Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.
CVE-2026-25209 (GCVE-0-2026-25209)
Vulnerability from cvelistv5 – Published: 2026-04-13 04:52 – Updated: 2026-04-13 13:09
VLAI
Summary
Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds read
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Samsung Open Source | Escargot |
Affected:
97e8115ab1110bc502b4b5e4a0c689a71520d335
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25209",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T13:09:40.874896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T13:09:49.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Escargot",
"vendor": "Samsung Open Source",
"versions": [
{
"status": "affected",
"version": "97e8115ab1110bc502b4b5e4a0c689a71520d335"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Sebasti\u00e1n Alba Vives / @Sebasteuo"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.\u003cp\u003eThis issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.\u003c/p\u003e"
}
],
"value": "Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335."
}
],
"impacts": [
{
"capecId": "CAPEC-131",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-131 Resource Leak Exposure"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T05:41:09.937Z",
"orgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
"shortName": "samsung.tv_appliance"
},
"references": [
{
"url": "https://github.com/Samsung/escargot/pull/1554"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "ca193ba2-0cff-4e34-b04e-1ea07103c6fe",
"assignerShortName": "samsung.tv_appliance",
"cveId": "CVE-2026-25209",
"datePublished": "2026-04-13T04:52:18.209Z",
"dateReserved": "2026-01-30T06:07:11.090Z",
"dateUpdated": "2026-04-13T13:09:49.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25258 (GCVE-0-2026-25258)
Vulnerability from cvelistv5 – Published: 2026-06-01 22:05 – Updated: 2026-06-03 03:55
VLAI
Title
Out-of-bounds Read in DSP Service
Summary
Memory corruption while processing IOCTL calls for escape operations.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Qualcomm, Inc. | Snapdragon |
Affected:
Cologne
Affected: FastConnect 6900 Affected: FastConnect 7800 Affected: QCA0000 Affected: SC8380XP Affected: WCD9378C Affected: WCD9380 Affected: WCD9385 Affected: WSA8840 Affected: WSA8845 Affected: WSA8845H Affected: X2000077 Affected: X2000086 Affected: X2000090 Affected: X2000092 Affected: X2000094 Affected: XG101002 Affected: XG101032 Affected: XG101039 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25258",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T03:55:53.350Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Snapdragon Compute",
"Snapdragon Industrial IOT"
],
"product": "Snapdragon",
"vendor": "Qualcomm, Inc.",
"versions": [
{
"status": "affected",
"version": "Cologne"
},
{
"status": "affected",
"version": "FastConnect 6900"
},
{
"status": "affected",
"version": "FastConnect 7800"
},
{
"status": "affected",
"version": "QCA0000"
},
{
"status": "affected",
"version": "SC8380XP"
},
{
"status": "affected",
"version": "WCD9378C"
},
{
"status": "affected",
"version": "WCD9380"
},
{
"status": "affected",
"version": "WCD9385"
},
{
"status": "affected",
"version": "WSA8840"
},
{
"status": "affected",
"version": "WSA8845"
},
{
"status": "affected",
"version": "WSA8845H"
},
{
"status": "affected",
"version": "X2000077"
},
{
"status": "affected",
"version": "X2000086"
},
{
"status": "affected",
"version": "X2000090"
},
{
"status": "affected",
"version": "X2000092"
},
{
"status": "affected",
"version": "X2000094"
},
{
"status": "affected",
"version": "XG101002"
},
{
"status": "affected",
"version": "XG101032"
},
{
"status": "affected",
"version": "XG101039"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Memory corruption while processing IOCTL calls for escape operations."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T22:05:42.726Z",
"orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"shortName": "qualcomm"
},
"references": [
{
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2026-bulletin.html"
}
],
"title": "Out-of-bounds Read in DSP Service"
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"assignerShortName": "qualcomm",
"cveId": "CVE-2026-25258",
"datePublished": "2026-06-01T22:05:42.726Z",
"dateReserved": "2026-02-02T04:19:00.939Z",
"dateUpdated": "2026-06-03T03:55:53.350Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25508 (GCVE-0-2026-25508)
Vulnerability from cvelistv5 – Published: 2026-02-04 17:58 – Updated: 2026-02-04 19:21
VLAI
Title
ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisioning
Summary
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7.
