CWE-122
AllowedHeap-based Buffer Overflow
Abstraction: Variant · Status: Draft
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
4115 vulnerabilities reference this CWE, most recent first.
CVE-2026-11610 (GCVE-0-2026-11610)
Vulnerability from cvelistv5 – Published: 2026-07-07 09:17 – Updated: 2026-07-08 21:02- CWE-122 - Heap-based Buffer Overflow
| Vendor | Product | Version | |
|---|---|---|---|
| 389ds | 389-ds-base |
Affected:
1.3.2 , ≤ 3.3.0
(semver)
|
|
| Red Hat | Red Hat Directory Server 11.5 E4S for RHEL 8 |
Unaffected:
8060020260702180044.0ca98e7e , < *
(rpm)
cpe:/a:redhat:directory_server_e4s:11.5::el8 |
|
| Red Hat | Red Hat Directory Server 11.7 E4S for RHEL 8 |
Unaffected:
8080020260702180836.f969626e , < *
(rpm)
cpe:/a:redhat:directory_server_e4s:11.7::el8 |
|
| Red Hat | Red Hat Directory Server 11.9 for RHEL 8 |
Unaffected:
8100020260702145313.37ed7c03 , < *
(rpm)
cpe:/a:redhat:directory_server:11.9::el8 |
|
| Red Hat | Red Hat Directory Server 12.2 E4S for RHEL 9 |
Unaffected:
9020020260703060155.1674d574 , < *
(rpm)
cpe:/a:redhat:directory_server_e4s:12.2::el9 |
|
| Red Hat | Red Hat Directory Server 12.4 E4S for RHEL 9 |
Unaffected:
9040020260703055735.1674d574 , < *
(rpm)
cpe:/a:redhat:directory_server_e4s:12.4::el9 |
|
| Red Hat | Red Hat Enterprise Linux 10 |
Unaffected:
0:3.2.0-8.el10_2 , < *
(rpm)
cpe:/o:redhat:enterprise_linux:10.2 |
|
| Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support |
Unaffected:
0:3.0.6-19.el10_0 , < *
(rpm)
cpe:/o:redhat:enterprise_linux_eus:10.0 |
|
| Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support |
Unaffected:
0:1.3.11.1-13.el7_9 , < *
(rpm)
cpe:/o:redhat:rhel_els:7 |
|
| Red Hat | Red Hat Enterprise Linux 8 |
Unaffected:
8100020260626120929.25e700aa , < *
(rpm)
cpe:/a:redhat:enterprise_linux:8::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support |
Unaffected:
8040020260629123121.96015a92 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On |
Unaffected:
8040020260629123121.96015a92 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_eus_long_life:8.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support |
Unaffected:
8060020260626130540.824efc52 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_eus_long_life:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On |
Unaffected:
8060020260626130540.824efc52 , < *
(rpm)
cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_eus_long_life:8.6::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.8 Telecommunications Update Service |
Unaffected:
8080020260630025241.6dbb3803 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_tus:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions |
Unaffected:
8080020260630025241.6dbb3803 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_tus:8.8::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9 |
Unaffected:
0:2.8.0-8.el9_8 , < *
(rpm)
cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::crb |
|
| Red Hat | Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions |
Unaffected:
0:2.2.4-19.el9_2 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.2::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions |
Unaffected:
0:2.4.5-26.el9_4 , < *
(rpm)
cpe:/a:redhat:rhel_e4s:9.4::appstream |
|
| Red Hat | Red Hat Enterprise Linux 9.6 Extended Update Support |
Unaffected:
0:2.6.1-22.el9_6 , < *
(rpm)
cpe:/a:redhat:rhel_eus:9.6::appstream cpe:/a:redhat:rhel_eus:9.6::crb |
|
| Red Hat | Red Hat Directory Server 13.2 |
Unaffected:
1783452100 , < *
(rpm)
cpe:/a:redhat:directory_server:13.2::el10 |
|
| Red Hat | Red Hat Directory Server 12 |
cpe:/a:redhat:directory_server:12 |
|
| Red Hat | Red Hat Directory Server 13 |
cpe:/a:redhat:directory_server:13 |
|
| Red Hat | Red Hat Enterprise Linux 6 |
cpe:/o:redhat:enterprise_linux:6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-08T21:02:20.457715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T21:02:28.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/389ds/389-ds-base",
"defaultStatus": "unaffected",
"packageName": "389-ds-base",
"product": "389-ds-base",
"vendor": "389ds",
"versions": [
{
"lessThanOrEqual": "3.3.0",
"status": "affected",
"version": "1.3.2",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server_e4s:11.5::el8"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:11",
"product": "Red Hat Directory Server 11.5 E4S for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8060020260702180044.0ca98e7e",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server_e4s:11.7::el8"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:11",
"product": "Red Hat Directory Server 11.7 E4S for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8080020260702180836.f969626e",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:11.9::el8"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:11",
"product": "Red Hat Directory Server 11.9 for RHEL 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020260702145313.37ed7c03",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server_e4s:12.2::el9"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:12",
"product": "Red Hat Directory Server 12.2 E4S for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "9020020260703060155.1674d574",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server_e4s:12.4::el9"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:12",
