Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions. This overwrites whatever data or code exists there, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like
strncpyinstead ofstrcpy - Fuzzing and static analysis — automated testing to discover overflows before deployment
Recent CVEs (36135)
Heap out-of-bounds write in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) lets a local user with access to the NPU device corrupt adjacent kernel heap memory. The command-stream parser masks the IFM region index with 0x7f (max 127) instead of 0x7 (max 7) like every other region assignment, so a crafted NPU_SET_IFM_REGION opcode with param > 7 indexes far past the 8-entry region_size[]/output_region[] arrays, writing up to ~1016 bytes beyond the allocation. No public exploit identified at time of analysis, and EPSS is low (0.16%), but the bug is a classic exploitable heap-overflow primitive in privileged kernel context.
Local privilege escalation and kernel memory corruption in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) arises from unchecked arithmetic in dma_length(), allowing a local user with access to the accelerator device to submit a crafted command stream that wraps around integer math and under-reports DMA region sizes. Because region_size[] is later used by ethosu_job.c to validate command-stream accesses against GEM buffer sizes, the wraparound bypasses bounds checking and permits out-of-bounds DMA access (CVSS 3.1 8.8). No public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile).
Local privilege escalation and host memory compromise is possible in the Linux kernel's Arm Ethos-U NPU accelerator driver (accel/ethosu) because DMA commands with an uninitialized length sentinel (U64_MAX) bypass the driver's bounds checks. A local user permitted to submit jobs to the NPU can omit the NPU_SET_DMA0_LEN command before NPU_OP_DMA_START, triggering an integer wrap in dma_length() that returns 0, zeroing region_size[] and letting the hardware execute DMA against stale physical addresses. There is no public exploit identified at time of analysis, EPSS is low (0.17%), and the issue is not in CISA KEV, but the rated CVSS of 8.8 reflects full host memory read/write potential via the DMA engine.
Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. It affects a broad range of stable kernel series and is fixed upstream; there is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.18% (7th percentile).
Heap out-of-bounds write in the Linux kernel Thunderbolt/USB4 XDomain driver lets a malicious connected peer device corrupt kernel memory. In tb_xdp_properties_request(), the per-packet copy length is taken from the attacker-controlled response header without validating it against the previously kcalloc-allocated data buffer, so a peer advertising a length larger than data_length forces memcpy to write past the allocation. No public exploit identified at time of analysis and EPSS is low (0.18%), but the write-primitive nature (CWE-787) in kernel space makes it a meaningful local/physical attack surface on Thunderbolt-capable hosts.
Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. There is no public exploit identified at time of analysis, EPSS is low (0.18%), and it is not CISA KEV-listed.
Local information disclosure and memory corruption in the Linux kernel's AMD KFD (amdkfd) driver affects GFX11/Navi3x GPUs, where the v11 MQD manager wrongly used CP-compute checkpoint/restore handlers for SDMA queues. During a CRIU checkpoint or restore of an SDMA queue, the driver treats a 512-byte v11_sdma_mqd buffer as a 2048-byte v11_compute_mqd, so it either leaks 1536 bytes of adjacent GTT memory to userspace or overwrites 1536 bytes of neighboring GTT memory (ring buffers or adjacent MQDs). Exploitation requires local access with the ability to drive CRIU checkpoint/restore of a GPU compute process; there is no public exploit identified at time of analysis and EPSS is low (0.18%).
Out-of-bounds read and unbounded-iteration denial of service in the Linux kernel's AMD Display (amdgpu DC) driver arises when the bios_parser/bios_parser2 code walks VBIOS record chains that lack a proper 0xFF terminator record. A local attacker able to supply a malformed VBIOS image can force hundreds of thousands of probe-time iterations (with record_size=1) and, near the image boundary, trigger struct casts that read past the 2-byte header validated by GET_IMAGE. There is no public exploit identified at time of analysis, and the EPSS score is low (0.17%, 6th percentile), consistent with a local, firmware-dependent memory-safety bug rather than a broadly exploited remote flaw.
Out-of-bounds kernel heap write in the AMD Display (amdgpu) driver's HDMI HDCP 2.x repeater authentication path affects Linux kernels from 5.6 through the 7.1 release candidates. When reading a downstream sink's RxStatus register, the driver in mod_hdcp_read_rx_id_list() uses an attacker-influenced 10-bit message-size field (up to 1023 bytes) as the I2C read length without bounding it to the 177-byte rx_id_list buffer, so a malicious HDMI repeater can force a write past the buffer and corrupt kernel memory. There is no public exploit identified at time of analysis and EPSS is low (0.21%, 11th percentile); it is not listed in CISA KEV.
