Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36133)
Out-of-bounds read in Eclipse tinydtls prior to commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 allows unauthenticated network attackers to crash memory-constrained IoT devices by sending a specially crafted Certificate handshake message during DTLS epoch 0. The vulnerable check_server_certificate() function omits buffer length validation before uint24 reads, memcmp, and memcpy operations, enabling reads beyond valid buffer boundaries on both client and server code paths. No public exploit code or active exploitation has been identified at time of analysis; however, the unauthenticated, network-reachable nature makes this straightforward to trigger against any exposed tinydtls endpoint.
Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is structurally constrained by the requirement that the attacking SPICE host itself be untrusted or already compromised prior to the attack.
Stack-based buffer overflow in the Wavlink WL-NU516U1-A wireless range extender (firmware M16U1_V240425) lets a remote, low-privileged attacker corrupt memory by sending an oversized Guest_ssid POST parameter to the sub_407504 function in /cgi-bin/wireless.cgi. The flaw was reported by VulDB, publicly available exploit code exists, and it carries a CVSS 4.0 base score of 7.4; there is no evidence of active exploitation in CISA KEV at this time.
Out-of-bounds read in Investintech SlimPDFReader through version 2.0.14 exposes users to application crashes when processing maliciously crafted PDF files, exploitable remotely with passive user interaction. The vulnerable function `SlimPDFReader!Investintech::PCV::TeighaDo+0x25cde0` within `SlimPDFReader.exe` fails to validate buffer boundaries during PDF parsing, resulting in a low-severity availability impact (application crash/DoS) with no confirmed confidentiality or integrity effect despite the 'Information Disclosure' tag in source metadata. No public exploit identified at time of analysis beyond the CVSS 4.0 E:P maturity indicator, and no patch will ever be released as the product is confirmed end-of-life.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory via the 'page' parameter handled by the fromNatStaticSetting function at the /goform/NatStaticSetting endpoint. Publicly available exploit code exists, and the CVSS 4.0 vector (PR:L) indicates an authenticated user on the device's web interface can trigger high confidentiality, integrity and availability impact. There is no public exploit identified as actively used in the wild - exploitation is proof-of-concept only at this time.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote, low-privileged attackers corrupt memory by supplying an oversized shareSpeed value to the fromSetWifiGusetBasic handler at /goform/WifiGuestSet, enabling denial of service and potential remote code execution on the device. Publicly available exploit code exists, though there is no public exploit identified as actively used in the wild. The EPSS-style risk is moderate per the CVSS 4.0 base score of 7.4 (HIGH), and CISA KEV does not list it.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets remote attackers corrupt memory by sending an oversized startIp argument to the formSetPPTPServer handler at /goform/SetPptpServerCfg, potentially achieving denial of service or arbitrary code execution on the device. The flaw is reachable over the network and publicly available exploit code exists, though it is not listed in CISA KEV and the CVSS 4.0 vector indicates low-privilege (authenticated) access is required. EPSS data was not provided, so widespread automated exploitation cannot be confirmed.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) lets a remote attacker corrupt memory by manipulating the 'page' parameter handled by the fromAddressNat function at the /goform/addressNat endpoint, potentially achieving code execution or device crash. Publicly available exploit code exists and the issue was disclosed by VulDB, though there is no public exploit identified as actively exploited in the wild. With a CVSS 4.0 base score of 7.4 and PR:L, exploitation requires some level of authenticated access to the web management interface.
Stack-based buffer overflow in the Tenda JD12L router (firmware 16.03.53.23) allows remote attackers to corrupt memory by manipulating the security_5g argument sent to the formWifiBasicSet handler at /goform/WifiBasicSet, potentially achieving denial of service or arbitrary code execution on the device. The flaw is network-reachable but, per the CVSS 4.0 vector, requires low-level authentication (PR:L), and publicly available exploit code exists. There is no public exploit identified as actively exploited in CISA KEV, and the EPSS score was not provided.
Denial of service in EIPStackGroup OpENer (commit 76b95c), an open-source EtherNet/IP stack, allows remote attackers to crash the device by sending a crafted Common Packet Format (CPF) packet that triggers a buffer overflow in the Get_Attribute_List handler. The flaw is network-reachable without authentication or user interaction (CVSS 7.5, availability-only impact), and SSVC indicates proof-of-concept exploit code exists and that exploitation is automatable. EPSS is low (0.17%, 7th percentile) and the CVE is not on CISA KEV, so there is no public evidence of active exploitation yet.
Heap buffer overflow in snap7 v1.4.3 crashes the embedded S7 server when processing a specially crafted write function packet targeting TS7Worker::PerformFunctionWrite() in /core/s7_server.cpp. Systems deploying snap7 as an S7-compatible communication server - common in industrial SCADA, HMI, and IoT gateway applications bridging to Siemens S7-series PLCs - can be disrupted remotely with no privileges required per the CVSS PR:N designation. No public exploit identified at time of analysis, and the EPSS score of 0.19% (8th percentile) reflects minimal current exploitation activity; however, operational impact in OT environments can exceed what the CVSS Availability score alone suggests.
A heap buffer overflow in the HighPriorityASDUQueue_hasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service (DoS) via a crafted payload.
Memory corruption and denial of service in Zephyr RTOS (v4.0.0 through v4.4.0) arises in the BSD-sockets getaddrinfo() implementation, where a timed-out DNS query is retried without cancelling the prior query, leaving a callback holding a pointer into a stack frame that goes out of scope after getaddrinfo() returns. A network-delivered DNS response matched by its spoofable 16-bit transaction id, or the resolver's own delayed timeout work, then writes through that stale pointer, enabling crashes or reused-stack corruption. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; exploitation is gated by a timing/race window reflected in CVSS AC:H.
Out-of-bounds write in Zephyr RTOS's Microchip SERCOM-G1 UART driver (introduced in v4.4.0) allows an adjacent attacker who can send serial data to corrupt one byte of memory immediately beyond the caller-supplied RX buffer, potentially causing a crash or denial of service. The flaw exists only when CONFIG_UART_MCHP_ASYNC is enabled (non-default on in-tree PIC32CM-JH board configs) and the consuming application calls uart_rx_enable() with a one-byte buffer - a narrow but real embedded firmware scenario. No exploit code is publicly available and this vulnerability is not listed in CISA KEV; the upstream fix has been committed but a tagged patched release version has not been independently confirmed.
Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH server corrupt memory in any connecting client on 32-bit platforms. The publickey subsystem reads an attacker-supplied 32-bit attribute count and multiplies it by the attribute structure size without bounds checking, so the allocation integer-overflows to an undersized buffer that the parsing loop then writes past. Publicly available exploit code exists; this is a CWE-190 integer overflow with no public exploit identified in CISA KEV, so it is not confirmed actively exploited.
Out-of-bounds heap write in FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) allows attackers to corrupt memory when libavcodec decodes a crafted stream using the RASC FourCC. The decoder performs 32-bit reads/writes at the row cursor before the NEXT_LINE boundary check and validates DLTA regions in pixel rather than byte units, letting a DLTA run on a PAL8 frame write and read several bytes past the row allocation. Publicly available exploit code exists (reported by VulnCheck); no public active exploitation has been identified at time of analysis.
Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds using CONFIG_USERSPACE. Affecting Zephyr v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (msg_control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives. There is no public exploit identified at time of analysis and EPSS is low (0.12%), but the memory-corruption primitive gives full C/I/A impact locally.
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. By calling procctl(2) to request ASLR disablement before execve(2), the per-process disable flag remains active when the PIE base address is computed, because the activator clears the flag too late. This is a mitigation-weakening flaw that materially eases exploitation of any separate memory-corruption bug in those privileged binaries; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile).
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.
Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), indicating no observed mass exploitation, but the bug is trivially triggerable wherever the library decodes attacker-supplied images.
Notepad++ versions prior to 8.9.6.1 can be crashed by any local process sharing the same interactive Windows session via a malformed WM_COPYDATA message. The COPYDATA_FULL_CMDLINE handler in NppBigSwitch.cpp dereferences COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* without validating against the COPYDATASTRUCT.cbData length field, enabling an out-of-bounds read that results in process termination. No active exploitation has been confirmed (no CISA KEV listing, no public POC), and the fix is available in the vendor-released patch 8.9.6.1.
Out-of-bounds read (CWE-125) in the Linux kernel F2FS filesystem lets a local user trigger inconsistent access to the mount extension list by racing a sysfs read against a concurrent update. The f2fs_sbi_show() handler reads extension_list, extension_count and hot_ext_count without holding sbi->sb_lock, so a simultaneous f2fs_update_extension_list() store can yield a mismatched count/array pair and drive an out-of-bounds read that leaks stale kernel data or crashes the system. No public exploit identified at time of analysis; EPSS is low (0.17%, 7th percentile) and the issue is not in CISA KEV.
Local memory corruption in the Linux kernel's NXP ENETC (enetc) network driver stems from a DMA use-after-free in the NTMP command path: when netc_xmit_ntmp_cmd() times out, the pending hardware command is not aborted yet ntmp_free_data_mem() frees the associated DMA buffer, so the device later DMA-writes its response into the freed (possibly reallocated) physical address, producing silent kernel memory corruption. Only systems running NXP ENETC networking hardware on kernels from 6.16 through the fixed stable releases are affected. There is no public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.17%, 6th percentile).
Heap buffer overflow in Envoy's TcpStatsdSink component (versions 1.34.0 through pre-fix releases) allows unauthenticated remote attackers to crash the Envoy process or potentially achieve remote code execution by submitting HTTP or gRPC requests with request paths exceeding 16KiB, provided a specific non-default dual-filter configuration is present. The root flaw is an incorrect buffer rotation in the thread-local metric flusher that allocates a new 16KiB slice but continues writing beyond its boundary via unchecked memcpy operations. No public exploit has been identified at time of analysis, though vendor-confirmed patches are available across all affected release branches (1.35.13, 1.36.9, 1.37.5, 1.38.3).
Denial of service in Envoy proxy versions prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1 allows remote unauthenticated attackers to crash the proxy by submitting deeply nested JSON (on the order of 100,000 levels). When the resulting JSON Object is torn down, its recursive destructor exhausts the thread stack, causing a stack overflow and process termination. There is no public exploit identified at time of analysis and the issue impacts availability only; the CVSS 3.1 base score is 7.5.
Remote denial of service in DragonflyDB before 1.39.0 lets an unauthenticated attacker crash the entire server with a single ~24-byte RESTORE command carrying a malformed listpack payload, triggering an out-of-bounds read (SIGSEGV). Because Dragonfly ships with no authentication enabled by default and RESTORE is an ordinary keyspace command, any client that can reach the port can repeatedly kill the process. No CISA KEV listing exists, but the fixing pull request publishes the exact crash payloads as regression tests, so working trigger data is effectively public.
A heap overflow in the FSViewer.exe process of FastStone Image Viewer v8.3 allows attackers to cause a execute arbitrary code in the context of the current process via supplying a crafted JPEG 2000 (JP2) file.
Information disclosure in Ollama's model quantization engine (confirmed affected in v0.13.5) allows remote, unauthenticated attackers to read and exfiltrate the server's heap memory, exposing sensitive in-process data such as model contents, API keys, or other secrets resident in memory. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against an exposed Ollama instance with no authentication. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds write in Imagination Technologies' Graphics DDK GPU shader compiler lets a crafted web page containing unusual or edge-case shader code (e.g. WebGL/compute shaders using a very small value) corrupt memory and crash the GPU compiler process. On platforms where that compiler process runs with system privileges, the memory corruption could be chained toward privilege escalation or further device exploitation. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; impact is integrity and availability (CVSS 7.7, CWE-823).
Remote unauthenticated stack-based buffer overflow in the vlsvr login service of GeoVision GV-LPC2011 and GV-LPC2211 license plate capture cameras (firmware V1.12 and earlier) lets a remote attacker corrupt memory by sending an over-length login field, enabling denial of service and potentially arbitrary code execution. The flaw requires no authentication and no user interaction (CVSS 9.8). No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate camera devices (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the ssvr streaming component's RTSP Digest authentication parser. A remote attacker reachable on the RTSP service can send overly long authentication field data to corrupt the stack, crashing the device or potentially executing arbitrary code with no credentials or user interaction. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.8 rating and unauthenticated network vector make it a high-priority patching target.
Remote code execution and denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (V1.12 and earlier) arise from a stack-based buffer overflow in the ssvr component's RTSP custom authentication handling. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates an unauthenticated remote attacker can trigger memory corruption with a single crafted RTSP request, yielding crash-level DoS and potential arbitrary code execution. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote code execution in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-recognition cameras (firmware V1.12 and earlier) stems from a stack-based buffer overflow in the embedded thttpd web server, where overly long parameters in a specific request path overrun a fixed-size stack buffer. An unauthenticated remote attacker (per CVSS PR:N) can send a single crafted HTTP request to corrupt memory and cause denial of service or potentially execute arbitrary code on the device. No public exploit has been identified at time of analysis, but the CVSS 9.8 rating and lack of authentication make this a high-priority embedded-device exposure.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote, unauthenticated attackers crash the device by sending a crafted HTTP request to onvif.cgi. The ONVIF CGI handler fails to bounds-check HTTP request body data, so oversized input triggers an out-of-bounds write and memory corruption. No public exploit identified at time of analysis, and the flaw yields availability impact only — no code execution or data disclosure is claimed by the vendor.
Denial of service in GeoVision GV-LPC2011 and GV-LPC2211 license-plate-capture devices (firmware V1.12 and earlier) allows remote unauthenticated attackers to crash the device by sending a multipart upload request with an overly long filename to IEEE8021x_upload.cgi. The flaw is a classic stack/heap buffer overflow (CWE-120) with availability-only impact and no confidentiality or integrity loss. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
A stack overflow in the AP4_StsdAtom::AP4_StsdAtom component of axiomatic-systems Bento4 before v1.8.9allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
Stack overflow in Bento4's MP4 parsing component allows an attacker to crash any application built on the library by supplying a crafted MP4 file. The flaw resides in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity, a dynamic array growth function invoked while processing Track Run (trun) atoms, and affects all Bento4 releases before v1.8.9. A public proof-of-concept exists (poc4.zip), though EPSS sits at 0.17% and CISA KEV has not listed this CVE, indicating no confirmed widespread exploitation at time of analysis.
Integer overflow in Mojo in Google Chrome prior to 149.0.7827.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)
Heap-based buffer overflow in the vtk-dicom library's vtkDICOMItem::NewDataElement routine allows remote attackers to corrupt heap memory and potentially achieve arbitrary code execution by supplying a maliciously crafted DICOM data element. The flaw affects vtk-dicom (a DICOM I/O module commonly paired with the Visualization Toolkit) and was reported by Cisco Talos (TALOS-2026-2366), carrying a CVSS 3.1 base score of 8.1 with full confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds write in wolfSSL's SetSuitesHashSigAlgo function corrupts memory when an application passes an oversized signature algorithms list to the wolfSSL_CTX_set1_sigalgs_list or wolfSSL_set1_sigalgs_list APIs, writing past the end of the internal suites buffer (CWE-787). All wolfSSL versions prior to the bounds-check fix in PR #10204 are affected; the CVSS 4.0 score of 2.0 reflects a local-only vector, high complexity, and constrained impact limited to low integrity and availability degradation within the consuming process. No public exploit has been identified and this vulnerability is not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis.
wolfSSL's x86_64 Curve25519 scalar multiplication yields a non-canonical shared secret when carry propagation overflows into bit 255 during final modular reduction, producing a result in [p, 2^255) rather than the required canonical range [0, p). Both the x64 and AVX2 hand-written assembly paths in fe_x25519_asm.S are affected, and only specific edge-case scalar/point combinations trigger the flaw. wolfSSL self-reported this correctness defect and published a fix via GitHub PR #10536; no public exploit exists and the vulnerability is absent from CISA KEV.
Pre-authentication heap buffer overflow in wolfSSL 5.9.0 and earlier affects builds compiled with DTLS 1.3 support, where an integer truncation in the ACK record-number list length computation (Dtls13GetAckListLength using a word16) allocates an undersized buffer that is then overrun during ACK serialization. Because the flaw is reachable before the connecting peer is authenticated, a remote unauthenticated attacker can trigger memory corruption against a DTLS 1.3 endpoint, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.8 reflects primarily a high availability (crash/DoS) impact with limited integrity impact.
Buffer overflow in wolfSSL's PKCS#7 decoder (versions 5.9.0 and earlier) allows attackers with low-privilege account access on an adjacent network to corrupt memory by providing crafted encrypted messages to applications using undersized output buffers in wc_PKCS7_DecodeEncryptedData. Real-world exploitation is severely constrained by requirements for adjacent network access, low privilege, user interaction, and specific attack target conditions, resulting in minimal integrity impact with no availability or confidentiality effects. No public exploit code or active exploitation is known at the time of analysis.
Out-of-bounds heap read in wolfSSL's SM2/SM3 certificate parser exposes applications to remote denial of service when processing malformed certificates. During Subject Key Identifier computation in SM3wSM2 certificate verification, the library unconditionally reads 65 bytes from the public key field without first validating that the key is at least that long - a crafted certificate with a sub-65-byte public key triggers a heap over-read, crashing the process. This vulnerability is scoped exclusively to wolfSSL builds compiled with SM2 support (--enable-sm2 or --enable-all), and no public exploit or CISA KEV listing exists at time of analysis.
Remote denial of service in wolfSSL's Renesas TSIP TLS 1.3 client port (WOLFSSL_RENESAS_TSIP_TLS on Renesas MCUs with TSIP hardware) arises from an out-of-bounds heap write in tsip_StoreMessage(), where the capacity check guarding the fixed 8 KB message bag sets an error code but omits the return, letting execution fall through to an XMEMCPY that overruns the buffer once the accumulated handshake transcript exceeds 8 KB. A malicious or man-in-the-middle TLS 1.3 server (or an unusually large but legitimate certificate chain) can trigger heap corruption and crash the client. There is no public exploit identified at time of analysis, it is not on CISA KEV, and the upstream fix is available as wolfSSL PR #10705.
Denial of service in CANBoat (the open-source NMEA 2000/CAN bus analyzer) through version 6.22 allows attackers to crash the analyzer by delivering a crafted NMEA-2000 message containing an out-of-range PGN value. The flaw is an off-by-one global buffer overflow in the searchForPgn() binary-search routine in analyzer/pgn.c, where an out-of-range PGN causes a one-element read past the end of the pgnList[] table. Publicly available exploit code exists (FuzzingLabs PoC value 393216 via issue #644), and a vendor patch is available; there is no public exploit identified as actively exploited.
Denial-of-service memory corruption in RTKLIB through version 2.4.3 lets an attacker crash GNSS post-processing applications such as rnx2rtkp and RTKPOST by supplying a malicious RINEX observation file. The readrnxobsb function in src/rinex.c fails to clamp the satellite-count value read from RINEX epoch headers, so a file declaring more than 64 satellites per epoch triggers a heap buffer overflow write and out-of-bounds stack reads. Publicly available exploit code exists (VulnCheck/GitHub issue #796); there is no public exploit identified as actively exploited, and the CVSS 4.0 impact is limited to availability (VA:H).
Out-of-bounds read in RTKLIB through 2.4.3 exposes users to denial of service and potential memory disclosure when processing maliciously crafted RINEX observation files. The getcodepri function fails to validate unrecognized observation codes, performing negative array indexing into the codepris table - producing reliable crashes and leaking adjacent global data segments. A publicly available proof-of-concept exists via the upstream GitHub issue tracker; this CVE is not listed in the CISA KEV catalog, and no EPSS data was provided in available intelligence.
Off-by-one out-of-bounds read in RTKLIB's decode_ssr3 function (src/rtcm3.c:1446) allows unauthenticated remote attackers to trigger a global buffer overflow by sending crafted RTCM3 SSR correction messages with attacker-controlled signal mode fields over NTRIP or serial connections. All RTKLIB versions through 2.4.3 are affected, with the primary impact being denial of service or crash of GNSS rovers and CORS server deployments. A publicly available exploit exists per VulnCheck intelligence, though this vulnerability is not confirmed in CISA KEV at time of analysis.
Out-of-bounds write in RTKLIB's decode_type1033 function affects all versions through 2.4.3, where unclamped length counters allow up to a 191-byte overflow into fixed 64-byte descriptor fields when parsing an RTCM3 type-1033 message. An attacker who controls an NTRIP or serial RTCM3 correction stream can deliver a CRC-valid crafted message to corrupt adjacent rtcm_t members, potentially achieving arbitrary code execution or denial of service. Publicly available exploit code exists (reported by VulnCheck), though there is no public exploit identified as actively exploited in CISA KEV.
Remote code execution in THC Hydra through 9.7 allows a malicious or attacker-controlled server to compromise the machine running the Hydra brute-force client during NTLM authentication. When Hydra connects to such a server across its SMTP, POP3, IMAP, NNTP, HTTP, HTTP-Proxy, or HTTP-Proxy-Urlenum modules, a crafted NTLM Type-2 challenge with an overlong domain string causes the base64-encoded response to overflow a 500-byte stack buffer by 18 to 330 bytes, enabling code execution on hosts lacking stack protection. No public exploit identified at time of analysis, but a vendor patch (commit 9cc84c2) is available, and the issue inverts the usual threat model - the operator of the offensive tool becomes the victim.
Out-of-bounds read in Horner Automation Cscape prior to 10.2 SP3 lets an attacker who supplies a malicious CSP project file disclose memory contents and, per the advisory, achieve arbitrary code execution within the engineering workstation. Cscape is the configuration/programming environment for Horner OCS controllers, so the target is the engineer's PC rather than the PLC itself. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Heap buffer overread in wolfSSL's PKCS7 EnvelopedData parser allows network-reachable attackers to trigger a low-impact availability disruption or potential memory disclosure by supplying a crafted S/MIME or CMS message. The root cause is a missing integer-overflow-safe bounds check before XMEMCPY calls in wc_PKCS7_DecodeEnvelopedData, wc_PKCS7_DecodeAuthEnvelopedData, and wc_PKCS7_DecodeEncryptedData - all three paths lacked validation that idx + encryptedContentSz does not exceed the input buffer. No public exploit code has been identified at time of analysis, and wolfSSL's own CVSS 4.0 vector classifies attack requirements as present (AT:P), meaning exploitation is not straightforwardly reliable.
Stack out-of-bounds write in Vim's spell suggestion engine allows a crafted `.spl`/`.sug` file pair to corrupt the call stack and crash the editor when spell suggestions are invoked. All Vim releases prior to 9.2.0653 are affected, with the flaw in `tree_count_words()` and `sug_filltree()` inside `src/spellfile.c`, where three fixed-size MAXWLEN-element stack arrays are indexed by an unbounded depth counter. No public exploit identified at time of analysis (CVSS 4.0 E:U), though the upstream fix commit includes a detailed proof-of-concept test case reproducing the out-of-bounds write.
Out-of-bounds read in Vim's text property subsystem allows a crafted undo file to crash the editor and potentially disclose adjacent heap memory. All Vim releases prior to 9.2.0670 are affected; the vulnerability is reachable whenever a user loads a malicious undo file with the persistent-undo feature compiled in and enabled. No public exploit or CISA KEV listing exists at time of analysis, placing real-world risk in the low-to-medium range despite the local crash severity.
Vim crashes with an out-of-bounds read when opening a maliciously crafted file encrypted with the xchacha20poly1305 cipher (VimCrypt~04! or VimCrypt~05!) whose body is shorter than a libsodium secretstream header. An unsigned integer underflow in the length calculation inside crypt_sodium_buffer_decode() causes the subsequent crypto_secretstream_xchacha20poly1305_pull() call to read far past the end of the input buffer, resulting in a denial-of-service crash. No public exploit code and no CISA KEV listing have been identified at time of analysis; however, the fix commit includes a concrete reproducer test case confirming the crash path.
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise() collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling (alloc <<= 2) instead of a loop. A block call that returns more than four times the current allocation in one invocation outgrows that one quadrupling, and the copy writes past the end of the buffer. Any caller of pairwise() whose block returns, for a single pair, more than four times the longer input array's length writes past the buffer and corrupts the heap.
Out-of-bounds heap read in Vim 9.2.0320-9.2.0678 allows a crafted undo or swap file to disclose adjacent heap memory or crash the editor when a victim opens it. The flaw resides in the text property (textprop) subsystem: a maliciously encoded virtual-text property with an oversized tp_text_offset is converted directly to a heap pointer without bounds validation in both the undo-restoration path (um_goto_line) and the display path (get_text_props). The CVSS 4.0 score of 6.8 (Medium) reflects local-only exploitation requiring active user interaction; no public exploit is confirmed at time of analysis, though the fix commit includes detailed test scaffolding constituting a near-complete attack blueprint.
Stack out-of-bounds write in Vim's spell_soundfold_sofo() function (src/spell.c) allows local exploitation when a SOFO-based spell language is active and the soundfold path is triggered with a word exceeding MAXWLEN (254) bytes, corrupting the call frame and crashing the editor with theoretical code execution potential. All Vim releases prior to 9.2.0698 carrying the single-byte SOFO branch are affected; the vendor has released a confirmed fix at v9.2.0698. No public exploit code exists and no CISA KEV listing is present; the CVSS 4.0 E:U supplemental metric confirms exploitation remains unproven at time of analysis.
Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a large negative integer index to bypass a 32-bit-truncated bounds check and trigger a read outside the node set's allocated memory. On CRuby (MRI Ruby), this typically crashes the process - denial of service - with ancillary potential for heap memory disclosure; on JRuby, the runtime's managed memory prevents memory corruption, but an incorrect node is silently returned. No public exploit or active exploitation has been identified; exploitation requires the target application to forward attacker-controlled integers directly to the `NodeSet#[]` or `#slice` API.
Remote denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending a malformed Simple Metering GetProfileResponse message that triggers an out-of-bounds read while iterating interval entries, terminating the process. Exploitation requires the attacker to be an authenticated member of the Zigbee network and only affects devices implementing the Simple Metering cluster. No public exploit identified at time of analysis, and no information leakage back to the sender was observed.
Out-of-bounds memory writes in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allow an already-joined network device to corrupt Door Lock schedule state by sending malformed ClearWeekdaySchedule messages. Only devices implementing the Door Lock cluster are affected, and the corruption is bounded in size and location, primarily threatening availability/integrity rather than data disclosure. No public exploit identified at time of analysis; a vendor patch is available.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) versions 9.0.2 and earlier allows an already-joined network device to crash the host process by sending malformed IAS Zone enrollment messages, which trigger an out-of-bounds write to the state table. Only nodes that support the IAS Zone (security sensor) cluster are affected, and the attacker must already hold a valid place on the Zigbee network (PR:L). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device crash the target by sending Door Lock cluster messages containing malformed or out-of-range user identifiers, which trigger an out-of-bounds table read (CWE-125) that terminates the process. Only devices that implement the Door Lock cluster are affected, and no data is leaked back to the sender. There is no public exploit identified at time of analysis, and the issue is not in CISA KEV.
Denial of service in Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) allows an already-joined network device to crash a target by sending malformed GetGroupMembership commands, which cause repeated out-of-bounds reads past the message payload and terminate the process. Only devices implementing the Groups cluster are affected, and no information leakage to the sender was observed despite the read primitive. There is no public exploit identified at time of analysis, no CISA KEV listing, and the impact is availability-only (process termination), not code execution or data disclosure.
Out-of-bounds read in the Silicon Labs EmberZNet Zigbee stack (v9.0.2 and earlier) lets an already-joined network device send malformed Over-The-Air (OTA) update requests that drive the OTA Server cluster parser past buffer boundaries, leaking a small, size- and location-limited amount of RAM back to the requester and potentially disrupting the OTA service. Only nodes that implement the OTA Server cluster are affected, and exploitation requires prior network membership (PR:L authenticated). No public exploit is identified and the CVE is not in CISA KEV; the CVSS 4.0 base score of 7.1 is driven mainly by high availability impact (VA:H) rather than data theft.
Denial of service in Silicon Labs EmberZNet (Zigbee stack) v9.0.2 and earlier allows an already-joined Zigbee device to crash the process by sending malformed global ZCL (Zigbee Cluster Library) messages that trigger out-of-bounds reads in the framework parsing logic. The flaw affects availability only - no information leakage back to the sender was observed despite the dataset's 'Information Disclosure' tag. A vendor patch is available, and there is no public exploit identified at time of analysis.
dnsdist's SetMacAddrAction handler exposes operators to uninitialized memory leakage in DNS responses and potential service crashes when the action is configured in the ruleset. The flaw is reachable over the network without authentication (AV:N/PR:N), but the high attack complexity (AC:H) constrains real-world impact to deployments that have explicitly enabled SetMacAddrAction - a non-default configuration. No public exploit code exists and no CISA KEV listing is present at time of analysis; the PowerDNS security team (Open-Xchange) reported this internally, suggesting responsible disclosure rather than observed active exploitation.
Out-of-bounds read in the Linux kernel's netfilter IRC connection-tracking helper (nf_conntrack_irc) lets remote attackers leak adjacent kernel memory or crash the host when the parser fails to bail out after matching a DCC command string. The CVSS 3.1 vector (AV:N/PR:N) describes unauthenticated remote reachability with low confidentiality impact and high availability impact, but exploitation is gated on the legacy IRC conntrack helper being loaded and assigned to traffic - a non-default condition on most modern systems. There is no public exploit identified at time of analysis, EPSS is low (0.17%, 7th percentile), and the issue is not on CISA KEV.
Stack-based out-of-bounds write in the Linux kernel netfilter nf_tables conntrack (nft_ct) module lets a local actor with rule-loading capability corrupt the kernel stack, enabling privilege escalation or denial of service. When an nftables ruleset attaches a per-CPU template conntrack (e.g. via 'ct zone set') and a subsequent 'ct original/reply' load expression runs on the same packet, nft_ct_get_eval() mistakes the zeroed template ct for a real conntrack and performs a 16-byte memcpy bounded by an untrusted field, overflowing struct nft_regs on the kernel stack. No public exploit identified at time of analysis, though a historic syzkaller report demonstrates the crash; EPSS risk is low (0.16%, 6th percentile).
Out-of-bounds read in the Linux kernel Bluetooth management (MGMT) interface lets a local user with Bluetooth privileges trigger a one-byte read past the advertising-data buffer by submitting a malformed MGMT_OP_ADD_ADVERTISING request. The flaw lives in tlv_data_is_valid(), which inspects the type octet at data[i+1] before confirming the current TLV element fits in the buffer; KASAN flags it as a vmalloc-out-of-bounds read. No public exploit identified at time of analysis and EPSS risk is low (0.17%), consistent with a local-only kernel memory-safety bug rather than a remotely weaponizable one.
Out-of-bounds read in the Linux kernel's Bluetooth RFCOMM stack allows a malicious paired or in-range remote device to leak adjacent kernel memory or crash the host by sending truncated MCC (Multiplexer Control Channel) frames. The RFCOMM MCC handlers cast skb->data to protocol structs without first checking skb->len, so short frames cause reads past the buffer; impact is confidentiality and availability loss (CVSS 8.1). There is no public exploit identified at time of analysis and EPSS estimates exploitation probability at just 0.18%.
Out-of-bounds read in the Linux kernel's Bluetooth BNEP (Bluetooth Network Encapsulation Protocol) subsystem allows an adjacent attacker to crash the kernel by sending a malformed short BNEP frame over an established PAN connection. The flaw in bnep_rx_frame()/bnep_rx_control() in net/bluetooth/bnep/core.c reads the packet-type, control-opcode, and setup UUID-size bytes before confirming they are present, producing a KASAN-confirmed slab-out-of-bounds read past a 1-byte kmalloc-8 allocation. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 8th percentile).
Out-of-bounds kernel memory access in the Linux kernel's AF_XDP (xsk) transmit path allows a local low-privileged process to bypass bounds checking on TX checksum metadata. Because csum_start/csum_offset live in a userspace-mapped UMEM buffer, a malicious application could race to overwrite them between the validation read and the assignment read in xsk_skb_metadata(), defeating the bounds check during checksum computation. No public exploit identified at time of analysis; EPSS is low (0.18%, 8th percentile), consistent with a local-only kernel race rather than a mass-exploited remote bug.
Out-of-bounds memory access in the Linux kernel's SCTP stack lets a remote peer corrupt kernel memory by sending a COOKIE_ECHO chunk whose embedded cached INIT chunk advertises an inflated length, which sctp_unpack_cookie() failed to validate against the remaining COOKIE_ECHO buffer before sctp_process_init() walked its parameters. Any host running an SCTP listening server (kernels from 2.6.12 up to the fixed stable releases) is affected, with the kernel-assigned CVSS rating it 9.8/network-unauthenticated, though EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis. Impact ranges from out-of-bounds reads to potential heap corruption during STATE_COOKIE handling and kmemdup() copies.
Out-of-bounds kernel memory read in the Linux mlx5_core driver's mlx5_query_nic_vport_mac_list() function allows a slab-out-of-bounds access when querying a VF vport whose configured MAC-list maximum exceeds the PF's log_max_current_uc/mc_list capability. The driver sizes its firmware command buffer using the PF capabilities rather than the vport's own HCA caps, so an oversized firmware response overflows the buffer during eswitch vport-change handling. This affects systems running NVIDIA/Mellanox ConnectX (mlx5) NICs in SR-IOV/switchdev mode; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile).
Out-of-bounds memory reads in the Linux kernel SCTP stack allow remote attackers to trigger information disclosure and kernel crashes by sending a malformed COOKIE_ECHO chunk. The flaw lives in sctp_unpack_cookie(), which fails to verify that an embedded INIT chunk is large enough for a complete INIT header and does not fully validate raw_addr_list_len, so sctp_process_init() and the address parser read past the cookie payload. EPSS is low (0.21%) and there is no public exploit identified at time of analysis, but the network-reachable, unauthenticated nature (CVSS 9.1) makes it a meaningful patch priority for any host with SCTP in use.
Memory corruption in the Linux kernel Bluetooth subsystem (hci_sync) allows a local privileged user to overrun a temporary buffer when the Broadcast Announcement service data is prepended to an already-maximum-sized extended advertising payload. The flaw affects systems using Bluetooth LE Audio / Broadcast Audio Profile advertising; the upstream fix rejects the oversized combination before copying, preserving the existing advertising data. No public exploit identified at time of analysis, and the EPSS probability is very low (0.18%, 8th percentile), indicating no current evidence of widespread exploitation interest.
Out-of-bounds memory access in the Linux kernel's accel/ivpu driver (Intel NPU/VPU accelerator) occurs because firmware-supplied read and write indices for the firmware log buffer were used without bounds validation, allowing invalid offsets to drive out-of-bounds buffer reads. Affecting Intel Core Ultra-class systems running affected 6.12.x through 6.18.x and 7.x kernels, a local low-privileged actor able to influence the device's firmware log indices can disclose kernel memory or crash the host. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low (0.18%, 7th percentile).
Local privilege-context memory corruption in the Linux kernel's accel/ivpu (Intel NPU/VPU accelerator) driver allows a low-privileged user with access to the device to trigger a buffer overflow through the metric stream MS get_info ioctl. When the NPU firmware reports an info size larger than the allocated kernel buffer, the driver performs an oversized copy, corrupting kernel memory and potentially leaking sensitive data or crashing the system. No public exploit identified at time of analysis; EPSS probability is low (0.19%) and the issue is not in CISA KEV.
Local memory corruption in the Linux kernel's Intel VPU accelerator driver (accel/ivpu) lets attacker-influenced firmware data overflow a stack buffer during IPC message receive. The defect is a signed-int truncation of the firmware-supplied data_size in min_t(int, ...), so values >= 0x80000000 turn negative, bypass the size clamp, and drive an oversized memcpy. Rated CVSS 7.8 (AV:L) with a low EPSS of 0.19% (9th percentile); no public exploit identified at time of analysis and it is not in CISA KEV.
Heap buffer overflow in the Linux kernel's io_ti USB serial driver (get_manuf_info()) lets a malicious USB device overflow a 10-byte kmalloc buffer by up to ~16 KB when attached to a host using this driver. The driver trusts the EEPROM-supplied descriptor Size field (validated only against TI_MAX_I2C_SIZE, not the destination buffer), enabling kernel memory corruption with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis; EPSS is low (0.20%, 10th percentile) and the issue is not in CISA KEV.
Kernel-level heap buffer overflow (out-of-bounds write) in the Linux kernel's io_ti USB-serial driver (used by Digi Edgeport TI-based USB serial adapters) allows a local low-privileged attacker or a malicious/crafted firmware image to corrupt kernel heap memory. The flaw lives in build_i2c_fw_hdr(), which copies an attacker-influenced 16-bit Length field (up to 65535) from the firmware image into a fixed-size buffer without validating it fits the remaining space after the ti_i2c_firmware_rec header. There is no public exploit identified at time of analysis, EPSS is low (0.20%, 10th percentile), and it is not on the CISA KEV list, so exploitation is theoretical rather than observed.
Heap out-of-bounds write in the Linux kernel's USB serial driver for KL5KUSB105-based adapters (kl5kusb105) lets a write to an attached tty corrupt slab memory two bytes past a 64-byte bulk-out buffer. The flaw is in klsi_105_prepare_write_buffer(), which reserves a two-byte length header but still copies the full buffer size from the write FIFO, overrunning the allocation by KLSI_HDR_LEN (2) bytes. EPSS is low (0.19%, 9th percentile) and there is no public exploit identified at time of analysis; the issue was found via KASAN using emulated hardware (dummy_hcd/raw-gadget), not in-the-wild exploitation.
Local out-of-bounds read in the Linux kernel's RDMA/core subsystem allows a low-privileged user with access to RDMA uverbs to crash the system or leak adjacent kernel memory by supplying an unvalidated cpu_id during DMA handle (DMAH) allocation. The UVERBS_ATTR_ALLOC_DMAH_CPU_ID attribute is passed straight to cpumask_test_cpu() without a bounds check, and on CONFIG_DEBUG_PER_CPU_MAPS kernels combined with panic_on_warn it forces a reboot. There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).
Out-of-bounds kernel memory read in the Linux kernel's rtl8723bs staging Wi-Fi driver (Realtek RTL8723BS SDIO) lets a local low-privileged actor read past the intended information-element (IE) buffer. rtw_update_protection() receives a pointer already offset into the ies buffer while still being passed the full ie_length, so parsing walks beyond the valid data. There is no public exploit identified at time of analysis, EPSS risk is low (0.17%, 7th percentile), it is not in CISA KEV, and fixed kernel releases are available.
Heap out-of-bounds write in the Linux kernel's accel/ethosu DRM driver (Arm Ethos-U NPU accelerator) allows a local user with access to the device to corrupt kernel heap memory through the command-stream copy-and-validate ioctl. The flaw stems from the parser advancing its index for 64-bit (bit-14-set) command words without re-checking the buffer bound, letting a crafted command stream write four bytes past a DMA allocation of attacker-controlled size. No public exploit is identified at time of analysis, EPSS is low (0.16%), and an upstream fix has landed in the stable trees.
Heap out-of-bounds write in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) lets a local user with access to the NPU device corrupt adjacent kernel heap memory. The command-stream parser masks the IFM region index with 0x7f (max 127) instead of 0x7 (max 7) like every other region assignment, so a crafted NPU_SET_IFM_REGION opcode with param > 7 indexes far past the 8-entry region_size[]/output_region[] arrays, writing up to ~1016 bytes beyond the allocation. No public exploit identified at time of analysis, and EPSS is low (0.16%), but the bug is a classic exploitable heap-overflow primitive in privileged kernel context.
Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).