond processing the traffic is required, though impact is limited to availability (analyzer crash) with no code execution or data disclosure claimed. Publicly available exploit code exists per SSVC (POC), EPSS is low at 0.14% (4th percentile), and it is not listed in CISA KEV.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Denial of service in Wireshark's ciscodump remote capture utility (extcap) affects versions 4.6.0 through 4.6.6 and 4.4.0 through 4.4.16, where a heap-based buffer overflow (CWE-122) can crash the capture tool. An attacker able to feed crafted data to a running ciscodump session can terminate the process, disrupting live packet capture. A POC is referenced by CISA's SSVC assessment (no public exploit code independently identified), it is not in CISA KEV, and EPSS is very low at 0.10% (1st percentile), indicating minimal likelihood of widespread exploitation.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 1% CVSS 7.2
HIGH PATCH This Week

Memory corruption in the User-ID Terminal Server Agent (TSA) of Palo Alto Networks PAN-OS lets an unauthenticated network attacker crash the service (DoS) or potentially execute arbitrary code by sending crafted traffic to the TSA listener. Multiple out-of-bounds write bugs are involved; the vendor's CVSS 4.0 vector flags the exploit as unproven (E:U), and no public exploit has been identified at time of analysis. Panorama is explicitly not affected, and exposure hinges on whether the optional TSA component is deployed and reachable.

Memory Corruption Paloalto Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Server-controlled buffer overflow in Das U-Boot (bootloader) through 2026.04-rc3 lets a malicious or compromised NFS server corrupt memory in an U-Boot client built with CONFIG_CMD_NFS. The flaw lives in nfs_readlink_reply() (net/nfs-common.c), where relative symlink targets from consecutive READLINK responses are appended to the fixed 2048-byte nfs_path_buff without cumulative length checks; two responses of ~1100 bytes each overflow it and clobber adjacent BSS state (nfs_server_ip, nfs_server_mount_port, nfs_server_port, nfs_our_port, nfs_state, rpc_id), giving control over the NFS client state machine. Reported by VulnCheck with a CVSS 4.0 base score of 8.8; there is no public exploit identified at time of analysis and it is not on CISA KEV.

Buffer Overflow U Boot
NVD VulDB
EPSS 0% CVSS 8.7
HIGH This Week

Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. No public exploit identified at time of analysis; not listed in CISA KEV.

Integer Overflow Buffer Overflow U Boot
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Out-of-bounds read in U-Boot's TCP stack (net/tcp.c, tcp_rx_state_machine()) allows remote unauthenticated attackers to corrupt bootloader TCP connection state by sending a crafted packet with deliberately mismatched IP total length and TCP data offset fields. Affected builds span U-Boot through 2026.04-rc3, but only when compiled with CONFIG_PROT_TCP - a non-default option. Impact is disruption of TCP window calculations via corruption of rmt_win_scale and rmt_timestamp variables, potentially breaking network-based boot sequences. No public exploit has been identified at time of analysis, and this vulnerability is not currently listed in CISA KEV.

Buffer Overflow Information Disclosure U Boot
NVD VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Heap buffer overflow in ImageMagick's FTXT encoder exposes systems to denial of service and potential information disclosure when processing attacker-crafted image files. All ImageMagick versions before 7.1.2-19 are affected due to missing boundary checks when parsing the ftxt:format parameter, allowing an out-of-bounds read (CWE-125) in the FTXT encoder component. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though a vendor patch is available at 7.1.2-19.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Heap-buffer-overflow read in ImageMagick's GetPixelIndex function exposes limited heap memory contents and can cause partial availability impact in affected 6.x and 7.x branches before the patched releases. The root cause is a metadata-allocation race in OpenPixelCache, which updates image channel metadata before confirming successful pixel cache memory allocation, leaving GetPixelIndex to operate on stale channel counts. Exploitation requires high privilege access and the ability to induce memory or disk allocation failures, yielding only limited confidentiality and availability impact; no public exploit code and no CISA KEV listing are associated with this CVE.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader allows a local attacker to crash the application and potentially expose adjacent memory contents by delivering a specially crafted PDF containing malicious JavaScript. The JavaScript manipulates page and document objects to desynchronize internal page-related state from the renderer's trusted page count; when the renderer subsequently accesses page objects using the stale index, it reads beyond valid memory bounds. No public exploit identified at time of analysis and no CISA KEV listing, but the broad affected version ranges across multiple major release branches (13.x, 14.x, and 2026.x) means a large proportion of unpatched Foxit deployments are exposed.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Foxit PDF Reader and PDF Editor crash with potential memory disclosure when processing maliciously crafted PDF documents containing JavaScript that causes reentrancy during page opening or form formatting. The reentrancy leaves the document object in an inconsistent state; when the application subsequently attempts to dereference stale page metadata, it reads from an invalid memory address (CWE-125 out-of-bounds read), resulting in application termination and limited memory content exposure. No public exploit code or active exploitation has been identified at time of analysis; exploitation requires a local user interaction to open a crafted PDF file.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Memory-corruption (buffer overflow) in Foxit PDF Reader and Foxit PDF Editor arises when the digital-signature plugin processes abnormally constructed signature objects: JavaScript triggers signature verification, but the plugin copies an anomalous string without validating its arguments, corrupting memory. A local victim who opens a crafted PDF is affected, and while the vendor describes the outcome as an application crash, the CVSS High confidentiality/integrity/availability impacts indicate potential for code execution. No public exploit identified at time of analysis.