Out-of-bounds heap write in the Linux kernel amdgpu DRM display driver (drm/amd/display) arises because the VBIOS integrated info tables (v1_11 and v2_1) expose unvalidated u8 HdmiRegNum and Hdmi6GRegNum fields that are used as loop bounds when copying retimer I2C settings into fixed-size arrays (9 and 3 elements). A malformed VBIOS can set these counts up to 255, overrunning the destination arrays during driver probe on AMD GPU systems. No public exploit has been identified and EPSS is very low (0.17%), but the memory-corruption primitive (CWE-787) carries high confidentiality, integrity, and availability impact per the CVSS 7.8 rating.
Memory corruption in the Linux kernel's RDMA/umem subsystem occurs because __rdma_block_iter_next() uses 32-bit types to reassemble scatter-gather entries, truncating DMA addresses for block sizes of 4GB or larger when an IOMMU linearizes the mapping. Affected versions span the long-lived 5.2 through 7.1 development line; a low-privileged local actor with RDMA device access can drive the kernel to compute wrong DMA addresses, yielding high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with the narrow hardware/configuration prerequisites.
Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to overwrite up to 111 attacker-controlled bytes on the stack when a specially crafted APL resource record - carrying an adflength larger than the address family permits - is serialized as the zone is written to disk. Per the CVSS 4.0 vector (PR:L), exploitation requires low privileges and yields high integrity and availability impact, consistent with memory corruption leading to crash or potential code execution. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.
Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.
Arbitrary code execution in GIMP results from a heap-based buffer overflow in the HDR file parser, where attacker-controlled length data is copied into an undersized heap buffer without bounds validation. Any user who opens a maliciously crafted HDR image (or visits a page that delivers one) can be exploited, with code running in the context of the GIMP process. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Remote code execution in Google Chrome's Blink rendering engine (InterestGroups component, part of the Privacy Sandbox/Protected Audience ad-auction API) affects all desktop versions prior to 149.0.7827.197. A crafted HTML page triggers an out-of-bounds read and write that a remote attacker can leverage to execute arbitrary code in the renderer; Chromium rates this Critical and assigns CVSS 8.8. There is no public exploit identified at time of analysis, but a vendor patch is already available, making prompt updating the priority.
Out-of-bounds kernel memory read in the Linux kernel's eBPF subsystem (pcpu_init_value) lets a local, low-privileged user with BPF access leak adjacent kernel memory and potentially crash the system. The flaw triggers when a per-CPU map is updated from a BPF_MAP_TYPE_CGROUP_STORAGE map whose value_size is not 8-byte aligned (e.g. 4 bytes), causing copy_map_value_long to read past the true source size. The issue is fixed in stable kernels; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.16%, 5th percentile).
Out-of-bounds memory access in the Linux kernel's Arm Mali 'komeda' DRM display driver allows a local low-privileged user to bypass AFBC framebuffer size validation via an integer overflow, supplying an undersized GEM buffer object that the driver treats as valid. Exploitation requires local access to the DRM device on hardware using the komeda driver, and there is no public exploit identified at time of analysis; EPSS probability is very low (0.16%, 6th percentile). The flaw was found by the Linux Verification Center using SVACE static analysis and is fixed across multiple stable kernel series.
Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. Tracked as CVE-2026-53059 (CWE-190) with CVSS 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the upstream report includes a working reproducer and a confirmed kernel crash.
In the Linux kernel, the following vulnerability has been resolved: efi/capsule-loader: fix incorrect sizeof in phys array reallocation The krealloc() call for cap_info->phys in __efi_capsule_setup_info() uses sizeof(phys_addr_t *) instead of sizeof(phys_addr_t), which might be causing an undersized allocation. The allocation is also inconsistent with the initial array allocation in efi_capsule_open() that allocates one entry with sizeof(phys_addr_t), and the efi_capsule_write() function that stores phys_addr_t values (not pointers) via page_to_phys(). On 64-bit systems where sizeof(phys_addr_t) == sizeof(phys_addr_t *), this goes unnoticed. On 32-bit systems with PAE where phys_addr_t is 64-bit but pointers are 32-bit, this allocates half the required space, which might lead to a heap buffer overflow when storing physical addresses. This is similar to the bug fixed in commit fccfa646ef36 ("efi/capsule-loader: fix incorrect allocation size") which fixed the same issue at the initial allocation site.
Out-of-bounds memory access in the Linux kernel's NVIDIA Tegra Control Backbone (CBB) driver (soc/tegra: cbb) stems from an incorrect ARRAY_SIZE calculation in the fabric lookup tables, which can be triggered during a target timeout lookup on Tegra-based systems. A local, low-privileged attacker on affected Tegra hardware could read out-of-bounds kernel memory (information disclosure) or crash the system (denial of service), with CVSS 7.1. The flaw has been fixed upstream; there is no public exploit identified at time of analysis and EPSS is low at 0.17% (6th percentile).