"product": "Red Hat Directory Server 12.4 E4S for RHEL 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "9040020260703055735.1674d574",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:10.2"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 10",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.2.0-8.el10_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux_eus:10.0"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:3.0.6-19.el10_0",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:rhel_els:7"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:1.3.11.1-13.el7_9",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8100020260626120929.25e700aa",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8040020260629123121.96015a92",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.4::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8040020260629123121.96015a92",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8060020260626130540.824efc52",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_aus:8.6::appstream",
"cpe:/a:redhat:rhel_eus_long_life:8.6::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8060020260626130540.824efc52",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream",
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8080020260630025241.6dbb3803",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:8.8::appstream",
"cpe:/a:redhat:rhel_tus:8.8::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds:1.4",
"product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "8080020260630025241.6dbb3803",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::appstream",
"cpe:/a:redhat:enterprise_linux:9::crb"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 9",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.8.0-8.el9_8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.2::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.2.4-19.el9_2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_e4s:9.4::appstream"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.4.5-26.el9_4",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:rhel_eus:9.6::appstream",
"cpe:/a:redhat:rhel_eus:9.6::crb"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "0:2.6.1-22.el9_6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:directory_server:13.2::el10"
],
"defaultStatus": "affected",
"packageName": "dirsrv/dirsrv-container-rhel10",
"product": "Red Hat Directory Server 13.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "1783452100",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:12"
],
"defaultStatus": "affected",
"packageName": "redhat-ds:12/389-ds-base",
"product": "Red Hat Directory Server 12",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:directory_server:13"
],
"defaultStatus": "unaffected",
"packageName": "389-ds-base",
"product": "Red Hat Directory Server 13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
],
"defaultStatus": "affected",
"packageName": "389-ds-base",
"product": "Red Hat Enterprise Linux 6",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by Ian Murphy (Red Hat)."
}
],
"datePublic": "2026-07-07T09:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server\n(389-ds-base). After a successful SASL bind with integrity protection (SSF \u003e 0),\nan authenticated attacker can send a specially crafted oversized LDAP UNBIND packet\nthat is copied into a 512-byte heap receive buffer without a bounds check in\nsasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of\nattacker-controlled data to overflow the buffer, causing a denial of service (server\ncrash). In FreeIPA and Red Hat Identity Management deployments, any domain user with\na valid Kerberos ticket, any enrolled host, or any service account can trigger this\nvulnerability over the network after authenticating via GSSAPI.\nThe vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and\nwas not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow\nin schema.c only."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-08T13:01:19.304Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:36195",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36195"
},
{
"name": "RHSA-2026:36196",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36196"
},
{
"name": "RHSA-2026:36197",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36197"
},
{
"name": "RHSA-2026:36198",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36198"
},
{
"name": "RHSA-2026:36200",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36200"
},
{
"name": "RHSA-2026:36201",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36201"
},
{
"name": "RHSA-2026:36202",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36202"
},
{
"name": "RHSA-2026:36204",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36204"
},
{
"name": "RHSA-2026:36205",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36205"
},
{
"name": "RHSA-2026:36206",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36206"
},
{
"name": "RHSA-2026:36208",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36208"
},
{
"name": "RHSA-2026:36209",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36209"
},
{
"name": "RHSA-2026:36585",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36585"
},
{
"name": "RHSA-2026:36641",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36641"
},
{
"name": "RHSA-2026:36660",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36660"
},
{
"name": "RHSA-2026:36670",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36670"
},
{
"name": "RHSA-2026:36671",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:36671"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-11610"
},
{
"name": "RHBZ#2484414",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484414"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-22T00:00:00.000Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-07-07T09:00:00.000Z",
"value": "Made public."
