CWE-248
AllowedUncaught Exception
Abstraction: Base · Status: Draft
An exception is thrown from a function, but it is not caught.
420 vulnerabilities reference this CWE, most recent first.
GHSA-4RXP-72G2-FXHM
Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-07 18:31NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-24175"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T18:16:40Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.",
"id": "GHSA-4rxp-72g2-fxhm",
"modified": "2026-04-07T18:31:38Z",
"published": "2026-04-07T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24175"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5816"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4V88-6PP2-RX52
Vulnerability from github – Published: 2023-09-20 03:30 – Updated: 2024-04-04 07:44NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-25526"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-20T01:15:52Z",
"severity": "MODERATE"
},
"details": "NVIDIA Cumulus Linux contains a vulnerability in neighmgrd and nlmanager where an attacker on an adjacent network may cause an uncaught exception by injecting a crafted packet. A successful exploit may lead to denial of service.",
"id": "GHSA-4v88-6pp2-rx52",
"modified": "2024-04-04T07:44:52Z",
"published": "2023-09-20T03:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25526"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5480"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4VH4-C5MM-JQMW
Vulnerability from github – Published: 2024-04-08 03:30 – Updated: 2025-03-13 18:31In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-52342"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T03:15:08Z",
"severity": "HIGH"
},
"details": "In modem-ps-nas-ngmm, there is a possible undefined behavior due to incorrect error handling. This could lead to remote information disclosure no additional execution privileges needed",
"id": "GHSA-4vh4-c5mm-jqmw",
"modified": "2025-03-13T18:31:54Z",
"published": "2024-04-08T03:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52342"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1777143682512781313"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-4W56-VR39-RVQR
Vulnerability from github – Published: 2024-12-12 12:31 – Updated: 2024-12-12 12:31Null pointer dereference vulnerability in the image decoding module Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-54106"
],
"database_specific": {
"cwe_ids": [
"CWE-248",
"CWE-476"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-12T12:15:25Z",
"severity": "HIGH"
},
"details": "Null pointer dereference vulnerability in the image decoding module\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-4w56-vr39-rvqr",
"modified": "2024-12-12T12:31:16Z",
"published": "2024-12-12T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54106"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52XJ-VX8W-46QJ
Vulnerability from github – Published: 2026-01-20 21:31 – Updated: 2026-01-20 21:31We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when async_hooks.createHook() is enabled. Instead of reaching process.on('uncaughtException'), the process terminates, making the crash unrecoverable. Applications that rely on AsyncLocalStorage (v22, v20) or async_hooks.createHook() (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.
{
"affected": [],
"aliases": [
"CVE-2025-59466"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-20T21:16:04Z",
"severity": "MODERATE"
},
"details": "We have identified a bug in Node.js error handling where \"Maximum call stack size exceeded\" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on(\u0027uncaughtException\u0027)`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions.",
"id": "GHSA-52xj-vx8w-46qj",
"modified": "2026-01-20T21:31:35Z",
"published": "2026-01-20T21:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59466"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5375-PQ7M-F5R2
Vulnerability from github – Published: 2026-06-11 13:27 – Updated: 2026-06-11 13:27Impact
An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.
Patches
The following version have fixes for this vulnerability:
- 1.9.16
- 1.10.12
- 1.11.4
- 1.12.7
- 1.13.5
- 1.14.4
Workarounds
There is no workaround.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.10.0"
},
{
"fixed": "1.10.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.11.0"
},
{
"fixed": "1.11.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@grpc/grpc-js"
},
"ranges": [
{
"events": [
{
"introduced": "1.14.0"
},
{
"fixed": "1.14.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48068"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-11T13:27:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\nAn invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js.\n\n### Patches\nThe following version have fixes for this vulnerability:\n\n - 1.9.16\n - 1.10.12\n - 1.11.4\n - 1.12.7\n - 1.13.5\n - 1.14.4\n\n### Workarounds\nThere is no workaround.",
"id": "GHSA-5375-pq7m-f5r2",
"modified": "2026-06-11T13:27:54Z",
"published": "2026-06-11T13:27:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/security/advisories/GHSA-5375-pq7m-f5r2"
},
{
"type": "PACKAGE",
"url": "https://github.com/grpc/grpc-node"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.10.12"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.11.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.12.7"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.13.5"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.14.4"
},
{
"type": "WEB",
"url": "https://github.com/grpc/grpc-node/releases/tag/%40grpc%2Fgrpc-js%401.9.16"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "@grpc/grpc-js: A malformed request can cause a server crash"
}
GHSA-56PQ-38G7-F784
Vulnerability from github – Published: 2026-07-07 06:31 – Updated: 2026-07-07 06:31Uncaught Exception (CWE-248) in the T20 Readers allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service. Version of Command Centre affected:
- 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))
- 9.40 prior to vCR9.40.260616a (distributed in 9.40.3130(MR3))
- 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))
- 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))
- all versions of 9.10 and prior.
{
"affected": [],
"aliases": [
"CVE-2026-27790"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-07T05:16:50Z",
"severity": "LOW"
},
"details": "Uncaught Exception (CWE-248)\u00a0in\u00a0the T20 Readers\u00a0allows an authenticated and authorized operator to trigger a restart by sending specific requests, resulting in a temporary denial of service.\u00a0Version of Command Centre affected:\n\n\n\n\n\n * 9.50 prior to vCR9.50.260616a (distributed in 9.50.1587(MR1))\n * 9.40 prior to vCR9.40.260616a (distributed in\u00a09.40.3130(MR3))\n * 9.30 prior to vCR9.30.260616a (distributed in 9.30.3983(MR5))\n * 9.20 prior to vCR9.20.260616a (distributed in 9.20.4349(MR7))\n * all versions of 9.10 and prior.",
"id": "GHSA-56pq-38g7-f784",
"modified": "2026-07-07T06:31:23Z",
"published": "2026-07-07T06:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27790"
},
{
"type": "WEB",
"url": "https://security.gallagher.com/en-NZ/Security-Advisories/CVE-2026-27790"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-56X4-8XCJ-44R6
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2023-12-21 03:30In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted ‘INGEST_EVAL’ parameter in a Field Transformation crashes the Splunk daemon (splunkd).
{
"affected": [],
"aliases": [
"CVE-2023-22941"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T18:15:00Z",
"severity": "HIGH"
},
"details": "In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly-formatted \u2018INGEST_EVAL\u2019 parameter in a [Field Transformation](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managefieldtransforms) crashes the Splunk daemon (splunkd).",
"id": "GHSA-56x4-8xcj-44r6",
"modified": "2023-12-21T03:30:32Z",
"published": "2023-07-06T19:24:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22941"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2023-0211"
},
{
"type": "WEB",
"url": "https://research.splunk.com/application/08978eca-caff-44c1-84dc-53f17def4e14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5873-6FWQ-463F
Vulnerability from github – Published: 2023-10-25 14:09 – Updated: 2023-10-25 14:09Impact
Panic vulnerability when a specially crafted payload is used. This is because of the following calculation:
inner_payload_len + (4 - inner_payload_len % 4) % 4
If inner_payload_len is 0xffffffff, (4 - inner_payload_len % 4) % 4 = 1 so
inner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1
which overflow.
Patches
Check that inner_payload_len is not above 64 which should never be the case.
Patched in version 0.0.8
Workarounds
Sanitize input payload before it is passed to the vulnerable function so that bytes in payload[32..32+4] and parsed as a u32 is not above 64.
References
GitHub issue #58
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "stellar-strkey"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-46135"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-25T14:09:10Z",
"nvd_published_at": "2023-10-25T18:17:36Z",
"severity": "MODERATE"
},
"details": "### Impact\nPanic vulnerability when a specially crafted payload is used. \nThis is because of the following calculation:\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4\n```\nIf `inner_payload_len` is `0xffffffff`, `(4 - inner_payload_len % 4) % 4 = 1` so\n```rust\ninner_payload_len + (4 - inner_payload_len % 4) % 4 = u32::MAX + 1\n```\nwhich overflow.\n\n### Patches\nCheck that `inner_payload_len` is not above 64 which should never be the case.\nPatched in version 0.0.8\n\n### Workarounds\nSanitize input payload before it is passed to the vulnerable function so that bytes in `payload[32..32+4]` and parsed as a `u32` is not above 64.\n\n### References\nGitHub issue #58\n",
"id": "GHSA-5873-6fwq-463f",
"modified": "2023-10-25T14:09:10Z",
"published": "2023-10-25T14:09:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/stellar/rs-stellar-strkey/security/advisories/GHSA-5873-6fwq-463f"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46135"
},
{
"type": "WEB",
"url": "https://github.com/stellar/rs-stellar-strkey/issues/58"
},
{
"type": "WEB",
"url": "https://github.com/stellar/rs-stellar-strkey/pull/59"
},
{
"type": "WEB",
"url": "https://github.com/stellar/rs-stellar-strkey/commit/83adad0f5b1cda693c7ba8524d395add8077865f"
},
{
"type": "PACKAGE",
"url": "https://github.com/stellar/rs-stellar-strkey"
},
{
"type": "WEB",
"url": "https://github.com/stellar/rs-stellar-strkey/releases/tag/v0.0.8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "stellar-strkey vulnerable to panic in SignedPayload::from_payload"
}
GHSA-595H-5JVM-PM7P
Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2024-07-03 18:34In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541769; Issue ID: ALPS08541769.
{
"affected": [],
"aliases": [
"CVE-2024-20048"
],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T03:15:08Z",
"severity": "MODERATE"
},
"details": "In flashc, there is a possible information disclosure due to an uncaught exception. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08541769; Issue ID: ALPS08541769.",
"id": "GHSA-595h-5jvm-pm7p",
"modified": "2024-07-03T18:34:01Z",
"published": "2024-04-01T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20048"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.