CWE-122
AllowedHeap-based Buffer Overflow
Abstraction: Variant · Status: Draft
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
4093 vulnerabilities reference this CWE, most recent first.
GHSA-JGW6-7HRC-742J
Vulnerability from github – Published: 2024-11-12 18:30 – Updated: 2024-11-12 18:30SQL Server Native Client Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-48994"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:36Z",
"severity": "HIGH"
},
"details": "SQL Server Native Client Remote Code Execution Vulnerability",
"id": "GHSA-jgw6-7hrc-742j",
"modified": "2024-11-12T18:30:59Z",
"published": "2024-11-12T18:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48994"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-48994"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH49-99Q5-MWF2
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-42980"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:13Z",
"severity": "HIGH"
},
"details": "Integer underflow (wrap or wraparound) in Windows NT OS Kernel allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-jh49-99q5-mwf2",
"modified": "2026-06-09T18:30:45Z",
"published": "2026-06-09T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42980"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42980"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHF6-432Q-GP6X
Vulnerability from github – Published: 2025-03-25 15:31 – Updated: 2025-03-25 15:31Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of dae files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23704.
{
"affected": [],
"aliases": [
"CVE-2025-2531"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-25T15:15:25Z",
"severity": "HIGH"
},
"details": "Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of dae files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23704.",
"id": "GHSA-jhf6-432q-gp6x",
"modified": "2025-03-25T15:31:29Z",
"published": "2025-03-25T15:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2531"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-174"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHV5-3WC2-F8JM
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-55043"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:15Z",
"severity": "HIGH"
},
"details": "Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.",
"id": "GHSA-jhv5-3wc2-f8jm",
"modified": "2026-07-14T18:32:33Z",
"published": "2026-07-14T18:32:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55043"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ28-P98R-MWQJ
Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-04-13 21:30A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
{
"affected": [],
"aliases": [
"CVE-2026-30999"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T15:17:32Z",
"severity": "HIGH"
},
"details": "A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.",
"id": "GHSA-jj28-p98r-mwqj",
"modified": "2026-04-13T21:30:42Z",
"published": "2026-04-13T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30999"
},
{
"type": "WEB",
"url": "https://excellent-oatmeal-319.notion.site/CVE-2026-30999-Memory-Leak-e0d88ac53e2e42c1b5ef9aa3497e27b6"
},
{
"type": "WEB",
"url": "https://ffmpeg.org/doxygen/7.0/zmqsend_8c_source.html"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/blob/master/tools/zmqsend.c"
},
{
"type": "WEB",
"url": "https://www.ffmpeg.org/download.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ2C-679G-WVQH
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack.
{
"affected": [],
"aliases": [
"CVE-2026-54132"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:17:05Z",
"severity": "MODERATE"
},
"details": "Heap-based buffer overflow in Windows Kernel allows an unauthorized attacker to elevate privileges with a physical attack.",
"id": "GHSA-jj2c-679g-wvqh",
"modified": "2026-07-14T18:32:07Z",
"published": "2026-07-14T18:32:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54132"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ2V-35PF-65RW
Vulnerability from github – Published: 2026-05-26 15:32 – Updated: 2026-05-26 15:32A heap-based buffer overflow vulnerability exists in XML parser functionality in the HiDraw. An authenticated malicious user with local access can exploit this vulnerability using a specially crafted XML file which may lead to memory corruption and potential arbitrary code execution. Successful exploitation could result in application crashes (denial of service) and compromise the confidentiality and integrity of the affected system.
{
"affected": [],
"aliases": [
"CVE-2026-7310"
],
"database_specific": {
"cwe_ids": [
"CWE-122"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T14:16:40Z",
"severity": "MODERATE"
},
"details": "A heap-based buffer overflow vulnerability exists in XML\nparser functionality in the HiDraw. An authenticated\nmalicious user with local access can exploit this\nvulnerability using a specially crafted XML file which may\nlead to memory corruption and potential arbitrary code\nexecution. Successful exploitation could result in\napplication crashes (denial of service) and compromise the\nconfidentiality and integrity of the affected system.",
"id": "GHSA-jj2v-35pf-65rw",
"modified": "2026-05-26T15:32:10Z",
"published": "2026-05-26T15:32:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7310"
},
{
"type": "WEB",
"url": "https://publisher.hitachienergy.com/preview?DocumentID=8DBD000248\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JJ47-X69X-MXRM
Vulnerability from github – Published: 2022-04-05 15:55 – Updated: 2022-05-26 18:54NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3
The 1.x branch and the 2.x branch of yajl contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.
Details
The reallocation logic at yajl_buf.c#L64 may result in the need 32bit integer wrapping to 0 when need approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk.
These integers are declared as size_t in the 2.x branch of yajl, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which size_t is a 32bit integer.
Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.
Impact
We rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely.
Patches
Patched in yajl-ruby 1.4.3
Workarounds
Avoid passing large inputs to YAJL
References
https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64
For more information
If you have any questions or comments about this advisory: * Open an issue in yajl-ruby
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "yajl-ruby"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24795"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2022-04-05T15:55:51Z",
"nvd_published_at": "2022-04-05T16:15:00Z",
"severity": "MODERATE"
},
"details": "_NOTE: A previous patch, 1.4.2, fixed the heap memory issue, but could still lead to a DoS infinite loop. Please update to version 1.4.3_\n\nThe 1.x branch and the 2.x branch of [yajl](https://github.com/lloyd/yajl) contain an integer overflow which leads to subsequent heap memory corruption when dealing with large (~2GB) inputs.\n\n### Details\n\nThe [reallocation logic at yajl_buf.c#L64](https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64) may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf-\u003ealloc into a small heap chunk.\n\nThese integers are declared as `size_t` in the 2.x branch of `yajl`, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which `size_t` is a 32bit integer.\n\nSubsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.\n\n### Impact\n\nWe rate this as a moderate severity vulnerability which mostly impacts process availability as we believe exploitation for arbitrary code execution to be unlikely.\n\n### Patches\n\nPatched in yajl-ruby 1.4.3\n\n### Workarounds\n\nAvoid passing large inputs to YAJL\n\n### References\nhttps://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [yajl-ruby](https://github.com/brianmario/yajl-ruby/issues)\n",
"id": "GHSA-jj47-x69x-mxrm",
"modified": "2022-05-26T18:54:24Z",
"published": "2022-04-05T15:55:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24795"
},
{
"type": "WEB",
"url": "https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6"
},
{
"type": "PACKAGE",
"url": "https://github.com/brianmario/yajl-ruby"
},
{
"type": "WEB",
"url": "https://github.com/brianmario/yajl-ruby/blob/7168bd79b888900aa94523301126f968a93eb3a6/ext/yajl/yajl_buf.c#L64"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yajl-ruby/CVE-2022-24795.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00003.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KLE3C4CECEJ4EUYI56KXI6OWACWXX7WN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YO32YDJ74DADC7CMJNLSLBVWN5EXGF5J"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Buffer Overflow in yajl-ruby"
}
GHSA-JJ6M-8486-6RG2
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2025-11-03 21:30Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-0572"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-14T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-jj6m-8486-6rg2",
"modified": "2025-11-03T21:30:38Z",
"published": "2022-02-15T00:02:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0572"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/6e28703a8e41f775f64e442c5d11ce1ff599aa3f"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/bf3e0643-03e9-4436-a1c8-74e7111c32bf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4GOY5YWTP5QUY2EFLCL7AUWA2CV57C37"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GOY5YWTP5QUY2EFLCL7AUWA2CV57C37"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213488"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/28"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ77-6H6H-GH59
Vulnerability from github – Published: 2023-01-31 00:30 – Updated: 2023-02-07 15:30Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior are vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code or crash the device remotely.
{
"affected": [],
"aliases": [
"CVE-2023-23582"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T23:15:00Z",
"severity": "CRITICAL"
},
"details": "Snap One Wattbox WB-300-IP-3 versions WB10.9a17 and prior are vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code or crash the device remotely.",
"id": "GHSA-jj77-6h6h-gh59",
"modified": "2023-02-07T15:30:26Z",
"published": "2023-01-31T00:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23582"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Pre-design: Use a language or compiler that performs automatic bounds checking.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Implement and perform bounds checking on input.
Mitigation
Strategy: Libraries or Frameworks
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Mitigation
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.