}
],
"title": "389-ds-base: 389-ds-base: heap buffer overflow in sasl_io_recv() via padded sasl unbind",
"workarounds": [
{
"lang": "en",
"value": "There is no complete workaround for this flaw.\nMitigations that reduce exposure:\n1. Restrict network access to LDAP ports (389/636) to trusted networks only.\n Note: In FreeIPA/IdM deployments, enrolled clients require LDAP access and\n this may not be practical.\n2. If DIGEST-MD5 is not required, disable it via nsslapd-allowed-sasl-mechanisms\n in cn=config. GSSAPI/Kerberos cannot be disabled in FreeIPA/IdM without breaking\n domain authentication.\n3. Monitor for oversized LDAP UNBIND packets (standard UNBIND is 7 bytes; alert on\n UNBIND packets exceeding ~100 bytes).\n4. Lowering nsslapd-maxbersize reduces maximum overflow size but does not eliminate\n the vulnerability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-11610",
"datePublished": "2026-07-07T09:17:36.519Z",
"dateReserved": "2026-06-08T16:13:02.502Z",
"dateUpdated": "2026-07-08T21:02:28.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11604 (GCVE-0-2026-11604)
Vulnerability from cvelistv5 – Published: 2026-06-10 21:04 – Updated: 2026-06-11 13:27| URL | Tags |
|---|---|
| https://github.com/OpenVPN/ovpn-dco-win/releases | product |
| https://community.openvpn.net/Security%20Announce… | vendor-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| OpenVPN | ovpn-dco-win |
Affected:
2.0.0 , ≤ 2.5.8
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T13:26:56.757395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T13:27:17.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "ovpn-dco-win",
"vendor": "OpenVPN",
"versions": [
{
"lessThanOrEqual": "2.5.8",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incorrect buffer size calculation in the epoch key generator in OpenVPN ovpn-dco-win version 2.0.0 through 2.8.3 allows a remote authenticated peer to trigger a heap-based buffer overflow and kernel memory corruption via a crafted data packet, resulting in a system crash (denial of service)."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-131",
"description": "CWE-131 Incorrect calculation of buffer size",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787 Out-of-bounds write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T21:04:37.141Z",
"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"shortName": "OpenVPN"
},
"references": [
{
"tags": [
"product"
],
"url": "https://github.com/OpenVPN/ovpn-dco-win/releases"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://community.openvpn.net/Security%20Announcements/CVE-2026-11604"
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"assignerShortName": "OpenVPN",
"cveId": "CVE-2026-11604",
"datePublished": "2026-06-10T21:04:37.141Z",
"dateReserved": "2026-06-08T15:19:28.369Z",
"dateUpdated": "2026-06-11T13:27:17.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10231 (GCVE-0-2026-10231)
Vulnerability from cvelistv5 – Published: 2026-06-01 06:15 – Updated: 2026-06-01 11:18| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367510 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367510/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10231 | third-party-advisory |
| https://vuldb.com/submit/821191 | third-party-advisory |
| https://github.com/assimp/assimp/issues/6616 | issue-tracking |
| https://github.com/user-attachments/files/2719574… | exploit |
| https://github.com/assimp/assimp/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10231",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T11:08:41.898470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T11:18:51.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"
],
"modules": [
"Half-Life 1 MDL Loader"
],
"product": "Assimp",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.0.3"
},
{
"status": "affected",
"version": "6.0.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "TYGLS (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Assimp up to 6.0.4. Affected is the function HL1MDLLoader::extract_anim_value of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Performing a manipulation of the argument num.total results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T06:15:09.689Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367510 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp extract_anim_value heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367510"
},
{
"name": "VDB-367510 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367510/cti"
},
{
"name": "CVE-2026-10231 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10231"
},
{
"name": "Submit #821191 | Assimp commit 17c12da Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821191"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/issues/6616"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/27195744/poc.zip"
},
{
"tags": [
"product"
],
"url": "https://github.com/assimp/assimp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T10:16:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp extract_anim_value heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10231",
"datePublished": "2026-06-01T06:15:09.689Z",
"dateReserved": "2026-05-31T08:10:59.414Z",
"dateUpdated": "2026-06-01T11:18:51.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10230 (GCVE-0-2026-10230)
Vulnerability from cvelistv5 – Published: 2026-06-01 06:00 – Updated: 2026-06-01 15:23| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367509 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367509/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10230 | third-party-advisory |
| https://vuldb.com/submit/821190 | third-party-advisory |