Buffer Overflow Foxit Pdf Editor Foxit Pdf Reader
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Reader and PDF Editor allows a local attacker to crash the application and potentially disclose limited memory contents by delivering a specially crafted PDF containing a malformed image object. The vulnerability triggers when the renderer encounters an abnormal image object, causes it to enter an incorrect processing branch, and subsequently dereferences an invalid buffer pointer during scan line conversion. No public exploit code has been identified and no CISA KEV listing exists, but the CVSS availability impact is rated High, meaning successful exploitation reliably causes application termination.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader crashes the application and exposes limited memory contents when a victim opens a specially crafted PDF embedding a semantically malformed color space function. Affected versions span multiple branches across both Editor and Reader products, confirmed through EUVD-2026-42198. No public exploit code or active exploitation has been identified at time of analysis; however, the low attack complexity and file-based delivery mechanism make this a plausible phishing lure in targeted campaigns against organizations relying on Foxit products.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and PDF Reader during PRC (Product Representation Compact) 3D content parsing crashes the application and leaks limited memory content. Affects multiple concurrent release trains including versions 2026.1.1, 14.0.4, and 13.2.4 and earlier. Exploitation requires a victim to open a specially crafted PDF containing a malicious PRC entity - no public exploit has been identified at time of analysis.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Out-of-bounds read in Foxit PDF Editor and Foxit PDF Reader's PRC 3D file header parser crashes the application and may leak process memory when a victim opens a specially crafted PDF. Affected version ranges span Foxit PDF Reader through 2026.1.1 and multiple Foxit PDF Editor release branches through 13.2.4, 14.0.4, and 2026.1.1. No public exploit code or confirmed active exploitation has been identified at time of analysis; the CVSS availability impact is rated High due to a reliable application crash on trigger, with a minor confidentiality component from out-of-bounds memory exposure.

Buffer Overflow Information Disclosure Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Out-of-bounds memory access in Foxit PDF Editor and Foxit PDF Reader occurs when the application parses a malformed Unity 3D object embedded in a PDF, resolving attacker-influenced data as a pointer and dereferencing it as a valid address. A victim who opens a crafted PDF triggers the flaw (CVSS 7.8, UI:R), which manifests as a crash but, given the CWE-787 out-of-bounds write classification and High confidentiality/integrity/availability impact, carries potential for memory corruption and code execution in the context of the current user. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Memory Corruption Buffer Overflow Foxit Pdf Editor +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation via heap buffer overflow in the X.Org Server (versions before 21.1.24) and Xwayland (before 24.1.13) allows a local user holding an X connection to corrupt heap memory by supplying a malicious PCX font. The flaw lives in the SetFont code path, where missing glyph boundary checks let an oversized or malformed glyph write past its heap allocation, yielding full confidentiality, integrity, and availability impact (CVSS 7.8). There is no public exploit identified at time of analysis; EPSS is low at 0.28% and CISA SSVC rates exploitation as none.

Buffer Overflow Heap Overflow X Server +1
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Heap-based code execution in libXfont2 before 2.0.8 allows an authenticated X client to run arbitrary code inside the X server by supplying a malformed PCF font that trips missing glyph bounds checking in pcfReadFont(). Because X servers frequently run with elevated (often root) privileges, a successful exploit can escalate from a low-privileged client to full host compromise. No public exploit is identified at time of analysis and CISA SSVC rates current exploitation as none, but the technical impact is rated total.