Out-of-bounds memory read in the Linux kernel's OCFS2 distributed lock manager (dlm_match_regions) lets a remote host send a crafted DLM_QUERY_REGION message whose attacker-controlled qr_numregions field (up to 255) drives loops past the fixed 1024-byte/32-entry qr_regions buffer. Because the o2net transport only checks message byte length and not field values, this enables disclosure of adjacent kernel memory and likely node crashes. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 7th percentile); the issue is fixed across multiple stable kernel branches.
Memory-safety failure in the Linux kernel OCFS2 filesystem's listxattr() path allows a local low-privileged user to crash the kernel (and potentially leak adjacent kernel heap memory) when an OCFS2 inode carries both inline and block-based extended attributes. Introduced by refactor commit 936b8834366e, the bug causes copy_to_user() to be invoked with a length larger than the allocated list buffer, tripping the hardened usercopy check (kernel BUG at mm/usercopy.c:102). EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not in CISA KEV.
Out-of-bounds memory read in the Linux kernel's OCFS2 filesystem driver allows a local user to leak kernel memory or crash the system by issuing the OCFS2_IOC_INFO ioctl with the OCFS2_INFO_FL_NON_COHERENT flag against a crafted or malicious OCFS2 image. The non-coherent freefrag scan path trusts the on-disk bg_bits group-descriptor field as a bitmap limit without validation, driving the bitmap walk past the end of the block buffer. No public exploit identified at time of analysis, and EPSS is low (0.18%, 7th percentile), consistent with a local, filesystem-mount-dependent kernel bug rather than a remotely scanned threat.
In the Linux kernel, the following vulnerability has been resolved: ima_fs: Correctly create securityfs files for unsupported hash algos ima_tpm_chip->allocated_banks[i].crypto_id is initialized to HASH_ALGO__LAST if the TPM algorithm is not supported. However there are places relying on the algorithm to be valid because it is accessed by hash_algo_name[]. On 6.12.40 I observe the following read out-of-bounds in hash_algo_name: ================================================================== BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440 Read of size 8 at addr ffffffff83e18138 by task swapper/0/1 CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3 Call Trace: <TASK> dump_stack_lvl+0x61/0x90 print_report+0xc4/0x580 ? kasan_addr_to_slab+0x26/0x80 ? create_securityfs_measurement_lists+0x396/0x440 kasan_report+0xc2/0x100 ? create_securityfs_measurement_lists+0x396/0x440 create_securityfs_measurement_lists+0x396/0x440 ima_fs_init+0xa3/0x300 ima_init+0x7d/0xd0 init_ima+0x28/0x100 do_one_initcall+0xa6/0x3e0 kernel_init_freeable+0x455/0x740 kernel_init+0x24/0x1d0 ret_from_fork+0x38/0x80 ret_from_fork_asm+0x11/0x20 </TASK> The buggy address belongs to the variable: hash_algo_name+0xb8/0x420 Memory state around the buggy address: ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9 ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9 ^ ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9 ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 ================================================================== Seems like the TPM chip supports sha3_256, which isn't yet in tpm_algorithms: tpm tpm0: TPM with unsupported bank algorithm 0x0027 That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0 Library Part 2: Structures", page 51 [1]. See also the related U-Boot algorithms update [2]. Thus solve the problem by creating a file name with "_tpm_alg_<ID>" postfix if the crypto algorithm isn't initialized. This is how it looks on the test machine (patch ported to v6.12 release): # ls -1 /sys/kernel/security/ima/ ascii_runtime_measurements ascii_runtime_measurements_tpm_alg_27 ascii_runtime_measurements_sha1 ascii_runtime_measurements_sha256 binary_runtime_measurements binary_runtime_measurements_tpm_alg_27 binary_runtime_measurements_sha1 binary_runtime_measurements_sha256 policy runtime_measurements_count violations [1]: https://trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-2.0-Library-Part-2-Version-184_pub.pdf [2]: https://lists.denx.de/pipermail/u-boot/2024-July/558835.html
Integer overflow in the Linux kernel SCSI target core allows a local attacker with low privileges to crash the kernel via crafted UNMAP commands. The `sbc_execute_unmap()` function performs a capacity bounds check on LBA + range but fails to guard against 64-bit wraparound, meaning an attacker can supply values that overflow to bypass the check and trigger a kernel panic. No public exploit code or CISA KEV listing exists; EPSS is 0.18% (7th percentile), reflecting the niche attack surface limited to systems actively running SCSI target daemons. Patches are confirmed available across all supported stable kernel branches.