| https://github.com/assimp/assimp/issues/6615 | exploitissue-tracking |
| https://github.com/assimp/assimp/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10230",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T15:14:53.145970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T15:23:32.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"
],
"modules": [
"Half-Life 1 MDL Loader"
],
"product": "Assimp",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.0.3"
},
{
"status": "affected",
"version": "6.0.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "TYGLS (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Assimp up to 6.0.4. This impacts the function Assimp::MDL::HalfLife::HL1MDLLoader::read_animations of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T06:00:12.237Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367509 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_animations heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367509"
},
{
"name": "VDB-367509 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367509/cti"
},
{
"name": "CVE-2026-10230 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10230"
},
{
"name": "Submit #821190 | Assimp commit 17c12da Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821190"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/issues/6615"
},
{
"tags": [
"product"
],
"url": "https://github.com/assimp/assimp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T10:16:12.000Z",
"value": "VulDB entry last update"
}
],
"title": "Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_animations heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10230",
"datePublished": "2026-06-01T06:00:12.237Z",
"dateReserved": "2026-05-31T08:10:56.826Z",
"dateUpdated": "2026-06-01T15:23:32.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10229 (GCVE-0-2026-10229)
Vulnerability from cvelistv5 – Published: 2026-06-01 05:45 – Updated: 2026-06-01 14:54| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367508 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367508/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10229 | third-party-advisory |
| https://vuldb.com/submit/821189 | third-party-advisory |
| https://github.com/assimp/assimp/issues/6614 | issue-tracking |
| https://github.com/user-attachments/files/2719436… | exploit |
| https://github.com/assimp/assimp/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10229",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T14:54:28.357469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:54:34.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"
],
"modules": [
"Half-Life 1 MDL Loader"
],
"product": "Assimp",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.0.3"
},
{
"status": "affected",
"version": "6.0.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "TYGLS (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Assimp up to 6.0.4. This affects the function HL1MDLLoader::read_meshes of the file HL1MDLLoader.cpp of the component Half-Life 1 MDL Loader. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T05:45:07.021Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367508 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_meshes heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367508"
},
{
"name": "VDB-367508 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367508/cti"
},
{
"name": "CVE-2026-10229 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10229"
},
{
"name": "Submit #821189 | Assimp commit 17c12da Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821189"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/issues/6614"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/27194364/poc.zip"
},
{
"tags": [
"product"
],
"url": "https://github.com/assimp/assimp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T10:16:10.000Z",
"value": "VulDB entry last update"
}
],
"title": "Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_meshes heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10229",
"datePublished": "2026-06-01T05:45:07.021Z",
"dateReserved": "2026-05-31T08:10:54.492Z",
"dateUpdated": "2026-06-01T14:54:34.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10200 (GCVE-0-2026-10200)
Vulnerability from cvelistv5 – Published: 2026-05-31 22:45 – Updated: 2026-06-01 12:26| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367480 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367480/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10200 | third-party-advisory |
| https://vuldb.com/submit/821180 | third-party-advisory |
| https://github.com/assimp/assimp/issues/6612 | issue-tracking |
| https://github.com/user-attachments/files/2719425… | exploit |
| https://github.com/assimp/assimp/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10200",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T12:12:29.818950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T12:26:17.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:assimp:assimp:*:*:*:*:*:*:*:*"
],
"modules": [
"4x4 Matrix Parser"
],
"product": "Assimp",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.0.0"
},
{
"status": "affected",
"version": "6.0.1"
},
{
"status": "affected",
"version": "6.0.2"
},
{
"status": "affected",
"version": "6.0.3"
},
{
"status": "affected",
"version": "6.0.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "TYGLS (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Assimp up to 6.0.4. This affects the function glTFCommon::CopyValue in the library glTFCommon.h of the component 4x4 Matrix Parser. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The project tagged the reported issue as bug."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-31T22:45:10.237Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367480 | Assimp 4x4 Matrix glTFCommon.h CopyValue heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367480"
},
{
"name": "VDB-367480 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367480/cti"
},
{
"name": "CVE-2026-10200 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10200"
},
{
"name": "Submit #821180 | Assimp commit 17c12da Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821180"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/assimp/assimp/issues/6612"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/user-attachments/files/27194256/poc.zip"
},
{
"tags": [
"product"
],
"url": "https://github.com/assimp/assimp/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-31T08:18:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "Assimp 4x4 Matrix glTFCommon.h CopyValue heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10200",
"datePublished": "2026-05-31T22:45:10.237Z",
"dateReserved": "2026-05-31T06:13:42.824Z",
"dateUpdated": "2026-06-01T12:26:17.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10194 (GCVE-0-2026-10194)
Vulnerability from cvelistv5 – Published: 2026-05-31 16:30 – Updated: 2026-06-03 18:02| URL | Tags |
|---|---|
| https://vuldb.com/vuln/367475 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/367475/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-10194 | third-party-advisory |
| https://vuldb.com/submit/821029 | third-party-advisory |
| https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=0f7… | broken-linkpatch |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10194",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-03T18:01:56.974568Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:02:32.989Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*"
],
"modules": [
"dcmqrscp"
],
"product": "DCMTK",
"vendor": "OFFIS",
"versions": [
{
"status": "affected",
"version": "3.7.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "elp3pinill0"
},
{
"lang": "en",
"type": "reporter",
"value": "dapickle (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in OFFIS DCMTK 3.7.0. This affects the function DcmQueryRetrieveIndexDatabaseHandle::deleteOldestImages of the file dcmqrdb/libsrc/dcmqrdbi.cc of the component dcmqrscp. Executing a manipulation can lead to heap-based buffer overflow. The attack may be launched remotely. This patch is called 0f78a4ef6f645ea5530166e445e5436a5de58e75. A patch should be applied to remediate this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-31T16:30:08.129Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-367475 | OFFIS DCMTK dcmqrscp dcmqrdbi.cc deleteOldestImages heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/367475"
},
{
"name": "VDB-367475 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/367475/cti"
},
{
"name": "CVE-2026-10194 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-10194"
},
{
"name": "Submit #821029 | DCMTK v3.7.0+ DEV Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/821029"
},
{
"tags": [
"broken-link",
"patch"
],
"url": "https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=0f78a4ef6f645ea5530166e445e5436a5de58e75"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-30T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-30T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-30T20:11:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "OFFIS DCMTK dcmqrscp dcmqrdbi.cc deleteOldestImages heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-10194",
"datePublished": "2026-05-31T16:30:08.129Z",
"dateReserved": "2026-05-30T18:06:04.049Z",
"dateUpdated": "2026-06-03T18:02:32.989Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9605 (GCVE-0-2026-9605)
Vulnerability from cvelistv5 – Published: 2026-05-26 23:15 – Updated: 2026-05-28 13:52 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365678 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365678/cti | signaturepermissions-required |
| https://vuldb.com/submit/818197 | third-party-advisory |
| https://github.com/LibreDWG/libredwg/issues/1248 | issue-tracking |
| https://github.com/HackC0der/CVE-Repos/blob/main/… | exploit |
| https://github.com/LibreDWG/libredwg/commit/8f038… | patch |
| https://www.gnu.org/ | broken-linkproduct |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9605",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T13:51:50.086261Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T13:52:18.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/818197"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/LibreDWG/libredwg/issues/1248"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gnu:libredwg:*:*:*:*:*:*:*:*"
],
"modules": [
"Dwgbmp Utility"
],
"product": "libredwg",
"vendor": "GNU",
"versions": [
{
"status": "affected",
"version": "0.13.4.8160"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "r1ck9 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T23:15:20.385Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365678 | GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365678"
},
{
"name": "VDB-365678 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365678/cti"
},
{
"name": "Submit #818197 | LibreDWG libredwg (including the dwgbmp utility) 0.13.4.8160 Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/818197"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/LibreDWG/libredwg/issues/1248"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg"
},
{
"tags": [
"patch"
],
"url": "https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be54d300"
},
{
"tags": [
"broken-link",