Severity
6.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/espressif/esp-idf/security/adv… | x_refsource_CONFIRM |
| https://github.com/espressif/esp-idf/commit/0540c… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/1ff26… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/47552… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/4c3fd… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/894c2… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/cde7b… | x_refsource_MISC |
| https://github.com/espressif/esp-idf/commit/dba9a… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T19:21:25.847888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T19:21:38.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esp-idf",
"vendor": "espressif",
"versions": [
{
"status": "affected",
"version": "= 5.5.2"
},
{
"status": "affected",
"version": "= 5.4.3"
},
{
"status": "affected",
"version": "= 5.3.4"
},
{
"status": "affected",
"version": "= 5.2.6"
},
{
"status": "affected",
"version": "= 5.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T17:58:28.502Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54x9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9"
},
{
"name": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7"
},
{
"name": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70"
},
{
"name": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6"
},
{
"name": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf"
},
{
"name": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663"
},
{
"name": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63"
}
],
"source": {
"advisory": "GHSA-9j5x-rf36-54x9",
"discovery": "UNKNOWN"
},
"title": "ESF-IDF Has Memory Safety Vulnerabilities in BLE Provisioning"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25508",
"datePublished": "2026-02-04T17:58:28.502Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-04T19:21:38.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25585 (GCVE-0-2026-25585)
Vulnerability from cvelistv5 – Published: 2026-02-04 22:13 – Updated: 2026-02-05 15:07
VLAI
Title
iccDEV vulnerable to OOB in CIccXform3DLut::Apply()
Summary
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/InternationalColorConsortium/i… | x_refsource_CONFIRM |
| https://github.com/InternationalColorConsortium/i… | x_refsource_MISC |
| https://github.com/InternationalColorConsortium/i… | x_refsource_MISC |
| https://github.com/InternationalColorConsortium/i… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| InternationalColorConsortium | iccDEV |
Affected:
< 2.3.1.3
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25585",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-05T15:07:36.794767Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T15:07:43.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "iccDEV",
"vendor": "InternationalColorConsortium",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T22:13:45.863Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w"
},
{
"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/552",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/552"
},
{
"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/563",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/563"
},
{
"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15"
}
],
"source": {
"advisory": "GHSA-pmqx-q624-jg6w",
"discovery": "UNKNOWN"
},
"title": "iccDEV vulnerable to OOB in CIccXform3DLut::Apply()"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25585",
"datePublished": "2026-02-04T22:13:30.803Z",
"dateReserved": "2026-02-03T01:02:46.715Z",
"dateUpdated": "2026-02-05T15:07:43.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25627 (GCVE-0-2026-25627)
Vulnerability from cvelistv5 – Published: 2026-03-30 20:11 – Updated: 2026-03-31 19:09
VLAI
Title
nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket
Summary
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ’s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8.
Severity
6.5 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nanomq/nanomq/security/advisor… | x_refsource_CONFIRM |
| https://github.com/nanomq/NanoNNG/pull/1405 | x_refsource_MISC |
| https://github.com/nanomq/NanoNNG/commit/e80b30ba… | x_refsource_MISC |
| https://github.com/nanomq/nanomq/releases/tag/0.24.8 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25627",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T18:38:44.968276Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T19:09:34.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nanomq",
"vendor": "nanomq",
"versions": [
{
"status": "affected",
"version": "\u003c 0.24.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.8, NanoMQ\u2019s MQTT-over-WebSocket transport can be crashed by sending an MQTT packet with a deliberately large Remaining Length in the fixed header while providing a much shorter actual payload. The code path copies Remaining Length bytes without verifying that the current receive buffer contains that many bytes, resulting in an out-of-bounds read (ASAN reports OOB / crash). This is remotely triggerable over the WebSocket listener. This issue has been patched in version 0.24.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:11:08.586Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nanomq/nanomq/security/advisories/GHSA-w4rh-v3h2-j29x"