Out-of-bounds write in the Linux kernel SCTP stack (sctp_getsockopt_peer_auth_chunks) lets a local unprivileged process trigger an 8-byte overrun past its own supplied getsockopt buffer, silently corrupting adjacent data in the caller's userspace address space. The bug is a size-check that omits the 8-byte sizeof(struct sctp_authchunks) header, so a buffer sized exactly to num_chunks passes validation but copy_to_user still writes the struct header. There is no public exploit identified at time of analysis (not in CISA KEV; EPSS 0.18%), though the kernel changelog cites a working reproducer on v7.0-13-generic, and a vendor patch is available.
Stack out-of-bounds write in the Linux kernel's netfilter connection-tracking SIP application-layer gateway (ALG) allows remote attackers to corrupt kernel stack memory by sending crafted SIP/SDP traffic through a NAT device. The flaw lives in mangle_content_len(), reached via nf_nat_sdp_session → process_sdp when rewriting the SDP Content-Length during SIP INVITE handling, where an unbounded sprintf() overflowed an undersized stack buffer (caught by KASAN). There is no public exploit identified at time of analysis and EPSS is low (0.18%), so despite the NVD 9.8 rating the practical risk is gated by whether the SIP conntrack/NAT helper is in use.
Out-of-bounds read in the Linux kernel's netfilter nfnetlink_osf (passive OS fingerprinting) module occurs when the shared nf_osf_hdr_ctx->optp pointer is not reset after a fingerprint fully matches during TCP option parsing. Affecting systems that use the osf match with NF_OSF_LOGLEVEL_ALL enabled, the flaw causes subsequent fingerprint checks to parse beyond the end of the TCP options buffer, reading garbage data and producing incorrect or missing match logs. Although carrying a 9.1 CVSS, this is a functional/correctness bug in a niche feature; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 7th percentile).
Out-of-bounds heap write in the Linux kernel's ADFS (Acorn Disc Filing System) driver allows a local attacker to corrupt kernel memory by mounting a crafted new-format ADFS disc image whose disc record declares a zone count of zero. adfs_read_map() forwards nzones==0 to kmalloc_array(0, ...), which returns ZERO_SIZE_PTR, and adfs_map_layout() then writes to dm[-1], an out-of-bounds write before the allocated buffer. The flaw was found by syzkaller; there is no public exploit identified at time of analysis and EPSS scores it at just 0.18% (8th percentile).
Memory-safety flaw in the Linux kernel's NVMe-over-TCP target driver (nvmet-tcp) lets a connected initiator drive the kernel into reading received network data through an uninitialized iov_iter. Because nvmet_tcp_build_pdu_iovec() reported out-of-bounds PDU length/offset only via a fatal-error side effect while returning void, callers such as nvmet_tcp_handle_h2c_data_pdu() continued and advanced the receive state machine over an uninitialized cmd->recv_msg.msg_iter, leading to memory corruption or denial of service. NVD rates this 9.8 (CVSS:3.1 AV:N/AC:L/PR:N/UI:N), but EPSS is low (0.17%, 7th percentile) and there is no public exploit identified at time of analysis; it is not in CISA KEV.
Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.
Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.
Out-of-bounds memory access in the Linux kernel's KVM s390 PCI adapter-interrupt-forwarding (AIF) code allows a low-privileged local actor on IBM Z (s390x) hosts to read and corrupt kernel memory. The flaw stems from double-scaled pointer arithmetic when indexing the GAIT table in kvm_s390_pci_aif_enable(), kvm_s390_pci_aif_disable(), and aen_host_forward(), triggered when an adapter interrupt source (aisb) index reaches 32 or higher under ZPCI_NR_DEVICES=512. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.18%, 8th percentile).
Out-of-bounds read and denial-of-service in the Linux kernel SMB/CIFS client (cifs.ko) affects systems mounting SMB shares on 32-bit architectures. When parsing a malicious SMB2 error response, the symlink_data() routine mishandles a hostile ErrorDataLength value, causing either an infinite loop or a read past the buffer that can hang the client or leak adjacent kernel memory. There is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile), but the bug is reachable by any malicious or compromised SMB server a vulnerable client connects to.
Memory leak in the Linux kernel's Ceph client (CephFS) allows a local, low-privileged user to exhaust kernel buffer memory by repeatedly triggering the retry path in __ceph_setxattr(), where the old_blob holding ci->i_xattrs.prealloc_blob is never released via ceph_buffer_put(). The flaw affects systems mounting CephFS and is addressed by an upstream stable fix; there is no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.18%). Note: the CWE-787 (out-of-bounds write) classification and 'Buffer Overflow' tag conflict with the description, which describes a resource/buffer leak rather than memory corruption.
