CVE & CISA-KEV Catalog

362,600 CVEs · 1,630 actively exploited (KEV)
  • CVSS 6.5 v3·EPSS -·Fix available

    A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.

    Published 2026-07-01

  • CVSS 6.5 v3·EPSS -·Fix available

    A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.

    Published 2026-07-01

  • CVSS 6.5 v3·EPSS -·Fix available

    A flaw was found in GLib. An off-by-one error can occur in the gvs_tuple_is_normal function in the glib/gvariant-serialiser.c file when doing an alignment padding check because the bounds check uses > instead of >=, causing an out-of-bounds read of only 1 byte. This issue can cause a minor information disclosure of 1 byte and a denial of service when the out-of-bounds read crosses a page boundary.

    Published 2026-07-01

  • CVSS 6.9 v4·EPSS 0.1%·No fix yet

    GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781d

    Published 2026-06-30

  • CVSS 4.8 v3·EPSS 0.3%·Fix available

    An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.

    Published 2026-06-25

  • CVSS 7.3 v3·EPSS 0.6%·Fix available

    Buffer Over-read vulnerability in Apache HTTP Server via outbound OCSP requests to an attacker-controlled OCSP server. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67. Users are recommended to upgrade to version 2.4.68, which fixes the issue.

    Published 2026-06-23

  • CVSS 5.0 v3·EPSS 0.2%·No fix yet

    A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.

    Published 2026-06-09

  • CVSS 4.7 v3·EPSS 0.4%·No fix yet

    Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.

    Published 2026-06-09

  • CVSS 7.8 v3·EPSS 0.3%·Fix available

    Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.

    Published 2026-06-09

  • CVSS 4.9 v3·EPSS 0.2%·Fix available

    OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. This issue has been patched in version 0.9.0.

    Published 2026-06-02

  • CVSS 5.5 v3·EPSS 0.1%·No fix yet

    Information Disclosure when processing advertisement frames with malformed MBSSID elements of insufficient length.

    Published 2026-06-01

  • CVSS 8.2 v3·EPSS 0.7%·Fix available

    A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

    Published 2026-06-01

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

    Published 2026-05-14

  • CVSS 5.3 v3·EPSS 0.3%·Fix available

    Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing.

    Published 2026-05-13

  • CVSS 7.5 v3·EPSS 0.4%·Fix available

    Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

    Published 2026-05-07

  • CVSS 6.1 v3·EPSS 0.1%·No fix yet

    Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.

    Published 2026-05-04

  • CVSS 6.5 v3·EPSS 0.2%·No fix yet

    Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.

    Published 2026-05-04

  • CVSS 6.5 v3·EPSS 0.2%·No fix yet

    Transient DOS when processing target power rate tables during channel configuration.

    Published 2026-05-04

  • CVSS 7.1 v3·EPSS 0.2%·No fix yet

    AGL agl-service-can-low-level through 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.

    Published 2026-05-01

  • CVSS 6.5 v3·EPSS 0.3%·Fix available

    The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.0.1 to version 2.43 fail to validate the RDATA content against the RDATA length in a DNS response when processing A6, CERT, LOC, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

    Published 2026-05-01

  • CVSS 5.5 v3·EPSS 0.2%·Fix available

    Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service

    Published 2026-04-30

  • CVSS 9.8 v3·EPSS 0.4%·Fix available

    rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78.

    Published 2026-04-29

  • CVSS 4.3 v3·EPSS 0.2%·Fix available

    Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds read after establishing a connection which would leak the adjacent stack memory to the pseudo-console output.

    Published 2026-04-20

  • CVSS 3.5 v3·EPSS 0.2%·No fix yet

    libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input from untrusted USB devices. Commit c385b34af260595dfbb5f9329526be5158985987 contains a patch. No known workarounds are available.

    Published 2026-04-18

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash.

    Published 2026-04-15

  • CVSS 7.8 v3·EPSS 0.2%·Fix available

    Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.

    Published 2026-04-14

  • CVSS 6.1 v3·EPSS 2.4%·Fix available

    Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally.

    Published 2026-04-14

  • CVSS 6.5 v3·EPSS 0.9%·Fix available

    Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

    Published 2026-04-14

  • CVSS 7.6 v3·EPSS 0.1%·No fix yet

    Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when retrieving output buffer with insufficient size validation.

    Published 2026-04-06

  • CVSS 7.6 v3·EPSS 0.2%·No fix yet

    Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans.

    Published 2026-04-06

  • CVSS 7.1 v3·EPSS 0.1%·No fix yet

    Cryptographic issue while copying data to a destination buffer without validating its size.

    Published 2026-04-06

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory corruption while preprocessing IOCTL request in JPEG driver.

    Published 2026-04-06

  • CVSS 3.9 v3·EPSS 0.3%·Fix available

    OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the encoded element claims tag=0 and length=10 but no value bytes follow. Calling sc_compacttlv_find_tag with search tag 0x00 returns a pointer equal to buf+1 and outlen=10 without verifying that the claimed value length fits within the remaining buffer. In cases where sc_compacttlv_find_tag is provided untrusted data (such as being read from cards/files), attackers may be able to influence it to return out-of-bounds pointers, leading to downstream memory corruption when subsequent code tries to dereference the pointer.

    Published 2026-04-02

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.2.34, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.

    Published 2026-04-01

  • CVSS 5.3 v3·EPSS 1.0%·Fix available

    An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

    Published 2026-03-31

  • CVSS 7.4 v3·EPSS 0.4%·Fix available

    A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9.

    Published 2026-03-24

  • CVSS 7.9 v3·EPSS 0.2%·Fix available

    In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

    Published 2026-03-09

  • CVSS 7.8 v3·EPSS 0.1%·No fix yet

    Memory Corruption when adding user-supplied data without checking available buffer space.

    Published 2026-03-02

  • CVSS 4.0 v3·EPSS 0.1%·Fix available

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when calculating the stride (row size) for pixel buffer allocation. The stride calculation overflows a 32-bit signed integer, resulting in out-of-bounds memory reads. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

    Published 2026-02-26

  • CVSS 4.0 v3·EPSS 0.1%·Fix available

    ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability occurs when processing an image with small dimensions using the `-wavelet-denoise` operator. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

    Published 2026-02-26

  • CVSS 5.3 v3·EPSS 0.2%·Fix available

    FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, a buffer overread in `freerdp_image_copy_from_icon_data()` (libfreerdp/codec/color.c) can be triggered by crafted RDP Window Icon (TS_ICON_INFO) data. The bug is reachable over the network when a client processes icon data from an RDP server (or from a man-in-the-middle). Version 3.23.0 fixes the issue.

    Published 2026-02-25

  • CVSS 5.5 v3·EPSS 0.2%·Fix available

    RF4CE Profile protocol dissector crash in Wireshark 4.6.0 to 4.6.3 and 4.4.0 to 4.4.13 allows denial of service

    Published 2026-02-25

  • CVSS 6.6 v3·EPSS 0.2%·Fix available

    NanaZip is an open source file archiver. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in the `.NET Single File` bundle header parser due to a missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue.

    Published 2026-02-19

  • CVSS 8.1 v3·EPSS 1.0%·Fix available

    LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

    Published 2026-02-10

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.