Skip to main content

Buffer Overflow

memory HIGH

A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.

How It Works

A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.

Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.

Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.

Impact

  • Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
  • Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
  • Denial of service — crashes and memory corruption that render systems unusable
  • Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
  • Authentication bypass — overwriting security-critical variables like permission flags or user IDs

Real-World Examples

Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.

The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.

OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.

Mitigation

  • Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
  • Stack canaries — random values placed before return addresses that detect corruption before control transfer
  • Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
  • Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
  • Bounds checking — validate input sizes before copying, use safe functions like strncpy instead of strcpy
  • Fuzzing and static analysis — automated testing to discover overflows before deployment

Recent CVEs (36131)

EPSS 1% CVSS 9.3
CRITICAL Act Now

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reach the built-in HTTP administration port (default TCP 80) to overflow a fixed 1000-byte global buffer and corrupt adjacent .bss globals, leading to arbitrary code execution on the host. The flaw lives in wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c, where the request URI is copied via unchecked sprintf before any authentication check runs. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 combined with pre-auth network reachability makes this a high-priority issue.

Memory Corruption Buffer Overflow RCE +1
NVD GitHub VulDB
EPSS 1% CVSS 8.7
HIGH This Week

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB failure-response parser: a malicious or man-in-the-middle VNC server can send a reasonLen of 0xFFFFFFFF that wraps to 0 during buffer sizing, then stream 4 GiB into a 256-byte heap allocation. The flaw is reachable pre-authentication through connection-failure and auth-failure messages, so merely connecting a viewer to an attacker-controlled endpoint can corrupt the heap and potentially execute code as the user running the viewer. No public exploit identified at time of analysis, though the researcher confirmed a reliable heap-buffer-overflow write with AddressSanitizer.

Integer Overflow Buffer Overflow RCE +1
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in the RFB ServerInit message handler, where a malicious VNC server advertising a desktop name of exactly 2024 bytes forces ReadString to write a NUL terminator at _dn[2024], one byte past a 2024-byte stack buffer. A rogue or compromised server can crash victims who connect to it (reliable process termination on /GS-hardened builds) and potentially corrupt adjacent stack data on canary-less release builds. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; exploitation requires the victim to initiate a connection to the attacker-controlled server.

Denial Of Service Buffer Overflow Ultravnc
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrupt stack memory via the web GUI allow/deny rule parser, ultimately achieving code execution on the repeater host. The flaw (CWE-787, out-of-bounds write) is reachable only after admin login, but that barrier is significantly weakened when chained with CVE-2026-7839 (default password), which can hand an attacker the required credentials. There is no public exploit identified at time of analysis and no EPSS/KEV data supplied, so this is currently a credentialed, chainable RCE rather than a confirmed mass-exploited threat.

Memory Corruption Buffer Overflow RCE +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging function win_log(), where a malloc size calculation wraps around on 32-bit builds when processing oversized URIs, producing an undersized heap allocation followed by an unchecked strcpy. Remote unauthenticated attackers can trigger this path by sending a maximally-sized URI to the repeater HTTP port, with practical impact bounded by the 153,600-byte HTTP receive buffer and currently assessed at availability disruption rather than reliable code execution. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.

Integer Overflow Buffer Overflow Ultravnc
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the VNC server process or leak adjacent memory content via the vncWc2Mb() wide-string conversion helper in rfb/dh.cpp at line 204. The flaw is triggered when wcslen() is called on a caller-supplied WCHAR pointer without a preceding bounds check, enabling memory over-reads if the buffer lacks proper NUL termination. No public exploit code or active exploitation has been identified at time of analysis; the vendor's CVSS 4.3 (Medium) rating reflects the constrained and largely denial-of-service-oriented impact.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 3.7
LOW Monitor

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authentication Base64 decoder, where a strict greater-than comparison at `repeater/webgui/webutils.c:817` fails to block an input whose length exactly equals the 1024-byte output buffer. Under current code, the outer HTTP request parser incidentally caps Authorization header length before the defect can produce an out-of-bounds write, making this vulnerability practically unexploitable in its present form - but the flaw is real and would become a one-byte stack write if upstream buffering constraints change. No public exploit code exists and the vulnerability is not listed in CISA KEV; this is a latent memory-safety defect requiring patch application as hygiene rather than urgent incident response.

Buffer Overflow Ultravnc
NVD GitHub
EPSS 0% CVSS 6.7
MEDIUM This Month

Heap buffer overflow in the Telephony subsystem of MediaTek chipsets enables local privilege escalation on affected Android devices, delivering full confidentiality, integrity, and availability impact. Twenty-two specific MediaTek SoC variants are confirmed affected, spanning the MT6xxx and MT8xxx mid-range and budget families. No public exploit has been identified at time of analysis; MediaTek has issued patch ALPS11006447 via their July 2026 security bulletin, but exploitation requires a pre-existing System-level privilege on the device, making this a chaining vulnerability rather than a standalone entry vector.

Privilege Escalation Heap Overflow Buffer Overflow +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Out-of-bounds write in MediaTek modem firmware allows a network-adjacent attacker controlling a rogue cellular base station to remotely crash affected User Equipment (UE), resulting in denial of service. Thirty-three distinct MediaTek chipsets - spanning flagship mobile SoCs (MT6991, MT6989, MT6985) to tablet and IoT chipsets (MT8795T, MT8893) - contain the vulnerable modem component identified under Patch IDs MOLY01267281 and MOLY01318201. No public exploit code has been identified at time of analysis, and the attack is non-trivial due to the requirement for attacker-controlled cellular infrastructure, but the sheer deployment scale of affected chipsets across Android devices makes the aggregate exposure significant.

Memory Corruption Denial Of Service Buffer Overflow +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Remote privilege escalation in the baseband modem firmware of dozens of MediaTek chipsets allows an attacker operating a rogue base station to corrupt modem memory via a missing bounds check (out-of-bounds write, CWE-787). Once a target UE camps on the attacker-controlled cell, exploitation requires no user interaction and no pre-existing privileges, potentially yielding privilege escalation within the modem subsystem. Tracked in MediaTek's July 2026 Product Security Bulletin (Patch ID MOLY01402160); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Memory Corruption Privilege Escalation Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Out-of-bounds heap write in the RAR5 recovery-volume (.rev) parser of WinRAR, RAR, UnRAR, and unrar.dll (versions before 7.23) lets an attacker corrupt heap memory when a victim runs a recovery, test, or repair operation on a crafted multi-file .rev set. Because subsequent .rev files supply a RecNum value validated only against their own TotalCount and never against the actual RecItems allocation, an attacker-controlled 32-bit value can be written far past the buffer, enabling memory corruption and potential code execution. There is no public exploit identified at time of analysis, but this is the RAR5-path sibling of the previously exploited CVE-2023-40477, and CWE-787 flaws in WinRAR have historically led to reliable RCE.

Memory Corruption Buffer Overflow Winrar +3
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

An access violation in the BaseSplitterFile::Read function of Aleksoid1978 MPC-BE before commit 4341cb3 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.

Denial Of Service N A Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Buffer Overflow vulnerability in UTT nv518G nv518GV3v3.2.7-210919-161313 allows a remote attacker to cause a denial of service via the gohead/sub_425994 component

Denial Of Service Buffer Overflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) allows a remote attacker to crash the device by triggering a buffer overflow in the gohead/sub_447CAC web-server routine. Publicly available exploit code exists (referenced GitHub CVEreport analysis) but it is not listed in CISA KEV; EPSS is low at 0.22% (13th percentile), indicating no observed widespread exploitation. Note a data conflict: the description and tags describe a DoS, yet the supplied CVSS vector encodes a confidentiality impact (C:H/A:N) rather than availability.

Denial Of Service Buffer Overflow
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's ANGLE graphics layer (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the renderer sandbox via a crafted HTML page. The flaw is a CWE-787 out-of-bounds read and write; Google's own Chromium team rated the security severity as Low, and there is no public exploit identified at time of analysis. EPSS estimates only a 0.17% (7th percentile) chance of exploitation, and the vulnerability is not listed in CISA KEV.

Memory Corruption Buffer Overflow Google +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds memory read in the CameraCapture component of Google Chrome on ChromeOS (versions prior to 150.0.7871.47) lets a remote attacker leak adjacent process memory when a victim opens a crafted HTML page. No public exploit identified at time of analysis, and EPSS is low (0.17%), but the flaw is marked automatable by CISA SSVC. Note a signal conflict: the NVD CVSS is 8.1 (high) while Google rates the Chromium security severity as Low.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap corruption in Google Chrome's WebNN (Web Neural Network API) implementation on Windows, fixed in 150.0.7871.47, lets an attacker who has already compromised the renderer process trigger a heap buffer overflow via a crafted HTML page and potentially escalate beyond the sandbox. Chromium's own security team rated this Low severity, while NVD scores it 8.8; EPSS is low at 0.19% (9th percentile) and there is no public exploit identified at time of analysis. It is not listed in CISA KEV and SSVC records exploitation status as none.

Buffer Overflow Microsoft Google +1
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Chromecast component allows a local attacker to leak sensitive contents from the browser's process memory by delivering malicious network traffic to the affected subsystem. Affected versions are all Chrome releases prior to 150.0.7871.47 on desktop platforms. No public exploit code or CISA KEV listing is identified at time of analysis, and Google's own severity rating is Low, though the CVSS confidentiality impact is scored High due to potential direct process memory exposure.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds memory read in the SurfaceCapture component of Google Chrome before 150.0.7871.47 lets a remote attacker leak adjacent heap memory when a victim opens a crafted HTML page. Chromium rated the flaw Medium severity, though the associated CVSS is 8.1; there is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.17% (7th percentile), consistent with a browser bug fixed pre-disclosure. Successful exploitation could disclose sensitive in-process data or crash the renderer, and typically serves as one link in a larger sandbox-escape chain rather than standalone compromise.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

Sandbox escape in Google Chrome prior to 150.0.7871.47 exploits a heap-based buffer overflow (CWE-122) in the Storage component, enabling an attacker who has already compromised the renderer process to break out of Chrome's sandbox via a crafted HTML page. This is a chained, second-stage vulnerability - renderer compromise through a separate flaw is a hard prerequisite, making standalone exploitation infeasible. EPSS sits at 0.21% (11th percentile), there is no CISA KEV listing, and no public exploit code has been identified at time of analysis; a vendor patch is confirmed available as Chrome 150.0.7871.47.

Heap Overflow Buffer Overflow Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in ANGLE, Chrome's cross-platform graphics abstraction engine, enables sensitive process memory disclosure on macOS for attackers who have already compromised the renderer process. Affected versions are Google Chrome prior to 150.0.7871.47 on Mac; Windows and Linux are not listed as affected. This flaw is a second-stage technique in a multi-vulnerability chain - not a standalone entry point - and no public exploit code or CISA KEV listing has been identified, placing real-world exploitation risk substantially below what the C:H confidentiality impact alone might imply.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Integer overflow in Safe Browsing in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker to bypass navigation restrictions via a malicious file. (Chromium security severity: Medium)

Buffer Overflow Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's V8 JavaScript engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. Exploitation requires user interaction (visiting a malicious page) but no authentication, and the flaw carries a CVSS 8.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and EPSS is low (0.30%, 22nd percentile), indicating no evidence of widespread exploitation despite the high CVSS.

Memory Corruption RCE Buffer Overflow +2
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Integer overflow in Fonts in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Medium)

Buffer Overflow Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome's Codecs component (prior to 150.0.7871.47) enables remote attackers to leak sensitive data from renderer process memory by delivering a crafted HTML page. The CVSS C:H rating reflects meaningful exposure of in-process data such as session tokens or credentials, though Chromium's own team assessed this as Medium severity, and the sandbox boundary (S:U) limits blast radius to the renderer. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Out-of-bounds read in the Chromecast component of Google Chrome prior to 150.0.7871.47 enables a remote attacker, who has already achieved renderer process compromise, to exfiltrate potentially sensitive data from process memory via a crafted HTML page. This is a second-stage, chained vulnerability - it cannot be exploited in isolation and requires a prior renderer compromise as a prerequisite. Google has released a patch in Chrome 150.0.7871.47; no public exploit code or CISA KEV listing has been identified at time of analysis.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Heap-based integer overflow in Google Chrome's Chromecast component allows an adjacent-network attacker to achieve arbitrary code execution against browsers running versions prior to 150.0.7871.47. The flaw is reachable via crafted malicious network traffic and carries a high CVSS of 8.8; Google has shipped a stable-channel fix, and no public exploit has been identified at time of analysis. Chromium rates the underlying issue as Medium severity despite the high CVSS, reflecting the adjacency and interaction constraints.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Layout engine prior to 150.0.7871.47 allows remote attackers to leak potentially sensitive data from the renderer process memory by serving a crafted HTML page. User interaction is required - the victim must visit the malicious page - limiting automated mass exploitation. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact, placing real-world urgency below what the CVSS 6.5 score alone might suggest.

Memory Corruption Buffer Overflow Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. SSVC assessment rates exploitation as none and the attack non-automatable, and no public exploit has been identified at time of analysis; Google has released a patched build at 150.0.7871.47.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Heap Overflow Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds read/write (use-after-free) in Google Chrome's GPU component lets a remote attacker who has already compromised the renderer process run arbitrary code - though still confined inside the sandbox - by serving a crafted HTML page to a Chrome build prior to 150.0.7871.47. Google rates the Chromium severity High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and EPSS puts near-term exploitation probability at just 0.26%.

Memory Corruption Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out of bounds read in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 stems from a heap buffer overflow in the Chromecast component, letting an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6, but it is a second-stage bug requiring prior renderer control, and there is no public exploit identified at time of analysis (SSVC exploitation: none, EPSS 0.22%). No CISA KEV listing exists, indicating no confirmed active exploitation.

Heap Overflow Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Chromecast component before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to the more privileged browser process. Google rates the Chromium severity High and the CVSS is 9.6 due to the scope change; however, EPSS is only 0.21% (11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in the msgpack-python serialization library (versions prior to 1.2.1) lets remote attackers crash a process via an out-of-bounds read when an application reuses an Unpacker instance after a previously raised error was caught. Sending malformed MessagePack data that triggers an error, then feeding further data to the same Unpacker, can drive the process to a SEGV. No public exploit has been identified at time of analysis, and EPSS data was not provided, but the CVSS 3.1 score of 7.5 (availability-only) reflects a straightforward, unauthenticated crash condition.

Memory Corruption Python Use After Free +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3v3.2.7-210919-161313) lets a remote, unauthenticated attacker crash the device by triggering a buffer overflow in the gohead web-service function sub_416f28 (FUN_00416f28). Publicly available exploit code exists (referenced PoC on GitHub), though the flaw is not listed in CISA KEV and EPSS scores it at just 0.22% (13th percentile), indicating low observed exploitation activity. Impact is limited to availability - no code execution or data exposure is claimed in the source data.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Heap buffer out-of-bounds read in ImageMagick before 7.1.2-19 via off-by-one error in morphology validation allows local attackers with user interaction to trigger denial of service. The vulnerability stems from incorrect morphology parameters causing single pixel memory access violations within heap buffers, potentially leading to application crashes or information disclosure through controlled reads of adjacent heap memory.

Buffer Overflow Information Disclosure Imagemagick
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW Monitor

Heap buffer overflow in the Ruby JSON gem's streaming generator (versions 2.9.0-2.19.8) enables reliable process crash via attacker-controlled serialized data. When applications invoke `JSON.dump(obj, io)` or `JSON::State#generate(obj, io)` to stream JSON to an IO object, the C-level generator can write past its internal buffer if the serialized object contains a string near 16 KB in size. Impact is confined to denial of service - reliable process termination - with no evidence of confidentiality or integrity impact. No public exploit code and no CISA KEV listing are identified at time of analysis; the CVSS score of 3.7 (Low) appropriately reflects the constrained attack conditions.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Use-after-free in Zephyr's asynchronous SNTP client (sntp_close_async, v4.2.0-v4.4.0) can be triggered remotely by any network peer or off-path attacker capable of dropping or delaying UDP NTP responses, exploiting a race between the system workqueue thread and the socket-service poll thread. The most probable outcome is a crash of the networking subsystem thread (denial of service); where the freed net_context pool slot is rapidly reallocated, memory corruption is possible. The vulnerability is on the normal SNTP timeout path, making it reliably and periodically triggerable when NET_CONFIG_SNTP_INIT_RESYNC is enabled. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Memory Corruption Buffer Overflow Denial Of Service +2
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out-of-bounds read in the Zephyr RTOS Bluetooth controller's ISO Adaptation Layer (isoal.c) lets an adjacent attacker leak controller memory to the HCI host and potentially crash the device. A malicious CIS peer or a broadcaster the device is BIS-synced to sends a framed ISO PDU whose start-segment length field is 0-2, causing a uint8_t underflow (len-3 → 253-255) that copies up to ~255 bytes past the received PDU into an HCI ISO packet. Publicly available exploit code exists (SSVC: poc); it is not listed in CISA KEV, and EPSS is low at 0.17%, indicating no evidence of widespread active exploitation.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Out-of-bounds read in the Zephyr RTOS DNS resolver (subsys/net/lib/dns) lets a malicious, spoofed, or on-path DNS server - or any LAN node when mDNS/LLMNR is enabled - return crafted truncated TXT or SRV records that leak residual receive-pool memory to the application, and in some configurations crash the device. It affects Zephyr v4.3.0 and v4.4.0; the SSVC framework records a proof-of-concept, so publicly available exploit code exists, though EPSS is low (0.20%, 10th percentile) and there is no public evidence of active exploitation. The disclosed data is bounded (~64 bytes for TXT, ~6 for SRV) and read-only, but can expose stale contents of prior DNS packets.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Memory-corruption weaknesses in Mozilla Firefox 152.0.3 could allow remote attackers to potentially execute arbitrary code within the browser process. Mozilla graded the collected memory-safety bugs as critical (MFSA2026-62) and states some showed evidence of memory corruption that, with sufficient effort, could be exploited for code execution; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile). The issue is resolved in Firefox 152.0.4.

Memory Corruption Mozilla Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Denial of service in Citrix NetScaler ADC and NetScaler Gateway stems from multiple memory overflow conditions that produce unpredictable or erroneous behavior when the appliance is configured for specific DNS or load-balancing roles. Remote unauthenticated attackers can send crafted traffic to a vulnerable appliance to crash or destabilize it, with the CVSS 4.0 score of 8.8 driven primarily by high availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Citrix Oracle Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Denial of service and memory corruption in Citrix NetScaler ADC and NetScaler Gateway allows remote unauthenticated attackers to trigger unpredictable or erroneous appliance behavior when the device is deployed as a Gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with no authentication, and the high confidentiality impact suggests memory contents may be exposed alongside the DoS condition. There is no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Citrix Denial Of Service Buffer Overflow +2
NVD VulDB
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Memory overread in Citrix NetScaler ADC and NetScaler Gateway lets remote attackers read out-of-bounds memory when the appliance is configured as a SAML identity provider (IDP), enabling disclosure of sensitive in-memory data such as tokens, session material, or other process memory. The CVSS 4.0 score of 8.8 reflects network-reachable, unauthenticated exploitation (PR:N) with high confidentiality and availability impact; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. The flaw belongs to the same class of NetScaler appliance vulnerabilities (e.g., Citrix Bleed-style memory disclosure) that have historically drawn aggressive exploitation, making prompt patching advisable.

Citrix Information Disclosure Buffer Overflow +2
NVD VulDB GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in hostapd 2.11 through pre-2.12 development snapshots (built with CONFIG_IEEE80211BE) lets an unauthenticated attacker within wireless range crash the access-point daemon by sending a crafted Wi-Fi 7 (802.11be) Multi-Link association request. A malformed Multi-Link Element or Per-STA Profile subelement supplies a link_id of 15 that overruns the 15-entry (0-14) links[] array, causing an out-of-bounds write before the 4-way handshake. No public exploit identified at time of analysis; EPSS is low (0.29%, 20th percentile) and CISA SSVC rates exploitation as none.

Denial Of Service Buffer Overflow Hostapd
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Denial of service in GNOME GLib (versions before 2.88.1) arises when g_dbus_node_info_new_for_xml() parses malformed D-Bus introspection XML that nests a <node> element inside <method>, <signal>, <property>, or <arg>. This state-confusion bug triggers an unsigned integer underflow/overflow (CWE-191) and a subsequent out-of-bounds read, crashing any application or service that parses attacker-influenced introspection data. No public exploit identified at time of analysis, EPSS is low (0.34%), and CISA SSVC rates exploitation as none with only partial technical impact.

