Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-23456

Summary
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-03 Apr, 2026 | 15:15
Updated At-11 May, 2026 | 22:07
Rejected At-
Credits

netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Linux
Assigner Org ID:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:03 Apr, 2026 | 15:15
Updated At:11 May, 2026 | 22:07
Rejected At:
â–¼CVE Numbering Authority (CNA)
netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/netfilter/nf_conntrack_h323_asn1.c
Default Status
unaffected
Versions
Affected
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before a2cd54b9348e485d338b3c132338a4410c99afaf (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before c95dc674ebf01ecfb40388b6facfc89b81fed3b7 (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before 41b417ff73a24b2c68134992cc44c88db27f482d (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before 52235bf88159a1ef16434ab49e47e99c8a09ab20 (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before 774a434f8c9c8602a976b2536f65d0172a07f4d2 (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before 6bce72daeccca9aa1746e92d6c3d4784e71f2ebb (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before fb6c3596823ec5dd09c2123340330d7448f51a59 (git)
  • From 5e35941d990123f155b02d5663e51a24f816b6f3 before 1e3a3593162c96e8a8de48b1e14f60c3b57fca8a (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • net/netfilter/nf_conntrack_h323_asn1.c
Default Status
affected
Versions
Affected
  • 2.6.17
Unaffected
  • From 0 before 2.6.17 (semver)
  • From 5.10.253 through 5.10.* (semver)
  • From 5.15.203 through 5.15.* (semver)
  • From 6.1.167 through 6.1.* (semver)
  • From 6.6.130 through 6.6.* (semver)
  • From 6.12.78 through 6.12.* (semver)
  • From 6.18.20 through 6.18.* (semver)
  • From 6.19.10 through 6.19.* (semver)
  • From 7.0 through * (original_commit_for_fix)
Metrics
VersionBase scoreBase severityVector
3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf
N/A
https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7
N/A
https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d
N/A
https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20
N/A
https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2
N/A
https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb
N/A
https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59
N/A
https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a
N/A
Hyperlink: https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a
Resource: N/A
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:03 Apr, 2026 | 16:16
Updated At:26 May, 2026 | 14:41

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_int() CONS case In decode_int(), the CONS case calls get_bits(bs, 2) to read a length value, then calls get_uint(bs, len) without checking that len bytes remain in the buffer. The existing boundary check only validates the 2 bits for get_bits(), not the subsequent 1-4 bytes that get_uint() reads. This allows a malformed H.323/RAS packet to cause a 1-4 byte slab-out-of-bounds read. Add a boundary check for len bytes after get_bits() and before get_uint().

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
CPE Matches

Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 2.6.17(inclusive) to 5.10.253(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 5.11(inclusive) to 5.15.203(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 5.16(inclusive) to 6.1.167(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 6.2(inclusive) to 6.6.130(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 6.7(inclusive) to 6.12.78(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 6.13(inclusive) to 6.18.20(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>Versions from 6.19(inclusive) to 6.19.10(exclusive)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>7.0
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>7.0
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>7.0
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
Linux Kernel Organization, Inc
linux
>>linux_kernel>>7.0
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-125Primarynvd@nist.gov
CWE ID: CWE-125
Type: Primary
Source: nvd@nist.gov
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59416baaa9-dc9f-4396-8d5f-8c081fb06d67
Patch
Hyperlink: https://git.kernel.org/stable/c/1e3a3593162c96e8a8de48b1e14f60c3b57fca8a
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/41b417ff73a24b2c68134992cc44c88db27f482d
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/52235bf88159a1ef16434ab49e47e99c8a09ab20
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/6bce72daeccca9aa1746e92d6c3d4784e71f2ebb
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/774a434f8c9c8602a976b2536f65d0172a07f4d2
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/a2cd54b9348e485d338b3c132338a4410c99afaf
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/c95dc674ebf01ecfb40388b6facfc89b81fed3b7
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch
Hyperlink: https://git.kernel.org/stable/c/fb6c3596823ec5dd09c2123340330d7448f51a59
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource:
Patch