"product"
],
"url": "https://www.gnu.org/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T18:20:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9605",
"datePublished": "2026-05-26T23:15:20.385Z",
"dateReserved": "2026-05-26T16:14:39.515Z",
"dateUpdated": "2026-05-28T13:52:18.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9541 (GCVE-0-2026-9541)
Vulnerability from cvelistv5 – Published: 2026-05-26 11:45 – Updated: 2026-05-26 15:18| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365602 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365602/cti | signaturepermissions-required |
| https://vuldb.com/submit/814826 | third-party-advisory |
| https://github.com/albertodemichelis/squirrel/iss… | issue-tracking |
| https://github.com/biniamf/pocs/tree/main/squirre… | exploit |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9541",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T15:17:48.786589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T15:18:15.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/albertodemichelis/squirrel/issues/327"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:squirrel:squirrel:*:*:*:*:*:*:*:*"
],
"modules": [
"Cnut File Handler"
],
"product": "Squirrel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "3.0"
},
{
"status": "affected",
"version": "3.1"
},
{
"status": "affected",
"version": "3.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "biniam (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in Squirrel up to 3.2. Impacted is the function ReadObject of the file squirrel/sqobject.cpp of the component Cnut File Handler. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T11:45:10.180Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365602 | Squirrel Cnut File sqobject.cpp ReadObject heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365602"
},
{
"name": "VDB-365602 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365602/cti"
},
{
"name": "Submit #814826 | albertodemichelis squirrel 3.2 Heap-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/814826"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/albertodemichelis/squirrel/issues/327"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/biniamf/pocs/tree/main/squirrel-sqobject-readobject-neg-len-oob"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-26T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-26T07:56:41.000Z",
"value": "VulDB entry last update"
}
],
"title": "Squirrel Cnut File sqobject.cpp ReadObject heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9541",
"datePublished": "2026-05-26T11:45:10.180Z",
"dateReserved": "2026-05-26T05:51:28.774Z",
"dateUpdated": "2026-05-26T15:18:15.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9502 (GCVE-0-2026-9502)
Vulnerability from cvelistv5 – Published: 2026-05-25 20:45 – Updated: 2026-05-26 12:37 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/365484 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/365484/cti | signaturepermissions-required |
| https://vuldb.com/submit/814259 | third-party-advisory |
| https://github.com/LibreDWG/libredwg/issues/1243 | issue-tracking |
| https://github.com/HackC0der/CVE-Repos/blob/main/… | exploit |
| https://github.com/LibreDWG/libredwg/commit/e501c… | patch |
| https://www.gnu.org/ | product |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-26T12:36:51.204975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T12:37:08.356Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gnu:libredwg:*:*:*:*:*:*:*:*"
],
"modules": [
"Dwgread Utility"
],
"product": "LibreDWG",
"vendor": "GNU",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4"
},
{
"status": "affected",
"version": "0.5"
},
{
"status": "affected",
"version": "0.6"
},
{
"status": "affected",
"version": "0.7"
},
{
"status": "affected",
"version": "0.8"
},
{
"status": "affected",
"version": "0.9"
},
{
"status": "affected",
"version": "0.10"
},
{
"status": "affected",
"version": "0.11"
},
{
"status": "affected",
"version": "0.12"
},
{
"status": "affected",
"version": "0.13"
},
{
"status": "affected",
"version": "0.14"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "pwn3rd (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T20:45:10.399Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-365484 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/365484"
},
{
"name": "VDB-365484 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/365484/cti"
},
{
"name": "Submit #814259 | LibreDWG Project LibreDWG \u003c= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/814259"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/LibreDWG/libredwg/issues/1243"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_overflow_decompress_R2004_section.dwg"
},
{
"tags": [
"patch"
],
"url": "https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be801c9"
},
{
"tags": [
"product"
],
"url": "https://www.gnu.org/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-05-25T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-25T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-25T12:09:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-9502",
"datePublished": "2026-05-25T20:45:10.399Z",
"dateReserved": "2026-05-25T10:03:54.408Z",
"dateUpdated": "2026-05-26T12:37:08.356Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Pre-design: Use a language or compiler that performs automatic bounds checking.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implement and perform bounds checking on input.
Mitigation
Strategy: Libraries or Frameworks
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Mitigation
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.