Common Weakness Enumeration

CWE-122

Allowed

Heap-based Buffer Overflow

Abstraction: Variant · Status: Draft

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

4096 vulnerabilities reference this CWE, most recent first.

GHSA-96FH-9Q43-RMJH

Vulnerability from github – Published: 2023-12-30 00:30 – Updated: 2025-11-04 21:30
VLAI
Details

A vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47038"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-18T14:15:08Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability was found in perl. This issue occurs when a crafted regular expression is compiled by perl, which can allow an attacker controlled byte buffer overflow in a heap allocated buffer.",
  "id": "GHSA-96fh-9q43-rmjh",
  "modified": "2025-11-04T21:30:52Z",
  "published": "2023-12-30T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47038"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Perl/perl5/commit/ff1f9f59360afeebd6f75ca1502f5c3ebf077da3"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:2228"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2024:3128"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-47038"
    },
    {
      "type": "WEB",
      "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056746"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2249523"
    },
    {
      "type": "WEB",
      "url": "https://github.com/aquasecurity/trivy/discussions/8400"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNEEWAACXQCEEAKSG7XX2D5YDRWLCIZJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMDZZ4SCEW6FRWZDMXGAKZ35THTAWFG6"
    },
    {
      "type": "WEB",
      "url": "https://perldoc.perl.org/perl5382delta#CVE-2023-47038-Write-past-buffer-end-via-illegal-user-defined-Unicode-property"
    },
    {
      "type": "WEB",
      "url": "https://ubuntu.com/security/CVE-2023-47100"
    },
    {
      "type": "WEB",
      "url": "https://www.suse.com/security/cve/CVE-2023-47100.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-96V6-28QX-CR4Q

Vulnerability from github – Published: 2026-01-09 18:31 – Updated: 2026-01-09 18:31
VLAI
Details

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain a Heap-based Buffer Overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-46643"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-09T16:16:06Z",
    "severity": "LOW"
  },
  "details": "Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS 2023 release versions 7.10.1.0 through 7.10.1.70, contain a Heap-based Buffer Overflow vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service.",
  "id": "GHSA-96v6-28qx-cr4q",
  "modified": "2026-01-09T18:31:35Z",
  "published": "2026-01-09T18:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46643"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000405813/dsa-2025-415-security-update-for-dell-powerprotect-data-domain-multiple-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9726-XP73-4P4Q

Vulnerability from github – Published: 2024-04-19 18:31 – Updated: 2025-06-09 18:32
VLAI
Details

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_gaussian_blur_8 function in libavfilter/edge_template.c:116:5 component.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-50009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-19T17:15:52Z",
    "severity": "HIGH"
  },
  "details": "Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_gaussian_blur_8 function in libavfilter/edge_template.c:116:5 component.",
  "id": "GHSA-9726-xp73-4p4q",
  "modified": "2025-06-09T18:32:06Z",
  "published": "2024-04-19T18:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/162b4c60c8f72be2e93b759f3b1e14652b70b3ba"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg/commit/c443658d26d2b8e19901f9507a890e0efca79056"
    },
    {
      "type": "WEB",
      "url": "https://ffmpeg.org"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FFmpeg/FFmpeg"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IPETICRXUOGRIM4U3BCRTIKE3IZWCSBT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE3ASLH6QF2E5OVJI5VA3JSEPJFFFMNY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6G7EYH2JAK5OJPVNC6AXYQ5K7YGYNCDN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IPETICRXUOGRIM4U3BCRTIKE3IZWCSBT"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE3ASLH6QF2E5OVJI5VA3JSEPJFFFMNY"
    },
    {
      "type": "WEB",
      "url": "https://trac.ffmpeg.org/ticket/10699"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9758-J9JF-94JR

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Heap-based buffer overflow in Desktop Window Manager allows an authorized attacker to elevate privileges locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50692"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:18:05Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Desktop Window Manager allows an authorized attacker to elevate privileges locally.",
  "id": "GHSA-9758-j9jf-94jr",
  "modified": "2026-07-14T18:32:30Z",
  "published": "2026-07-14T18:32:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50692"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50692"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97M2-WMVC-CRMH

Vulnerability from github – Published: 2025-12-29 18:30 – Updated: 2025-12-30 18:30
VLAI
Details

Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66869"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-29T17:15:46Z",
    "severity": "HIGH"
  },
  "details": "Buffer overflow vulnerability in function strcat in asan_interceptors.cpp in libming 0.4.8.",
  "id": "GHSA-97m2-wmvc-crmh",
  "modified": "2025-12-30T18:30:16Z",
  "published": "2025-12-29T18:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66869"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libming/libming/issues/366"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97M4-RPJ6-88C7

Vulnerability from github – Published: 2023-08-10 03:30 – Updated: 2024-04-04 06:46
VLAI
Details

An improper input validation in IpcTxGetVerifyAkey in libsec-ril prior to SMR Aug-2023 Release 1 allows attacker to cause out-of-bounds write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-10T02:15:12Z",
    "severity": "HIGH"
  },
  "details": "An improper input validation in IpcTxGetVerifyAkey in libsec-ril prior to SMR Aug-2023 Release 1 allows attacker to cause out-of-bounds write.",
  "id": "GHSA-97m4-rpj6-88c7",
  "modified": "2024-04-04T06:46:29Z",
  "published": "2023-08-10T03:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30696"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2023\u0026month=08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97V7-8JC6-JVPQ

Vulnerability from github – Published: 2026-06-16 21:32 – Updated: 2026-06-17 18:35
VLAI
Details

In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0149"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T20:16:25Z",
    "severity": "HIGH"
  },
  "details": "In RtpSession::rtpSendRtcpPacket, there is a possible OOB write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-97v7-8jc6-jvpq",
  "modified": "2026-06-17T18:35:21Z",
  "published": "2026-06-16T21:32:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0149"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-97WC-2HQC-CJGR

Vulnerability from github – Published: 2026-05-09 00:02 – Updated: 2026-06-08 23:35
VLAI
Summary
smallbitvec: Integer overflow in safe API leads to heap buffer overflow
Details

Summary

An integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller.

Details

The issue originates from unchecked arithmetic in the internal helper function responsible for computing the required buffer size:

(cap + bits_per_storage() - 1) / bits_per_storage()

When cap is close to usize::MAX, the addition:

cap + bits_per_storage() - 1

can overflow in release builds and wrap around due to Rust’s default wrapping semantics for integer overflow in optimized builds.

As a result: - buffer_len(cap) may return a value significantly smaller than required. - The backing storage is allocated with insufficient size. - Internal metadata (logical length/capacity) reflects a much larger size than the actual allocation.

Subsequent safe API calls (e.g., set, push, reserve) rely on this corrupted metadata and perform index computations that assume sufficient backing storage. These operations eventually reach unsafe internal code paths (e.g., pointer arithmetic and unchecked indexing), leading to out-of-bounds memory access.

Summary of the issue: integer overflow → undersized allocation → inconsistent metadata (len/cap vs actual buffer) → unsafe internal access using corrupted metadata → heap buffer overflow (UB)

PoC

PoC 1: Out-of-bounds write via from_elem

#![forbid(unsafe_code)]

use smallbitvec::SmallBitVec;

fn main() {
    // Triggers overflow in buffer_len(cap)
    let mut v = SmallBitVec::from_elem(usize::MAX, false);

    // Logical length is large, but backing storage is undersized
    // This leads to out-of-bounds write in unsafe internals
    v.set(0, true);
}

PoC 2: Overflow via reserve

#![forbid(unsafe_code)]

use smallbitvec::SmallBitVec;

fn main() {
    let mut v = SmallBitVec::new();
    v.push(true);

    // Triggers overflow in capacity computation
    v.reserve(usize::MAX - 10);
}

Impact

  • Heap buffer overflow via safe API only
  • ASAN-observable heap-buffer-overflow
  • Undefined Behavior detectable with Miri (e.g., out-of-bounds indexing due to corrupted metadata)

Tested on

  • rustc 1.96.0-nightly (9602bda1d 2026-04-05)
  • Target: x86_64-unknown-linux-gnu
  • Build: release
  • ASAN: RUSTFLAGS="-Z sanitizer=address" cargo +nightly run --release
  • Miri: cargo +nightly miri run --release
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "smallbitvec"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.1"
            },
            {
              "last_affected": "2.6.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44983"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-09T00:02:47Z",
    "nvd_published_at": "2026-05-26T22:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn integer overflow in the internal capacity calculation of `smallbitvec` can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring `unsafe` code from the caller.\n\n### Details\nThe issue originates from unchecked arithmetic in the internal helper function responsible for computing the required buffer size:\n\n```\n(cap + bits_per_storage() - 1) / bits_per_storage()\n```\n\nWhen `cap` is close to `usize::MAX`, the addition:\n\n```\ncap + bits_per_storage() - 1\n```\n\ncan overflow in release builds and wrap around due to Rust\u2019s default wrapping semantics for integer overflow in optimized builds.\n\nAs a result:\n- `buffer_len(cap)` may return a value significantly smaller than required.\n- The backing storage is allocated with insufficient size.\n- Internal metadata (logical length/capacity) reflects a much larger size than the actual allocation.\n\nSubsequent safe API calls (e.g., `set`, `push`, `reserve`) rely on this corrupted metadata and perform index computations that assume sufficient backing storage. These operations eventually reach unsafe internal code paths (e.g., pointer arithmetic and unchecked indexing), leading to out-of-bounds memory access.\n\nSummary of the issue:\ninteger overflow\n\u2192 undersized allocation\n\u2192 inconsistent metadata (len/cap vs actual buffer)\n\u2192 unsafe internal access using corrupted metadata\n\u2192 heap buffer overflow (UB)\n### PoC\n#### PoC 1: Out-of-bounds write via `from_elem`\n```rust\n#![forbid(unsafe_code)]\n\nuse smallbitvec::SmallBitVec;\n\nfn main() {\n    // Triggers overflow in buffer_len(cap)\n    let mut v = SmallBitVec::from_elem(usize::MAX, false);\n\n    // Logical length is large, but backing storage is undersized\n    // This leads to out-of-bounds write in unsafe internals\n    v.set(0, true);\n}\n```\n#### PoC 2: Overflow via `reserve`\n```rust\n#![forbid(unsafe_code)]\n\nuse smallbitvec::SmallBitVec;\n\nfn main() {\n    let mut v = SmallBitVec::new();\n    v.push(true);\n\n    // Triggers overflow in capacity computation\n    v.reserve(usize::MAX - 10);\n}\n```\n\n### Impact\n- Heap buffer overflow via safe API only\n- ASAN-observable heap-buffer-overflow\n- Undefined Behavior detectable with Miri (e.g., out-of-bounds indexing due to corrupted metadata)\n\n### Tested on\n- rustc 1.96.0-nightly (9602bda1d 2026-04-05)\n- Target: x86_64-unknown-linux-gnu\n- Build: release\n- ASAN: `RUSTFLAGS=\"-Z sanitizer=address\" cargo +nightly run --release`\n- Miri: `cargo +nightly miri run --release`",
  "id": "GHSA-97wc-2hqc-cjgr",
  "modified": "2026-06-08T23:35:08Z",
  "published": "2026-05-09T00:02:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/servo/smallbitvec/security/advisories/GHSA-97wc-2hqc-cjgr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44983"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/servo/smallbitvec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "smallbitvec: Integer overflow in safe API leads to heap buffer overflow"
}

GHSA-97XG-PX2H-JVXP

Vulnerability from github – Published: 2024-04-03 00:30 – Updated: 2024-04-20 00:31
VLAI
Details

A vulnerability was found in UPX up to 4.2.2. It has been rated as critical. This issue affects the function get_ne64 of the file bele.h. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259055. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-3209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-02T23:15:55Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in UPX up to 4.2.2. It has been rated as critical. This issue affects the function get_ne64 of the file bele.h. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259055. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-97xg-px2h-jvxp",
  "modified": "2024-04-20T00:31:52Z",
  "published": "2024-04-03T00:30:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3209"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AE5OZ7YUEVLXVVS6PFP5RELVICQ4K6QK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J4DNK3AFPT4KIPTBKGCJ6FC3L7AWI2TN"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZHWZN2NX5W3WYA6ACJ746PAZXXNZETKD"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.259055"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.259055"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.304575"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9898-J6RC-MV8C

Vulnerability from github – Published: 2022-12-08 00:30 – Updated: 2022-12-09 21:30
VLAI
Details

GE CIMPICITY versions 2022 and prior is vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2948"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-07T23:15:00Z",
    "severity": "HIGH"
  },
  "details": "GE CIMPICITY versions 2022 and prior is vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code.",
  "id": "GHSA-9898-j6rc-mv8c",
  "modified": "2022-12-09T21:30:47Z",
  "published": "2022-12-08T00:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2948"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-326-04"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation

Pre-design: Use a language or compiler that performs automatic bounds checking.

Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Strategy: Libraries or Frameworks

Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.

Mitigation
Operation

Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.