Out-of-bounds memory access in the Linux kernel's libceph client (osdmap_decode) lets a malicious or compromised Ceph monitor/OSD send a corrupted OSD map whose max_osd field exceeds the actual message length, reading past the allocated buffer. The flaw affects kernels using the in-kernel Ceph client (RBD/CephFS) and is fixed across multiple stable branches. There is no public exploit identified at time of analysis, and EPSS is low (0.18%, 8th percentile), consistent with a memory-safety bug requiring a hostile Ceph endpoint rather than broad internet exposure.
Denial of service in the Linux kernel's libceph (Ceph client) component allows a malicious or compromised Ceph peer to crash a connecting host during the CephX authentication handshake. The flaw lives in __ceph_x_decrypt(), which reads a ceph_x_encrypt_header (notably hdr->magic) from a decrypted buffer without first verifying the buffer is large enough - a FRAME_TAG_AUTH_REPLY_MORE frame carrying a ciphertext_len of 8 or fewer bytes triggers an out-of-bounds memory access. CVSS is 7.5 (availability-only); EPSS is low at 0.16% (6th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Out-of-bounds memory access in the Linux kernel's libceph CRUSH map decoder (crush_decode()) lets a malicious or compromised Ceph cluster corrupt kernel memory on a connecting client. A crafted CEPH_MSG_OSD_MAP message whose bucket carries mismatched algorithm fields (alg vs b->alg) causes memory to be allocated for one bucket type but processed and later freed as another, leading to OOB access during decode and again during crush map destruction. Despite a 9.8 CVSS, there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile); the realistic attack surface is limited to hosts mounting/connecting to attacker-controlled Ceph (RBD/CephFS) infrastructure.
Local denial of service in the Linux kernel's Intel VT-d (iommu/vt-d) driver lets a privileged user crash the host by terminating a QEMU/VFIO guest, triggering a general-protection-fault oops. The flaw lives in domain_remove_dev_pasid(), which dereferences the global static blocked domain - a dummy iommu_domain with no backing dmar_domain - during PASID teardown on device reset. No public exploit is identified at time of analysis; EPSS is low (0.17%, 7th percentile) and it is not in CISA KEV.
Out-of-bounds write in Marlin Firmware (3D printer firmware) through 2.1.2.7 lets attackers corrupt firmware memory through the M421 G-code mesh-bed-leveling handler, which fails to upper-bound the X/Y grid indices before writing a 32-bit float into the z_values array. Any actor able to feed G-code to a printer built with MESH_BED_LEVELING enabled can write an attacker-controlled value past the array, overwriting adjacent firmware state and causing denial of service or unpredictable machine behavior. Publicly available exploit code exists and the fix is committed (1f255d1), but there is no public exploit identified as actively exploited in the wild (not in CISA KEV).
Stack buffer overflow in OpenColorIO's .spi3d LUT parser allows a crafted color-lookup file to corrupt memory in any application that loads it. The flaw in FileFormatSpi3D.cpp reads attacker-controlled data from a 4096-byte line into 64-byte stack buffers via unbounded sscanf %s, permitting an overflow of roughly 4000 bytes on non-Windows platforms. It affects all OCIO 1.x and 2.x releases prior to 2.5.2 and, while no public exploit has been identified, the same unsafe pattern was found across the .spi3d, .spi1d, .cube, and .lut parsers.
Out-of-bounds read in ImageMagick's ConnectedComponentsImage() function allows local attackers to trigger access violations by supplying malformed connected-components artifact definitions via the CLI, leading to denial of service or potential arbitrary code execution. All ImageMagick releases before 7.1.2-19 are affected, as are Magick.NET NuGet packages before 14.12.0. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the RCE and information-disclosure tags warrant attention in environments that process untrusted image inputs through automated pipelines.
Out-of-bounds kernel memory read in the Linux kernel netfilter netdev logger (nf_log_syslog) lets a local low-privileged attacker leak adjacent slab memory into the kernel log and potentially crash the system. The flaw is in dump_mac_header(), whose fallback path tests skb->mac_header != skb->network_header but omits skb_mac_header_was_set(); an unset MAC header (value 0xffff) passes the check and causes a read ~64 KiB past the skb buffer. Fixed in stable kernels (e.g., 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, 7.0.13/7.1); no public exploit identified at time of analysis and EPSS is low at 0.17%.
Out-of-bounds read in the Linux kernel's xfrm espintcp (ESP-in-TCP IPsec encapsulation) send path allows a local user with a socket using espintcp to corrupt the one-message-at-a-time transmit state, leading to memory disclosure or a crash. The flaw stems from espintcp_sendmsg() reinitializing emsg->skmsg and reusing ctx->partial while a previous partial send is still in flight, attaching a stale offset to a fresh sk_msg. No public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile), reflecting a niche, configuration-dependent attack surface rather than broad exploitability.
Out-of-bounds kernel memory read in the Linux kernel ebtables 32-bit compat layer (compat_mtw_from_user) lets a local low-privileged user holding CAP_NET_ADMIN trigger KASAN-detected OOB reads by supplying an undersized match_size/target_size for an extension whose ->compat_from_user() callback assumes it can read compatsize bytes. It affects Linux from 2.6.34 through builds before the fix and is resolved upstream across all maintained stable branches; no public exploit is identified at time of analysis and EPSS is low (0.16%, 6th percentile).
Out-of-bounds kernel memory read in the Linux kernel's SCTP sock_diag subsystem allows a local attacker to disclose adjacent kernel memory and potentially crash the system by racing a diag dump against association teardown. The exact sock_diag lookup (dump_one path) can hold a transport reference, block on lock_sock(), and resume after sctp_association_free() has reaped the association and freed its bind-address list, causing inet_diag_msg_sctpasoc_fill() to dereference an emptied bind-address list as a valid sctp_sockaddr_entry. CVSS is 7.1 (local, high confidentiality and availability impact); EPSS is low (0.18%, 7th percentile), there is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Local denial of service and potential information disclosure in the Linux kernel's IPv6 netfilter Hop-by-Hop options match (ip6t_hbh) stems from an off-by-one out-of-bounds array access. A local user able to install xtables rules can supply an oversized optsnr value that the hbh_mt6_check() setup path fails to validate, reading/writing past the fixed 16-entry opts[] array (confirmed via a UBSAN array-index-out-of-bounds report at index 16). There is no public exploit identified at time of analysis and EPSS risk is low (0.18%), but a vendor fix has shipped across multiple stable kernel branches.
Denial of service in the Linux kernel's batman-adv mesh networking module arises from faulty length accounting during fragment reassembly, where the accumulated payload length can be truncated during updates, letting malformed fragment chains bypass validation and drive reassembly with inconsistent length state. The flaw affects systems running the B.A.T.M.A.N. Advanced (batman-adv) module across many stable kernel series and results in a local denial of service per the upstream description. There is no public exploit identified at time of analysis, EPSS is low (0.18%, 7th percentile), and the NVD CVSS of 9.8 conflicts with the upstream 'local denial of service' characterization.
Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the cross-VM-boundary scope change (S:C) and high confidentiality impact make this a material risk in multi-tenant or shared virtualization environments.
Remote unauthenticated stack-based buffer overflow in GeoVision GV-I/O Box 4E smart I/O appliances allows any host on the same network to corrupt memory in the DVRSearch service (UDP/10001) by sending a crafted message that triggers an unbounded memcpy of the device's configured DNS address into a fixed-size stack buffer. The flaw is rated CVSS 10.0 with scope change and full CIA impact, and no public exploit has been identified at time of analysis. Successful exploitation can fully compromise the embedded controller used for relay/I/O automation.
Stack-based buffer overflow in the GeoVision GV-I/O Box 4E DVRSearch service allows unauthenticated network attackers to corrupt memory by sending a crafted UDP datagram to port 10001. The flaw stems from an unchecked memcpy of the device's configured gateway field into a fixed-offset reply buffer, enabling code execution on the embedded device with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E allows unauthenticated remote attackers to overflow a fixed-size stack buffer by sending a crafted UDP packet to the DVRSearch service on port 10001. The flaw, tracked as CWE-121 with a maximum CVSS 10.0 score and scope change, can be triggered by any host able to reach the device on the network, with no public exploit identified at time of analysis.
Stack-based buffer overflow in GeoVision GV-I/O Box 4E embedded I/O controllers allows unauthenticated network attackers to corrupt memory via the DVRSearch service on UDP port 10001. The vulnerable code path uses memcpy with an attacker-influenced length derived from a stored IP address into a fixed-size stack buffer, yielding potential remote code execution at CVSS 10.0 with scope change. No public exploit identified at time of analysis, though Talos has published a vulnerability report (TALOS-2026-2377).
Stack-based buffer overflow (CWE-121) in the GV-Cloud component of GeoVision GV-VMS V20 20.0.2 enables a remote attacker with a network-intercept position to crash the video management system, causing high-impact denial of service against physical security infrastructure. Exploitation requires impersonating the legitimate GV-Cloud server - achieved via MitM techniques - and delivering a specially crafted network payload that corrupts stack memory in the GV-Cloud client handler. Reported by Cisco Talos (TALOS-2026-2411); no public exploit has been identified at time of analysis and no CISA KEV listing exists.
