Common Weakness Enumeration

CWE-122

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CVE-2026-20462 (GCVE-0-2026-20462)

Vulnerability from cvelistv5 – Published: 2026-07-01 03:14 – Updated: 2026-07-02 03:55
VLAI
Summary
In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
MediaTek, Inc. MediaTek chipset Affected: MT6739
Affected: MT6761
Affected: MT6765
Affected: MT6768
Affected: MT6781
Affected: MT6789
Affected: MT6833
Affected: MT6853
Affected: MT6855
Affected: MT6877
Affected: MT6883
Affected: MT6885
Affected: MT6889
Affected: MT6893
Affected: MT8695
Affected: MT8696
Affected: MT8765
Affected: MT8766
Affected: MT8766R
Affected: MT8768
Affected: MT8781
Affected: MT8791
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 6.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "HIGH",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-20462",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T03:55:17.558Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MediaTek chipset",
          "vendor": "MediaTek, Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "MT6739"
            },
            {
              "status": "affected",
              "version": "MT6761"
            },
            {
              "status": "affected",
              "version": "MT6765"
            },
            {
              "status": "affected",
              "version": "MT6768"
            },
            {
              "status": "affected",
              "version": "MT6781"
            },
            {
              "status": "affected",
              "version": "MT6789"
            },
            {
              "status": "affected",
              "version": "MT6833"
            },
            {
              "status": "affected",
              "version": "MT6853"
            },
            {
              "status": "affected",
              "version": "MT6855"
            },
            {
              "status": "affected",
              "version": "MT6877"
            },
            {
              "status": "affected",
              "version": "MT6883"
            },
            {
              "status": "affected",
              "version": "MT6885"
            },
            {
              "status": "affected",
              "version": "MT6889"
            },
            {
              "status": "affected",
              "version": "MT6893"
            },
            {
              "status": "affected",
              "version": "MT8695"
            },
            {
              "status": "affected",
              "version": "MT8696"
            },
            {
              "status": "affected",
              "version": "MT8765"
            },
            {
              "status": "affected",
              "version": "MT8766"
            },
            {
              "status": "affected",
              "version": "MT8766R"
            },
            {
              "status": "affected",
              "version": "MT8768"
            },
            {
              "status": "affected",
              "version": "MT8781"
            },
            {
              "status": "affected",
              "version": "MT8791"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T03:14:04.991Z",
        "orgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
        "shortName": "MediaTek"
      },
      "references": [
        {
          "url": "https://corp.mediatek.com/product-security-bulletin/July-2026"
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ee979b05-11f8-4f25-a7e0-a1fa9c190374",
    "assignerShortName": "MediaTek",
    "cveId": "CVE-2026-20462",
    "datePublished": "2026-07-01T03:14:04.991Z",
    "dateReserved": "2025-11-03T01:30:59.014Z",
    "dateUpdated": "2026-07-02T03:55:17.558Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2047 (GCVE-0-2026-2047)

Vulnerability from cvelistv5 – Published: 2026-02-20 22:23 – Updated: 2026-06-30 12:07
VLAI
Title
GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Summary
GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
zdi
Impacted products
Date Public
2026-02-19 14:22
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-21T04:56:38.963084Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:12.360Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-02-20T22:23:41.576Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in GIMP. This heap-based buffer overflow vulnerability in the ICNS file parsing component allows a remote attacker to execute arbitrary code. Exploitation requires user interaction, where the target must open a specially crafted malicious file or visit a malicious page. This issue stems from insufficient validation of user-supplied data length before copying it to a buffer, leading to potential arbitrary code execution in the context of the current process."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-131",
                "description": "Incorrect Calculation of Buffer Size",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:07:00.408Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-2047"
          },
          {
            "name": "RHBZ#2441517",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441517"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2047.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:4173"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:4173: Red Hat Enterprise Linux AppStream (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-20T23:01:25.090Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-02-20T22:23:41.576Z",
            "value": "Made public."
          }
        ],
        "title": "gimp: GIMP: Remote code execution via heap-based buffer overflow in ICNS file parsing",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2026-02-06T01:16:39.051Z",
      "datePublic": "2026-02-19T14:22:34.916Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T22:23:41.576Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-26-120",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-120/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2026-2047",
    "datePublished": "2026-02-20T22:23:41.576Z",
    "dateReserved": "2026-02-06T01:16:39.038Z",
    "dateUpdated": "2026-06-30T12:07:00.408Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2049 (GCVE-0-2026-2049)

Vulnerability from cvelistv5 – Published: 2026-06-10 21:22 – Updated: 2026-06-30 12:06
VLAI
Title
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Summary
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
zdi
Impacted products
Date Public
2026-03-16 21:37
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T13:24:54.417942Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T13:25:06.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-10T21:22:47.059Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in GIMP. This heap-based buffer overflow vulnerability, located in the HDR file parsing component, allows a remote attacker to execute arbitrary code. User interaction is required for exploitation, as the target must open a malicious HDR file. The flaw occurs due to a lack of proper validation of user-supplied data length before it is copied to a heap-based buffer."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-131",
                "description": "Incorrect Calculation of Buffer Size",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:59.723Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-2049"
          },
          {
            "name": "RHBZ#2487738",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487738"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2049.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-10T22:01:10.985Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-10T21:22:47.059Z",
            "value": "Made public."
          }
        ],
        "title": "gimp: gegl: GIMP: Remote Code Execution via HDR File Parsing Heap-based Buffer Overflow",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this issue, users should avoid opening HDR files from untrusted or suspicious sources. If GIMP is not required, consider removing the `gimp` package to eliminate the attack surface. This can be achieved with `sudo dnf remove gimp`. Be aware that removing GIMP may impact other dependent graphical applications."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.2.0-RC1"
            }
          ]
        }
      ],
      "dateAssigned": "2026-02-06T01:17:36.221Z",
      "datePublic": "2026-03-16T21:37:38.872Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28618."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T21:22:47.059Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-26-214",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-214/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gegl/-/issues/450"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2026-2049",
    "datePublished": "2026-06-10T21:22:47.059Z",
    "dateReserved": "2026-02-06T01:17:36.198Z",
    "dateUpdated": "2026-06-30T12:06:59.723Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2050 (GCVE-0-2026-2050)

Vulnerability from cvelistv5 – Published: 2026-06-24 21:43 – Updated: 2026-07-13 12:04
VLAI
Title
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Summary
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28266.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-131 - Incorrect Calculation of Buffer Size
Assigner
zdi
Date Public
2026-04-15 21:48
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2050",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T13:09:35.434172Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T13:09:47.266Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-24T21:43:46.856Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in GIMP. This vulnerability, a heap-based buffer overflow, occurs during the parsing of HDR (High Dynamic Range) files due to insufficient validation of user-supplied data length. A remote attacker could exploit this by convincing a user to open a specially crafted malicious file, leading to arbitrary code execution within the context of the current process."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-131",
                "description": "Incorrect Calculation of Buffer Size",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-13T12:04:59.899Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-2050"
          },
          {
            "name": "RHBZ#2492593",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492593"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-2050.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:38485"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:38497"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:38485: Red Hat Enterprise Linux AppStream (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:38497: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-24T23:01:09.779Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-24T21:43:46.856Z",
            "value": "Made public."
          }
        ],
        "title": "gimp: GIMP: Arbitrary code execution via heap-based buffer overflow in HDR file parsing",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "GIMP",
          "vendor": "GIMP",
          "versions": [
            {
              "status": "affected",
              "version": "3.0.6"
            }
          ]
        }
      ],
      "dateAssigned": "2026-02-06T01:17:46.282Z",
      "datePublic": "2026-04-15T21:48:29.516Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of HDR files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28266."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T21:43:46.856Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-26-282",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-282/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gegl/-/merge_requests/241"
        }
      ],
      "source": {
        "lang": "en",
        "value": "MICHAEL RANDRIANANTENAINA [https://elkamika.blogspot.com/]"
      },
      "title": "GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2026-2050",
    "datePublished": "2026-06-24T21:43:46.856Z",
    "dateReserved": "2026-02-06T01:17:46.262Z",
    "dateUpdated": "2026-07-13T12:04:59.899Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20766 (GCVE-0-2026-20766)

Vulnerability from cvelistv5 – Published: 2026-04-27 23:45 – Updated: 2026-04-28 14:39
VLAI
Title
Milesight Cameras Heap-based Buffer Overflow
Summary
An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
Milesight MS-Cxx63-PD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx64-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx73-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx75-xxPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx83-xPD Affected: 0 , ≤ 51.7.0.77-r12 (custom)
Create a notification for this product.
Milesight MS-Cxx74-PA Affected: 0 , ≤ 3x.8.0.3-r11 (custom)
Create a notification for this product.
Milesight MS-C8477-HPG1 Affected: 0 , ≤ 63.8.0.4-r3 (custom)
Create a notification for this product.
Milesight MS-C8477-PC Affected: 0 , ≤ 48.8.0.4-r3 (custom)
Create a notification for this product.
Milesight MS-C5321-FPE Affected: 0 , ≤ 62.8.0.4-r5 (custom)
Create a notification for this product.
Milesight MS-Cxx72-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx62-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx52-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxGPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx61-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx67-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx71-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx41-xxxPE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx76-PE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx65-PE Affected: 0 , ≤ 61.8.0.5-r2 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-Cxx62-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-Cxx72-xxxG1 Affected: 0 , ≤ 63.8.0.5-r3 (custom)
Create a notification for this product.
Milesight MS-CQxx31-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-CQxx68-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-CQxx72-xxxG1 Affected: 0 , ≤ CQ_63.8.0.5-r1 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-NxE Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxC Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxE Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxG Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxH Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight MS-Nxxxx-xxT Affected: 0 , ≤ 7x.9.0.19-r5 (custom)
Create a notification for this product.
Milesight PMC8266-FPE Affected: 0 , ≤ PO_61.8.0.4_LPR (custom)
Create a notification for this product.
Milesight PMC8266-FGPE Affected: 0 , ≤ PO_61.8.0.4_LPR (custom)
Create a notification for this product.
Milesight PM3322-E Affected: 0 , ≤ PI_61.8.0.3_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-RFIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-RFIVPG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RIWG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4RIWG1 Affected: 0 , ≤ T_63.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5510-GVH Affected: 0 , ≤ T_47.8.0.4_LPR-r7 (custom)
Create a notification for this product.
Milesight TS5510-GH Affected: 0 , ≤ T_47.8.0.4_LPR-r6 (custom)
Create a notification for this product.
Milesight TS5511-GVH Affected: 0 , ≤ T_47.8.0.4_LPR-r6 (custom)
Create a notification for this product.
Milesight TS2966-X12TPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12PE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4PE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS2966-X12TVPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RVPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS5366-X12VPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4VPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4441-X36RPE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4441-X36RE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS4466-X4RWE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight TS8266-X4WE Affected: 0 , ≤ T_61.8.0.4_LPR-r3 (custom)
Create a notification for this product.
Milesight MS-C2964-RFLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2972-RFLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-RFLWPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2866-X4TGPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2841-X36TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2841-X36TPC/W Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2867-X5TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS2961-X12TPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight TS8266-FPC/P Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-X12RLPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C2966-X12RLVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5366-X12LPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5366-X12LVPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-C5361-X12LPC Affected: 0 , ≤ T_45.8.0.3-r9 (custom)
Create a notification for this product.
Milesight MS-Cxx66-xxxxGOPC Affected: 0 , ≤ 45.8.0.2-AIoT-r4 (custom)
Create a notification for this product.
Milesight SC211 Affected: 0 , ≤ C_21.1.0.8-r4 (custom)
Create a notification for this product.
Milesight SP111 Affected: 0 , ≤ 52.8.0.4-r5 (custom)
Create a notification for this product.
Milesight MS-Cxx66-RFIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx72-RFIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx66-FIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Milesight MS-Cxx72-FIPKG1 Affected: 0 , ≤ 63.8.0.4-r1-NX (custom)
Create a notification for this product.
Credits
Souvik Kandar reported these vulnerabilities to CISA
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20766",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-28T14:37:23.854997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T14:39:17.799Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx63-PD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx64-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx73-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx75-xxPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx83-xPD",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "51.7.0.77-r12",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx74-PA",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "3x.8.0.3-r11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C8477-HPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C8477-PC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "48.8.0.4-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5321-FPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "62.8.0.4-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx62-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx52-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxGPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx61-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx67-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx71-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx41-xxxPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx76-PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx65-PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "61.8.0.5-r2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx62-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.5-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx31-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx68-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-CQxx72-xxxG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "CQ_63.8.0.5-r1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-NxE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxG",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Nxxxx-xxT",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "7x.9.0.19-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PMC8266-FPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PO_61.8.0.4_LPR",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PMC8266-FGPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PO_61.8.0.4_LPR",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "PM3322-E",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "PI_61.8.0.3_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-RFIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-RFIVPG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RIWG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4RIWG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_63.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5510-GVH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5510-GH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5511-GVH",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_47.8.0.4_LPR-r6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2966-X12TPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4PE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2966-X12TVPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RVPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS5366-X12VPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4VPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4441-X36RPE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4441-X36RE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS4466-X4RWE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-X4WE",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_61.8.0.4_LPR-r3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2964-RFLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2972-RFLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-RFLWPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2866-X4TGPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2841-X36TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2841-X36TPC/W",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2867-X5TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS2961-X12TPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "TS8266-FPC/P",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-X12RLPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C2966-X12RLVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5366-X12LPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5366-X12LVPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-C5361-X12LPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "T_45.8.0.3-r9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-xxxxGOPC",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "45.8.0.2-AIoT-r4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SC211",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "C_21.1.0.8-r4",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "SP111",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "52.8.0.4-r5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-RFIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-RFIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx66-FIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "MS-Cxx72-FIPKG1",
          "vendor": "Milesight",
          "versions": [
            {
              "lessThanOrEqual": "63.8.0.4-r1-NX",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Souvik Kandar reported these vulnerabilities to CISA"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan\u003eAn out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.\u003c/span\u003e"
            }
          ],
          "value": "An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T23:45:52.896Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03"
        },
        {
          "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json"
        },
        {
          "url": "https://www.milesight.com/support/download/firmware"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMilesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u0026nbsp;\u003cbr\u003e\u003ca href=\"https://www.milesight.com/support/download/firmware\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/support/download/firmware\u003c/a\u003e\u003c/p\u003e\u003cp\u003eMS-Cxx63-PD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx64-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx73-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx75-xxPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx83-xPD: Update to 51.7.0.77-r13\u003c/p\u003e\u003cp\u003eMS-Cxx74-PA: Update to 3x.8.0.3-r13\u003c/p\u003e\u003cp\u003eMS-C8477-HPG1: Update to 63.8.0.4-r4\u003c/p\u003e\u003cp\u003e\u0026nbsp;MS-C8477-PC: Update to 48.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C5321-FPE: Update to 62.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx76-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx65-PE: Update to 61.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\u003c/p\u003e\u003cp\u003eMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u0026nbsp;\u003c/p\u003e\u003cp\u003eMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\u003c/p\u003e\u003cp\u003eMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003eMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\u003c/p\u003e\u003cp\u003ePMC8266-FPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePMC8266-FGPE: Update to PO_61.8.0.4-r1\u003c/p\u003e\u003cp\u003ePM3322-E: Update to PI_61.8.0.3-r5\u003c/p\u003e\u003cp\u003eTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u0026nbsp;\u003c/p\u003e\u003cp\u003eTS5366-X12RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-RFIVPG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4RIWG1: Update to T_63.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5510-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5510-GH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS5511-GVH: Update to T_47.8.0.4-r8\u003c/p\u003e\u003cp\u003eTS2966-X12TPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4PE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS2966-X12TVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RVPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS5366-X12VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4VPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RPE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4441-X36RE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS4466-X4RWE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eTS8266-X4WE: Update to T_61.8.0.4-r4\u003c/p\u003e\u003cp\u003eMS-C2964-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2972-RFLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2866-X4TGPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2841-X36TPC/W: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2867-X5TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS2961-X12TPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eTS8266-FPC/P: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-C5361-X12LPC: Update to T_45.8.0.3-r10\u003c/p\u003e\u003cp\u003eMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\u003c/p\u003e\u003cp\u003eSC211: Update to C_21.1.0.8-r5\u003c/p\u003e\u003cp\u003eSP111: Update to 52.8.0.4-r6\u003c/p\u003e\u003cp\u003eMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e\u003cp\u003eMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX\u003c/p\u003e"
            }
          ],
          "value": "Milesight advises all users to update their device to the latest firmware versions of PE/PC/PA found at https://www.milesight.com/support/download/firmware.\u00a0\n https://www.milesight.com/support/download/firmware \n\nMS-Cxx63-PD: Update to 51.7.0.77-r13\n\nMS-Cxx64-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx73-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx75-xxPD: Update to 51.7.0.77-r13\n\nMS-Cxx83-xPD: Update to 51.7.0.77-r13\n\nMS-Cxx74-PA: Update to 3x.8.0.3-r13\n\nMS-C8477-HPG1: Update to 63.8.0.4-r4\n\n\u00a0MS-C8477-PC: Update to 48.8.0.4-r4\n\nMS-C5321-FPE: Update to 62.8.0.4-r6\n\nMS-Cxx72-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx62-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx52-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxGPE: Update to 61.8.0.5-r2\n\nMS-Cxx61-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx67-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx71-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx41-xxxPE: Update to 61.8.0.5-r2\n\nMS-Cxx76-PE: Update to 61.8.0.5-r2\n\nMS-Cxx65-PE: Update to 61.8.0.5-r2\n\nMS-Cxx66-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx62-xxxG1: Update to 63.8.0.5-r4\n\nMS-Cxx72-xxxG1: Update to 63.8.0.5-r4\n\nMS-CQxx31-xxxG1: Update to CQ_63.8.0.5-r2\u00a0\n\nMS-CQxx68-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-CQxx72-xxxG1: Update to CQ_63.8.0.5-r2\n\nMS-Nxxxx-NxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxC: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxE: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxG: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxH: Update to 7x.9.0.19-r6\n\nMS-Nxxxx-xxT: Update to 7x.9.0.19-r6\n\nPMC8266-FPE: Update to PO_61.8.0.4-r1\n\nPMC8266-FGPE: Update to PO_61.8.0.4-r1\n\nPM3322-E: Update to PI_61.8.0.3-r5\n\nTS4466-X4RIPG1: Update to T_63.8.0.4-r4\u00a0\n\nTS5366-X12RIPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIVPG1: Update to T_63.8.0.4-r4\n\nTS8266-RFIVPG1: Update to T_63.8.0.4-r4\n\nTS4466-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS8266-X4RIWG1: Update to T_63.8.0.4-r4\n\nTS5510-GVH: Update to T_47.8.0.4-r8\n\nTS5510-GH: Update to T_47.8.0.4-r8\n\nTS5511-GVH: Update to T_47.8.0.4-r8\n\nTS2966-X12TPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RPE: Update to T_61.8.0.4-r4\n\nTS5366-X12PE: Update to T_61.8.0.4-r4\n\nTS8266-X4PE: Update to T_61.8.0.4-r4\n\nTS2966-X12TVPE: Update to T_61.8.0.4-r4\n\nTS4466-X4RVPE: Update to T_61.8.0.4-r4\n\nTS5366-X12VPE: Update to T_61.8.0.4-r4\n\nTS8266-X4VPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RPE: Update to T_61.8.0.4-r4\n\nTS4441-X36RE: Update to T_61.8.0.4-r4\n\nTS4466-X4RWE: Update to T_61.8.0.4-r4\n\nTS8266-X4WE: Update to T_61.8.0.4-r4\n\nMS-C2964-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2972-RFLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-RFLWPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TVPC: Update to T_45.8.0.3-r10\n\nTS2866-X4TGPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC: Update to T_45.8.0.3-r10\n\nTS2841-X36TPC/W: Update to T_45.8.0.3-r10\n\nTS2867-X5TPC: Update to T_45.8.0.3-r10\n\nTS2961-X12TPC: Update to T_45.8.0.3-r10\n\nTS8266-FPC/P: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLPC: Update to T_45.8.0.3-r10\n\nMS-C2966-X12RLVPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LPC: Update to T_45.8.0.3-r10\n\nMS-C5366-X12LVPC: Update to T_45.8.0.3-r10\n\nMS-C5361-X12LPC: Update to T_45.8.0.3-r10\n\nMS-Cxx66-xxxxGOPC: Update to 45.8.0.2-AIoT-r5\n\nSC211: Update to C_21.1.0.8-r5\n\nSP111: Update to 52.8.0.4-r6\n\nMS-Cxx66-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-RFIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx66-FIPKG1: Update to 63.8.0.5-r2-NX\n\nMS-Cxx72-FIPKG1: Update to 63.8.0.5-r2-NX"
        },
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eMilesight asks all users to report potential security vulnerabilities to security@milesight.com.\u003cbr\u003e\u003ca href=\"mailto:security@milesight.com\"\u003emailto:security@milesight.com\u003c/a\u003e\u003cbr\u003eLearn more: Milesight Vulnerability Reporting Policy\u003cbr\u003e\u003ca href=\"https://www.milesight.com/legal/vulnerability-report\" title=\"(opens in a new window)\"\u003ehttps://www.milesight.com/legal/vulnerability-report\u003c/a\u003e\u003c/p\u003e"
            }
          ],
          "value": "Milesight asks all users to report potential security vulnerabilities to security@milesight.com.\n mailto:security@milesight.com \nLearn more: Milesight Vulnerability Reporting Policy\n https://www.milesight.com/legal/vulnerability-report"
        }
      ],
      "source": {
        "advisory": "ICSA-26-113-03",
        "discovery": "EXTERNAL"
      },
      "title": "Milesight Cameras Heap-based Buffer Overflow",
      "x_generator": {
        "engine": "Vulnogram 1.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2026-20766",
    "datePublished": "2026-04-27T23:45:52.896Z",
    "dateReserved": "2026-03-12T17:51:09.860Z",
    "dateUpdated": "2026-04-28T14:39:17.799Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20777 (GCVE-0-2026-20777)

Vulnerability from cvelistv5 – Published: 2026-03-03 14:32 – Updated: 2026-03-03 15:17
VLAI
Summary
A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
Impacted products
Vendor Product Version
The Biosig Project libbiosig Affected: 3.9.2
Affected: Master Branch (db9a9a63)
Create a notification for this product.
Credits
Discovered by Mark Bereza and Lilith >_> of Cisco Talos.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20777",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T15:13:53.561647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T15:14:07.474Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-03-03T15:17:02.898Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2362"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libbiosig",
          "vendor": "The Biosig Project",
          "versions": [
            {
              "status": "affected",
              "version": "3.9.2"
            },
            {
              "status": "affected",
              "version": "Master Branch (db9a9a63)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Discovered by Mark Bereza and Lilith \u0026gt;_\u0026gt; of Cisco Talos."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A heap-based buffer overflow vulnerability exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted .wft file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T14:32:14.987Z",
        "orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
        "shortName": "talos"
      },
      "references": [
        {
          "name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2362",
          "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2362"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
    "assignerShortName": "talos",
    "cveId": "CVE-2026-20777",
    "datePublished": "2026-03-03T14:32:14.987Z",
    "dateReserved": "2026-01-28T12:55:18.367Z",
    "dateUpdated": "2026-03-03T15:17:02.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20809 (GCVE-0-2026-20809)

Vulnerability from cvelistv5 – Published: 2026-01-13 17:56 – Updated: 2026-04-01 13:48
VLAI
Title
Windows Kernel Memory Elevation of Privilege Vulnerability
Summary
Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6809 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6809 (custom)
Create a notification for this product.
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7623 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7623 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 (Server Core installation) Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4648 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2092 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Date Public
2026-01-13 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20809",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T04:57:03.274555Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:39.841Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6809",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6809",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7623",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7623",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4648",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2092",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4648",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6809",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.6809",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.7623",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2092",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7623",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Time-of-check time-of-use (toctou) race condition in Windows Kernel Memory allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-367",
              "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
              "lang": "en-US",
              "type": "CWE"
            },
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:48:18.573Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows Kernel Memory Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20809"
        }
      ],
      "title": "Windows Kernel Memory Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-20809",
    "datePublished": "2026-01-13T17:56:09.743Z",
    "dateReserved": "2025-12-03T05:54:20.372Z",
    "dateUpdated": "2026-04-01T13:48:18.573Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20820 (GCVE-0-2026-20820)

Vulnerability from cvelistv5 – Published: 2026-01-13 17:56 – Updated: 2026-04-01 13:48
VLAI
Title
Windows Common Log File System Driver Elevation of Privilege Vulnerability
Summary
Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6809 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6809 (custom)
Create a notification for this product.
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7623 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7623 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 (Server Core installation) Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 (Server Core installation) Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 (Server Core installation) Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 (Server Core installation) Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4648 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2092 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Date Public
2026-01-13 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20820",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T04:56:47.834411Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:37.829Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6809",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6809",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7623",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7623",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4648",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2092",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4648",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6809",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19045.6809",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_2H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.26200.7623",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2092",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7623",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:48:24.640Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows Common Log File System Driver Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20820"
        }
      ],
      "title": "Windows Common Log File System Driver Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-20820",
    "datePublished": "2026-01-13T17:56:15.849Z",
    "dateReserved": "2025-12-03T05:54:20.373Z",
    "dateUpdated": "2026-04-01T13:48:24.640Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20837 (GCVE-0-2026-20837)

Vulnerability from cvelistv5 – Published: 2026-01-13 17:56 – Updated: 2026-04-01 13:48
VLAI
Title
Windows Media Remote Code Execution Vulnerability
Summary
Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6809 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6809 (custom)
Create a notification for this product.
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7623 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7623 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4648 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2092 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Date Public
2026-01-13 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20837",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T04:56:19.247871Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:36.370Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6809",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6809",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7623",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7623",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4648",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2092",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4648",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6809",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.6809",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.7623",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2092",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7623",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:48:34.380Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows Media Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20837"
        }
      ],
      "title": "Windows Media Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-20837",
    "datePublished": "2026-01-13T17:56:25.378Z",
    "dateReserved": "2025-12-03T05:54:20.375Z",
    "dateUpdated": "2026-04-01T13:48:34.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-20840 (GCVE-0-2026-20840)

Vulnerability from cvelistv5 – Published: 2026-01-13 17:56 – Updated: 2026-04-01 13:48
VLAI
Title
Windows NTFS Remote Code Execution Vulnerability
Summary
Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.6809 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.6809 (custom)
Create a notification for this product.
Microsoft Windows 11 version 22H3 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.6491 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.7623 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.7623 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 R2 Service Pack 1 (Server Core installation) Affected: 6.1.7601.0 , < 6.1.7601.28117 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2008 Service Pack 2 (Server Core installation) Affected: 6.0.6003.0 , < 6.0.6003.23717 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 (Server Core installation) Affected: 6.2.9200.0 , < 6.2.9200.25868 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2012 R2 (Server Core installation) Affected: 6.3.9600.0 , < 6.3.9600.22968 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.8783 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8276 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.4648 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2092 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32230 (custom)
Create a notification for this product.
Date Public
2026-01-13 16:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-20840",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-14T04:56:17.262285Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T15:04:36.099Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.6809",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.6809",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 22H3",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.6491",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.7623",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.7623",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.1.7601.28117",
              "status": "affected",
              "version": "6.1.7601.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows Server 2008 Service Pack 2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.0.6003.23717",
              "status": "affected",
              "version": "6.0.6003.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.2.9200.25868",
              "status": "affected",
              "version": "6.2.9200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2012 R2 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "6.3.9600.22968",
              "status": "affected",
              "version": "6.3.9600.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.8783",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8276",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.4648",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2092",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32230",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8276",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.4648",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.6809",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.6809",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.7623",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.6491",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2092",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.7623",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32230",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.8783",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_sp2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.0.6003.23717",
                  "versionStartIncluding": "6.0.6003.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2008_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.1.7601.28117",
                  "versionStartIncluding": "6.1.7601.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.2.9200.25868",
                  "versionStartIncluding": "6.2.9200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2012_R2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "6.3.9600.22968",
                  "versionStartIncluding": "6.3.9600.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-01-13T16:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Heap-based buffer overflow in Windows NTFS allows an authorized attacker to execute code locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T13:48:36.773Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows NTFS Remote Code Execution Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20840"
        }
      ],
      "title": "Windows NTFS Remote Code Execution Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-20840",
    "datePublished": "2026-01-13T17:56:27.184Z",
    "dateReserved": "2025-12-03T05:54:20.376Z",
    "dateUpdated": "2026-04-01T13:48:36.773Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation

Phases:

Description:

  • Pre-design: Use a language or compiler that performs automatic bounds checking.
Mitigation

Phase: Architecture and Design

Description:

  • Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation ID: MIT-10

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation ID: MIT-11

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation

Phase: Implementation

Description:

  • Implement and perform bounds checking on input.
Mitigation

Phase: Implementation

Strategy: Libraries or Frameworks

Description:

  • Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Mitigation

Phase: Operation

Description:

  • Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Back to CWE stats page