},
{
"name": "https://github.com/nanomq/NanoNNG/pull/1405",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nanomq/NanoNNG/pull/1405"
},
{
"name": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nanomq/NanoNNG/commit/e80b30bad6d855593a68d18f2785bfaca6faf09e"
},
{
"name": "https://github.com/nanomq/nanomq/releases/tag/0.24.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nanomq/nanomq/releases/tag/0.24.8"
}
],
"source": {
"advisory": "GHSA-w4rh-v3h2-j29x",
"discovery": "UNKNOWN"
},
"title": "nanomq: OOB Read / Crash (DoS) via Malformed MQTT Remaining Length over WebSocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25627",
"datePublished": "2026-03-30T20:11:08.586Z",
"dateReserved": "2026-02-04T05:15:41.789Z",
"dateUpdated": "2026-03-31T19:09:34.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25884 (GCVE-0-2026-25884)
Vulnerability from cvelistv5 – Published: 2026-03-02 19:41 – Updated: 2026-03-02 20:15
VLAI
Title
Exiv2: Out-of-bounds read in CrwMap::decode0x0805
Summary
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Exiv2/exiv2/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/Exiv2/exiv2/pull/3462 | x_refsource_MISC |
| https://github.com/Exiv2/exiv2/commit/cbba4d20651… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25884",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T20:15:01.199664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T20:15:22.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "exiv2",
"vendor": "Exiv2",
"versions": [
{
"status": "affected",
"version": "\u003c 0.28.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:41:21.157Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
},
{
"name": "https://github.com/Exiv2/exiv2/pull/3462",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exiv2/exiv2/pull/3462"
},
{
"name": "https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Exiv2/exiv2/commit/cbba4d206512fe63e12d164fdd1881562f072a9d"
}
],
"source": {
"advisory": "GHSA-9mxq-4j5g-5wrp",
"discovery": "UNKNOWN"
},
"title": "Exiv2: Out-of-bounds read in CrwMap::decode0x0805"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25884",
"datePublished": "2026-03-02T19:41:21.157Z",
"dateReserved": "2026-02-06T21:08:39.129Z",
"dateUpdated": "2026-03-02T20:15:22.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25898 (GCVE-0-2026-25898)
Vulnerability from cvelistv5 – Published: 2026-02-24 01:18 – Updated: 2026-02-26 15:26
VLAI
Title
Imagemagick Has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer
Summary
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/ImageMagick/ImageMagick/securi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ImageMagick | ImageMagick |
Affected:
>= 7.0.0, < 7.1.2-15
Affected: < 6.9.13-40 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25898",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T15:26:22.441113Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:26:43.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "ImageMagick",
"vendor": "ImageMagick",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c 7.1.2-15"
},
{
"status": "affected",
"version": "\u003c 6.9.13-40"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, the UIL and XPM image encoder do not validate the pixel index value returned by `GetPixelIndex()` before using it as an array subscript. In HDRI builds, `Quantum` is a floating-point type, so pixel index values can be negative. An attacker can craft an image with negative pixel index values to trigger a global buffer overflow read during conversion, leading to information disclosure or a process crash. Versions 7.1.2-15 and 6.9.13-40 contain a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:18:33.031Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-vpxv-r9pg-7gpr"
}
],
"source": {
"advisory": "GHSA-vpxv-r9pg-7gpr",
"discovery": "UNKNOWN"
},
"title": "Imagemagick Has Global Buffer Overflow (OOB Read) via Negative Pixel Index in UIL and XPM Writer"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25898",
"datePublished": "2026-02-24T01:18:33.031Z",
"dateReserved": "2026-02-06T21:08:39.131Z",
"dateUpdated": "2026-02-26T15:26:43.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25920 (GCVE-0-2026-25920)
Vulnerability from cvelistv5 – Published: 2026-02-09 21:32 – Updated: 2026-02-11 19:58
VLAI
Title
SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor
Summary
SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF's MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 << codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/sumatrapdfreader/sumatrapdf/se… | x_refsource_CONFIRM |
| https://github.com/sumatrapdfreader/sumatrapdf/co… | x_refsource_MISC |
| https://github.com/sumatrapdfreader/sumatrapdf/bl… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| sumatrapdfreader | sumatrapdf |
Affected:
<= 3.5.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25920",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T15:30:05.345742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T15:57:35.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "sumatrapdf",
"vendor": "sumatrapdfreader",
"versions": [
{
"status": "affected",
"version": "\u003c= 3.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SumatraPDF is a multi-format reader for Windows. In 3.5.2 and earlier, a heap out-of-bounds read vulnerability exists in SumatraPDF\u0027s MOBI HuffDic decompressor. The bounds check in AddCdicData() only validates half the range that DecodeOne() actually accesses. Opening a crafted .mobi file can read nearly (1 \u003c\u003c codeLength) bytes beyond the CDIC dictionary buffer, leading to a crash."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-11T19:58:04.411Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-5mwx-65x7-cffp"
},
{
"name": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sumatrapdfreader/sumatrapdf/commit/12b6887e9dfff874fe8749bab1bdc53d4ff075b3"
},
{
"name": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sumatrapdfreader/sumatrapdf/blob/916392f94bc34e24f3c3286893ac6d7fa1e1c428/src/MobiDoc.cpp"
}
],
"source": {
"advisory": "GHSA-5mwx-65x7-cffp",
"discovery": "UNKNOWN"
},
"title": "SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25920",
"datePublished": "2026-02-09T21:32:26.520Z",
"dateReserved": "2026-02-09T16:22:17.784Z",
"dateUpdated": "2026-02-11T19:58:04.411Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25941 (GCVE-0-2026-25941)
Vulnerability from cvelistv5 – Published: 2026-02-25 19:55 – Updated: 2026-02-26 21:33
VLAI
Title
FreeRDP: vuln_1_15_1 RDPGFX WIRE_TO_SURFACE_2 Out-of-Bounds Read
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client's RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/commit/2e3b77e… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T21:07:27.951810Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T21:33:42.006Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c 2.11.8"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Versions on the 2.x branch prior to to 2.11.8 and on the 3.x branch prior to 3.23.0 have an out-of-bounds read vulnerability in the FreeRDP client\u0027s RDPGFX channel that allows a malicious RDP server to read uninitialized heap memory by sending a crafted WIRE_TO_SURFACE_2 PDU with a `bitmapDataLength` value larger than the actual data in the packet. This can lead to information disclosure or client crashes when a user connects to a malicious server. Versions 2.11.8 and 3.23.0 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T19:55:24.984Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3546-x645-5cf8"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/commit/2e3b77e28ac6a398897d28ba464dcc5dfab9c9e2"
}
],
"source": {
"advisory": "GHSA-3546-x645-5cf8",
"discovery": "UNKNOWN"
},
"title": "FreeRDP: vuln_1_15_1 RDPGFX WIRE_TO_SURFACE_2 Out-of-Bounds Read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25941",
"datePublished": "2026-02-25T19:55:24.984Z",
"dateReserved": "2026-02-09T16:22:17.787Z",
"dateUpdated": "2026-02-26T21:33:42.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25942 (GCVE-0-2026-25942)
Vulnerability from cvelistv5 – Published: 2026-02-25 20:01 – Updated: 2026-02-26 20:47
VLAI
Title
FreeRDP has global-buffer-overflow in xf_rail_server_execute_result
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0–6) with an unchecked `execResult->execResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/commit/9362a0b… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/3370e30e9… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/3370e30e9… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/3370e30e9… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/3370e30e9… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25942",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T20:46:57.440011Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T20:47:09.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.23.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_rail_server_execute_result` indexes the global `error_code_names[]` array (7 elements, indices 0\u20136) with an unchecked `execResult-\u003eexecResult` value received from the server, allowing an out-of-bounds read when the server sends an `execResult` value of 7 or greater. Version 3.23.0 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-25T20:01:16.472Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-78q6-67m7-wwf6"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/commit/9362a0bf8dda04eedbca07d5dfaec1044e67cc6b"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L528"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/channels/rail/client/rail_orders.c#L75-L76"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L1014-L1017"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_rail.c#L40-L46"
}
],
"source": {
"advisory": "GHSA-78q6-67m7-wwf6",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has global-buffer-overflow in xf_rail_server_execute_result"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25942",
"datePublished": "2026-02-25T20:01:16.472Z",
"dateReserved": "2026-02-09T16:22:17.787Z",
"dateUpdated": "2026-02-26T20:47:09.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Phase: Architecture and Design
Strategy: Language Selection
Description:
- Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.