Change History

0
Information is not available yet

Similar CVEs

794Records found

CVE-2026-43233
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.46% / 36.86%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 11:28
Updated-12 May, 2026 | 19:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack_h323: fix OOB read in decode_choice() In decode_choice(), the boundary check before get_len() uses the variable `len`, which is still 0 from its initialization at the top of the function: unsigned int type, ext, len = 0; ... if (ext || (son->attr & OPEN)) { BYTE_ALIGN(bs); if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */ return H323_ERROR_BOUND; len = get_len(bs); /* OOB read */ When the bitstream is exactly consumed (bs->cur == bs->end), the check nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end), which is false. The subsequent get_len() call then dereferences *bs->cur++, reading 1 byte past the end of the buffer. If that byte has bit 7 set, get_len() reads a second byte as well. This can be triggered remotely by sending a crafted Q.931 SETUP message with a User-User Information Element containing exactly 2 bytes of PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with the nf_conntrack_h323 helper active. The decoder fully consumes the PER buffer before reaching this code path, resulting in a 1-2 byte heap-buffer-overflow read confirmed by AddressSanitizer. Fix this by checking for 2 bytes (the maximum that get_len() may read) instead of the uninitialized `len`. This matches the pattern used at every other get_len() call site in the same file, where the caller checks for 2 bytes of available data before calling get_len().

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-43190
Matching Score-10
Assigner-kernel.org
ShareView Details
Matching Score-10
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.46% / 36.86%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 11:27
Updated-11 May, 2026 | 22:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netfilter: xt_tcpmss: check remaining length before reading optlen

In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_tcpmss: check remaining length before reading optlen Quoting reporter: In net/netfilter/xt_tcpmss.c (lines 53-68), the TCP option parser reads op[i+1] directly without validating the remaining option length. If the last byte of the option field is not EOL/NOP (0/1), the code attempts to index op[i+1]. In the case where i + 1 == optlen, this causes an out-of-bounds read, accessing memory past the optlen boundary (either reading beyond the stack buffer _opt or the following payload).

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2019-19770
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-8.2||HIGH
EPSS-2.45% / 82.37%
||
7 Day CHG~0.00%
Published-12 Dec, 2019 | 19:39
Updated-05 Aug, 2024 | 02:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In the Linux kernel 4.19.83, there is a use-after-free (read) in the debugfs_remove function in fs/debugfs/inode.c (which is used to remove a file or directory in debugfs that was previously created with a call to another debugfs function such as debugfs_create_file). NOTE: Linux kernel developers dispute this issue as not being an issue with debugfs, instead this is an issue with misuse of debugfs within blktrace

Action-Not Available
Vendor-n/aLinux Kernel Organization, Inc
Product-linux_kerneln/a
CWE ID-CWE-416
Use After Free
CVE-2026-53268
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.36% / 28.39%
||
7 Day CHG+0.19%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netfilter: conntrack_irc: fix possible out-of-bounds read

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack_irc: fix possible out-of-bounds read When parsing fails after we've matched the command string we should bail out instead of trying to match a different command. This helper should be deprecated, given prevalence of TLS I doubt it has any relevance in 2026.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-46037
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.43% / 34.77%
||
7 Day CHG~0.00%
Published-27 May, 2026 | 12:56
Updated-16 Jun, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ipv4: icmp: validate reply type before using icmp_pointers

In the Linux kernel, the following vulnerability has been resolved: ipv4: icmp: validate reply type before using icmp_pointers Extended echo replies use ICMP_EXT_ECHOREPLY as the outbound reply type. That value is outside the range covered by icmp_pointers[], which only describes the traditional ICMP types up to NR_ICMP_TYPES. Avoid consulting icmp_pointers[] for reply types outside that range, and use array_index_nospec() for the remaining in-range lookup. Normal ICMP replies keep their existing behavior unchanged.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CVE-2026-43452
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.44% / 35.54%
||
7 Day CHG~0.00%
Published-08 May, 2026 | 14:22
Updated-21 May, 2026 | 16:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
netfilter: x_tables: guard option walkers against 1-byte tail reads

In the Linux kernel, the following vulnerability has been resolved: netfilter: x_tables: guard option walkers against 1-byte tail reads When the last byte of options is a non-single-byte option kind, walkers that advance with i += op[i + 1] ? : 1 can read op[i + 1] past the end of the option area. Add an explicit i == optlen - 1 check before dereferencing op[i + 1] in xt_tcpudp and xt_dccp option walkers.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CVE-2022-1012
Matching Score-8
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-8
Assigner-Red Hat, Inc.
CVSS Score-8.2||HIGH
EPSS-2.97% / 85.58%
||
7 Day CHG~0.00%
Published-05 Aug, 2022 | 00:00
Updated-02 Aug, 2024 | 23:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of service problem.

Action-Not Available
Vendor-n/aLinux Kernel Organization, Inc
Product-linux_kernelKernel
CWE ID-CWE-401
Missing Release of Memory after Effective Lifetime
CVE-2026-31631
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.2||HIGH
EPSS-0.39% / 30.53%
||
7 Day CHG~0.00%
Published-24 Apr, 2026 | 14:44
Updated-11 May, 2026 | 22:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()

In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() Fix rxgk_do_verify_authenticator() to check the buffer size before checking the nonce.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-787
Out-of-bounds Write
CVE-2023-25926
Matching Score-8
Assigner-IBM Corporation
ShareView Details
Matching Score-8
Assigner-IBM Corporation
CVSS Score-5.5||MEDIUM
EPSS-1.38% / 68.78%
||
7 Day CHG~0.00%
Published-29 Feb, 2024 | 00:27
Updated-13 Dec, 2024 | 20:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
IBM Security Guardium Key Lifecycle Manager XML external entity injection

IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 247599.

Action-Not Available
Vendor-IBM CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-aixsecurity_guardium_key_lifecycle_managerwindowslinux_kernelSecurity Guardium Key Lifecycle Manager
CWE ID-CWE-611
Improper Restriction of XML External Entity Reference
CVE-2026-8578
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-3.1||LOW
EPSS-0.16% / 5.13%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 19:52
Updated-21 May, 2026 | 17:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Linux Kernel Organization, IncGoogle LLC
Product-linux_kernelchromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-42264
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.04%
||
7 Day CHG~0.00%
Published-17 Aug, 2024 | 08:54
Updated-11 May, 2026 | 20:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
drm/v3d: Prevent out of bounds access in performance query extensions

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Prevent out of bounds access in performance query extensions Check that the number of perfmons userspace is passing in the copy and reset extensions is not greater than the internal kernel storage where the ids will be copied into. (cherry picked from commit f32b5128d2c440368b5bf3a7a356823e235caabb)

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-9113
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.17%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:12
Updated-21 May, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationLinux Kernel Organization, IncApple Inc.Google LLC
Product-linux_kernelwindowsmacoschromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-9121
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-0.33% / 24.92%
||
7 Day CHG~0.00%
Published-20 May, 2026 | 19:12
Updated-21 May, 2026 | 16:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in GPU in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Microsoft CorporationLinux Kernel Organization, IncApple Inc.Google LLC
Product-linux_kernelwindowsmacoschromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2024-38599
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.24% / 15.54%
||
7 Day CHG~0.00%
Published-19 Jun, 2024 | 13:45
Updated-12 May, 2026 | 12:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jffs2: prevent xattr node from overflowing the eraseblock

In the Linux kernel, the following vulnerability has been resolved: jffs2: prevent xattr node from overflowing the eraseblock Add a check to make sure that the requested xattr node size is no larger than the eraseblock minus the cleanmarker. Unlike the usual inode nodes, the xattr nodes aren't split into parts and spread across multiple eraseblocks, which means that a xattr node must not occupy more than one eraseblock. If the requested xattr value is too large, the xattr node can spill onto the next eraseblock, overwriting the nodes and causing errors such as: jffs2: argh. node added in wrong place at 0x0000b050(2) jffs2: nextblock 0x0000a000, expected at 0000b00c jffs2: error: (823) do_verify_xattr_datum: node CRC failed at 0x01e050, read=0xfc892c93, calc=0x000000 jffs2: notice: (823) jffs2_get_inode_nodes: Node header CRC failed at 0x01e00c. {848f,2fc4,0fef511f,59a3d171} jffs2: Node at 0x0000000c with length 0x00001044 would run over the end of the erase block jffs2: Perhaps the file system was created with the wrong erase size? jffs2: jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x00000010: 0x1044 instead This breaks the filesystem and can lead to KASAN crashes such as: BUG: KASAN: slab-out-of-bounds in jffs2_sum_add_kvec+0x125e/0x15d0 Read of size 4 at addr ffff88802c31e914 by task repro/830 CPU: 0 PID: 830 Comm: repro Not tainted 6.9.0-rc3+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xc6/0x120 print_report+0xc4/0x620 ? __virt_addr_valid+0x308/0x5b0 kasan_report+0xc1/0xf0 ? jffs2_sum_add_kvec+0x125e/0x15d0 ? jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_sum_add_kvec+0x125e/0x15d0 jffs2_flash_direct_writev+0xa8/0xd0 jffs2_flash_writev+0x9c9/0xef0 ? __x64_sys_setxattr+0xc4/0x160 ? do_syscall_64+0x69/0x140 ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Action-Not Available
Vendor-Siemens AGLinux Kernel Organization, Inc
Product-linux_kernelLinuxSIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-9953
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 15.92%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 22:25
Updated-01 Jun, 2026 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in ANGLE in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationLinux Kernel Organization, IncApple Inc.Google LLC
Product-linux_kernelwindowsmacoschromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23340
Matching Score-6
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-6
Assigner-NVIDIA Corporation
CVSS Score-3.3||LOW
EPSS-0.17% / 6.25%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 13:13
Updated-03 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.

Action-Not Available
Vendor-NVIDIA CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-cuda_toolkitlinux_kernelwindowsNVIDIA CUDA Toolkit
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23334
Matching Score-6
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-6
Assigner-NVIDIA Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.73% / 49.60%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 12:43
Updated-12 Aug, 2025 | 16:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by sending a request. A successful exploit of this vulnerability might lead to information disclosure.

Action-Not Available
Vendor-NVIDIA CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-triton_inference_serverwindowslinux_kernelTriton Inference Server
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-53224
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-9.1||CRITICAL
EPSS-0.55% / 41.84%
||
7 Day CHG+0.34%
Published-25 Jun, 2026 | 08:39
Updated-02 Jul, 2026 | 20:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
sctp: validate embedded INIT chunk and address list lengths in cookie

In the Linux kernel, the following vulnerability has been resolved: sctp: validate embedded INIT chunk and address list lengths in cookie sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads. In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads. Fix this by: - requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk); - validating that the INIT chunk and raw address list together fit within the cookie payload; - verifying sufficient data exists for each address parameter header and payload before parsing it. Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23333
Matching Score-6
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-6
Assigner-NVIDIA Corporation
CVSS Score-5.9||MEDIUM
EPSS-0.44% / 35.34%
||
7 Day CHG~0.00%
Published-06 Aug, 2025 | 12:42
Updated-12 Aug, 2025 | 16:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by manipulating shared memory data. A successful exploit of this vulnerability might lead to information disclosure.

Action-Not Available
Vendor-NVIDIA CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-triton_inference_serverwindowslinux_kernelTriton Inference Server
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7354
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-0.26% / 17.77%
||
7 Day CHG~0.00%
Published-28 Apr, 2026 | 22:35
Updated-30 Apr, 2026 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read and write in Angle in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-7899
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-0.30% / 21.36%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-07 May, 2026 | 03:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read and write in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-7902
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-0.34% / 26.40%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-10 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds memory access in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Apple Inc.Google LLCLinux Kernel Organization, IncMicrosoft Corporation
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-7904
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.22%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-06 May, 2026 | 23:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Fonts in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7933
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.56%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-06 May, 2026 | 23:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7949
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-3.1||LOW
EPSS-0.18% / 7.61%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-07 May, 2026 | 02:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Skia in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7950
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-5.4||MEDIUM
EPSS-0.17% / 6.79%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:12
Updated-07 May, 2026 | 02:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read and write in GFX in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform arbitrary read/write via malicious network traffic. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-7981
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.1||HIGH
EPSS-0.20% / 10.30%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:13
Updated-07 May, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Codecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Google LLCLinux Kernel Organization, IncMicrosoft Corporation
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7983
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-4.3||MEDIUM
EPSS-0.19% / 9.22%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:13
Updated-06 May, 2026 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-7995
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-8.8||HIGH
EPSS-0.22% / 12.80%
||
7 Day CHG~0.00%
Published-06 May, 2026 | 18:13
Updated-07 May, 2026 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in AdFilter in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

