Common Weakness Enumeration

CWE-787

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

CVE-2026-57876 (GCVE-0-2026-57876)

Vulnerability from cvelistv5 – Published: 2026-06-26 07:17 – Updated: 2026-06-26 15:40
VLAI
Title
GV-LPC2011/LPC2211 - unauthorized out-of-bounds writing vulnerability (onvif.cgi)
Summary
An unauthenticated out-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient bounds checking when processing HTTP request body data. A remote attacker may exploit this vulnerability by sending a crafted request with excessive input, causing memory corruption and resulting in a denial of service.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
GV
References
Impacted products
Vendor Product Version
GeoVision Inc. GV-LPCLPC2011/2211 Affected: 1.12
Unaffected: 1.13
Create a notification for this product.
Date Public
2026-06-26 02:55
Credits
Jincheng Wang (@winmt), Professor Le Yu of Nanjing University of Posts and Telecommunications, and Professor Xiapu Luo of The Hong Kong Polytechnic University has reported:
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-57876",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T15:39:48.481133Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T15:40:10.368Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "GV-LPCLPC2011/2211",
          "vendor": "GeoVision Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "1.12"
            },
            {
              "status": "unaffected",
              "version": "1.13"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.12:*:linux:*:*:*:*:*",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:geovision_inc.:gv-lpclpc2011_2211:1.13:*:linux:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jincheng Wang (@winmt), Professor Le Yu of Nanjing University of Posts and Telecommunications, and Professor Xiapu Luo of The Hong Kong Polytechnic University has reported:"
        }
      ],
      "datePublic": "2026-06-26T02:55:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn unauthenticated\nout-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011\nand GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient\nbounds checking when processing HTTP request body data. A remote attacker may\nexploit this vulnerability by sending a crafted request with excessive input,\ncausing memory corruption and resulting in a denial of service.\u003c/p\u003e"
            }
          ],
          "value": "An unauthenticated\nout-of-bounds write vulnerability exists in onvif.cgi in GeoVision GV-LPC2011\nand GV-LPC2211 V1.12 and earlier. The vulnerability is caused by insufficient\nbounds checking when processing HTTP request body data. A remote attacker may\nexploit this vulnerability by sending a crafted request with excessive input,\ncausing memory corruption and resulting in a denial of service."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-100",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-100 Overflow Buffers"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T07:17:19.427Z",
        "orgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
        "shortName": "GV"
      },
      "references": [
        {
          "url": "https://www.geovision.com.tw/cyber_security.php"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-17T07:08:00.000Z",
          "value": "Finder reports vulnerability to vendor"
        }
      ],
      "title": "GV-LPC2011/LPC2211 - unauthorized out-of-bounds writing vulnerability (onvif.cgi)",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0df08a0e-a200-4957-9bb0-084f562506f9",
    "assignerShortName": "GV",
    "cveId": "CVE-2026-57876",
    "datePublished": "2026-06-26T07:17:19.427Z",
    "dateReserved": "2026-06-26T02:40:42.397Z",
    "dateUpdated": "2026-06-26T15:40:10.368Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-58049 (GCVE-0-2026-58049)

Vulnerability from cvelistv5 – Published: 2026-06-28 01:32 – Updated: 2026-06-30 12:10
VLAI
Title
FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()
Summary
FFmpeg's RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
FFmpeg FFmpeg Affected: 0 , ≤ bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c (git)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
Create a notification for this product.
Red Hat Red Hat OpenShift AI (RHOAI)     cpe:/a:redhat:openshift_ai
Create a notification for this product.
Date Public
2026-06-26 00:00
Credits
ashdfrkl
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-58049",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T13:52:19.360635Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T13:52:27.762Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:openshift_ai"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat OpenShift AI (RHOAI)",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-28T01:32:52.900Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in FFmpeg\u0027s RASC video decoder. A remote attacker could exploit this by providing a crafted media stream using the RASC FourCC (Four Character Code), which is then decoded by libavcodec. This vulnerability triggers a bitstream-controlled out-of-bounds heap write and an adjacent out-of-bounds read, leading to memory corruption. This can result in a denial of service or potentially arbitrary code execution."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.6,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:10:42.134Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-58049"
          },
          {
            "name": "RHBZ#2493952",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493952"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-58049.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-28T03:01:15.644Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-28T01:32:52.900Z",
            "value": "Made public."
          }
        ],
        "title": "FFmpeg: FFmpeg: Memory corruption via crafted RASC video stream",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "FFmpeg",
          "vendor": "FFmpeg",
          "versions": [
            {
              "lessThanOrEqual": "bcd2c69e087a09b07cf45c6bd2428ee1ccb2925c",
              "status": "affected",
              "version": "0",
              "versionType": "git"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ffmpeg:ffmpeg:*:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ashdfrkl"
        }
      ],
      "datePublic": "2026-06-26T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "FFmpeg\u0027s RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check and validates the DLTA region in pixel rather than byte units, so a DLTA run on a PAL8 frame can access several bytes past the row allocation. A crafted media stream using the RASC FourCC, decoded by libavcodec, triggers a bitstream-controlled out-of-bounds heap write and adjacent out-of-bounds read, leading to memory corruption."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        },
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-28T01:32:52.900Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Proof of Concept",
          "tags": [
            "exploit",
            "third-party-advisory"
          ],
          "url": "https://github.com/bikini/exploitarium/tree/main/ffmpeg-rasc-dlta-calc-poc"
        },
        {
          "name": "libavcodec/rasc.c",
          "tags": [
            "product"
          ],
          "url": "https://github.com/FFmpeg/FFmpeg/blob/master/libavcodec/rasc.c"
        },
        {
          "name": "VulnCheck Advisory: FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/ffmpeg-out-of-bounds-write-in-rasc-decoder-decode-dlta"
        }
      ],
      "title": "FFmpeg - Out-of-Bounds Write in RASC Decoder decode_dlta()",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-58049",
    "datePublished": "2026-06-28T01:32:52.900Z",
    "dateReserved": "2026-06-28T00:55:25.425Z",
    "dateUpdated": "2026-06-30T12:10:42.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-58592 (GCVE-0-2026-58592)

Vulnerability from cvelistv5 – Published: 2026-07-01 19:27 – Updated: 2026-07-02 15:55
VLAI
Title
Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration
Summary
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-825 - Expired Pointer Dereference
  • CWE-843 - Access of Resource Using Incompatible Type (Type Confusion)
  • CWE-787 - Out-of-bounds Write
Assigner
Impacted products
Date Public
2026-07-01 00:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-58592",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T15:27:43.547840Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T15:55:07.091Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Ladybird",
          "vendor": "LadybirdBrowser",
          "versions": [
            {
              "status": "affected",
              "version": "0"
            }
          ]
        }
      ],
      "datePublic": "2026-07-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to create_host_function, whose host callback captures and later reads that reference; once the ESM link-loop iteration ends the FunctionType is destroyed, leaving the callback with a dangling reference (the normal instantiate path uses a long-lived reference and is not affected). Stale result-type data lets the host callback return an empty result vector for a statically non-empty result, so the destination register retains an attacker-influenced value that is then consumed by the WASM-GC array.set handler, which bit-casts the reference low bits to an ArrayInstance pointer after only a null check, yielding an arbitrary write. A web page can chain this into code execution in the WebContent process. Verified reachable from HTML content without any instrumentation or source modification."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        },
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.9,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-825",
              "description": "Expired Pointer Dereference",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-843",
              "description": "Access of Resource Using Incompatible Type (Type Confusion)",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-787",
              "description": "Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T19:27:22.629Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "Proof of Concept",
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/bikini/exploitarium/tree/main/ladybird-wasm-esm-host-function-rce-poc"
        },
        {
          "name": "Affected source",
          "tags": [
            "product"
          ],
          "url": "https://github.com/LadybirdBrowser/ladybird/blob/master/Libraries/LibWeb/WebAssembly/WebAssemblyModule.cpp"
        },
        {
          "name": "VulnCheck Advisory: Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/ladybird-web-reachable-code-execution-via-dangling-functiontype-reference-in-webassembly-esm-integration"
        }
      ],
      "title": "Ladybird - Web-Reachable Code Execution via Dangling FunctionType Reference in WebAssembly ESM Integration",
      "x_generator": {
        "engine": "vulncheck-endgame"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-58592",
    "datePublished": "2026-07-01T19:27:22.629Z",
    "dateReserved": "2026-07-01T17:20:57.549Z",
    "dateUpdated": "2026-07-02T15:55:07.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6039 (GCVE-0-2026-6039)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:21 – Updated: 2026-06-15 18:17
VLAI
Title
Heap buffer overflow in DXF polyline import
Summary
LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
The Document Foundation LibreOffice Affected: 25.8 , < < 25.8.7 (25.8 series)
Affected: 26.2 , < < 26.2.3 (26.2 series)
Create a notification for this product.
Date Public
2026-06-15 00:00
Credits
Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6039",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:16:06.325169Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:17:13.933Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-197",
              "description": "CWE-197 Numeric Truncation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:21:16.514Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6039"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in DXF polyline import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6039",
    "datePublished": "2026-06-15T16:21:16.514Z",
    "dateReserved": "2026-04-09T16:29:22.953Z",
    "dateUpdated": "2026-06-15T18:17:13.933Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6040 (GCVE-0-2026-6040)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:21 – Updated: 2026-06-30 12:11
VLAI
Title
Heap use-after-free in ODF number-format blank-width parsing
Summary
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
The Document Foundation LibreOffice Affected: 25.8 , < < 25.8.7 (25.8 series)
Affected: 26.2 , < < 26.2.3 (26.2 series)
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Date Public
2026-06-15 00:00
Credits
Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6040",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:14:24.996356Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:14:30.848Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-06-15T16:21:53.903Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A vulnerability was found in LibreOffice. If a user inadvertently opens a malicious OpenDocument Format (ODF) file, an attacker could execute unauthorized code and potentially gain full control of the system."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-825",
                "description": "Expired Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:11:11.361Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-6040"
          },
          {
            "name": "RHBZ#2488966",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2488966"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6040.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-06-15T18:01:31.633Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-06-15T16:21:53.903Z",
            "value": "Made public."
          }
        ],
        "title": "libreoffice: LibreOffice: Heap use-after-free allows arbitrary code execution via malformed ODF number format",
        "workarounds": [
          {
            "lang": "en",
            "value": "Users should exercise caution and avoid opening untrusted OpenDocument Format (ODF) files."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use.\u003c/p\u003e"
            }
          ],
          "value": "A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the document was not checked against the length of the format-code string, so a malformed number format could be processed against memory outside that string. In fixed versions the position is bounds-checked before use."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:21:53.903Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6040"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap use-after-free in ODF number-format blank-width parsing",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6040",
    "datePublished": "2026-06-15T16:21:53.903Z",
    "dateReserved": "2026-04-09T16:42:11.799Z",
    "dateUpdated": "2026-06-30T12:11:11.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6045 (GCVE-0-2026-6045)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:22 – Updated: 2026-06-15 18:13
VLAI
Title
Heap buffer overflow in EMF+ gradient brush import
Summary
LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-787 - Out-of-bounds Write
  • CWE-190 - Integer Overflow or Wraparound
Assigner
Impacted products
Vendor Product Version
The Document Foundation LibreOffice Affected: 25.8 , < < 25.8.7 (25.8 series)
Affected: 26.2 , < < 26.2.3 (26.2 series)
Create a notification for this product.
Date Public
2026-06-15 00:00
Credits
Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6045",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:12:50.303654Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:13:24.274Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could overflow, so a small buffer was allocated and then filled as if it were large, writing past its end. In fixed versions the blend-point count is checked against the data actually available before allocating."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:22:16.574Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6045"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in EMF+ gradient brush import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6045",
    "datePublished": "2026-06-15T16:22:16.574Z",
    "dateReserved": "2026-04-09T19:07:34.963Z",
    "dateUpdated": "2026-06-15T18:13:24.274Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6047 (GCVE-0-2026-6047)

Vulnerability from cvelistv5 – Published: 2026-06-15 16:22 – Updated: 2026-06-15 18:11
VLAI
Title
Heap buffer overflow in OOXML text box element import
Summary
LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-787 - Out-of-bounds Write
  • CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
Assigner
Impacted products
Vendor Product Version
The Document Foundation LibreOffice Affected: 25.8 , < < 25.8.7 (25.8 series)
Affected: 26.2 , < < 26.2.3 (26.2 series)
Create a notification for this product.
Date Public
2026-06-15 00:00
Credits
Anthropic (automated discovery using Claude) Trail of Bits (triage and validation)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6047",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-15T18:11:34.358602Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-15T18:11:48.806Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 25.8.7",
              "status": "affected",
              "version": "25.8",
              "versionType": "25.8 series"
            },
            {
              "lessThan": "\u003c 26.2.3",
              "status": "affected",
              "version": "26.2",
              "versionType": "26.2 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthropic (automated discovery using Claude)"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "Trail of Bits (triage and validation)"
        }
      ],
      "datePublic": "2026-06-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eLibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type\u0027s field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.\u003c/p\u003e"
            }
          ],
          "value": "LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type\u0027s field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-44",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-44 Overflow Binary Resource File"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-843",
              "description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T16:22:37.208Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2026-6047"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Heap buffer overflow in OOXML text box element import",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2026-6047",
    "datePublished": "2026-06-15T16:22:37.208Z",
    "dateReserved": "2026-04-09T19:21:23.491Z",
    "dateUpdated": "2026-06-15T18:11:48.806Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6100 (GCVE-0-2026-6100)

Vulnerability from cvelistv5 – Published: 2026-04-13 17:15 – Updated: 2026-06-30 12:11
VLAI
Title
Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure
Summary
Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
PSF
References
URL Tags
https://github.com/python/cpython/pull/148396 patch
https://mail.python.org/archives/list/security-an… vendor-advisory
https://github.com/python/cpython/issues/148395 issue-tracking
https://github.com/python/cpython/commit/6a5f79c8… patch
https://github.com/python/cpython/commit/8fc66aef… patch
https://github.com/python/cpython/commit/c3cf71c3… patch
https://github.com/python/cpython/commit/47128e64… patch
https://github.com/python/cpython/commit/e20c6c96… patch
http://www.openwall.com/lists/oss-security/2026/0…
https://access.redhat.com/security/cve/CVE-2026-6100 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2457932 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:13812 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16699 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10711 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19064 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19019 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11077 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11062 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10950 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19590 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:17619 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19549 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:26187 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19571 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19570 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:13692 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21682 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14653 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:17525 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19576 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14652 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:14656 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10949 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10774 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10745 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19216 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19175 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19177 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19176 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:25096 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30078 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30089 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30088 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:30087 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10140 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10141 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8822 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8824 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:10117 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:9228 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:11768 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:21275 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
Python Software Foundation CPython Affected: 0 , < 3.13.14 (python)
Affected: 3.14.0a1 , < 3.14.5rc1 (python)
Affected: 3.15.0a1 , < 3.15.0b1 (python)
Create a notification for this product.
Red Hat Middleware Containers for OpenShift     cpe:/a:redhat:rhosemc:1.0::el8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS (v. 8)     cpe:/o:redhat:enterprise_linux:8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.4)     cpe:/o:redhat:rhel_aus:8.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)     cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS AUS (v.8.6)     cpe:/o:redhat:rhel_aus:8.6::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.6)     cpe:/o:redhat:rhel_e4s:8.6::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.6)     cpe:/o:redhat:rhel_tus:8.6::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.8.8)     cpe:/o:redhat:rhel_e4s:8.8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS TUS (v.8.8)     cpe:/o:redhat:rhel_tus:8.8::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.0)     cpe:/o:redhat:rhel_e4s:9.0::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS E4S (v.9.2)     cpe:/o:redhat:rhel_e4s:9.2::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.4)     cpe:/o:redhat:rhel_eus:9.4::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS EUS (v.9.6)     cpe:/o:redhat:rhel_eus:9.6::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux BaseOS (v. 9)     cpe:/o:redhat:enterprise_linux:9::baseos
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
Create a notification for this product.
Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
Create a notification for this product.
Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
Create a notification for this product.
Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.2     cpe:/a:redhat:ai_inference_server:3.2::el9
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.3     cpe:/a:redhat:ai_inference_server:3.3::el9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI 3.3     cpe:/a:redhat:enterprise_linux_ai:3.3::el9
Create a notification for this product.
Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat Update Infrastructure 5     cpe:/a:redhat:rhui:5::el9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux AI (RHEL AI) 3     cpe:/a:redhat:enterprise_linux_ai:3
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Credits
Ryan Hileman Stan Ulbrych Seth Larson Stan Ulbrych Ryan Hileman
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6100",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T19:21:03.412763Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T19:21:10.878Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-13T19:29:27.322Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/13/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:rhosemc:1.0::el8"
            ],
            "defaultStatus": "affected",
            "product": "Middleware Containers for OpenShift",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1",
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.0::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::appstream"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AppStream (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1",
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_aus:8.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_eus_long_life:8.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_aus:8.6::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS AUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:8.6::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_tus:8.6::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:8.8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_tus:8.8::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS TUS (v.8.8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:9.0::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_e4s:9.2::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS E4S (v.9.2)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_eus:9.4::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:rhel_eus:9.6::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9::baseos"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux BaseOS (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1",
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CRB (v. 8)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9::crb"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.2::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server 3.2",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat AI Inference Server 3.3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3.3::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI 3.3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:rhui:5::el9"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Update Infrastructure 5",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:enterprise_linux_ai:3"
            ],
            "defaultStatus": "affected",
            "product": "Red Hat Enterprise Linux AI (RHEL AI) 3",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-04-13T17:15:47.606Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Python\u0027s decompression modules, including `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile`. This vulnerability, a use-after-free, can occur if a program attempts to re-use a decompression object after a memory allocation error, especially when the system is experiencing high memory usage. Exploitation of this flaw could potentially allow an attacker to execute arbitrary code or access sensitive data. The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-825",
                "description": "Expired Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:11:10.781Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-6100"
          },
          {
            "name": "RHBZ#2457932",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457932"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6100.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13812"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16699"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10711"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19064"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19019"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11077"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11062"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10950"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19590"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:17619"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19549"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:26187"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19571"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19570"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:13692"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21682"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:14653"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:17525"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19576"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:14652"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:14656"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10949"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10774"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10745"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19216"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19175"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19177"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:19176"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25096"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:30078"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:30089"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:30088"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:30087"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10140"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10141"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8822"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8824"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:10117"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9228"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:11768"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:21275"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:13812: Middleware Containers for OpenShift"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16699: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10711: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19064: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19019: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11077: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux BaseOS (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11062: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10950: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19590: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:17619: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS E4S (v.8.6), Red Hat Enterprise Linux BaseOS TUS (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19549: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:26187: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19571: Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux BaseOS E4S (v.9.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19570: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:13692: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21682: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux BaseOS EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:14653: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:17525: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19576: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:14652: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:14656: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10949: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10774: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10745: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19216: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19175: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19177: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:19176: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25096: Red Hat AI Inference Server 3.2"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:30078: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:30089: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:30088: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:30087: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10140: Red Hat Enterprise Linux AI 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10141: Red Hat Enterprise Linux AI 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8822: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8824: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:10117: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9228: Red Hat Hardened Images"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:11768: Red Hat Update Infrastructure 5"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:21275: Red Hat Update Infrastructure 5"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-13T18:01:31.970Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-13T17:15:47.606Z",
            "value": "Made public."
          }
        ],
        "title": "python: Python: Arbitrary code execution or information disclosure via use-after-free in decompression modules",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.13.14",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            },
            {
              "lessThan": "3.14.5rc1",
              "status": "affected",
              "version": "3.14.0a1",
              "versionType": "python"
            },
            {
              "lessThan": "3.15.0b1",
              "status": "affected",
              "version": "3.15.0a1",
              "versionType": "python"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Ryan Hileman"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Stan Ulbrych"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "Seth Larson"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Stan Ulbrych"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ryan Hileman"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\u003cbr\u003e\u003cbr\u003eThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable."
            }
          ],
          "value": "Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416 Use after free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T18:58:01.371Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/pull/148396"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/148395"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure",
      "x_generator": {
        "engine": "Vulnogram 0.6.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2026-6100",
    "datePublished": "2026-04-13T17:15:47.606Z",
    "dateReserved": "2026-04-10T21:13:45.428Z",
    "dateUpdated": "2026-06-30T12:11:10.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6325 (GCVE-0-2026-6325)

Vulnerability from cvelistv5 – Published: 2026-06-25 21:04 – Updated: 2026-06-26 10:23
VLAI
Title
Out-of-bounds write in SetSuitesHashSigAlgo on oversized signature algorithms list
Summary
Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
wolfSSL wolfSSL Affected: 4.8.0 , ≤ 5.9.1 (semver)
Create a notification for this product.
Credits
Muhammad Arya Arjuna Habibullah (Pelioro)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6325",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T10:22:44.145921Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T10:23:33.220Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/wolfSSL/wolfssl",
          "defaultStatus": "unaffected",
          "product": "wolfSSL",
          "vendor": "wolfSSL",
          "versions": [
            {
              "lessThanOrEqual": "5.9.1",
              "status": "affected",
              "version": "4.8.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Arya Arjuna Habibullah (Pelioro)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eOut-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer.\u003c/p\u003e"
            }
          ],
          "value": "Out-of-bounds write in SetSuitesHashSigAlgo when processing an oversized signature algorithms list, allowing a write past the bounds of the destination buffer."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 2,
            "baseSeverity": "LOW",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T21:04:31.827Z",
        "orgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
        "shortName": "wolfSSL"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/wolfSSL/wolfssl/pull/10204"
        },
        {
          "url": "https://www.wolfssl.com/docs/security-vulnerabilities/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Out-of-bounds write in SetSuitesHashSigAlgo on oversized signature algorithms list",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "50d2cd11-d01a-48ed-9441-5bfce9d63b27",
    "assignerShortName": "wolfSSL",
    "cveId": "CVE-2026-6325",
    "datePublished": "2026-06-25T21:04:31.827Z",
    "dateReserved": "2026-04-14T20:57:15.490Z",
    "dateUpdated": "2026-06-26T10:23:33.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6507 (GCVE-0-2026-6507)

Vulnerability from cvelistv5 – Published: 2026-04-17 12:23 – Updated: 2026-04-20 14:59
VLAI
Title
Dnsmasq: dnsmasq: denial of service due to out-of-bounds write in dhcp bootreply processing
Summary
A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS).
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
URL Tags
https://access.redhat.com/security/cve/CVE-2026-6507 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2459181 issue-trackingx_refsource_REDHAT
Date Public
2026-04-17 11:37
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6507",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T14:30:05.928163Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T14:59:06.735Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "packageName": "dnsmasq",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "packageName": "dnsmasq",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "packageName": "dnsmasq",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "packageName": "dnsmasq",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "dnsmasq",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "packageName": "rhcos",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2026-04-17T11:37:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in dnsmasq. A remote attacker could exploit an out-of-bounds write vulnerability by sending a specially crafted BOOTREPLY (Bootstrap Protocol Reply) packet to a dnsmasq server configured with the `--dhcp-split-relay` option. This can lead to memory corruption, causing the dnsmasq daemon to crash and resulting in a denial of service (DoS)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Moderate"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-20T11:47:24.852Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2026-6507"
        },
        {
          "name": "RHBZ#2459181",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459181"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-17T00:00:00.000Z",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2026-04-17T11:37:00.000Z",
          "value": "Made public."
        }
      ],
      "title": "Dnsmasq: dnsmasq: denial of service due to out-of-bounds write in dhcp bootreply processing",
      "workarounds": [
        {
          "lang": "en",
          "value": "To mitigate this issue, ensure that the `dnsmasq` service is not configured with the `--dhcp-split-relay` option. If this option is currently in use, remove it from the `dnsmasq` configuration. After modifying the configuration, the `dnsmasq` service must be restarted for the changes to take effect. This may temporarily interrupt DHCP and DNS services provided by `dnsmasq`."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-787: Out-of-bounds Write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2026-6507",
    "datePublished": "2026-04-17T12:23:31.852Z",
    "dateReserved": "2026-04-17T11:32:04.326Z",
    "dateUpdated": "2026-04-20T14:59:06.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation ID: MIT-3

Phase: Requirements

Strategy: Language Selection

Description:

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
  • Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation ID: MIT-4.1

Phase: Architecture and Design

Strategy: Libraries or Frameworks

Description:

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation ID: MIT-10

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation ID: MIT-9

Phase: Implementation

Description:

  • Consider adhering to the following rules when allocating and managing an application's memory:
  • Double check that the buffer is as large as specified.
  • When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  • Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
  • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation ID: MIT-11

Phases: Operation, Build and Compilation

Strategy: Environment Hardening

Description:

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation ID: MIT-12

Phase: Operation

Strategy: Environment Hardening

Description:

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation ID: MIT-13

Phase: Implementation

Description:

  • Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

No CAPEC attack patterns related to this CWE.

Back to CWE stats page