Common Weakness Enumeration

CWE-787

Allowed-with-Review

Out-of-bounds Write

Abstraction: Base · Status: Draft

The product writes data past the end, or before the beginning, of the intended buffer.

15109 vulnerabilities reference this CWE, most recent first.

GHSA-RXXC-45J4-GCC4

Vulnerability from github – Published: 2024-12-04 12:31 – Updated: 2024-12-04 12:31
VLAI
Details

Out-of-bounds Write vulnerability was discovered in Open Design Alliance Drawings SDK before 2025.10. Reading crafted DWF file and missing proper checks on received SectionIterator data can trigger an unhandled exception. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-04T12:15:20Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds Write\u00a0vulnerability was discovered in Open Design Alliance Drawings SDK before 2025.10. Reading crafted DWF file and missing proper checks on received SectionIterator data can trigger an unhandled exception. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.",
  "id": "GHSA-rxxc-45j4-gcc4",
  "modified": "2024-12-04T12:31:45Z",
  "published": "2024-12-04T12:31:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8894"
    },
    {
      "type": "WEB",
      "url": "https://www.opendesign.com/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RXXM-FW4J-Q3VG

Vulnerability from github – Published: 2023-01-27 00:30 – Updated: 2025-11-04 21:30
VLAI
Details

Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the 'no vpn pptp advanced name WORD dns (yes|no) mtu <128-16384> mru <128-16384> mppe (on|off) stateful (on|off) options WORD' command template.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-41026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-26T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Several stack-based buffer overflow vulnerabilities exist in the DetranCLI command parsing functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network packet can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger these vulnerabilities.This buffer overflow is in the function that manages the \u0027no vpn pptp advanced name WORD dns (yes|no) mtu \u003c128-16384\u003e mru \u003c128-16384\u003e mppe (on|off) stateful (on|off) options WORD\u0027 command template.",
  "id": "GHSA-rxxm-fw4j-q3vg",
  "modified": "2025-11-04T21:30:31Z",
  "published": "2023-01-27T00:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41026"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1613"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1613"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V223-C39X-4WXF

Vulnerability from github – Published: 2024-03-11 21:31 – Updated: 2024-08-27 18:31
VLAI
Details

In TBD of TBD, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-27208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-11T19:15:48Z",
    "severity": "HIGH"
  },
  "details": "In TBD of TBD, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-v223-c39x-4wxf",
  "modified": "2024-08-27T18:31:34Z",
  "published": "2024-03-11T21:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-27208"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2024-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V22C-C5CC-5MV4

Vulnerability from github – Published: 2022-05-14 03:08 – Updated: 2024-10-21 15:32
VLAI
Details

An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Clearkey-encrypted media content. The "ClearKeyDecryptor" code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-5448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-11T21:29:00Z",
    "severity": "HIGH"
  },
  "details": "An out-of-bounds write in \"ClearKeyDecryptor\" while decrypting some Clearkey-encrypted media content. The \"ClearKeyDecryptor\" code runs within the Gecko Media Plugin (GMP) sandbox. If a second mechanism is found to escape the sandbox, this vulnerability allows for the writing of arbitrary data within memory, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR \u003c 45.9, Firefox ESR \u003c 52.1, and Firefox \u003c 53.",
  "id": "GHSA-v22c-c5cc-5mv4",
  "modified": "2024-10-21T15:32:20Z",
  "published": "2022-05-14T03:08:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5448"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1104"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1106"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1346648"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3831"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-10"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-11"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2017-12"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97940"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1038320"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V22H-VW8W-7WR4

Vulnerability from github – Published: 2022-05-13 01:21 – Updated: 2022-05-13 01:21
VLAI
Details

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buffer overflow in the function SVGStartElement of coders/svg.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a quoted font family value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-11005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-08T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buffer overflow in the function SVGStartElement of coders/svg.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a quoted font family value.",
  "id": "GHSA-v22h-vw8w-7wr4",
  "modified": "2022-05-13T01:21:57Z",
  "published": "2022-05-13T01:21:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11005"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/graphicsmagick/bugs/600"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4207-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4640"
    },
    {
      "type": "WEB",
      "url": "http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00093.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00107.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V23P-5QJJ-X793

Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39
VLAI
Details

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-01-13T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. The vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device. Cisco has not released software updates that address these vulnerabilities.",
  "id": "GHSA-v23p-5qjj-x793",
  "modified": "2022-05-24T17:39:10Z",
  "published": "2022-05-24T17:39:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1217"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-V246-P8M5-H759

Vulnerability from github – Published: 2023-11-14 21:30 – Updated: 2023-11-14 21:30
VLAI
Details

Tenda AX1806 V1.0.0.1 contains a stack overflow vulnerability in function sub_455D4, called by function fromSetWirelessRepeat.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-125",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-07T15:15:10Z",
    "severity": "CRITICAL"
  },
  "details": "Tenda AX1806 V1.0.0.1 contains a stack overflow vulnerability in function sub_455D4, called by function fromSetWirelessRepeat.",
  "id": "GHSA-v246-p8m5-h759",
  "modified": "2023-11-14T21:30:54Z",
  "published": "2023-11-14T21:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47456"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Anza2001/IOT_VULN/blob/main/Tenda/AX1806/fromSetWirelessRepeat.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V24H-PJJV-MCP6

Vulnerability from github – Published: 2021-05-27 18:44 – Updated: 2023-10-02 12:27
VLAI
Summary
Denial of service in Tendermint
Details

Description

Denial of Service 1

Tendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions.

Tendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming connection requests to to p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids).

Notes:

  • Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);
  • Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (https://github.com/tendermint/tendermint/issues/1696).

Denial of Service 2

Tendermint 0.33.2 and earlier does not reclaim activeID of a peer after it's removed in Mempool reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the Peer is created and added to all reactors. RemovePeer is therefore called before AddPeer, which leads to always growing memory (activeIDs map). The activeIDs map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting Denial of Service 1), which ultimately will lead to the node panicking.

Tendermint 0.33.3 (and 0.32.10) claims activeID for a peer in InitPeer, which is executed before MConnection is started.

Notes:

  • InitPeer function was added to all reactors to combat a similar issue - https://github.com/tendermint/tendermint/issues/3338;
  • Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.

Specific Go Packages Affected

github.com/tendermint/tendermint/p2p

Impact

  • All full nodes (except for validators who are behind closed networks)
  • Node's memory usage increases, then it panics either in the mempool or due to OOM.

Patches

  • v0.33.3
  • v0.32.10
  • v0.31.12

Workarounds

No workarounds.

References

  • https://hackerone.com/reports/820317 (not disclosed yet)
  • https://github.com/tendermint/tendermint/issues/3338
  • https://github.com/tendermint/tendermint/issues/1696

For more information

If you have any questions or comments about this advisory: * Open an issue in tendermint/tendermint * Email us at security@tendermint.com

More information can be found here.

Credits

  • fudongbai for discovering and reporting Denial of Service 2
  • Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it
  • Anton Kaliaev (@melekes) for fixing Denial of Service 1
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.33.0"
            },
            {
              "fixed": "0.33.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.31.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/tendermint/tendermint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.32.0"
            },
            {
              "fixed": "0.32.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-5303"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787",
      "CWE-789"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-24T21:16:50Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Description\n\n**Denial of Service 1**\n\nTendermint 0.33.2 and earlier does not limit the number of P2P connection requests. For each p2p connection, Tendermint allocates XXX bytes. Even though this memory is garbage collected once the connection is terminated (due to duplicate IP or reaching a maximum number of inbound peers), temporary memory spikes can lead to OOM (Out-Of-Memory) exceptions. \n\nTendermint 0.33.3 (and 0.32.10) limits the total number of P2P incoming connection requests to to `p2p.max_num_inbound_peers + len(p2p.unconditional_peer_ids)`.\n\nNotes:\n\n- Tendermint does not rate limit P2P connection requests per IP (an attacker can saturate all the inbound slots);\n- Tendermint does not rate limit HTTP(S) requests. If you expose any RPC endpoints to the public, please make sure to put in place some protection (https://www.nginx.com/blog/rate-limiting-nginx/). We may implement this in the future (https://github.com/tendermint/tendermint/issues/1696).\n\n**Denial of Service 2**\n\nTendermint 0.33.2 and earlier does not reclaim `activeID` of a peer after it\u0027s removed in `Mempool` reactor. This does not happen all the time. It only happens when a connection fails (for any reason) before the `Peer` is created and added to all reactors. `RemovePeer` is therefore called before `AddPeer`, which leads to always growing memory (`activeIDs` map). The `activeIDs` map has a maximum size of 65535 and the node will panic if this map reaches the maximum. An attacker can create a lot of connection attempts (exploiting Denial of Service 1), which ultimately will lead to the node panicking.\n\nTendermint 0.33.3 (and 0.32.10) claims `activeID` for a peer in `InitPeer`, which is executed before `MConnection` is started.\n\nNotes: \n\n- `InitPeer` function was added to all reactors to combat a similar issue - https://github.com/tendermint/tendermint/issues/3338;\n- Denial of Service 2 is independent of Denial of Service 1 and can be executed without it.\n\n### Specific Go Packages Affected\ngithub.com/tendermint/tendermint/p2p\n\n### Impact\n\n- All full nodes (except for validators who are behind closed networks)\n- Node\u0027s memory usage increases, then it panics either in the mempool or due to OOM.\n\n### Patches\n\n- v0.33.3\n- v0.32.10\n- v0.31.12\n\n### Workarounds\n\nNo workarounds.\n\n### References\n\n- https://hackerone.com/reports/820317 (not disclosed yet)\n- https://github.com/tendermint/tendermint/issues/3338\n- https://github.com/tendermint/tendermint/issues/1696\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [tendermint/tendermint](https://github.com/tendermint/tendermint)\n* Email us at [security@tendermint.com](mailto:security@tendermint.com)\n\nMore information can be found [here](https://tendermint.com/security/).\n\n### Credits\n\n- [fudongbai](https://hackerone.com/fudongbai) for discovering and reporting Denial of Service 2\n- Ethan Buchman (@ebuchman) for writing a test case for Denial of Service 2 and Tess Rinearson (@tessr) for fixing it\n- Anton Kaliaev (@melekes) for fixing Denial of Service 1",
  "id": "GHSA-v24h-pjjv-mcp6",
  "modified": "2023-10-02T12:27:32Z",
  "published": "2021-05-27T18:44:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5303"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/issues/1696"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/issues/3338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/commit/e2d6859afd7dba4cf97c7f7d412e7d8fc908d1cd"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/820317"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tendermint/tendermint"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tendermint/tendermint/blob/master/CHANGELOG.md#denial-of-service-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of service in Tendermint"
}

GHSA-V24R-76XR-27X2

Vulnerability from github – Published: 2023-12-08 18:30 – Updated: 2025-05-27 18:30
VLAI
Details

In gpu_pixel_handle_buffer_liveness_update_ioctl of private/google-modules/gpu/mali_kbase/platform/pixel/pixel_gpu_slc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-48421"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-08T16:15:18Z",
    "severity": "HIGH"
  },
  "details": "In gpu_pixel_handle_buffer_liveness_update_ioctl of private/google-modules/gpu/mali_kbase/platform/pixel/pixel_gpu_slc.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-v24r-76xr-27x2",
  "modified": "2025-05-27T18:30:41Z",
  "published": "2023-12-08T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48421"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2023-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V24X-WC6G-XG5M

Vulnerability from github – Published: 2023-11-17 12:30 – Updated: 2023-11-17 12:30
VLAI
Details

Adobe After Effects version 24.0.2 (and earlier) and 23.6 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-17T11:15:08Z",
    "severity": "HIGH"
  },
  "details": "Adobe After Effects version 24.0.2 (and earlier) and 23.6 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-v24x-wc6g-xg5m",
  "modified": "2023-11-17T12:30:19Z",
  "published": "2023-11-17T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47070"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/after_effects/apsb23-66.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
  • Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
Implementation
  • Consider adhering to the following rules when allocating and managing an application's memory:
  • Double check that the buffer is as large as specified.
  • When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  • Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
  • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Operation

Strategy: Environment Hardening

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

No CAPEC attack patterns related to this CWE.