Buffer Overflow Heap Overflow Libxfont
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in libXfont2 before 2.0.8 lets an authenticated X client corrupt heap memory inside the X server via a maliciously crafted PCF bitmap font. The flaw sits in ComputeScaledProperties(), where a missing bounds check on the property buffer allows a heap overflow (CWE-122) that runs in the X server's security context - typically root on traditional Linux desktops. There is no public exploit identified at time of analysis; EPSS is modest at 0.58% and CISA SSVC rates exploitation as 'none' with 'total' technical impact.

Buffer Overflow Heap Overflow Libxfont
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in the X.Org libXfont2 library (versions before 2.0.8) stems from a heap buffer overflow in the BitmapScaleBitmaps routine, where a 32-bit size calculation overflows during bitmap font scaling. Any client able to connect to the X Server and request scaled bitmap fonts can corrupt heap memory and run code within the X server's process context, which is frequently privileged. No public exploit has been identified at time of analysis and it is not listed in CISA KEV; EPSS is low at 0.37% (29th percentile), consistent with the SSVC finding of no observed exploitation despite total technical impact.

Buffer Overflow Heap Overflow Libxfont
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Session Extension information disclosure in SQLite before Fossil check-in 869a51ae84df exposes sensitive process memory when adversarially crafted changesets are processed through the changeset concat or changegroup merge code paths. A local attacker who can deliver a malicious changeset to an application using the Session Extension API can leak heap memory contents and likely crash the process, yielding both low confidentiality and high availability impact consistent with an out-of-bounds read pattern. No active exploitation has been confirmed by CISA KEV, though a researcher gist is referenced that may represent proof-of-concept material; no public exploit is independently confirmed at time of analysis.

N A Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Local arbitrary code execution affects an unspecified industrial control system (ICS) product reported through CISA ICS-CERT (advisory ICSA-26-188-06). A stack-based buffer overflow (CWE-121) lets an attacker who can supply crafted input trigger memory corruption and run arbitrary code once a local user interacts with the malicious data, fully compromising confidentiality, integrity, and availability. No public exploit identified at time of analysis and the affected vendor/product is not disclosed in the available data.

Buffer Overflow Stack Overflow RCE
NVD VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary code execution in an unnamed ICS/OT application arises from a use-after-free (CWE-416) triggered when the software parses a specially crafted file, letting an attacker run code in the context of the current process. The flaw was reported through CISA's ICS-CERT (advisory ICSA-26-188-06) and carries a CVSS 4.0 base score of 8.4; exploitation is local and requires a user to open the malicious file. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV.

Memory Corruption Buffer Overflow Use After Free +1
NVD VulDB
EPSS 0% CVSS 8.4
HIGH Act Now

Arbitrary code execution via an out-of-bounds write (CWE-787) affects an industrial control system product covered by CISA ICS advisory ICSA-26-188-06, where an attacker can corrupt memory past an allocated buffer to run code in the context of the affected application. The CVSS 4.0 vector (AV:L/UI:A) indicates the flaw is triggered locally and requires a victim to actively interact - consistent with opening a malicious file or project in engineering/HMI software. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the high-impact memory corruption and DHS ICS-CERT reporting warrant prompt patching in OT environments.

Memory Corruption Buffer Overflow RCE
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Out-of-bounds read in the Perl DBI module's preparse() SQL-normalisation routine allows an attacker who controls SQL passed to the method (where the statement begins with a comment line) to trigger a one-byte read past a buffer, in all DBI releases before 1.650. On memory-hardened builds this faults and crashes the process (availability impact); on normal builds it produces nondeterministic newline retention. This is a CWE-125 flaw reported by CPANSec with no public exploit identified at time of analysis; EPSS is low at 0.19% (8th percentile) and it is not in CISA KEV.

Buffer Overflow Information Disclosure Dbi
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Heap out-of-bounds write in the Perl DBI database-interface module before version 1.650 occurs when DBI preparses a SQL statement containing an extreme number of placeholders. This is a regression: the fix for CVE-2026-10879 under-allocated the placeholder buffer and could not accommodate roughly 1.2 million placeholders, so DBI 1.650 now enforces a hard cap of 99,999 placeholders. Reported by CPANSec with a vendor patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.19%, 8th percentile).

Memory Corruption Buffer Overflow Dbi
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.

