Buffer Overflow
A buffer overflow occurs when a program writes more data to a memory buffer than it was allocated to hold, causing the excess data to spill into adjacent memory regions.
How It Works
The excess bytes overwrite whatever data or code exists in the adjacent region, corrupting program state and potentially giving attackers control over execution flow.
Stack-based overflows are the most common variant. When a function allocates a fixed-size buffer on the stack and then copies user-controlled input without proper bounds checking, attackers can overflow past the buffer to overwrite the function's return address. When the function completes, instead of returning to legitimate code, execution jumps to attacker-specified memory containing malicious shellcode. Heap-based overflows work differently—they corrupt heap metadata like chunk size fields or free list pointers, leading to arbitrary memory writes when the allocator processes the corrupted structures.
Modern exploitation bypasses defensive mechanisms through techniques like Return-Oriented Programming (ROP), which chains together existing code snippets to avoid non-executable memory protections. Attackers may also use heap spraying to reliably position shellcode at predictable addresses, defeating address randomization.
Impact
- Remote code execution — attacker gains ability to run arbitrary commands with the privileges of the vulnerable process
- Privilege escalation — exploiting kernel or setuid program overflows to gain root/SYSTEM access
- Denial of service — crashes and memory corruption that render systems unusable
- Information disclosure — reading sensitive data from adjacent memory regions that should be inaccessible
- Authentication bypass — overwriting security-critical variables like permission flags or user IDs
Real-World Examples
Fortinet FortiOS suffered a critical buffer overflow (CVE-2025-32756) that allowed unauthenticated remote attackers to execute code as root on firewalls and VPN gateways. Attackers actively exploited this to compromise enterprise network perimeters before patches were available.
The Slammer worm from 2003 exploited a stack overflow in Microsoft SQL Server, spreading to 75,000 hosts in ten minutes by sending a single malformed UDP packet that overwrote the return address with shellcode. No authentication was required.
OpenSSH historically contained a heap overflow in challenge-response authentication that allowed pre-authentication remote root compromise on Unix systems, demonstrating how memory corruption in privileged network services creates maximum impact scenarios.
Mitigation
- Memory-safe languages — Rust, Go, and modern managed languages prevent buffer overflows by design through automatic bounds checking
- Stack canaries — random values placed before return addresses that detect corruption before control transfer
- Address Space Layout Randomization (ASLR) — randomizes memory locations making exploitation less reliable
- Data Execution Prevention (DEP/NX) — marks memory regions as non-executable, preventing direct shellcode execution
- Bounds checking — validate input sizes before copying, use safe functions like strncpy instead of strcpy
- Fuzzing and static analysis — automated testing to discover overflows before deployment
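The following is an added example, not code from the original page: the stack-buffer pattern described under How It Works, placed beside a hardened version that implements the bounds-checking mitigation above. NAME_LEN, copy_bounded, strncpy_terminated and greet_safe are names chosen here; the inputs are constructed. It also shows the caveat that goes with the strncpy recommendation: when the source is as long as the destination, strncpy writes no terminating NUL, so a wrapper has to add one.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern from the text: fixed-size stack buffer, unbounded copy.
 * strcpy() copies until the source's NUL, so any input of NAME_LEN bytes or
 * more writes past 'name' into whatever the compiler placed next (saved
 * registers, the canary, the return address). Kept for comparison only;
 * nothing below calls it. */
void greet_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);            /* no bound check: classic CWE-121 */
    printf("hello, %s\n", name);
}

/* Hardened copy: measure first, reject oversized input instead of silently
 * truncating it. Returns 0 on success, -1 if the input does not fit. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = strnlen(src, dst_size);   /* never scan further than we could store */
    if (dst_size == 0 || n >= dst_size)  /* must leave room for the terminating NUL */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* strncpy caveat: if src has dst_size or more characters, strncpy fills dst
 * completely and writes NO terminating NUL, so a later printf/strlen reads
 * past the buffer. This wrapper always terminates (truncating if needed) and
 * returns 1 if truncation happened, 0 if the whole string fit, -1 on a
 * zero-sized destination. */
int strncpy_terminated(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strnlen(src, dst_size) >= dst_size ? 1 : 0;
}

/* Same behaviour as greet_unsafe, but oversized input is refused. */
int greet_safe(const char *input) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, input) != 0)
        return -1;   /* input too long: refuse rather than overflow */
    printf("hello, %s\n", name);
    return 0;
}

int main(void) {
    /* constructed inputs: one fits, one would overflow a 16-byte buffer */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 32 bytes */
    greet_safe(ok);
    if (greet_safe(too_long) != 0)
        puts("rejected oversized input");
    return 0;
}
```

Rejecting rather than truncating is the safer default for security-relevant fields (usernames, paths, hostnames), because silent truncation can itself change meaning; strncpy_terminated is for the cases where truncation is genuinely acceptable and the caller checks the return value.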
Recent CVEs (6873)
Local privilege escalation in VS Revo RevoUninstaller versions 2.5.x and 2.6.x is possible through a heap-based buffer overflow in the IOCtl_Handler function within the RevoDetector.sys kernel driver. Authenticated local users sending crafted IOCTL requests can corrupt kernel pool memory, potentially achieving SYSTEM-level code execution. Publicly available exploit code exists, and a detailed write-up plus PoC repository have been published, raising the practical risk despite no active exploitation listing.
Buffer overflow in the web server component of GALAYOU Y4 version 1.0.0 allows adjacent-network attackers to compromise the device's confidentiality, integrity, and availability without authentication. Publicly available exploit code exists per VulDB disclosure, though the vendor was contacted and did not respond, leaving the issue unpatched. EPSS data was not provided and the flaw is not listed in CISA KEV, but the public PoC combined with vendor silence elevates practical risk for any deployment exposed on shared LAN/Wi-Fi segments.
Integer underflow and out-of-bounds read in driftregion iso14229 through version 0.9.0 allows remote unauthenticated attackers to crash a UDS server or read up to 65535 bytes of memory past the 4KB receive buffer by sending a single-byte 0x27 SecurityAccess diagnostic request. The Handle_0x27_SecurityAccess() function in iso14229.c at line 1447 fails to validate that recv_len is at least 2 before computing the key-data length via unsigned subtraction, unlike the library's other sub-function handlers. No public exploit identified at time of analysis, though the CVSS 4.0 supplemental metric E:P indicates publicly available exploit code exists, and the vulnerability is exposed across CAN bus, OBD-II, ISO-TP, and DoIP transports in the default diagnostic session on automotive ECUs, industrial controllers, and IoT devices.
Heap-based out-of-bounds read and integer underflow in LiamBindle MQTT-C (all versions through 1.1.6) allows a remote attacker who controls an MQTT broker - or who can inject packets into an unencrypted MQTT session - to crash any subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a single specially crafted PUBLISH packet. The flaw resides in mqtt_unpack_publish_response() in src/mqtt.c, where the broker-supplied 16-bit topic_name_size field is used to advance a parse pointer without validating it fits within the packet's remaining_length, and the subsequent unsigned subtraction to derive application_message_size wraps to near 2^32 and is passed directly to memmove(). No patched release has been identified at time of analysis; a proof-of-concept is indicated by the CVSS 4.0 E:P supplemental metric, and this vulnerability is not listed in the CISA KEV catalog.
Off-by-one buffer overflow in nanoMODBUS through v1.23.0 lets remote unauthenticated attackers write one attacker-controlled byte past a 260-byte receive buffer in the Modbus/TCP server's recv_msg_header() function. The corruption of the adjacent buffer-index field can cause denial of service on all targets and, on bare-metal/RTOS deployments without memory protection, leak one byte of memory and trigger unintended writes through the Write Multiple Registers (FC16) handler. No public exploit identified at time of analysis, but the bug is trivially reachable by sending a crafted MBAP frame with Length=255.
Stack-based buffer overflow in GPAC's MP4Box tool crashes the process when parsing a crafted MP4 file containing a malformed non-self-delimited Opus packet. The function gf_opus_read_length() in media_tools/av_parsers.c performs a 2-byte out-of-bounds write into a stack-allocated pckh structure at offset 568, confirmed by AddressSanitizer at line 11140. No active exploitation is confirmed in CISA KEV, but a public proof-of-concept MP4 file is available from the reporter, and the CVSS vector (PR:N, UI:R) indicates any user or automated pipeline invoking MP4Box on untrusted Opus-bearing MP4 files is at risk of a process crash.
Heap-based buffer overflow in GPAC's MP4Box Opus packet parser exposes file-processing pipelines to heap memory disclosure and application crash when handling a crafted MP4 containing a malformed Opus audio track. Processing a specially constructed file via MP4Box's XML dump mode (-dxml) triggers an out-of-bounds READ of 1 byte beyond a 3-byte heap allocation inside gf_opus_parse_packet_header() at av_parsers.c:11326, with adjacent heap memory potentially leaked as a secondary consequence. No public exploitation has been confirmed (not in CISA KEV), but a functional PoC MP4 file is publicly available on GitHub, lowering the barrier for targeted abuse in automated media-ingestion workflows.
Heap-based buffer overflow in GPAC MP4Box (all versions prior to fix commit 61bbfd2e89553373ba3449b8ec05b5f098d732a5) allows out-of-bounds heap READ when processing a crafted MP4 file containing corrupted stsz (sample-size box) data for an Opus audio track. When a user runs MP4Box with the -dxml flag against a malicious file, gf_opus_parse_packet_header() in av_parsers.c:11297 reads 1 byte beyond a 32-byte heap allocation, 1242 bytes past the base region allocated by Media_GetSample(), potentially leaking adjacent heap memory contents and crashing the process. A public proof-of-concept MP4 file is available; no active exploitation has been recorded in CISA KEV at time of analysis.
Local code execution in Avira Antivirus engine builds prior to 8.3.27.12 on Windows, macOS, and Linux occurs when the scanner parses a malformed POSIX tar archive, triggering a heap out-of-bounds write that can either crash the AV process (DoS) or execute attacker code in the scanner's context. No public exploit identified at time of analysis, but the on-access scanning model means a victim only has to write the malicious tar to disk for the engine to touch it. Reported by GEN (Gen Digital, Avira's parent).
Local code execution in Avira Antivirus engine builds before 8.3.70.104 on Windows, macOS, and Linux allows attackers to trigger a heap buffer out-of-bounds write by having the engine scan a malformed MS-DOS executable. The flaw stems from an integer overflow during parsing and can also crash the antivirus engine process, with no public exploit identified at time of analysis.
Local code execution in Avira Antivirus engine builds before 8.3.70.76 on Windows, macOS, and Linux is triggered when the scanner processes a malformed PDF file, leading to a heap out-of-bounds read that can corrupt the antivirus engine process. CVSS 7.8 reflects the high impact on confidentiality, integrity, and availability, but exploitation requires the victim to expose the engine to the attacker's file. No public exploit identified at time of analysis.
Heap out-of-bounds read in the Avira Antivirus scanning engine on Windows, macOS, and Linux (engine builds before 8.3.70.98) allows a malformed Windows PE file to trigger local code execution or crash the antivirus engine process. Because AV engines typically auto-scan files on access, simply writing or dropping a crafted PE onto disk can reach the vulnerable parser; no public exploit has been identified at time of analysis. Exploitation requires the victim's AV to scan the file (UI:R), so realistic delivery is via downloads, email attachments, or removable media rather than fully remote unauthenticated execution.
Stack overflow in Gen Digital's shared antivirus scanning engine crashes the AV process when it parses a malformed Office Open XML (OOXML) file, causing a Denial-of-Service condition. The flaw affects Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux - all products that consume the same Gen Digital VPS (virus definition) update stream. No active exploitation or public exploit code has been identified at time of analysis; the impact is limited to availability (AV process crash) with no confidentiality or integrity consequences.
Local code execution or denial-of-service in Avira Antivirus engine builds prior to 8.3.70.56 occurs when the scanner parses a malformed Windows MSI installer file, triggering a heap out-of-bounds read. The flaw affects deployments on Windows, macOS, and Linux and requires user interaction to place a crafted MSI where the engine will scan it. No public exploit identified at time of analysis and CVSS scores it 7.8 High.
Local code execution and denial-of-service in Gen Digital antivirus engines (Avast, AVG, Norton, Avast One, Avast Business Antivirus) on Windows, macOS, and Linux stems from a heap out-of-bounds read in the malformed-ZIP/XML scanner across virus definition builds 25020100 through 25021207. An attacker who lures a user into letting the on-access scanner process a crafted archive can crash the antivirus process or potentially execute code in its context. No public exploit identified at time of analysis and the EPSS signal was not provided.
Stack overflow via uncontrolled recursion crashes the antivirus scanning process across all Gen Digital consumer and business products when a crafted malformed PDF is scanned. Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux are all affected through a shared Gen Digital virus definition engine (VPS builds before 25021208). An attacker who can place a specially crafted PDF on a target system - or deliver it via email or download - can force a denial-of-service of the antivirus process; no public exploit has been identified at time of analysis.
Local code execution or antivirus-process denial-of-service in Gen Digital's shared scanning engine (Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus on Windows, macOS, and Linux) is triggered when the engine parses a malformed Windows PE file and performs a heap out-of-bounds read. Mitigation ships via the VPS 25021310 virus definition update rather than a product installer, so any consumer of the Gen Digital definition stream at or above that build is no longer exposed. No public exploit identified at time of analysis, but the bug sits inside a high-privilege scanner that auto-processes attacker-controlled files.
Out-of-bounds heap read in the Gen Digital antivirus scanning engine (Avast, AVG, Norton, Avast One, Avast Business) allows a malformed Windows PE file with crafted .NET metadata to crash the AV process or potentially execute code locally on Windows, macOS, and Linux endpoints running virus definitions prior to VPS 25021310. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the bug is reachable via on-access scanning, meaning any user who receives a malicious file may trigger it without explicit action. UI:R in the CVSS vector and the local attack vector temper the urgency relative to the 7.8 base score.
Heap out-of-bounds write in Gen Digital's shared antivirus scanning engine allows local code execution or denial of service when the engine parses a malformed Windows PE file, affecting Avast Antivirus, AVG Antivirus, Norton Antivirus, Avast One, and Avast Business Antivirus across Windows, macOS, and Linux on virus definition builds prior to VPS 25040308. Because the flaw lives in the scanner that typically runs with elevated privileges, successful exploitation can escalate to code execution in a high-privilege security context. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Out-of-bounds heap read in the Avira Antivirus scanning engine triggers when the engine parses a malformed PDF, allowing local code execution or denial-of-service of the antivirus process on Windows, macOS, and Linux engine builds prior to 8.3.70.56. The CVSS 7.8 (High) rating reflects a local attack vector with required user interaction (the engine must scan the attacker-supplied file), and no public exploit has been identified at time of analysis. Because the AV engine typically runs with elevated privileges, successful code execution would inherit those privileges.
Local code execution and denial-of-service in Avira Antivirus engine builds before 8.3.70.68 allow an attacker to compromise the scanning engine by placing a malformed PDF where the engine will scan it on Windows, macOS, or Linux. The flaw is a heap out-of-bounds read (CWE-125) triggered during PDF parsing, and no public exploit has been identified at time of analysis. CVSS is 7.8 (high), driven by full C/I/A impact on the local host, but exploitation requires user/scanner interaction with the malicious file.
A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger an out-of-bounds write in the GPU user-space driver, leading to memory corruption and a possible browser/GPU process crash. The software computes a required memory size from untrusted input, but integer overflow can produce a value smaller than needed. Subsequent write operations may then occur past the intended memory boundary, corrupting adjacent memory and causing process instability or termination.
Software installed and run as a non-privileged user may make deliberate GPU sparse memory API calls to cause an out-of-bounds write in the kernel. The product incorrectly indexes internal state when performing sparse allocation remapping.
Client-side memory corruption in the AWS Common Runtime aws-c-http library can be triggered by a malicious HTTP/2 server that sends a crafted sequence of HEADERS frames manipulating the HPACK dynamic table size, potentially leading to arbitrary code execution in applications that use the library as an HTTP/2 client. The CVSS 4.0 score of 8.7 (High) reflects network reachability with low complexity but requires user/client interaction (initiating a connection to the attacker server). There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Out-of-bounds memory read in Tornado's optional C extension `tornado.speedups` exposes up to 3 bytes of uninitialized memory via a missing length validation in the `websocket_mask` function. Applications running Tornado versions prior to 6.5.6 with the native extension active and `xsrf_cookies=True` are reachable from the network without authentication (CVSS AV:N/PR:N), though high attack complexity (AC:H) is indicated by the dual configuration prerequisite. No public exploit code or CISA KEV listing exists at time of analysis, and EPSS stands at 0.04% (11th percentile), consistent with the low exploitation probability for a constrained information-disclosure primitive. Vendor-released patch is Tornado 6.5.6.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs through an out-of-bounds write triggered when a victim opens a malicious PDF file. Successful exploitation runs attacker code in the context of the current user, making this a classic client-side attack suitable for phishing campaigns. No public exploit identified at time of analysis, but Adobe Reader memory corruption flaws have a long history of being weaponized in targeted attacks.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. No public exploit code or active exploitation has been identified; an EPSS score of 0.05% (15th percentile) confirms negligible current threat activity, and this CVE does not appear in the CISA KEV catalog.
Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to crash the application or potentially expose heap memory by tricking a user into opening a maliciously crafted LVM2 disk image. All NanaZip installations from version 3.0.1000.0 up to (but not including) 6.0.1698.0 on Windows are vulnerable. No public exploit code or active exploitation has been identified; an EPSS score of 0.04% at the 11th percentile reflects very low real-world exploitation probability.
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may leak heap memory contents when a victim opens a crafted .avb or .img file. Affected versions span 3.0.1000.0 through any release before 6.0.1698.0, covering a wide install base of Windows users. No public exploit code exists and EPSS sits at 0.05% (15th percentile), indicating low current exploitation interest, though the deterministic crash behavior lowers the bar for denial-of-service abuse.
Out-of-bounds write in Apple's SwiftNIO ByteBuffer affects all releases from 1.0.0 through 2.99.0 and is fixed in 2.100.0. The flaw stems from UInt32 truncation in internal index/capacity converters, so when an attacker can influence an index, offset, or length passed to specific ByteBuffer write methods with a value above UInt32.max (~4 GiB), safety preconditions silently pass and subsequent writes can corrupt heap memory outside the buffer. No public exploit identified at time of analysis, and the high data-size threshold makes practical exploitation narrow but severe where applicable.
Out-of-bounds heap write in QEMU's virtio-blk device allows a high-privileged guest to crash the host QEMU process. The flaw exists because the virtio-blk device omits validation of input descriptor sizes prior to writing data, enabling a malicious guest operator to submit a crafted virtio-blk SCSI request that writes beyond the allocated host heap buffer. The primary confirmed impact is a denial of service (DoS) of the QEMU process on the host; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.
Memory disclosure and denial of service in MongoDB Server's server-side JavaScript engine allow an authenticated user with read privileges and JavaScript execution rights to read freed heap memory or crash the mongod process. The flaw is triggered during BSON-to-JavaScript array conversion when operators such as $where or $function are evaluated. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was self-reported by MongoDB.
Out of bounds read in VideoCapture in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the GPU process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox through a heap-based out-of-bounds write in the GPU process triggered by a crafted HTML page. Chromium rates the severity High and a vendor patch is available, but no public exploit has been identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack (compromised renderer required) combined with full impact across confidentiality, integrity, and availability.
Out of bounds read in Video in Google Chrome on ChromeOS prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
Sandbox escape in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a heap buffer overflow in the Codecs component triggered by a crafted HTML page. Google rates the underlying issue as High severity and a vendor patch is available, but no public exploit is identified at time of analysis and the bug is not listed in CISA KEV. Exploitation is conditional on chaining with a prior renderer compromise, which raises real-world complexity.
Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in the GPU process. Chromium rates this severity Critical, and while no public exploit has been identified at time of analysis, the bug is part of a classic two-stage exploitation chain typically used in browser zero-day exploits. A patch is available from the vendor in Chrome 149.0.7827.115 and later.
Out-of-bounds read in Vim's built-in terminal emulator (`:terminal` feature) prior to version 9.2.0565 allows a program running inside a `:terminal` window to crash Vim by outputting crafted Unicode combining characters that exhaust all six libvterm cell slots, causing the unguarded loop in `update_snapshot()` to walk past the fixed-size array and append out-of-bounds memory into the scrollback buffer. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and no public exploit code has been identified, placing this in the lower-urgency tier despite the CVSS 4.0 score of 6.9. Real-world exploitation is constrained by the requirement that a victim be actively using Vim's `:terminal` feature to render attacker-influenced program output.
Stack buffer overflow in GStreamer's H.265/HEVC codec parser (gst-plugins-bad) allows remote unauthenticated attackers to crash GStreamer-based applications by delivering a crafted H.265 video file or stream that a user opens. The root cause is an incorrect loop bound in the buffering period SEI message parser: the parser mistakenly uses cpb_cnt_minus1[i] (the current loop index variable) rather than cpb_cnt_minus1[0] from the referenced Sequence Parameter Set, causing the loop to iterate beyond the bounds of stack-allocated CPB delay arrays and corrupt stack memory. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, though the deterministic parser logic makes crash reproduction straightforward.
Out-of-bounds write in GStreamer's H.266/VVC PPS picture partition parser (`gst-plugins-bad`) allows an attacker to crash media-processing applications - and potentially achieve code execution - by delivering a crafted H.266/VVC media file. The flaw in `gst_h266_parser_parse_picture_partition()` (gsth266parser.c) permits unbounded slice index increments across three fixed-size arrays in `GstH266PPS` during multi-slice-in-tile processing. A proof-of-concept demonstrating at least a 4-byte write exists; no public exploit beyond that initial POC or CISA KEV listing has been identified at time of analysis, though the code structure permits larger writes across multiple iterations which elevates downstream risk above a pure DoS assessment.
Heap buffer overflow in 389 Directory Server (389-ds-base) SASL I/O layer allows authenticated remote attackers to crash the LDAP service or achieve remote code execution after a successful SASL bind with integrity protection (SSF > 0). The flaw stems from an integer overflow in sasl_io_start_packet() that bypasses the nsslapd-maxsasliosize ceiling, enabling roughly 2 MB of attacker-controlled heap corruption. No public exploit identified at time of analysis, and the impact is amplified in FreeIPA and Red Hat Identity Management deployments where any enrolled user, host, or service principal qualifies as an authenticated attacker.
Heap out-of-bounds read in MIT krb5's LDAP KDB plugin allows a compromised or malicious LDAP backend to crash the KDC or kadmind process, or leak heap memory. The flaw exists in berval2tl_data() within libkdb_ldap and is triggered when the LDAP server returns a krbExtraData attribute with bv_len less than 2, causing an unsigned integer underflow that drives a memcpy of up to 65,534 bytes from a near-zero-length source buffer. Exploitation requires prior control of the LDAP KDB backend server (PR:H, AC:H), constraining real-world risk to insider or supply-chain threat scenarios; no public exploit or CISA KEV listing exists at time of analysis.
Heap-based buffer over-write in ImageMagick's SF3 encoder prior to version 7.1.2-25 allows an attacker who can supply a crafted multi-frame image to corrupt heap memory, yielding high availability impact and potential integrity exposure. All ImageMagick installations before 7.1.2-25 are affected regardless of platform. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV; however, CWE-122 write primitives carry inherent escalation risk beyond the scored DoS impact depending on heap layout at time of trigger.
Out-of-bounds heap write in ImageMagick's ICON decoder allows remote attackers to crash the application by supplying a maliciously crafted ICON file processed by versions prior to 6.9.13-50 and 7.1.2-25. The flaw stems from an incorrect loop condition during ICON parsing, leading to memory corruption and denial of service. No public exploit identified at time of analysis, but ImageMagick's broad deployment as an image-processing backend in web applications makes drive-by exposure plausible.
Arbitrary code execution in GIMP via malicious HDR (High Dynamic Range) image files allows attackers to run code in the context of the user opening the file. The flaw is a heap-based buffer overflow (CWE-122) in the HDR parser, requiring the victim to open a crafted file or visit a malicious page that delivers one. No public exploit identified at time of analysis, but the vulnerability was reported through ZDI (ZDI-CAN-28618) indicating verified researcher analysis.
Heap-based buffer overflow in OpenVPN's ovpn-dco-win Windows kernel driver (versions 2.0.0-2.8.3) allows a remote authenticated VPN peer to crash the host system by sending a crafted data packet that exploits an incorrect buffer size calculation in the epoch key generator. Because the vulnerable code executes in kernel mode, the resulting memory corruption causes a full system crash (BSOD), not a user-space fault. No public exploit code has been identified and this CVE is not listed in CISA KEV at time of analysis, though the kernel-level availability impact is severe when conditions are met.
Memory corruption in PAN-OS tunnel traffic processing allows an authenticated, adjacent-network attacker to force the firewall into unplanned reboots or maintenance mode via a crafted packet, constituting a denial-of-service against the firewall itself. The CVSS 4.0 vector (AV:A/PR:L/VA:H) confirms the impact is purely availability - no confidentiality or integrity loss - and exploitation requires both authenticated access and adjacency to the tunnel interface. No public exploit code exists and no active exploitation has been reported; the vendor-assigned threat metric (E:U) reinforces that real-world risk is presently low.
Unauthenticated remote denial-of-service in Kanidm identity management server versions prior to 1.9.3 allows any network attacker to crash the entire kanidmd daemon by sending a single GET request to any /scim/v1/* endpoint with a deeply nested parenthesised ?filter= query string. The recursive-descent PEG parser exhausts the worker thread's 2 MiB stack, triggering Rust's std::process::abort(). No public exploit identified at time of analysis, but technical details and root cause are fully disclosed in the upstream advisory.
Denial of service in Erlang/OTP erts (inet_drv SCTP handler) lets unauthenticated remote attackers crash the BEAM VM by sending a single crafted SCTP ERROR chunk to a listening SCTP port. The flaw is a stack-based buffer overflow (CWE-121) in sctp_parse_error_chunk, with the publicly disclosed advisory from the Erlang Ecosystem Foundation (EEF) and an upstream commit confirming the fix; no public exploit identified at time of analysis, and the overflow only permits writing 16-bit values interleaved with a fixed tag, limiting impact to DoS plus minor memory disclosure.
Stack-based buffer overflow in Erlang OTP's erl_interface C library (`ei_s_print_term`) crashes processes when decoding Erlang terms containing very large integers, causing Denial of Service. Affected OTP releases span from 17.0 through unfixed branches of 27.x, 28.x, and 29.x, making this a wide-ranging availability risk for C-language nodes that interface with the Erlang runtime. Because overflow bytes are constrained exclusively to ASCII hex digits (0-9, A-F), arbitrary code execution is not feasible - confirmed impact is process crash only. No public exploit has been identified and this CVE is not listed in the CISA KEV catalog.
Local privilege escalation to System Management Mode (SMM) in Lenovo ThinkPad BIOS firmware allows a high-privileged local user to execute arbitrary code at one of the most privileged execution rings on x86 hardware. The flaw, an out-of-bounds write (CWE-787) discovered by Lenovo during an internal security assessment, affects a wide range of current-generation ThinkPad models including X1 Carbon 13th Gen, X13 Gen 6, T14s Gen 6, P14s/P16v Gen 3, L13/L14/L16 Gen 6, and E16 Gen 3. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap buffer overflow in Red Hat 389 Directory Server allows an authenticated Directory Manager or a compromised replication supplier to crash the server or corrupt heap memory by creating objectclass definitions with excessively long SUP (oc_superior) values. The flaw exists in schema serialization functions where the SUP field length is excluded from buffer size calculations yet still written via strcat(), producing an off-by-N heap overwrite. This is explicitly an incomplete fix variant of CVE-2025-14905, meaning organizations that patched that prior CVE may remain exposed if the SUP field code path was not remediated; no public exploit has been identified at time of analysis.
Heap memory corruption in libnfs through 6.0.2 allows a malicious NFS server to trigger an integer overflow in the client's XDR string deserializer when a victim connects to it. The flaw resides in libnfs_zdr_string in lib/libnfs-zdr.c, which failed to validate that an attacker-controlled string size fit within the remaining buffer. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application crash by supplying a crafted binary for decompilation. All Ghidra releases prior to 12.1 are affected, as is any downstream application consuming the SLEIGH library via the public Sleigh::oneInstruction C++ API. The CVSS v4.0 score of 6.9 reflects a high availability impact (VA:H) with low integrity impact (VI:L) and no confidentiality impact; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Stack-based buffer overflow in QNAP File Station 5 enables remote unauthenticated attackers to corrupt memory or destabilize processes through a network-accessible attack path requiring only passive user interaction. Affected versions are all releases prior to 5.5.6.5243; QNAP's own security team (security@qnapsecurity.com.tw) discovered and disclosed the issue via advisory QSA-26-27. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the unauthenticated network attack vector lowers the bar for opportunistic targeting of QNAP NAS deployments.
Stack-based buffer overflow in QNAP File Station 5 allows unauthenticated remote attackers to corrupt process memory or crash the file management service when a victim user passively interacts with a crafted input. Affected versions are all File Station 5 releases prior to 5.5.6.5243, running on QNAP NAS devices accessible over the network. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog; QNAP has confirmed and released a fix in version 5.5.6.5243 via advisory QSA-26-32.
Stack-based buffer overflow in QNAP File Station 5 versions 5.5.0 through 5.5.6.5208 allows authenticated remote attackers to corrupt memory and crash processes on affected NAS deployments. CVSS 4.0 score of 8.7 reflects high impact across confidentiality, integrity, and availability, though exploitation requires valid user credentials (PR:L). No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Integer overflow (CWE-190) in QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained an administrator account to further compromise system integrity and availability. Affected versions span QTS 5.2.x and QuTS hero h5.2.x through h6.0.x; QNAP released patched builds in February and May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory prerequisite of administrator-level access materially constrains real-world exploitability.
Out-of-bounds read in ESP-IDF's BlueDroid AVRCP vendor-command parser allows adjacent Bluetooth attackers with low privileges to leak device memory and degrade availability across multiple ESP-IDF stable branches. Versions 5.2.6, 5.3.5, 5.4.4, 5.5.3, and 6.0 are confirmed affected via the Espressif GitHub security advisory. The parser's failure to validate payload length before dereferencing the buffer pointer enables a malformed AVRCP vendor command to read beyond allocated memory, yielding partial confidentiality loss and potential stack instability. No public exploit code exists and this CVE is not in CISA KEV at time of analysis.
Heap buffer overflow in Espressif ESP-IDF's protocomm component allows adjacent-network attackers to corrupt heap memory during the SRP6a (Security Scheme 2) session-setup handshake on affected IoT devices running ESP-IDF 5.2.6, 5.3.5, 5.4.4, 5.5.4, or 6.0. The flaw stems from a type-width mismatch in handle_session_command0() that trusts the client-supplied protobuf username length, enabling denial of service and potential integrity impact on provisioning interfaces. No public exploit identified at time of analysis; patches are available in 5.2.7, 5.3.6, 5.4.5, 5.5.5, and 6.0.1.
Out-of-bounds read in ESP-IDF's embedded DHCP server crashes or exposes heap memory on ESP32 devices operating in SoftAP or DHCP server mode. The `parse_options()` function in the bundled lwIP DHCP server component walks BOOTP/DHCP option TLV fields without validating that each option's declared length stays within the received packet buffer, allowing an adjacent-network unauthenticated attacker to trigger a device crash by sending a single crafted DHCP request. Five active release branches are affected (5.2.x through 6.0.x); vendor-released patches are available across all branches. No public exploit code or CISA KEV listing has been identified at time of analysis.
Stack-based buffer overflows in SimpleBLE prior to version 0.14.0 allow remote attackers within Bluetooth range to crash applications by transmitting crafted BLE advertisements containing oversized manufacturer-specific data or service data, requiring no pairing or connection. A separate local overflow exists in the dongl backend's Protocol::simpleble_write function via caller-controlled input. No public exploit identified at time of analysis, but the patch diff and acknowledgement to researcher Mr-IoT confirm three tracked issues (EVE-2026-001/002/003).
Arbitrary code execution in Adobe Format Plugins 1.1.2 and earlier occurs through a heap-based buffer overflow that executes in the current user's security context when a victim opens a maliciously crafted file. The flaw was reported by Adobe PSIRT and carries a CVSS 7.8 (high) score, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, suggesting it is currently a patching priority rather than an active incident.
Arbitrary code execution in Adobe Format Plugins versions 1.1.2 and earlier occurs via a heap-based buffer overflow triggered when a victim opens a malicious file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The flaw is addressed in Adobe Security Bulletin APSB26-65.
Out-of-bounds read in Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 and earlier exposes sensitive memory contents to an attacker who can deliver a malicious PDF to a victim. The CVSS vector (AV:L/AC:L/PR:N/UI:R) confirms low complexity with no privilege prerequisite, but requires local file execution - the victim must open the crafted document. Confidentiality impact is rated High (C:H) with no integrity or availability consequence, making this a targeted information disclosure risk with no public exploit identified at time of analysis and no CISA KEV listing.
Heap-based buffer overflow in Adobe Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. No public exploit has been identified at time of analysis, but the high CVSS of 7.8 reflects severe local impact, and Acrobat Reader's massive install base makes it a perennial phishing target. Exploitation requires user interaction, which moderates urgency relative to zero-click flaws but does not eliminate risk in document-heavy enterprise environments.
Out-of-bounds read in Adobe Acrobat Reader versions 24.001.30365 and 26.001.21651 and earlier enables sensitive memory disclosure when a victim opens a specially crafted file. The vulnerability (CWE-125) exposes potentially high-value in-memory data - including heap addresses or document contents - but cannot be leveraged for code execution or system modification based on available data. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog, though the vendor-confirmed advisory (APSB26-63) establishes this as a real, patched issue.
Out-of-bounds read in Adobe Acrobat Reader exposes sensitive process memory when a victim opens a specially crafted PDF file. Affected versions include 24.001.30365, 26.001.21651, and all earlier releases across both tracks. The vulnerability carries a high confidentiality impact (C:H) with no integrity or availability consequence, making it a targeted information disclosure primitive rather than a code execution path. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) occurs via a stack-based buffer overflow triggered when a victim opens a malicious PDF. Successful exploitation runs attacker code in the context of the current user, making this a viable initial-access vector through phishing or drive-by document delivery. No public exploit identified at time of analysis, but the bug class (CWE-121) and Acrobat's broad install base historically attract weaponization quickly after disclosure.
Arbitrary code execution in Adobe Acrobat Reader (versions 24.001.30365, 26.001.21651 and earlier) is possible when a victim opens a malicious PDF file that triggers an out-of-bounds write condition. The flaw executes code in the context of the logged-in user, and while no public exploit has been identified at time of analysis, the CVSS 7.8 rating reflects high impact across confidentiality, integrity, and availability. Adobe has published advisory APSB26-63 with a fix.
Heap-based buffer overflow in SQLite's FTS5 full-text search extension (versions before 3.53.2) allows attackers to crash the process or execute arbitrary code by supplying a malicious database file that triggers an integer underflow in fts5ChunkIterate() during MATCH query processing. The flaw affects any application compiled with SQLITE_ENABLE_FTS5 that opens an attacker-supplied database and runs an FTS5 query against it; no public exploit identified at time of analysis, though VulnCheck has published an advisory.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted asset file that triggers an out-of-bounds write in the application's parsing logic. Exploitation runs in the context of the logged-in user and requires user interaction to open the file; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted file. The flaw executes code in the context of the current user and requires victim interaction, with no public exploit identified at time of analysis and no CISA KEV listing.
Arbitrary code execution in Adobe Substance3D Sampler versions 6.0.0 and earlier occurs when a victim opens a maliciously crafted file, triggering an out-of-bounds write (CWE-787) in the application's file parser. Exploitation runs in the context of the current user and no public exploit has been identified at time of analysis, though the high CVSS of 7.8 reflects the full local impact triad once a user is socially engineered into opening the file.
Arbitrary code execution in Adobe Substance3D Sampler 6.0.0 and earlier occurs when a user opens a maliciously crafted 3D asset file, triggering an out-of-bounds write that runs attacker code with the current user's privileges. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the local attack vector combined with high impact and required user interaction makes this a classic targeted-phishing/social-engineering risk against artists and 3D designers.
Memory corruption in SQLite versions before 3.53.2 enables attackers to crash processes, exhaust memory, or potentially execute arbitrary code by supplying a crafted database that triggers flaws in the FTS5 full-text search extension when a MATCH query runs. The CVSS 4.0 vector indicates local attack vector with passive user interaction required, and no public exploit identified at time of analysis. Reported by VulnCheck with patches already merged upstream.
Arbitrary code execution in Adobe InCopy versions 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document that triggers a heap-based buffer overflow (CWE-122). Successful exploitation runs attacker code in the security context of the current user, making this a credible vector for endpoint compromise via social engineering. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.
Arbitrary code execution in Adobe InCopy 21.3, 20.5.3, and earlier allows attackers to run code as the current user when a victim opens a maliciously crafted file. The flaw stems from an out-of-bounds write (CWE-787) in file parsing logic, carries a CVSS 7.8 (local, user-interaction required), and has no public exploit identified at time of analysis. Adobe published advisory APSB26-59 addressing the issue.
Stack-based buffer overflow in Adobe InCopy 21.3, 20.5.3 and earlier enables arbitrary code execution in the context of the logged-in user when a victim opens a maliciously crafted document. The flaw is locally exploitable via file-format parsing and requires user interaction, with no public exploit identified at time of analysis. CVSS 7.8 reflects high impact on confidentiality, integrity, and availability but constrained reachability through the document-open vector.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a heap-based buffer overflow triggered when a victim opens a maliciously crafted file. The flaw runs code in the security context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe has published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs when a user opens a maliciously crafted document, triggering a stack-based buffer overflow (CWE-121) that runs attacker code in the context of the current user. Adobe issued advisory APSB26-58 for this issue; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through an out-of-bounds write triggered when a user opens a maliciously crafted document, allowing attacker code to run with the privileges of the current user. The flaw carries a CVSS 7.8 (High) rating, requires victim interaction, and no public exploit has been identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs via a heap-based buffer overflow (CWE-122) triggered when a victim opens a maliciously crafted document file. The flaw runs code in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. Adobe published advisory APSB26-58 addressing the issue.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier is possible when a user opens a maliciously crafted document, triggering a heap-based buffer overflow. The flaw runs code in the context of the logged-in user and was reported by Adobe; no public exploit identified at time of analysis and EPSS data is not provided.
Out-of-bounds read in Adobe InDesign Desktop versions 21.3 and 20.5.3 (and earlier) exposes sensitive process memory when a victim opens a specially crafted document file. The vulnerability carries a high confidentiality impact (CVSS C:H) with no integrity or availability impact, making it a targeted information-disclosure primitive - useful for memory leak-assisted exploitation chains or direct leakage of in-memory content such as document data, credentials, or heap pointers. No public exploit code has been identified and this CVE does not appear in CISA KEV at time of analysis, but its social-engineering-friendly delivery mechanism (malicious file open) makes it a realistic phishing vector against creative industry targets who routinely handle external InDesign files.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a victim opens a malicious document file. Exploitation runs in the context of the current user and requires user interaction, with no public exploit identified at time of analysis. The issue was reported by Adobe and addressed in security bulletin APSB26-58.
Arbitrary code execution in Adobe InDesign Desktop 21.3, 20.5.3 and earlier allows attackers to run code as the logged-in user when a victim opens a maliciously crafted document file. The flaw is an out-of-bounds write (CWE-787) memory corruption issue requiring user interaction, and no public exploit has been identified at time of analysis.
Arbitrary code execution in Adobe InDesign Desktop versions 21.3, 20.5.3 and earlier occurs through a stack-based buffer overflow triggered when a user opens a malicious document. Successful exploitation runs attacker-controlled code in the context of the current user, but requires social engineering since the attack vector is local and user interaction is mandatory. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local code execution in Microsoft Windows Media is possible through a heap-based buffer overflow that triggers when a user opens or processes a crafted media file. The flaw (CWE-122) carries a CVSS 7.8 with local attack vector and user interaction required, and no public exploit identified at time of analysis. Successful exploitation yields high impact to confidentiality, integrity, and availability within the user's security context.
Out-of-bounds read in the Windows Desktop Window Manager (DWM) Core Library exposes sensitive memory contents to locally authenticated, low-privileged attackers on Windows 11 and Windows Server 2025. The flaw (CWE-125) allows a standard user to read beyond an allocated buffer boundary within the DWM process, resulting in information disclosure with high confidentiality impact and no integrity or availability impact. Microsoft has released patches covering all affected build ranges; no public exploit code has been identified at time of analysis.