Common Weakness Enumeration

CWE-248

Allowed

Uncaught Exception

Abstraction: Base · Status: Draft

An exception is thrown from a function, but it is not caught.

420 vulnerabilities reference this CWE, most recent first.

GHSA-4RXP-72G2-FXHM

Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-07 18:31
VLAI
Details

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24175"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T18:16:40Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.",
  "id": "GHSA-4rxp-72g2-fxhm",
  "modified": "2026-04-07T18:31:38Z",
  "published": "2026-04-07T18:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24175"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5816"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-24175"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4V88-6PP2-RX52

Vulnerability from github – Published: 2023-09-20 03:30 – Updated: 2024-04-04 07:44
VLAI
Details

NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-25526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-20T01:15:52Z",
    "severity": "MODERATE"
  },
  "details": "NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.",
  "id": "GHSA-4v88-6pp2-rx52",
  "modified": "2024-04-04T07:44:52Z",
  "published": "2023-09-20T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25526"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5480"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4VH4-C5MM-JQMW

Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2025-03-13 18:31
VLAI
Details

In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-08T03:15:08Z",
    "severity": "HIGH"
  },
  "details": "In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed",
  "id": "GHSA-4vh4-c5mm-jqmw",
  "modified": "2025-03-13T18:31:54Z",
  "published": "2024-04-08T03:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52342"
    },
    {
      "type": "WEB",
      "url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777143682512781313"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4W56-VR39-RVQR

Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31
VLAI
Details

Null pointer dereference vulnerability in the image decoding module Impact: Successful exploitation of this vulnerability will affect availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-54106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-476"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T12:15:25Z",
    "severity": "HIGH"
  },
  "details": "Null pointer dereference vulnerability in the image decoding module\nImpact: Successful exploitation of this vulnerability will affect availability.",
  "id": "GHSA-4w56-vr39-rvqr",
  "modified": "2024-12-12T12:31:16Z",
  "published": "2024-12-12T12:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54106"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2024/12"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-52XJ-VX8W-46QJ

Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-01-20 21:31
VLAI
Details

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-59466"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-20T21:16:04Z",
    "severity": "MODERATE"
  },
  "details": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
  "id": "GHSA-52xj-vx8w-46qj",
  "modified": "2026-01-20T21:31:35Z",
  "published": "2026-01-20T21:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
    },
    {
      "type": "WEB",
      "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5375-PQ7M-F5R2

Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-11 13:27
VLAI
Summary
@grpc/grpc-js: A malformed request can cause a server crash
Details

Impact

An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.

Patches

The following version have fixes for this vulnerability:

  • 1.9.16
  • 1.10.12
  • 1.11.4
  • 1.12.7
  • 1.13.5
  • 1.14.4

Workarounds

There is no workaround.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.10.0"
            },
            {
              "fixed": "1.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.11.0"
            },
            {
              "fixed": "1.11.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.12.0"
            },
            {
              "fixed": "1.12.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13.0"
            },
            {
              "fixed": "1.13.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@grpc/grpc-js"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.14.0"
            },
            {
              "fixed": "1.14.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-11T13:27:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nAn invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.\n\n### Patches\nThe following version have fixes for this vulnerability:\n\n - 1.9.16\n - 1.10.12\n - 1.11.4\n - 1.12.7\n - 1.13.5\n - 1.14.4\n\n### Workarounds\nThere is no workaround.",
  "id": "GHSA-5375-pq7m-f5r2",
  "modified": "2026-06-11T13:27:54Z",
  "published": "2026-06-11T13:27:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grpc/grpc-node"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@grpc/grpc-js: A malformed request can cause a server crash"
}

GHSA-56PQ-38G7-F784

Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31
VLAI
Details

Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected:

  • 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))
  • 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))
  • 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))
  • 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))
  • all versions of 9.10 and prior.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-27790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T05:16:50Z",
    "severity": "LOW"
  },
  "details": "Uncaught Exception (CWE-248)\u00a0in\u00a0the T20 Readers\u00a0allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service.\u00a0Version of Command Centre affected:\n\n\n\n\n\n  *  9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))\n  *  9.40 prior to vCR9.40.260616a (distributed in\u00a09.40.3130(MR3))\n  *  9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))\n  *  9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))\n  *  all versions of 9.10 and prior.",
  "id": "GHSA-56pq-38g7-f784",
  "modified": "2026-07-07T06:31:23Z",
  "published": "2026-07-07T06:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27790"
    },
    {
      "type": "WEB",
      "url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-27790"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-56X4-8XCJ-44R6

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-12-21 03:30
VLAI
Details

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-14T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted \u2018INGEST_EVAL\u2019 parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).",
  "id": "GHSA-56x4-8xcj-44r6",
  "modified": "2023-12-21T03:30:32Z",
  "published": "2023-07-06T19:24:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22941"
    },
    {
      "type": "WEB",
      "url": "https://advisory.splunk.com/advisories/SVD-2023-0211"
    },
    {
      "type": "WEB",
      "url": "https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5873-6FWQ-463F

Vulnerability from github – Published: 2023-10-25 14:09 – Updated: 2023-10-25 14:09
VLAI
Summary
stellar-strkey vulnerable to panic in SignedPayload::from_payload
Details

Impact

Panic vulnerability when a specially crafted payload is used. This is because of the following calculation:

inner_payload_len + (4 - inner_payload_len % 4) % 4

If inner_payload_len is 0xffffffff, (4 - inner_payload_len % 4) % 4 = 1 so

inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1

which overflow.

Patches

Check that inner_payload_len is not above 64 which should never be the case. Patched in version 0.0.8

Workarounds

Sanitize input payload before it is passed to the vulnerable function so that bytes in payload[32..32+4] and parsed as a u32 is not above 64.

References

GitHub issue #58

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "stellar-strkey"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-46135"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T14:09:10Z",
    "nvd_published_at": "2023-10-25T18:17:36Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nPanic vulnerability when a specially crafted payload is used. \nThis is because of the following calculation:\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4\n```\nIf `inner_payload_len` is `0xffffffff`, `(4 - inner_payload_len % 4) % 4 = 1` so\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1\n```\nwhich overflow.\n\n### Patches\nCheck that `inner_payload_len` is not above 64 which should never be the case.\nPatched in version 0.0.8\n\n### Workarounds\nSanitize input payload before it is passed to the vulnerable function so that bytes in `payload[32..32+4]` and parsed as a `u32` is not above 64.\n\n### References\nGitHub issue #58\n",
  "id": "GHSA-5873-6fwq-463f",
  "modified": "2023-10-25T14:09:10Z",
  "published": "2023-10-25T14:09:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/security/advisories/GHSA-5873-6fwq-463f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46135"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/issues/58"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/pull/59"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/commit/83adad0f5b1cda693c7ba8524d395add8077865f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/stellar/rs-stellar-strkey"
    },
    {
      "type": "WEB",
      "url": "https://github.com/stellar/rs-stellar-strkey/releases/tag/v0.0.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "stellar-strkey vulnerable to panic in SignedPayload::from_payload"
}

GHSA-595H-5JVM-PM7P

Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2024-07-03 18:34
VLAI
Details

In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541769; Issue ID: ALPS08541769.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-01T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541769; Issue ID: ALPS08541769.",
  "id": "GHSA-595h-5jvm-pm7p",
  "modified": "2024-07-03T18:34:01Z",
  "published": "2024-04-01T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20048"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.