Integer Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Heap buffer overflow in GNU Wget through 1.25.0 allows network-positioned attackers to corrupt heap memory by serving a maliciously crafted filename that triggers a flawed iconv E2BIG reallocation path in convert_fname() within src/url.c. The miscalculated remaining-space offset during reallocation writes beyond the allocated heap region, producing a high-availability impact (process crash) and limited integrity exposure. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; however, the fix is confirmed via upstream commit c2640fe on the official GNU Wget GitLab repository.

Heap Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.

Integer Overflow Buffer Overflow Wget
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in GNU Wget through 1.25.0 lets a malicious or compromised HTTP(S) server crash the client by serving a Metalink document whose URL element contains only whitespace, causing clean_metalink_string() in src/metalink.c to decrement a pointer past the start of the heap buffer. The out-of-bounds read (CWE-125) produces abnormal program behavior and is reported by VulnCheck; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The fix landed upstream in GitLab commit 37a40fc.

Buffer Overflow Information Disclosure Wget
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Heap-buffer-overflow in 389 Directory Server's DN normalization routine allows an unauthenticated remote attacker to corrupt heap memory and likely crash the LDAP service. The flaw triggers when the server processes an LDAP operation - such as a search request - whose base DN contains a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), causing an out-of-bounds write during RDN attribute-value pair sorting. Per the confirmed CVSS vector (PR:N), no authentication is required; no public exploit code or CISA KEV listing has been identified at time of analysis.

Heap Overflow Denial Of Service Buffer Overflow +10
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LDAP client to crash the server by sending an oversized UNBIND packet over a SASL integrity-protected connection. The oversized data overflows a fixed 512-byte heap receive buffer in sasl_io_recv() (sasl_io.c), and in FreeIPA / Red Hat IdM any domain user, enrolled host, or service account with a valid Kerberos ticket can trigger it after GSSAPI authentication. There is no public exploit identified at time of analysis, and this flaw is distinct from the earlier CVE-2025-14905 schema.c overflow, which did not fix this code path.

Heap Overflow Denial Of Service Buffer Overflow +10
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in read_RLE_channel(), producing an undersized heap allocation for the RLE row-length table that is then overwritten row-by-row, potentially yielding denial of service or arbitrary code execution. The flaw affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9 and is triggered when a victim opens or imports a crafted PSD file. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Integer Overflow Denial Of Service Buffer Overflow +5
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Out-of-bounds read in FreeType 2.14.3 exposes partial heap memory and risks process crashes when processing crafted variable fonts via the TT_Get_Var_Design code path. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects server-side or automated font processing pipelines where untrusted font data reaches FT_Get_Var_Design_Coordinates without authentication barriers. No active exploitation is confirmed in CISA KEV; however, a researcher-published gist suggests working proof-of-concept material exists, and EPSS at 0.17% (7th percentile) indicates minimal observed exploitation activity to date.

Buffer Overflow Information Disclosure N A
NVD GitHub
EPSS 0% CVSS 7.0
HIGH This Week

Local privilege escalation via memory corruption in Qualcomm Snapdragon platforms occurs when asynchronous input parameters are validated and then re-read after modification, a time-of-check/time-of-use race that yields total compromise of confidentiality, integrity, and availability. Affecting a broad range of Snapdragon connectivity, WCD codec, WSA, and compute SoCs, a local low-privileged attacker who can win the race can corrupt memory and gain elevated code execution. No public exploit has been identified at time of analysis and EPSS is negligible (0.09%), but the CVSS 7.0 and 'total' SSVC technical impact make it a meaningful firmware/driver patch target.

Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Local privilege escalation and memory corruption in Qualcomm Snapdragon WLAN firmware occurs when the driver parses malformed HT40 (40 MHz channel-bonding) layouts during dynamic channel switching, allowing a low-privileged local process to trigger a stack-based buffer overflow (CWE-121) that crosses a trust boundary (CVSS scope changed). Disclosed in the July 2026 Qualcomm security bulletin, it carries a CVSS 8.8 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Buffer Overflow Stack Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Memory corruption in Qualcomm Snapdragon firmware triggers an out-of-bounds write (CWE-787) when prepared commands are updated using invalid port indices supplied from user space that exceed supported read client limits. The vulnerability spans an exceptionally broad portfolio of Snapdragon chipsets covering mobile, automotive, XR/AR, and connectivity platforms. No public exploit has been identified at time of analysis, and CISA SSVC assessment rates exploitation as none and the flaw as non-automatable, though the changed scope (S:C) in the CVSS vector indicates impact can propagate beyond the directly vulnerable firmware component.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via memory corruption affects Qualcomm Snapdragon platforms, where allocating memory with sizes exceeding the maximum allowed value corrupts adjacent memory (CWE-126, buffer over-read/overflow). A local attacker with low privileges (PR:L) and no user interaction can compromise confidentiality, integrity, and availability (all High), scoring CVSS 7.8. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Buffer Overflow Snapdragon
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Memory corruption in Qualcomm Snapdragon silicon allows a local low-privileged attacker to trigger an out-of-bounds write (CWE-787) by submitting input with a buffer plane count or batch size exceeding the maximum allowed value. The scope change in the CVSS vector (S:C) indicates the corruption can escape the vulnerable component's security boundary, yielding partial confidentiality, integrity, and availability impact on an adjacent system component. No public exploit or active exploitation has been identified at time of analysis; SSVC confirms no known exploitation and non-automatable attack conditions.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Out-of-bounds write in Qualcomm Snapdragon's flash command handler allows a local low-privileged attacker to corrupt memory by exploiting a race condition between userspace LED count modifications and kernel-side flash command processing. The CVSS scope change (S:C) indicates the corruption can reach components beyond the immediately vulnerable driver - raising the potential for privilege escalation on affected Snapdragon-based devices. No public exploit code or active exploitation has been identified at time of analysis.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Out-of-bounds write in Qualcomm Snapdragon's JPEG command parser exposes local low-privilege users to memory corruption via crafted JPEG input. Validation checks within the parser fail to account for extra buffer writes, overwriting adjacent memory and enabling a scope change beyond the vulnerable component's boundary - consistent with Snapdragon's isolated subsystem architecture (DSP, camera ISP). Qualcomm disclosed this in its July 2026 Security Bulletin; no public exploit identified at time of analysis.

Memory Corruption Buffer Overflow Snapdragon
NVD VulDB
EPSS 0% CVSS 7.3
HIGH This Week

Local privilege escalation and memory corruption in Qualcomm Snapdragon chipset drivers allows a malicious application to trigger a use-after-free by issuing multiple IOCTL calls that reference the same buffer file descriptor. The flaw affects a broad range of Snapdragon mobile, compute, connectivity (FastConnect/WCN/WCD/WSA) and XR platforms, and successful exploitation can corrupt kernel memory to gain high impact on confidentiality, integrity and availability. There is no public exploit identified at time of analysis, EPSS risk is very low (0.09%), and CISA SSVC rates exploitation as none.

Memory Corruption Buffer Overflow Use After Free +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Use-after-free memory corruption in Qualcomm Snapdragon platform driver code allows a local low-privileged process to trigger access of already-freed memory by issuing multiple IOCTL calls that reference the same buffer file descriptor. A successful attacker gains full compromise of confidentiality, integrity, and availability on the affected device, which in practice can mean kernel-level code execution or privilege escalation from an unprivileged app. There is no public exploit identified at time of analysis, EPSS is negligible (0.09%, 1st percentile), and CISA SSVC records no known exploitation.

Memory Corruption Buffer Overflow Use After Free +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Local privilege escalation via memory corruption affects a broad range of Qualcomm Snapdragon chipsets, where a use-after-free condition in the device driver's input/output control (ioctl) path for mapping and unmapping persistent memory buffers can be triggered by an authenticated local application. Improper synchronization on these operations lets a low-privileged process corrupt kernel memory to gain full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is very low (0.09%), consistent with CISA SSVC scoring exploitation as none.

Memory Corruption Buffer Overflow Use After Free +1
NVD
EPSS 0% CVSS 3.8
LOW PATCH Monitor

Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.

Integer Overflow Linux Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 3.3
LOW PATCH Monitor

Stack exhaustion via unbounded recursion in the OP-TEE PKCS#11 Trusted Application allows a local low-privileged user to crash the TA, causing a denial of service within the TrustZone secure world. Affected versions span 3.10.0 through 4.10.x of optee_os running on Arm Cortex-A platforms with TrustZone enabled. No active exploitation has been identified; this is a DoS-only issue with no confidentiality or integrity impact, and a patched release (4.11.0) is available.

Linux Buffer Overflow Stack Overflow +1
NVD GitHub VulDB
Prev Page 5 of 402 Next

Quick Facts

Typical Severity
HIGH
Category
memory
Total CVEs
36132

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy