CWE-787
Allowed-with-ReviewOut-of-bounds Write
Abstraction: Base · Status: Draft
The product writes data past the end, or before the beginning, of the intended buffer.
15107 vulnerabilities reference this CWE, most recent first.
GHSA-W6V6-C9PM-2P53
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2023-06-20 15:31An attacker could send crafted SMTP packets to cause a denial-of-service condition where the controller enters a major non-recoverable faulted state (MNRF) in CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier.
{
"affected": [],
"aliases": [
"CVE-2019-10954"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-01T19:29:00Z",
"severity": "HIGH"
},
"details": "An attacker could send crafted SMTP packets to cause a denial-of-service condition where the controller enters a major non-recoverable faulted state (MNRF) in CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier.",
"id": "GHSA-w6v6-c9pm-2p53",
"modified": "2023-06-20T15:31:07Z",
"published": "2022-05-24T16:45:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10954"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-120-01"
},
{
"type": "WEB",
"url": "https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1075979"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/108118"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6V7-RP96-JC74
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117047
{
"affected": [],
"aliases": [
"CVE-2021-0454"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T17:15:00Z",
"severity": "HIGH"
},
"details": "In the Citadel chip firmware, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-175117047",
"id": "GHSA-w6v7-rp96-jc74",
"modified": "2022-05-24T17:44:10Z",
"published": "2022-05-24T17:44:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0454"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-W6VV-H4QP-W4MM
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-10-24 19:00Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to overwrite configuration information by injecting arbitrarily large payload.
{
"affected": [],
"aliases": [
"CVE-2021-21540"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T21:15:00Z",
"severity": "HIGH"
},
"details": "Dell EMC iDRAC9 versions prior to 4.40.00.00 contain a stack-based overflow vulnerability. A remote authenticated attacker could potentially exploit this vulnerability to overwrite configuration information by injecting arbitrarily large payload.",
"id": "GHSA-w6vv-h4qp-w4mm",
"modified": "2022-10-24T19:00:17Z",
"published": "2022-05-24T17:49:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21540"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/000185293"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6WH-QR7X-H932
Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
{
"affected": [],
"aliases": [
"CVE-2022-2639"
],
"database_specific": {
"cwe_ids": [
"CWE-192",
"CWE-681",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-01T21:15:00Z",
"severity": "HIGH"
},
"details": "An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.",
"id": "GHSA-w6wh-qr7x-h932",
"modified": "2022-09-08T00:00:29Z",
"published": "2022-09-02T00:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2639"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2084479"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6XC-89XR-622V
Vulnerability from github – Published: 2025-05-07 09:31 – Updated: 2025-05-07 09:31An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet.
{
"affected": [],
"aliases": [
"CVE-2025-32405"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T07:15:51Z",
"severity": "HIGH"
},
"details": "An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet.",
"id": "GHSA-w6xc-89xr-622v",
"modified": "2025-05-07T09:31:18Z",
"published": "2025-05-07T09:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32405"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-32405"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6XC-JCFF-G3VG
Vulnerability from github – Published: 2022-05-14 03:30 – Updated: 2025-04-12 13:04Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
{
"affected": [],
"aliases": [
"CVE-2016-6303"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-16T05:59:00Z",
"severity": "CRITICAL"
},
"details": "Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.",
"id": "GHSA-w6xc-jcff-g3vg",
"modified": "2025-04-12T13:04:15Z",
"published": "2022-05-14T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6303"
},
{
"type": "WEB",
"url": "https://bto.bluecoat.com/security-advisory/sa132"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1370146"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"
},
{
"type": "WEB",
"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=55d83bf7c10c7b205fffa23fa7c3977491e56c07"
},
{
"type": "WEB",
"url": "https://git.openssl.org/?p=openssl.git;a=commit;h=55d83bf7c10c7b205fffa23fa7c3977491e56c07"
},
{
"type": "WEB",
"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc"
},
{
"type": "WEB",
"url": "https://www.openssl.org/news/secadv/20160922.txt"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2016-16"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2016-20"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2016-21"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10759"
},
{
"type": "WEB",
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21995039"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92984"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1036885"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W759-3HJ5-QW74
Vulnerability from github – Published: 2024-02-05 06:30 – Updated: 2024-02-09 03:33In keyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08471742; Issue ID: ALPS08308608.
{
"affected": [],
"aliases": [
"CVE-2024-20013"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T06:15:47Z",
"severity": "MODERATE"
},
"details": "In keyInstall, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08471742; Issue ID: ALPS08308608.",
"id": "GHSA-w759-3hj5-qw74",
"modified": "2024-02-09T03:33:00Z",
"published": "2024-02-05T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20013"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/February-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W77H-76XC-792Q
Vulnerability from github – Published: 2026-04-12 15:30 – Updated: 2026-04-12 15:30Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.
{
"affected": [],
"aliases": [
"CVE-2019-25691"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-12T13:16:32Z",
"severity": "HIGH"
},
"details": "Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.",
"id": "GHSA-w77h-76xc-792q",
"modified": "2026-04-12T15:30:25Z",
"published": "2026-04-12T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25691"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46269"
},
{
"type": "WEB",
"url": "https://www.faleemi.com"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-W77P-V2RP-VMV8
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
arm64: entry: avoid kprobe recursion
The cortex_a76_erratum_1463225_debug_handler() function is called when handling debug exceptions (and synchronous exceptions from BRK instructions), and so is called when a probed function executes. If the compiler does not inline cortex_a76_erratum_1463225_debug_handler(), it can be probed.
If cortex_a76_erratum_1463225_debug_handler() is probed, any debug exception or software breakpoint exception will result in recursive exceptions leading to a stack overflow. This can be triggered with the ftrace multiple_probes selftest, and as per the example splat below.
This is a regression caused by commit:
6459b8469753e9fe ("arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround")
... which removed the NOKPROBE_SYMBOL() annotation associated with the function.
My intent was that cortex_a76_erratum_1463225_debug_handler() would be inlined into its caller, el1_dbg(), which is marked noinstr and cannot be probed. Mark cortex_a76_erratum_1463225_debug_handler() as __always_inline to ensure this.
Example splat prior to this patch (with recursive entries elided):
| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events | # echo p do_el0_svc >> /sys/kernel/debug/tracing/kprobe_events | # echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable | Insufficient stack space to handle exception! | ESR: 0x0000000096000047 -- DABT (current EL) | FAR: 0xffff800009cefff0 | Task stack: [0xffff800009cf0000..0xffff800009cf4000] | IRQ stack: [0xffff800008000000..0xffff800008004000] | Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0] | CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2 | Hardware name: linux,dummy-virt (DT) | pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) | pc : arm64_enter_el1_dbg+0x4/0x20 | lr : el1_dbg+0x24/0x5c | sp : ffff800009cf0000 | x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000 | x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 | x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068 | x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000 | x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 | x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 | x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0 | x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000 | x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4 | x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040 | Kernel panic - not syncing: kernel stack overflow | CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2 | Hardware name: linux,dummy-virt (DT) | Call trace: | dump_backtrace+0xe4/0x104 | show_stack+0x18/0x4c | dump_stack_lvl+0x64/0x7c | dump_stack+0x18/0x38 | panic+0x14c/0x338 | test_taint+0x0/0x2c | panic_bad_stack+0x104/0x118 | handle_bad_stack+0x34/0x48 | __bad_stack+0x78/0x7c | arm64_enter_el1_dbg+0x4/0x20 | el1h_64_sync_handler+0x40/0x98 | el1h_64_sync+0x64/0x68 | cortex_a76_erratum_1463225_debug_handler+0x0/0x34 ... | el1h_64_sync_handler+0x40/0x98 | el1h_64_sync+0x64/0x68 | cortex_a76_erratum_1463225_debug_handler+0x0/0x34 ... | el1h_64_sync_handler+0x40/0x98 | el1h_64_sync+0x64/0x68 | cortex_a76_erratum_1463225_debug_handler+0x0/0x34 | el1h_64_sync_handler+0x40/0x98 | el1h_64_sync+0x64/0x68 | do_el0_svc+0x0/0x28 | el0t_64_sync_handler+0x84/0xf0 | el0t_64_sync+0x18c/0x190 | Kernel Offset: disabled | CPU features: 0x0080,00005021,19001080 | Memory Limit: none | ---[ end Kernel panic - not syncing: kernel stack overflow ]---
With this patch, cortex_a76_erratum_1463225_debug_handler() is inlined into el1_dbg(), and el1_dbg() cannot be probed:
| # echo p cortex_a76_erratum_1463225_debug_handler > /sys/kernel/debug/tracing/kprobe_events | sh: write error: No such file or directory | # grep -w cortex_a76_errat ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-49888"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:13Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: entry: avoid kprobe recursion\n\nThe cortex_a76_erratum_1463225_debug_handler() function is called when\nhandling debug exceptions (and synchronous exceptions from BRK\ninstructions), and so is called when a probed function executes. If the\ncompiler does not inline cortex_a76_erratum_1463225_debug_handler(), it\ncan be probed.\n\nIf cortex_a76_erratum_1463225_debug_handler() is probed, any debug\nexception or software breakpoint exception will result in recursive\nexceptions leading to a stack overflow. This can be triggered with the\nftrace multiple_probes selftest, and as per the example splat below.\n\nThis is a regression caused by commit:\n\n 6459b8469753e9fe (\"arm64: entry: consolidate Cortex-A76 erratum 1463225 workaround\")\n\n... which removed the NOKPROBE_SYMBOL() annotation associated with the\nfunction.\n\nMy intent was that cortex_a76_erratum_1463225_debug_handler() would be\ninlined into its caller, el1_dbg(), which is marked noinstr and cannot\nbe probed. Mark cortex_a76_erratum_1463225_debug_handler() as\n__always_inline to ensure this.\n\nExample splat prior to this patch (with recursive entries elided):\n\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\n| # echo p do_el0_svc \u003e\u003e /sys/kernel/debug/tracing/kprobe_events\n| # echo 1 \u003e /sys/kernel/debug/tracing/events/kprobes/enable\n| Insufficient stack space to handle exception!\n| ESR: 0x0000000096000047 -- DABT (current EL)\n| FAR: 0xffff800009cefff0\n| Task stack: [0xffff800009cf0000..0xffff800009cf4000]\n| IRQ stack: [0xffff800008000000..0xffff800008004000]\n| Overflow stack: [0xffff00007fbc00f0..0xffff00007fbc10f0]\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| pstate: 604003c5 (nZCv DAIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n| pc : arm64_enter_el1_dbg+0x4/0x20\n| lr : el1_dbg+0x24/0x5c\n| sp : ffff800009cf0000\n| x29: ffff800009cf0000 x28: ffff000002c74740 x27: 0000000000000000\n| x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n| x23: 00000000604003c5 x22: ffff80000801745c x21: 0000aaaac95ac068\n| x20: 00000000f2000004 x19: ffff800009cf0040 x18: 0000000000000000\n| x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n| x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n| x11: 0000000000000010 x10: ffff800008c87190 x9 : ffff800008ca00d0\n| x8 : 000000000000003c x7 : 0000000000000000 x6 : 0000000000000000\n| x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000000043a4\n| x2 : 00000000f2000004 x1 : 00000000f2000004 x0 : ffff800009cf0040\n| Kernel panic - not syncing: kernel stack overflow\n| CPU: 0 PID: 145 Comm: sh Not tainted 6.0.0 #2\n| Hardware name: linux,dummy-virt (DT)\n| Call trace:\n| dump_backtrace+0xe4/0x104\n| show_stack+0x18/0x4c\n| dump_stack_lvl+0x64/0x7c\n| dump_stack+0x18/0x38\n| panic+0x14c/0x338\n| test_taint+0x0/0x2c\n| panic_bad_stack+0x104/0x118\n| handle_bad_stack+0x34/0x48\n| __bad_stack+0x78/0x7c\n| arm64_enter_el1_dbg+0x4/0x20\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n...\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| cortex_a76_erratum_1463225_debug_handler+0x0/0x34\n| el1h_64_sync_handler+0x40/0x98\n| el1h_64_sync+0x64/0x68\n| do_el0_svc+0x0/0x28\n| el0t_64_sync_handler+0x84/0xf0\n| el0t_64_sync+0x18c/0x190\n| Kernel Offset: disabled\n| CPU features: 0x0080,00005021,19001080\n| Memory Limit: none\n| ---[ end Kernel panic - not syncing: kernel stack overflow ]---\n\nWith this patch, cortex_a76_erratum_1463225_debug_handler() is inlined\ninto el1_dbg(), and el1_dbg() cannot be probed:\n\n| # echo p cortex_a76_erratum_1463225_debug_handler \u003e /sys/kernel/debug/tracing/kprobe_events\n| sh: write error: No such file or directory\n| # grep -w cortex_a76_errat\n---truncated---",
"id": "GHSA-w77p-v2rp-vmv8",
"modified": "2025-05-07T15:31:26Z",
"published": "2025-05-01T15:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49888"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/024f4b2e1f874934943eb2d3d288ebc52c79f55c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/71d6c33fe223255f4416a01514da2c0bc3e283e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/db66629d43b2d12cb43b004a4ca6be1d03228e97"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W78F-68QF-58QW
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2022-05-13 01:01An exploitable buffer overflow vulnerability exists in the camera 'update' feature of video-core's HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-3904"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-27T15:29:00Z",
"severity": "CRITICAL"
},
"details": "An exploitable buffer overflow vulnerability exists in the camera \u0027update\u0027 feature of video-core\u0027s HTTP server of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The video-core process incorrectly extracts fields from a user-controlled JSON payload, leading to a buffer overflow on the stack. An attacker can send an HTTP request to trigger this vulnerability.",
"id": "GHSA-w78f-68qf-58qw",
"modified": "2022-05-13T01:01:59Z",
"published": "2022-05-13T01:01:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3904"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0574"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
- Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
- Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
No CAPEC attack patterns related to this CWE.