Integer Overflow Denial Of Service Buffer Overflow +2
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Buffer over-read in GLib's giochannel line-reading code (g_io_channel_read_line_backend) affects the GNOME GLib library prior to version 2.88.1, where an application that configures a multi-byte custom line terminator triggers memcmp to read past the end of the internal GString buffer. Depending on memory layout, this leaks up to 7 bytes of adjacent heap memory (minor information disclosure) or crashes the process when the over-read crosses an unmapped page boundary (denial of service). There is no public exploit identified at time of analysis, EPSS is low (0.27%), and CISA SSVC rates exploitation as none.

Denial Of Service Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Buffer over-read in GNOME GLib's g_regex_replace() lets remote attackers leak 1-5 adjacent bytes of process memory and crash applications when regex replacement is performed with the G_REGEX_RAW compile flag combined with case-change replacement escapes. The internal string_append helper applies UTF-8 aware routines to matched substrings even though G_REGEX_RAW treats the buffer as raw bytes, reading past the intended boundary. There is no public exploit identified at time of analysis and EPSS is low (0.26%, 18th percentile), but the flaw is broadly reachable because GLib underpins the GNOME stack and ships across Red Hat Enterprise Linux 6-10.

Denial Of Service Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds read of two bytes in GLib's g_date_time_get_ymd() (glib/gdatetime.c) lets attackers corrupt date output and trigger logic errors that may cause denial of service when an application processes an invalid GDateTime produced by g_date_time_add_full(). It affects the GNOME GLib core utility library shipped across Red Hat Enterprise Linux 6 through 10, with fixes in GLib 2.88.1 and 2.86.5. There is publicly available exploit code exists per SSVC (proof-of-concept), no confirmed active exploitation, and EPSS is low at 0.27% (19th percentile).

Denial Of Service Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Out-of-bounds read in GNOME GLib's GVariant serialiser allows remote attackers to leak a single byte of adjacent memory and to crash applications that deserialise untrusted GVariant data. The flaw sits in gvs_tuple_is_normal() in glib/gvariant-serialiser.c, where an alignment-padding bounds check uses '>' instead of '>=', reading one byte past the buffer; when that byte falls across a page boundary the process faults, producing a denial of service. No public exploit identified at time of analysis, and EPSS is low (0.26%), but GLib's near-universal presence on Linux systems makes the exposure broad.

Denial Of Service Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Memory overread in Citrix NetScaler ADC and NetScaler Gateway exposes low-confidence partial memory contents to unauthenticated remote attackers when TCP TimeStamp processing is triggered against a misconfigured or specifically configured TCP Profile. The vulnerability is rooted in insufficient input validation (CWE-125) within the TCP TimeStamp handling code path, affecting virtual servers of type Load Balancer, Content Switching, and VPN, as well as configured services. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog at time of analysis, though the network-accessible, zero-privilege attack vector warrants prompt patching given NetScaler's broad enterprise deployment.

Citrix Buffer Overflow Information Disclosure +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

Denial of service in the UTT nv518G gateway/router (firmware nv518GV3 v3.2.7-210919-161313) allows a remote, unauthenticated attacker to crash the device by triggering a buffer overflow in the gohead web-service handler at function sub_472f08 (FUN_00472f08). The CVSS 3.1 score of 7.5 reflects availability-only impact (A:H, C:N/I:N) over the network with no privileges or user interaction. EPSS is low (0.22%, 13th percentile) and the CVE is not in CISA KEV; a third-party technical write-up exists on GitHub, but no active exploitation is confirmed.

Denial Of Service Buffer Overflow N A
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

USB CDC-NCM network driver in Zephyr RTOS through v4.4.0 permanently deadlocks the shared network egress thread when a USB bus suspend coincides with outbound device traffic, requiring a reboot to recover. The defect in `cdc_ncm_send()` ignores the return value of `usbd_ep_enqueue()` and unconditionally blocks on a completion semaphore that only the (never-fired) bulk-IN ISR can signal - halting not just CDC-NCM traffic but all egress on other interfaces sharing the TX thread. No public exploit code or active exploitation has been identified; the trigger is routine USB host power management, making this an availability risk for any embedded Zephyr device using USB virtual Ethernet.

Buffer Overflow Information Disclosure Zephyr
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory corruption (CWE-119) in Apple Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected across Safari, iOS 26, iPadOS 26, and macOS Tahoe - all versions prior to 26.5.2. An unauthenticated remote attacker can trigger a denial-of-service against any user who visits a hostile page, though no code execution is indicated by current data. No public exploit code and no CISA KEV listing are identified at time of analysis; exploitation probability (EPSS) was not provided in source data.

Apple Buffer Overflow Ios And Ipados
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Processing maliciously crafted web content in Apple Safari, iOS/iPadOS, and macOS Tahoe (all versions prior to 26.5.2) triggers an improper memory handling flaw (CWE-119 buffer overflow) in the web content processing pipeline, resulting in an unexpected process crash. The attack vector is network-based requiring user interaction (UI:R per CVSS), and impact is confined to availability - no confidentiality or integrity compromise is described. No public exploit code has been identified at time of analysis, and this vulnerability does not appear in the CISA KEV catalog.

Apple Buffer Overflow Ios And Ipados
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Safari, iOS/iPadOS, and macOS Tahoe expose process memory when the browser engine processes maliciously crafted web content, rooted in a CWE-119 improper memory buffer restriction (tagged Buffer Overflow). The CVSS vector (AV:N/AC:L/PR:N/UI:R/C:H) indicates a network-reachable, low-complexity attack requiring only that the victim visit or render attacker-controlled content, resulting in high confidentiality impact through memory leakage. No active exploitation has been confirmed in CISA KEV and no public proof-of-concept has been identified at the time of analysis; Apple has released patched versions (26.5.2) across all affected platforms.

Apple Buffer Overflow Ios And Ipados
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory corruption in Apple's WebKit-based web content processing allows an unauthenticated remote attacker to crash the affected process by luring a user to visit a maliciously crafted webpage. Affected platforms include Safari, iOS, iPadOS, and macOS Tahoe, all prior to version 26.5.2. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog; impact is limited to availability (process crash) with no confirmed confidentiality or integrity exposure.

Apple Buffer Overflow Ios And Ipados
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial-of-service memory corruption in Apple's WebKit engine affects Safari, iOS/iPadOS, and macOS Tahoe before version 26.5.2, where processing maliciously crafted web content triggers an unexpected process crash. The CVSS vector scores only availability impact (A:H) with no confidentiality or integrity loss, indicating a crash rather than code execution. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.16%), consistent with a browser-rendering DoS reported internally by Apple rather than an actively exploited threat.

Apple Buffer Overflow Ios And Ipados
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Memory corruption via use-after-free in Apple's WebKit browser engine allows remote attackers to corrupt memory when a victim processes maliciously crafted web content on Safari, iOS/iPadOS, or macOS prior to 26.5.2. The CVSS 3.1 score of 8.8 reflects network-reachable exploitation requiring only that a user open a malicious page; no public exploit is identified at time of analysis and the issue is not listed in CISA KEV. Successful exploitation typically serves as the initial stage of a browser-based attack chain (often paired with a sandbox escape) to achieve code execution in the renderer.

Memory Corruption Buffer Overflow Apple +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Apple's web content processing engine (WebKit) causes a browser process crash when a user visits a maliciously crafted webpage, affecting Safari, iOS/iPadOS, and macOS Tahoe. All versions prior to the 26.5.2 releases across those platforms are affected, making this a broad-surface denial-of-service vulnerability against Apple's default browser ecosystem. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the low attack complexity and zero-authentication requirement lower the bar for opportunistic abuse once a malicious page is visited.

Apple Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Safari's web content processing engine on iOS, iPadOS, and macOS Tahoe contains an out-of-bounds write (CWE-787) that causes an unexpected crash when rendering maliciously crafted web content. All Safari versions prior to 26.5.2 - and the underlying WebKit engine shipping with iOS/iPadOS and macOS Tahoe prior to 26.5.2 - are affected. Apple has released patched versions across all three platforms; no public exploit code or CISA KEV listing has been identified at time of analysis, and available impact is limited to a denial-of-service crash with no confirmed code execution path.

Memory Corruption Apple Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Memory corruption via type confusion in Apple's WebKit browser engine allows attackers to corrupt memory by luring a victim to maliciously crafted web content, affecting Safari, iOS/iPadOS, and macOS before version 26.5.2. The flaw (CWE-843) is network-reachable but requires user interaction (visiting a page), and no public exploit has been identified at time of analysis. Apple has shipped patches across Safari 26.5.2, iOS/iPadOS 26.5.2, and macOS Tahoe 26.5.2.

Memory Corruption Apple Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Safari's web content processing engine causes an unexpected application crash when rendering maliciously crafted web content. Affected are Safari prior to 26.5.2, iOS and iPadOS prior to 26.5.2, and macOS Tahoe prior to 26.5.2. An unauthenticated remote attacker (per PR:N/AV:N in the CVSS vector) can trigger a denial-of-service condition by enticing a user to visit a crafted page; no public exploit or CISA KEV listing has been identified at time of analysis.

Apple Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Stack-based buffer overflow in Apple Safari's web content processing engine causes an unexpected application crash across Safari, iOS/iPadOS, and macOS Tahoe platforms. All versions prior to 26.5.2 are affected; an attacker can trigger the overflow by luring a victim to a maliciously crafted web page, resulting in a denial-of-service through a Safari crash. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, keeping real-world risk moderate despite the broad install base.

Buffer Overflow Apple Stack Overflow +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Apple's WebKit rendering engine crashes the browser process when parsing maliciously crafted web content, affecting Safari, iOS, iPadOS, and macOS Tahoe prior to version 26.5.2. The vulnerability requires only that a user visit or be redirected to an attacker-controlled page, making it trivially deliverable via phishing or malicious advertising. Impact is limited to a denial-of-service process crash per vendor disclosure; no public exploit or CISA KEV listing has been identified at time of analysis.

Apple Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Apple's web content processing engine crashes the rendering process across iOS, iPadOS, and macOS Tahoe when a user visits or opens maliciously crafted web content. All iOS and iPadOS versions prior to 26.5.2 and macOS Tahoe versions prior to 26.5.2 are affected per EUVD-2026-40185 and Apple's own advisories. No active exploitation is confirmed in CISA KEV and no public exploit code has been identified; however, the zero-privilege, low-complexity attack path makes denial-of-service accessible to any attacker who can deliver a malicious web page to a victim.

Apple Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Memory corruption in Apple's WebKit browser engine (Safari and the system WebView on iOS, iPadOS, and macOS before 26.5.2) allows a remote attacker to corrupt process memory when a victim loads maliciously crafted web content. The flaw is a use-after-free (CWE-416) and carries a CVSS 8.8 with required user interaction; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though Apple reported and patched it in coordinated releases on 2026 advisories.

Memory Corruption Buffer Overflow Apple +2
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Out-of-bounds write in CIPster's EtherNet/IP Message Handler exposes industrial automation devices to remote memory corruption through the BufWriter::append function. Unauthenticated remote attackers reachable on the EtherNet/IP network can send crafted protocol messages to corrupt adjacent memory, with potential for service disruption or, with further research, arbitrary code execution on embedded OT devices. A public proof-of-concept exploit (poc.zip) has been released, materially increasing risk for OT/ICS operators running this open-source CIP stack despite the moderate CVSS 4.0 score of 5.5.

Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote, unauthenticated attackers to corrupt heap memory by sending a crafted Modbus TCP packet containing a malformed `length` field to applications using the library's `pcpp::ModbusLayer::getLength()` parser. The CVSS 4.0 score of 2.9 reflects the high attack complexity (AC:H) required to exploit the flaw reliably, with impact capped at low across confidentiality, integrity, and availability. Publicly available exploit code exists (poc.zip), though no active exploitation has been confirmed by CISA KEV at time of analysis.

Buffer Overflow
NVD GitHub VulDB
EPSS 1% CVSS 2.9
LOW POC Monitor

Heap-based buffer overflow in PcapPlusPlus 25.05's Telnet subnegotiation packet parser allows remote attackers to corrupt heap memory by sending a specially crafted Telnet subnegotiation packet to any application embedding this library. The flaw in `pcpp::TelnetLayer::getSubCommand` (Packet++/src/TelnetLayer.cpp) results in low-level confidentiality, integrity, and availability impact against the parsing process. A proof-of-concept exploit (poc.zip) is publicly available on GitHub, but no active exploitation has been confirmed via CISA KEV, and the high attack complexity (AC:H in the provided CVSS 4.0 vector) keeps the overall score at a low 2.9.

Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Heap-based buffer overflow in PcapPlusPlus 25.05's TLS Hello Handler allows remote unauthenticated attackers to trigger memory corruption via a crafted handshakeVersion argument in the SSLClientHelloMessage::getHandshakeVersion function of SSLHandshake.cpp. Successful exploitation requires high attack complexity, limiting practical impact, but a public proof-of-concept (poc.zip) has been disclosed via GitHub. This vulnerability is not confirmed in CISA KEV, and its CVSS 4.0 score of 2.9 reflects the constrained, low-impact nature of the flaw despite the public exploit availability.

Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Heap-based buffer overflow in libtiff's PixarLog codec decoder lets attackers crash or potentially execute code in any application that decodes a maliciously crafted PixarLog-compressed TIFF using the PIXARLOGDATAFMT_8BITABGR output format with a specific stride value. Any software linking libtiff for TIFF decoding is exposed, with impact ranging from denial of service to potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, so exploitation is theoretical rather than observed.

Heap Overflow Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Stack-based buffer overflow in the TP-Link TL-WR841N v14 web management interface allows an authenticated attacker on the same local network segment to crash the embedded web server via crafted HTTP requests, forcing the device to automatically reboot. The impact is limited exclusively to availability - no confidentiality or integrity exposure has been identified. No public exploit code or CISA KEV listing exists at time of analysis; the constrained attack prerequisites (adjacent network, administrative credentials) significantly bound real-world risk.

TP-Link Buffer Overflow Stack Overflow +1
NVD VulDB
EPSS 0% CVSS 2.9
LOW POC Monitor

Heap-based buffer overflow in PcapPlusPlus 25.05 allows remote attackers to crash applications that parse attacker-controlled pcapng files via a crafted `captured_packet_length` value in the `parse_by_block_type` function of the LightPcapNg Parser. A publicly available proof-of-concept exploit (poc.zip) exists, though confirmed impact is limited to availability - application crash/denial-of-service - with no confidentiality or integrity impact indicated by the CVSS 4.0 vector. No active exploitation is confirmed, and no patch has been identified at time of analysis.

Heap Overflow Buffer Overflow Pcapplusplus
NVD VulDB GitHub
EPSS 0% CVSS 7.4
HIGH POC This Week

Buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers corrupt memory by sending an oversized ShareName or SelectName argument to the formUSBFolder handler at /goform/formUSBFolder. The flaw is reachable over the network and publicly available exploit code exists, though no active exploitation has been reported. Per the CVSS 4.0 vector it requires low-level authentication (PR:L) but yields full confidentiality, integrity, and availability impact on the device.

Buffer Overflow Ew 7478Apc
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Remote buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets an authenticated attacker corrupt memory through the formUSBAccount handler at /goform/formUSBAccount by supplying oversized UserName or Password values in a POST request, enabling likely code execution or device crash. The flaw is remotely reachable and publicly available exploit code exists (proof-of-concept, CVSS 4.0 base 7.4), though there is no public exploit identified as actively used in the wild. The vendor was notified but did not respond, so no fix is expected.

Buffer Overflow Ew 7478Apc
NVD VulDB
EPSS 0% CVSS 7.4
HIGH POC This Week

Buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers overflow a buffer by manipulating the selSSID parameter in a POST request to the /goform/formQoS endpoint, potentially crashing the device or executing code on it. The flaw is network-reachable and publicly available exploit code exists (disclosed via VulDB and a Notion writeup), but it is not listed in CISA KEV and no active exploitation has been confirmed. The vendor was notified but did not respond, and no patched firmware has been published.

