CWE-123
AllowedWrite-what-where Condition
Abstraction: Base · Status: Draft
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
82 vulnerabilities reference this CWE, most recent first.
GHSA-JJPM-Q6JH-V8GJ
Vulnerability from github – Published: 2022-09-21 00:00 – Updated: 2025-05-28 21:30A potential attacker can write one byte by arbitrary address at the time of the PEI phase (only during S3 resume boot mode) and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: SbPei SHA256: d827182e5f9b7a9ff0b9d3e232f7cfac43b5237e2681e11f005be627a49283a9 Module GUID: c1fbd624-27ea-40d1-aa48-94c3dc5c7e0d
{
"affected": [],
"aliases": [
"CVE-2022-40246"
],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-20T18:15:00Z",
"severity": "HIGH"
},
"details": "A potential attacker can write one byte by arbitrary address at the time of the PEI phase (only during S3 resume boot mode) and influence the subsequent boot stages. This can lead to the mitigations bypassing, physical memory contents disclosure, discovery of any secrets from any Virtual Machines (VMs) and bypassing memory isolation and confidential computing boundaries. Additionally, an attacker can build a payload which can be injected into the SMRAM memory. This issue affects: Module name: SbPei SHA256: d827182e5f9b7a9ff0b9d3e232f7cfac43b5237e2681e11f005be627a49283a9 Module GUID: c1fbd624-27ea-40d1-aa48-94c3dc5c7e0d",
"id": "GHSA-jjpm-q6jh-v8gj",
"modified": "2025-05-28T21:30:26Z",
"published": "2022-09-21T00:00:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40246"
},
{
"type": "WEB",
"url": "https://www.ami.com/security-center"
},
{
"type": "WEB",
"url": "https://www.binarly.io/advisories/BRLY-2022-014"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MCMC-2M55-J8JJ
Vulnerability from github – Published: 2026-01-08 21:47 – Updated: 2026-01-08 21:47Summary
The fix here for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cause, so the DoS vulnerability remains when the feature is enabled.
Details
vLLM's pending change attempts to fix the root cause, which is the missing sparse tensor validation. PyTorch (~v2.0) disables sparse tensor validation (specifically, sparse tensor invariants checks) by default for performance reasons. vLLM is adding the sparse tensor validation to ensure indices are valid, non-negative, and within bounds. These checks help catch malformed tensors.
PoC
NA
Impact
Current fix only added a flag to disable/enable prompt embeds, so by default, prompt embeds feature is disabled in vLLM, which stops DoS attacks through the embeddings. However, It doesn’t address the problem when the flag is enabled and there is still potential for DoS attacks.
Changes
- https://github.com/vllm-project/vllm/pull/30649
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 0.11.1"
},
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.2"
},
{
"fixed": "0.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-20",
"CWE-502",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-08T21:47:43Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nThe fix [here](https://github.com/vllm-project/vllm/pull/27204) for CVE-2025-62164 is not sufficient. The fix only disables prompt embeds by default rather than addressing the root cause, so the DoS vulnerability remains when the feature is enabled.\n\n### Details\nvLLM\u0027s pending change attempts to fix the root cause, which is the missing sparse tensor validation. PyTorch (~v2.0) disables sparse tensor validation (specifically, sparse tensor invariants checks) by default for performance reasons. vLLM is adding the sparse tensor validation to ensure indices are valid, non-negative, and within bounds. These checks help catch malformed tensors.\n\n### PoC\nNA\n\n### Impact\nCurrent fix only added a flag to disable/enable prompt embeds, so by default, prompt embeds feature is disabled in vLLM, which stops DoS attacks through the embeddings. However, It doesn\u2019t address the problem when the flag is enabled and there is still potential for DoS attacks.\n\n### Changes\n\n* https://github.com/vllm-project/vllm/pull/30649",
"id": "GHSA-mcmc-2m55-j8jj",
"modified": "2026-01-08T21:47:43Z",
"published": "2026-01-08T21:47:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mcmc-2m55-j8jj"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/30649"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM introduced enhanced protection for CVE-2025-62164"
}
GHSA-MMW8-MXMC-8W2R
Vulnerability from github – Published: 2026-05-08 09:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths that may modify packet data can first make a private copy. The IPv4/IPv6 datagram append paths did not set this flag when splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW fast path for uncloned skbs without a frag_list and decrypts in place over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching TCP. Also make ESP input fall back to skb_cow_data() when the flag is present, so ESP does not decrypt externally backed frags in place. Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(), the path that appends the ESP trailer to existing skb tailroom without calling skb_cow_data() is not reachable for nonlinear skbs: skb_tailroom() returns zero when skb->data_len is nonzero, while ESP tailen is positive. Thus ESP output will either use the separate destination-frag path or fall back to skb_cow_data().
{
"affected": [],
"aliases": [
"CVE-2026-43284"
],
"database_specific": {
"cwe_ids": [
"CWE-123"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T08:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb-\u003edata_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data().",
"id": "GHSA-mmw8-mxmc-8w2r",
"modified": "2026-07-14T15:31:58Z",
"published": "2026-05-08T09:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43284"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16061"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19573"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19574"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19575"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19577"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21695"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23233"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43284"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467771"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50ed1e7873100f77abad20fd31c51029bc49cd03"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52646cbd00e765a6db9c3afe9535f26218276034"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d55c7336f8032d434adcc5fab987ccc93a44aec"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71a1d9d985d26716f74d21f18ee8cac821b06e97"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8253aab4659ca16116b522203c2a6b18dccacea7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a6cb440f274a22456ef3e86b457344f1678f38f9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ab8b995323e5237041472d07e5055f5f7dcdf15b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b54edf1e9a3fd3491bdcb82a21f8d21315271e0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fe785bb3a8096dffcc4048a85cd0c83337eeecad"
},
{
"type": "WEB",
"url": "https://github.com/V4bel/dirtyfrag"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43284.json"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-detection-script-dirty-frag-linux-kernel-local-privilege-escalation"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/cve-2026-43284-mitigation-script-dirty-frag-linux-kernel-local-privilege-escalation"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16100"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16155"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16157"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16160"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16161"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16171"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16176"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16180"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16195"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16196"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16202"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16203"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16204"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16206"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16254"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16312"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16314"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16328"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17795"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:18025"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19074"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19225"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19564"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19568"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19569"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19572"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/08/7"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/13/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/14/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MRW7-HF4F-83PF
Vulnerability from github – Published: 2025-11-20 20:59 – Updated: 2026-01-08 21:20Summary
A memory corruption vulnerability that leading to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation.
Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM.
Details
A vulnerability that can lead to RCE from the completions API endpoint exists in vllm, where due to missing checks when loading user-provided tensors, an out-of-bounds write can be triggered. This happens because the default behavior of torch.load(tensor, weights_only=True) since pytorch 2.8.0 is to not perform validity checks for sparse tensors, and this needs to be enabled explicitly using the torch.sparse.check_sparse_tensor_invariants context manager.
The vulnerability is in the following code in vllm/entrypoints/renderer.py:148
def _load_and_validate_embed(embed: bytes) -> EngineEmbedsPrompt:
tensor = torch.load(
io.BytesIO(pybase64.b64decode(embed, validate=True)),
weights_only=True,
map_location=torch.device("cpu"),
)
assert isinstance(tensor, torch.Tensor) and tensor.dtype in (
torch.float32,
torch.bfloat16,
torch.float16,
)
tensor = tensor.to_dense()
Because of the missing checks, loading invalid prompt embedding tensors provided by the user can cause an out-of-bounds write in the call to to_dense .
Impact
All users with access to this API are able to exploit this vulnerability. Unsafe deserialization of untrusted input can be abused to achieve DoS and potentially remote code execution (RCE) in the vLLM server process. This impacts deployments running vLLM as a server or any instance that deserializes untrusted/model-provided payloads.
Fix
https://github.com/vllm-project/vllm/pull/27204
Acknowledgements
Finder: AXION Security Research Team (Omri Fainaro, Bary Levy): discovery and coordinated disclosure.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vllm"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.2"
},
{
"fixed": "0.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62164"
],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-20",
"CWE-502",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-20T20:59:34Z",
"nvd_published_at": "2025-11-21T02:15:43Z",
"severity": "HIGH"
},
"details": "### Summary\nA memory corruption vulnerability that leading to a crash (denial-of-service) and potentially remote code execution (RCE) exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation.\n\nDue to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM.\n\n### Details\nA vulnerability that can lead to RCE from the completions API endpoint exists in vllm, where due to missing checks when loading user-provided tensors, an out-of-bounds write can be triggered. This happens because the default behavior of `torch.load(tensor, weights_only=True)` since pytorch 2.8.0 is to not perform validity checks for sparse tensors, and this needs to be enabled explicitly using the [torch.sparse.check_sparse_tensor_invariants](https://docs.pytorch.org/docs/stable/generated/torch.sparse.check_sparse_tensor_invariants.html) context manager.\n\nThe vulnerability is in the following code in [vllm/entrypoints/renderer.py:148](https://github.com/vllm-project/vllm/blob/a332b84578cdc0706e040f6a765954c8a289904f/vllm/entrypoints/renderer.py#L148)\n\n```python\n def _load_and_validate_embed(embed: bytes) -\u003e EngineEmbedsPrompt:\n tensor = torch.load(\n io.BytesIO(pybase64.b64decode(embed, validate=True)),\n weights_only=True,\n map_location=torch.device(\"cpu\"),\n )\n assert isinstance(tensor, torch.Tensor) and tensor.dtype in (\n torch.float32,\n torch.bfloat16,\n torch.float16,\n )\n tensor = tensor.to_dense()\n```\n\nBecause of the missing checks, loading invalid prompt embedding tensors provided by the user can cause an out-of-bounds write in the call to `to_dense` .\n\n### Impact\nAll users with access to this API are able to exploit this vulnerability. Unsafe deserialization of untrusted input can be abused to achieve DoS and potentially remote code execution (RCE) in the vLLM server process. This impacts deployments running vLLM as a server or any instance that deserializes untrusted/model-provided payloads.\n\n## Fix\n\nhttps://github.com/vllm-project/vllm/pull/27204\n\n## Acknowledgements\n\nFinder: AXION Security Research Team (Omri Fainaro, Bary Levy): discovery and coordinated disclosure.",
"id": "GHSA-mrw7-hf4f-83pf",
"modified": "2026-01-08T21:20:58Z",
"published": "2025-11-20T20:59:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-mrw7-hf4f-83pf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62164"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/pull/27204"
},
{
"type": "WEB",
"url": "https://github.com/vllm-project/vllm/commit/58fab50d82838d5014f4a14d991fdb9352c9c84b"
},
{
"type": "PACKAGE",
"url": "https://github.com/vllm-project/vllm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vLLM deserialization vulnerability leading to DoS and potential RCE"
}
GHSA-PFV7-GRCX-8GCC
Vulnerability from github – Published: 2022-05-17 00:28 – Updated: 2025-04-20 03:36The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2015-8271"
],
"database_specific": {
"cwe_ids": [
"CWE-123"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-13T14:59:00Z",
"severity": "CRITICAL"
},
"details": "The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to execute arbitrary code.",
"id": "GHSA-pfv7-grcx-8gcc",
"modified": "2025-04-20T03:36:02Z",
"published": "2022-05-17T00:28:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8271"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3850"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/95125"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2016-0067"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PVFH-QXVG-VG95
Vulnerability from github – Published: 2026-03-16 21:34 – Updated: 2026-03-16 21:34A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet.
{
"affected": [],
"aliases": [
"CVE-2025-69809"
],
"database_specific": {
"cwe_ids": [
"CWE-123"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T19:16:14Z",
"severity": "CRITICAL"
},
"details": "A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet.",
"id": "GHSA-pvfh-qxvg-vg95",
"modified": "2026-03-16T21:34:32Z",
"published": "2026-03-16T21:34:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69809"
},
{
"type": "WEB",
"url": "https://github.com/p2r3/bareiron"
},
{
"type": "WEB",
"url": "https://github.com/vmpr0be/bareiron-vr/blob/main/CVE-2025-69809.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXCM-W3R6-W362
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-14 21:30Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2022-37904"
],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-94"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "Vulnerabilities in ArubaOS running on 7xxx series controllers exist that allows an attacker to execute arbitrary code during the boot sequence. Successful exploitation could allow an attacker to achieve permanent modification of the underlying operating system.",
"id": "GHSA-pxcm-w3r6-w362",
"modified": "2022-12-14T21:30:17Z",
"published": "2022-12-12T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37904"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q39Q-7726-RG48
Vulnerability from github – Published: 2022-12-23 00:30 – Updated: 2022-12-30 03:30A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-38143"
],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-22T22:15:00Z",
"severity": "CRITICAL"
},
"details": "A heap out-of-bounds write vulnerability exists in the way OpenImageIO v2.3.19.0 processes RLE encoded BMP images. A specially-crafted bmp file can write to arbitrary out of bounds memory, which can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-q39q-7726-rg48",
"modified": "2022-12-30T03:30:19Z",
"published": "2022-12-23T00:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38143"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3LET4MEPBSBJZK4EMLEBY4FUXKU5BMN"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-33"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC8J-WVJF-7JFJ
Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2026-04-21 00:32A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
{
"affected": [],
"aliases": [
"CVE-2025-9900"
],
"database_specific": {
"cwe_ids": [
"CWE-123"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-23T17:15:38Z",
"severity": "HIGH"
},
"details": "A flaw was found in Libtiff. This vulnerability is a \"write-what-where\" condition, triggered when the library processes a specially crafted TIFF image file.\n\nBy providing an abnormally large image height value in the file\u0027s metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.",
"id": "GHSA-qc8j-wvjf-7jfj",
"modified": "2026-04-21T00:32:14Z",
"published": "2025-09-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9900"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21994"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23078"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23079"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23080"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0001"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0076"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0077"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:0078"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:3462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:7504"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-9900"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392784"
},
{
"type": "WEB",
"url": "https://github.com/SexyShoelessGodofWar/LibTiff-4.7.0-Write-What-Where?tab=readme-ov-file"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/704"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/732"
},
{
"type": "WEB",
"url": "https://libtiff.gitlab.io/libtiff/releases/v4.7.1.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00031.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17675"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17710"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17738"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17739"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:17740"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19113"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19156"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19276"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19906"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:19947"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:20956"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:20998"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21060"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21061"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21407"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21506"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21507"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21508"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/09/26/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W9P5-XQXF-XVX7
Vulnerability from github – Published: 2024-11-04 03:30 – Updated: 2024-11-04 12:32In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062392; Issue ID: MSV-1621.
{
"affected": [],
"aliases": [
"CVE-2024-20118"
],
"database_specific": {
"cwe_ids": [
"CWE-123",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T02:15:17Z",
"severity": "MODERATE"
},
"details": "In mms, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09062392; Issue ID: MSV-1621.",
"id": "GHSA-w9p5-xqxf-xvx7",
"modified": "2024-11-04T12:32:56Z",
"published": "2024-11-04T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20118"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/November-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
Mitigation
Use OS-level preventative functionality integrated after the fact. Not a complete solution.
No CAPEC attack patterns related to this CWE.