Heap use-after-free in GPAC MP4Box 2.5-DEV-rev1593-gfe88c3545-master crashes the application when a local authenticated user processes a specially crafted MPEG-2 TS or MP4 file. The defect resides in `gf_filter_pid_inst_swap_delete_task()` within `filter_core/filter_pid.c`, where PID instance cleanup dereferences already-freed objects during a swap/delete operation, causing a heap corruption and denial of service. No public exploit has triggered active exploitation per CISA KEV, but a proof-of-concept is publicly available; EPSS sits at 0.18% (7th percentile), consistent with limited real-world targeting.
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by supplying a crafted media file. The flaw is an out-of-bounds read of a language metadata string in gf_media_import (media_import.c), where three characters were read without verifying the string's length. Publicly available exploit code exists (sigdevel PoC), but it is not listed in CISA KEV and EPSS is low (0.19%, 8th percentile), indicating minimal observed real-world exploitation.
Heap out-of-bounds read in GStreamer's gst-plugins-bad H.264 parser allows an attacker to crash a media application or leak a single byte of heap memory by tricking a victim into opening a specially crafted H.264 video file containing malformed MVC or SVC extension slice NAL units. Affected systems span Red Hat Enterprise Linux versions 6 through 10 where gst-plugins-bad is installed. No public exploit code has been identified at time of analysis and the vulnerability is absent from CISA KEV; the narrow 1-byte read, required user interaction, and local attack vector substantially limit real-world exploitation impact.
Out-of-bounds read in the GStreamer gst-plugins-bad H.266/VVC parser allows a remote attacker to leak up to 8 bytes of application memory by delivering a crafted video file with a manipulated aspect ratio indicator value. Affected platforms include Red Hat Enterprise Linux 8, 9, and 10 wherever gst-plugins-bad processes H.266/VVC content. No public exploit code or active exploitation has been identified at time of analysis; the limited read window and user-interaction requirement constrain practical impact, but the network-reachable vector and zero-authentication requirement lower the delivery barrier.
Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier are affected by an out-of-bounds read vulnerability that could. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds reads of uninitialized memory in GNU libidn before version 1.44 are triggerable through the ToUnicode IDNA APIs when malformed internationalized domain name input is processed by the vulnerable function `idna_to_unicode_internal`. Applications statically or dynamically linked against affected libidn versions that pass attacker-influenced hostname strings to these APIs are exposed to integrity and availability disruption. No public exploit has been identified at time of analysis, and the successor library libidn2 is explicitly confirmed unaffected, providing a viable migration path for defenders.
Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.
Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, but a vendor fix (commit 2f00c7b) is available.
Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.
Heap overflow in rsyslog's contributed imhttp module allows remote unauthenticated clients to corrupt the rsyslog process heap by sending an oversized HTTP Basic Authentication header. The root cause is a one-character typo - `calloc(0, len)` instead of `calloc(1, len)` - which allocates zero or minimal bytes before the Base64 decoder writes up to `len` bytes into the buffer. The practical expected impact is denial of service (rsyslog process crash); remote code execution is theoretically possible but depends on heap allocator behavior, compiler hardening, and platform. No public exploit identified at time of analysis, and the vulnerability is not in CISA KEV.
Heap out-of-bounds read in dnsmasq's find_soa() function allows a remote attacker controlling a DNS zone to leak up to 10 bytes of stale heap memory by serving a crafted NXDOMAIN response. The flaw exists because extract_name() is invoked with extrabytes=0 when parsing NS section records, skipping the mandatory boundary check for the 10-byte fixed-length DNS record trailer fields. Confirmed affected platforms include Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4; no public exploit or CISA KEV listing has been identified at time of analysis.
Stack-based buffer overflow in the Totolink EX1200L router's login handler (cgi-bin/cstecgi.cgi) allows remote attackers on the adjacent network to crash the device or execute arbitrary code as root. Confirmed on firmware 9.3.5u.6146_B20201023 with no public exploit identified at time of analysis, but vendor contact attempts by CERT-PL were unsuccessful so no patch is available. CVSS 4.0 of 9.4 reflects unauthenticated exploitation with full impact on both the device and downstream systems.
OpenSSH's GSSAPI authentication cleanup routine contains a heap out-of-bounds read (CWE-125) triggered when the auth-indicators array lacks a trailing NULL terminator, allowing a remote unauthenticated attacker to crash the SSH authentication path and deny SSH service availability. Exploitation is constrained by high attack complexity (AC:H) due to the non-default Kerberos/GSSAPI configuration requirement, limiting real-world exposure to a minority of deployments. No active exploitation is confirmed (not in CISA KEV), no public exploit code has been identified, and the impact is restricted to partial availability loss with no confidentiality or integrity consequence.
