CWE-805
AllowedBuffer Access with Incorrect Length Value
Abstraction: Base · Status: Incomplete
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
86 vulnerabilities reference this CWE, most recent first.
CVE-2020-10774 (GCVE-0-2020-10774)
Vulnerability from cvelistv5 – Published: 2021-05-27 18:46 – Updated: 2024-08-04 11:14| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1846964 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:15.551Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846964"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kernel",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "kernel-4.18.0-193.el8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory disclosure flaw was found in the Linux kernel\u0027s versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-805",
"description": "CWE-805",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-27T18:46:18.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846964"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10774",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "kernel",
"version": {
"version_data": [
{
"version_value": "kernel-4.18.0-193.el8"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A memory disclosure flaw was found in the Linux kernel\u0027s versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-805"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1846964",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846964"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10774",
"datePublished": "2021-05-27T18:46:18.000Z",
"dateReserved": "2020-03-20T00:00:00.000Z",
"dateUpdated": "2024-08-04T11:14:15.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-19339 (GCVE-0-2019-19339)
Vulnerability from cvelistv5 – Published: 2020-01-17 18:08 – Updated: 2024-08-05 02:16| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:16:46.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19339"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "kpatch:",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU\u0027s local cache and system software\u0027s Paging structure entries. A privileged guest user may use this flaw to induce a hardware Machine Check Error on the host processor, resulting in a severe DoS scenario by halting the processor. System software like OS OR Virtual Machine Monitor (VMM) use virtual memory system for storing program instructions and data in memory. Virtual Memory system uses Paging structures like Page Tables and Page Directories to manage system memory. The processor\u0027s Memory Management Unit (MMU) uses Paging structure entries to translate program\u0027s virtual memory addresses to physical memory addresses. The processor stores these address translations into its local cache buffer called - Translation Lookaside Buffer (TLB). TLB has two parts, one for instructions and other for data addresses. System software can modify its Paging structure entries to change address mappings OR certain attributes like page size etc. Upon such Paging structure alterations in memory, system software must invalidate the corresponding address translations in the processor\u0027s TLB cache. But before this TLB invalidation takes place, a privileged guest user may trigger an instruction fetch operation, which could use an already cached, but now invalid, virtual to physical address translation from Instruction TLB (ITLB). Thus accessing an invalid physical memory address and resulting in halting the processor due to the Machine Check Error (MCE) on Page Size Change."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-805",
"description": "CWE-805",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-17T18:08:53.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19339"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-19339",
"datePublished": "2020-01-17T18:08:53.000Z",
"dateReserved": "2019-11-27T00:00:00.000Z",
"dateUpdated": "2024-08-05T02:16:46.826Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-2FCC-JC2G-Q7H3
Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.
This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.
{
"affected": [],
"aliases": [
"CVE-2025-20175"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T17:15:24Z",
"severity": "HIGH"
},
"details": "A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.\n\nThis vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\u0026nbsp;\nThis vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.",
"id": "GHSA-2fcc-jc2g-q7h3",
"modified": "2025-02-05T18:34:45Z",
"published": "2025-02-05T18:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20175"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2Q6X-PG74-2276
Vulnerability from github – Published: 2026-05-05 18:33 – Updated: 2026-06-08 06:30A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-34002"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-05T16:16:11Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the X.Org X server. This vulnerability, an out-of-bounds read, affects the XKB (X Keyboard Extension) modifier map handling. An attacker with access to the X11 server can exploit this by sending a malformed request, which causes the server to read beyond its intended memory boundaries. This can lead to the exposure of sensitive information or cause the server to crash, resulting in a denial of service.",
"id": "GHSA-2q6x-pg74-2276",
"modified": "2026-06-08T06:30:25Z",
"published": "2026-05-05T18:33:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34002"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451112"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-34002"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24341"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23496"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23255"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23254"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22456"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22424"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21742"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21718"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21716"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21715"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21712"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:21699"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20576"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20575"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20563"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20562"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20561"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20560"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20558"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20557"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20555"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20547"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-469R-46JX-389P
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2022-05-24 19:03A memory disclosure flaw was found in the Linux kernel's versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.
{
"affected": [],
"aliases": [
"CVE-2020-10774"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "A memory disclosure flaw was found in the Linux kernel\u0027s versions before 4.18.0-193.el8 in the sysctl subsystem when reading the /proc/sys/kernel/rh_features file. This flaw allows a local user to read uninitialized values from the kernel memory. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-469r-46jx-389p",
"modified": "2022-05-24T19:03:26Z",
"published": "2022-05-24T19:03:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10774"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1846964"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-4JP4-VQWC-QH78
Vulnerability from github – Published: 2025-11-18 00:30 – Updated: 2025-11-18 03:31Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a WinBioControlUnit call to the StorageAdapter with the ControlCode 3 (WBIO_USH_CREATE_CHALLENGE) and with 0 < ReceiveBuferSize < 4. Up to three null-bytes will be written past the end of the ReceiveBuffer.
{
"affected": [],
"aliases": [
"CVE-2025-36462"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-17T23:15:53Z",
"severity": "HIGH"
},
"details": "Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability.\u00a0This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 3 (`WBIO_USH_CREATE_CHALLENGE`) and with `0 \u003c ReceiveBuferSize \u003c 4`. Up to three null-bytes will be written past the end of the `ReceiveBuffer`.",
"id": "GHSA-4jp4-vqwc-qh78",
"modified": "2025-11-18T03:31:14Z",
"published": "2025-11-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36462"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RV8-Q9C8-6QPQ
Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-01 21:31An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field
{
"affected": [],
"aliases": [
"CVE-2025-63547"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T18:16:13Z",
"severity": "HIGH"
},
"details": "An issue in Eprosima Micro-XREC-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field",
"id": "GHSA-4rv8-q9c8-6qpq",
"modified": "2026-05-01T21:31:20Z",
"published": "2026-05-01T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63547"
},
{
"type": "WEB",
"url": "https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390"
},
{
"type": "WEB",
"url": "https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4RX4-73JX-C5R8
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-15 03:32In the Linux kernel, the following vulnerability has been resolved:
crypto: ccp - copy IV using skcipher ivsize
AF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.
ccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller's IV buffer while RFC3686 skciphers expose an 8-byte IV, so the restore overruns the provided buffer.
Use crypto_skcipher_ivsize() to copy only the algorithm's IV length.
{
"affected": [],
"aliases": [
"CVE-2026-53016"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:12Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - copy IV using skcipher ivsize\n\nAF_ALG rfc3686-ctr-aes-ccp requests pass an 8-byte IV to the driver.\n\nccp_aes_complete() restores AES_BLOCK_SIZE bytes into the caller\u0027s IV\nbuffer while RFC3686 skciphers expose an 8-byte IV, so the restore\noverruns the provided buffer.\n\nUse crypto_skcipher_ivsize() to copy only the algorithm\u0027s IV length.",
"id": "GHSA-4rx4-73jx-c5r8",
"modified": "2026-07-15T03:32:51Z",
"published": "2026-06-24T18:32:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53016"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38491"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39494"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-53016"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492269"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/227c1e1d9e2aa4cfc65ba446d5690da1f546cda4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/798d409a8949f3f495f238549b86de2886b129bd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/939061b2d0f7f15114e34b4ce878ef50ff4089c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a7a1f3cdd64d8a165d9b8c9e9ad7fb46ac19dfc4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bb01d8f1f385bc9034ca114d3508c7fdea24fc9a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df9784bb5b637ac80f4a2768a58ca9a50bef28a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dfb2cf434829819268fe50f41542aad318ad62b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eecee15e263ccb8cd77170a56ab6c969cb54dd6a"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53016.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4X89-CJCJ-2F3M
Vulnerability from github – Published: 2026-06-16 03:30 – Updated: 2026-06-16 03:30A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory.
{
"affected": [],
"aliases": [
"CVE-2026-1766"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T02:16:18Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 component. This heap buffer overflow vulnerability occurs when processing specially crafted MP3 files containing malformed ID3v2.3 COMM (Comment) tags. An attacker could exploit this by providing a malicious MP3 file, leading to a denial of service (DoS), which causes an application crash, and potentially disclosing sensitive information from the heap memory.",
"id": "GHSA-4x89-cjcj-2f3m",
"modified": "2026-06-16T03:30:35Z",
"published": "2026-06-16T03:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1766"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-1766"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2435982"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5X4M-C6G6-R2QQ
Vulnerability from github – Published: 2025-02-02 03:30 – Updated: 2025-02-02 03:30NVIDIA GPU kernel driver for Windows and Linux contains a vulnerability where a potential user-mode attacker could read a buffer with an incorrect length. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-0131"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-02T01:15:24Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU kernel driver for Windows and Linux contains a vulnerability where a potential user-mode attacker could read \u00a0a buffer with an incorrect length. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-5x4m-c6g6-r2qq",
"modified": "2025-02-02T03:30:37Z",
"published": "2025-02-02T03:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0131"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5614"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
- Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
- Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the product or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-256: SOAP Array Overflow
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array.