Buffer Overflow Ew 7478Apc
NVD VulDB
EPSS 0% CVSS 1.9
LOW POC Monitor

Heap-based buffer overflow in LLVM llvm-project through version 22.1.6 allows a local low-privilege attacker to crash affected LLVM tooling by supplying a crafted bitcode file that triggers an out-of-bounds heap write in the GCRelocateInst::getBasePtr function within the Bitcode File Handler component. The LLVM project was notified via a GitHub issue report but has not yet responded or released a patch. A proof-of-concept exploit has been publicly disclosed, and no active exploitation is confirmed in CISA KEV.

Heap Overflow Buffer Overflow Llvm Project
NVD VulDB GitHub
EPSS 0% CVSS 1.9
LOW POC Monitor

Stack-based buffer overflow in LLVM's ValueSymbolTable module (llvm-project versions up to 22.1.6) allows a local, low-privileged attacker to crash the LLVM process by triggering a malformed invocation of llvm::StringMap::insert in /lib/IR/ValueSymbolTable.cpp, resulting in limited availability impact only - no confidentiality or integrity compromise is indicated by the CVSS 4.0 vector. A proof-of-concept exploit has been publicly released, lowering the barrier to triggering the crash in affected developer or CI/CD environments. No active exploitation has been confirmed by CISA KEV, and the LLVM project had not issued a patch or public response as of disclosure.

Buffer Overflow Stack Overflow Llvm Project
NVD VulDB GitHub
EPSS 0% CVSS 1.8
LOW PATCH Monitor

Stack-based buffer overflows in libxml2's xmlcatalog utility enable memory corruption and potential arbitrary code execution when the tool is invoked in its interactive --shell mode. The usershell() function writes user-supplied input into fixed-size stack buffers (command, arg, argv) without any length validation, allowing overflow of adjacent stack memory including return addresses. Real-world risk is very low: exploitation requires local access, deliberate user invocation of a non-default shell mode, and an attack precondition - reflected in the CVSS 4.0 score of 1.8 - with no public exploit or active exploitation identified. Notably, libxml2 maintainers disputed the security classification, treating this as a bug rather than a vulnerability.

Buffer Overflow Stack Overflow RCE +1
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Out-of-bounds read in GNU gzip's LZH decompression logic allows an unprivileged local attacker to disclose memory contents by supplying two specially crafted archives - an LZW file followed by an LZH file - in a single gzip -d invocation. The shared global decompression array, never reinitialized between files in the same process invocation, is poisoned by the LZW pass and subsequently causes the LZH decoder to read past the end of the allocated buffer, yielding high confidentiality impact per the CVSS 4.0 vector (VC:H). No public exploit or CISA KEV listing has been identified at time of analysis; the fix exists as an upstream source commit only, with no confirmed packaged release.

Buffer Overflow Gzip
NVD VulDB
EPSS 1% CVSS 7.4
HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC wireless access point (firmware 1.04) lets remote attackers corrupt memory via an oversized pppUserName parameter sent to the formPPPoESetup handler at /goform/formPPPoESetup, potentially leading to crash or arbitrary code execution on the device. Publicly available exploit code exists, but there is no public exploit identified as actively used in the wild. The CVSS 4.0 vector indicates network reach with low privileges required (PR:L), and the vendor did not respond to disclosure, so no fix is available.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Stack-based buffer overflow in the Edimax EW-7478APC (firmware 1.04) wireless access point lets an authenticated remote attacker corrupt memory by sending an oversized L2TPUserName argument to the formL2TPSetup handler at /goform/formL2TPSetup. Publicly available exploit code exists, though it is not listed in CISA KEV and carries a CVSS 4.0 base score of 7.4. The vendor was notified but did not respond, leaving the flaw unpatched.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 7.4
HIGH This Week

Memory corruption in the Edimax EW-7478APC wireless access point (firmware 1.04) lets a remote, low-privileged user overflow a buffer by submitting an oversized selSSID value to the /goform/formiNICSiteSurvey POST handler. Publicly available exploit code exists, and the vendor did not respond to disclosure, leaving deployed devices without an official fix. Successful exploitation can crash the device or potentially run attacker-controlled code on the embedded firmware; there is no public exploit identified as actively exploited (not in CISA KEV) and no EPSS score was provided.

Buffer Overflow
NVD VulDB
EPSS 0% CVSS 6.9
MEDIUM This Month

Out-of-bounds read in Eclipse tinydtls prior to commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 allows unauthenticated network attackers to crash memory-constrained IoT devices by sending a specially crafted Certificate handshake message during DTLS epoch 0. The vulnerable check_server_certificate() function omits buffer length validation before uint24 reads, memcmp, and memcpy operations, enabling reads beyond valid buffer boundaries on both client and server code paths. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated, network-reachable nature makes this straightforward to trigger against any exposed tinydtls endpoint.

Denial Of Service Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM This Month

Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is structurally constrained by the requirement that the attacking SPICE host itself be untrusted or already compromised prior to the attack.

Integer Overflow Denial Of Service Buffer Overflow +5
NVD VulDB
Prev Page 7 of 402 Next

Quick Facts

Typical Severity
HIGH
Category
memory
Total CVEs
36131

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy