CWE-124
Buffer Underwrite ('Buffer Underflow')
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
CVE-2026-28419 (GCVE-0-2026-28419)
Vulnerability from cvelistv5 – Published: 2026-02-27 22:02 – Updated: 2026-03-02 21:54
VLAI
Title
Vim has Heap-based Buffer Underflow in Emacs tags parsing
Summary
Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
Severity
5.3 (Medium)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/vim/vim/security/advisories/GH… | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/9b7dfa2948c9e1e… | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0075 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-02-28T00:15:33.748Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/27/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28419",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T21:54:21.226456Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T21:54:29.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "vim",
"vendor": "vim",
"versions": [
{
"status": "affected",
"version": "\u003c 9.2.0075"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim\u0027s Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-124",
"description": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T22:02:55.952Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv"
},
{
"name": "https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812"
},
{
"name": "https://github.com/vim/vim/releases/tag/v9.2.0075",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/vim/vim/releases/tag/v9.2.0075"
}
],
"source": {
"advisory": "GHSA-xcc8-r6c5-hvwv",
"discovery": "UNKNOWN"
},
"title": "Vim has Heap-based Buffer Underflow in Emacs tags parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28419",
"datePublished": "2026-02-27T22:02:55.952Z",
"dateReserved": "2026-02-27T15:33:57.290Z",
"dateUpdated": "2026-03-02T21:54:29.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41499 (GCVE-0-2026-41499)
Vulnerability from cvelistv5 – Published: 2026-04-29 18:01 – Updated: 2026-04-29 18:31
VLAI
Title
Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()
Summary
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4.
Severity
6.5 (Medium)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/wazuh/wazuh/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/wazuh/wazuh/releases/tag/v4.14.4 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41499",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T18:31:03.330693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:31:46.154Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-qvqj-p8mm-r7h3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "wazuh",
"vendor": "wazuh",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c 4.14.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and contains a dangerous code pattern that appears in 4 locations within the same function: writing to strlen(ptr) - 1 without checking for empty strings. When the string is empty, strlen() returns 0, and 0 - 1 wraps to SIZE_MAX due to unsigned integer underflow. Due to pointer arithmetic wrapping, SIZE_MAX effectively becomes -1, causing a write exactly 1 byte before the allocated buffer. This corrupts heap metadata (e.g., the chunk size field in glibc malloc), leading to heap corruption. This issue has been patched in version 4.14.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-124",
"description": "CWE-124: Buffer Underwrite (\u0027Buffer Underflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T18:01:25.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/wazuh/wazuh/security/advisories/GHSA-qvqj-p8mm-r7h3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-qvqj-p8mm-r7h3"
},
{
"name": "https://github.com/wazuh/wazuh/releases/tag/v4.14.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wazuh/wazuh/releases/tag/v4.14.4"
}
],
"source": {
"advisory": "GHSA-qvqj-p8mm-r7h3",
"discovery": "UNKNOWN"
},
"title": "Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41499",
"datePublished": "2026-04-29T18:01:25.078Z",
"dateReserved": "2026-04-20T16:14:19.009Z",
"dateUpdated": "2026-04-29T18:31:46.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5089 (GCVE-0-2026-5089)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:14 – Updated: 2026-05-14 13:51
VLAI
Title
YAML::Syck versions before 1.38 for Perl has an out-of-bounds read
Summary
YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.
The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
while ( colon >= ptr && *colon != ':' )
{
colon--;
}
if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
Severity
7.3 (High)
CWE
- CWE-124 - Buffer Underwrite ('Buffer Underflow')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://metacpan.org/release/TODDR/YAML-Syck-1.38… | release-notes |
| https://github.com/cpan-authors/YAML-Syck/issues/132 | issue-tracking |
| https://github.com/cpan-authors/YAML-Syck/pull/133 | issue-tracking |
| https://github.com/cpan-authors/YAML-Syck/commit/… | patch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TODDR | YAML::Syck |
Affected:
0 , < 1.38
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-05-12T18:35:46.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/12/16"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-5089",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:50:53.123874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:51:01.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/cpan-authors/YAML-Syck/issues/132"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "YAML-Syck",
"product": "YAML::Syck",
"programFiles": [
"perl_syck.h"
],
"repo": "https://github.com/toddr/YAML-Syck",
"vendor": "TODDR",
"versions": [
{
"lessThan": "1.38",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.\n\nThe base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:\n\n while ( colon \u003e= ptr \u0026\u0026 *colon != \u0027:\u0027 )\n {\n colon--;\n }\n if ( *colon == \u0027:\u0027 ) *colon = \u0027\\0\u0027; // colon may be ptr-1 here\n\nWhen no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-124",
"description": "CWE-124 Buffer Underwrite (\u0027Buffer Underflow\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T16:14:21.951Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/TODDR/YAML-Syck-1.38/changes"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/YAML-Syck/issues/132"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/cpan-authors/YAML-Syck/pull/133"
},
{
"tags": [
"patch"
],
"url": "https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to YAML::Syck version 1.38 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "YAML::Syck versions before 1.38 for Perl has an out-of-bounds read",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-5089",
"datePublished": "2026-05-12T16:14:21.951Z",
"dateReserved": "2026-03-28T19:33:37.653Z",
"dateUpdated": "2026-05-14T13:51:01.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Requirements
Description:
- Choose a language that is not susceptible to these issues.
Mitigation
Phase: Implementation
Description:
- All calculated values that are used as index or for pointer arithmetic should be validated to ensure that they are within an expected range.
No CAPEC attack patterns related to this CWE.