Denial-of-service and potential out-of-bounds read in the Zephyr RTOS Bluetooth Host ISO receive path allows a malicious or compromised Bluetooth controller to crash devices using CONFIG_BT_ISO_RX by sending malformed HCI ISO packets with undersized SDU headers. The flaw resides in bt_iso_recv() within subsys/bluetooth/host/iso.c, where header bytes are pulled without prior length validation. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Denial of service in Zephyr RTOS Bluetooth Classic SDP parser allows adjacent Bluetooth attackers to crash devices via a malformed 3-byte SDP attribute that triggers a reachable kernel assertion. The flaw resides in bt_sdp_parse_attribute() in subsys/bluetooth/host/classic/sdp.c, where the parser pulls a value-type byte without first verifying buffer length, causing a kernel panic in assert-enabled builds and an out-of-bounds read with undefined behavior when assertions are disabled. No public exploit identified at time of analysis, though the GHSA advisory describes the trigger conditions in enough detail to reproduce.
Out-of-bounds read and denial-of-service in Zephyr RTOS's ext2 filesystem parser expose embedded devices to filesystem-level attacks via maliciously crafted disk images. The flaw resides in ext2_fetch_direntry() (subsys/fs/ext2/ext2_diskops.c), where insufficient validation of on-disk directory entry fields - specifically de_rec_len and de_name_len against block boundaries - allows a crafted ext2 image to trigger an oversized memcpy (out-of-bounds read) or a zero-progress infinite loop when de_rec_len equals zero. All Zephyr versions are indicated as affected per the wildcard CPE, no public exploit code has been identified at time of analysis, and this CVE is not currently listed in CISA KEV.
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. No public exploit identified at time of analysis, and CVSS 4.0 of 8.2 reflects high availability impact with attack complexity requirements.
Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. No public exploit identified at time of analysis, but the bug is straightforward to trigger and fixes are already published upstream.
Malformed HTTP Range request handling in libsoup (GNOME's HTTP client/server library, packaged across Red Hat Enterprise Linux 6-10) re-introduces a signed integer underflow originally patched in CVE-2026-2443. A rework commit replaced specific overflow guards with a general signed comparison, meaning a suffix-byte Range request whose length exceeds the resource content size now produces a negative start offset that is passed unclamped to buffer operations, generating malformed HTTP 206 responses and log flooding. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network vector makes any exposed libsoup HTTP server reachable without credentials.
Heap-based buffer overflow in dnsmasq's DNSSEC logging path enables remote denial of service against instances where both DNSSEC validation and query logging are simultaneously enabled. When dnsmasq receives a DS or DNSKEY DNS response containing an algorithm or digest type it does not recognize, its logging routine writes past the end of an internal heap-allocated buffer, corrupting memory and crashing the process. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the network-deliverable attack vector (PR:N) makes the configuration prerequisite the primary limiting factor for defenders.
Stack/heap buffer overflow in the Edimax BR-6478AC V2 wireless router (firmware 1.23) lets an authenticated attacker corrupt memory by sending an oversized selSSID parameter to the formWlSiteSurvey handler under /goform/, enabling denial of service and potentially arbitrary code execution on the device. Publicly available exploit code exists, but no public exploit identified at time of analysis as actively used in attacks (not in CISA KEV); the vendor was notified and did not respond, leaving devices unpatched. CVSS 4.0 base score is 7.4 reflecting network reachability of the management interface combined with required low-privilege authentication.
Heap-based buffer overflow in OFFIS DCMTK's XMLNode::parseFile function (ofstd/libsrc/ofxml.cc) affects all versions through 3.7.0, exploitable by any remote party who can supply a crafted or non-seekable XML input to the parser. The root cause - confirmed by the upstream patch commit - is that the original guard `if (!l)` failed to catch a -1 return from ftell(), allowing a corrupted buffer size to propagate into heap allocation and subsequent write. A public proof-of-concept exploit exists per VulDB and a published Medium writeup; no active exploitation is confirmed via CISA KEV. The CVSS 4.0 score of 2.1 reflects passive-interaction and low-impact ratings, but the presence of public exploit code elevates practical risk for any DCMTK deployment that parses externally influenced XML files.
Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.
Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.
Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.
Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.
Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.
Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.
Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.
Heap out-of-bounds read in ImageMagick's PCD image decoder (versions prior to 7.1.2-15 and 6.9.13-40) allows unauthenticated network-reachable attackers to cause denial of service and disclose a single adjacent heap byte by supplying a crafted PCD file to an image-processing endpoint. The vulnerability is rooted in the PCD coder's DecodeImage loop and requires high attack complexity (AC:H) with specific attack prerequisites (AT:P), meaning the target application must actively process attacker-supplied PCD files. No public exploit code has been identified and this vulnerability does not appear in the CISA KEV catalog at time of analysis, though .NET bindings via Magick.NET NuGet packages are also affected and carry a separate fix version.