Action-Not Available
Vendor-Apple Inc.Microsoft CorporationGoogle LLCLinux Kernel Organization, Inc
Product-chromewindowslinux_kernelmacosChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23271
Matching Score-6
Assigner-NVIDIA Corporation
ShareView Details
Matching Score-6
Assigner-NVIDIA Corporation
CVSS Score-3.3||LOW
EPSS-0.17% / 6.25%
||
7 Day CHG~0.00%
Published-24 Sep, 2025 | 13:11
Updated-03 Nov, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

NVIDIA CUDA Toolkit for all platforms contains a vulnerability in the nvdisasm binary where a user may cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability may lead to a partial denial of service.

Action-Not Available
Vendor-NVIDIA CorporationLinux Kernel Organization, IncMicrosoft Corporation
Product-cuda_toolkitlinux_kernelwindowsNVIDIA CUDA Toolkit
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23156
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.18% / 7.67%
||
7 Day CHG+0.01%
Published-01 May, 2025 | 12:55
Updated-11 May, 2026 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
media: venus: hfi_parser: refactor hfi packet parsing logic

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: refactor hfi packet parsing logic words_count denotes the number of words in total payload, while data points to payload of various property within it. When words_count reaches last word, data can access memory beyond the total payload. This can lead to OOB access. With this patch, the utility api for handling individual properties now returns the size of data consumed. Accordingly remaining bytes are calculated before parsing the payload, thereby eliminates the OOB access possibilities.

Action-Not Available
Vendor-Debian GNU/LinuxLinux Kernel Organization, Inc
Product-debian_linuxlinux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-8535
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
ShareView Details
Matching Score-6
Assigner-Android (associated with Google Inc. or Open Handset Alliance)
CVSS Score-5.3||MEDIUM
EPSS-0.19% / 8.74%
||
7 Day CHG~0.00%
Published-14 May, 2026 | 19:52
Updated-19 May, 2026 | 16:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted JPEG file. (Chromium security severity: High)

Action-Not Available
Vendor-Linux Kernel Organization, IncGoogle LLC
Product-linux_kernelchrome_oschromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-23157
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.18% / 7.67%
||
7 Day CHG+0.01%
Published-01 May, 2025 | 12:55
Updated-11 May, 2026 | 21:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
media: venus: hfi_parser: add check to avoid out of bound access

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi_parser: add check to avoid out of bound access There is a possibility that init_codecs is invoked multiple times during manipulated payload from video firmware. In such case, if codecs_count can get incremented to value more than MAX_CODEC_NUM, there can be OOB access. Reset the count so that it always starts from beginning.

Action-Not Available
Vendor-Debian GNU/LinuxLinux Kernel Organization, Inc
Product-debian_linuxlinux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-22118
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.14% / 3.88%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 14:13
Updated-11 May, 2026 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ice: validate queue quanta parameters to prevent OOB access

In the Linux kernel, the following vulnerability has been resolved: ice: validate queue quanta parameters to prevent OOB access Add queue wraparound prevention in quanta configuration. Ensure end_qid does not overflow by validating start_qid and num_queues.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21782
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.24% / 15.30%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 02:18
Updated-11 May, 2026 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
orangefs: fix a oob in orangefs_debug_write

In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21789
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.01%
||
7 Day CHG+0.01%
Published-27 Feb, 2025 | 02:18
Updated-11 May, 2026 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LoongArch: csum: Fix OoB access in IP checksum code for negative lengths

In the Linux kernel, the following vulnerability has been resolved: LoongArch: csum: Fix OoB access in IP checksum code for negative lengths Commit 69e3a6aa6be2 ("LoongArch: Add checksum optimization for 64-bit system") would cause an undefined shift and an out-of-bounds read. Commit 8bd795fedb84 ("arm64: csum: Fix OoB access in IP checksum code for negative lengths") fixes the same issue on ARM64.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21742
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.21% / 11.00%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 02:12
Updated-11 May, 2026 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
usbnet: ipheth: use static NDP16 location in URB

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. This, along with NCM-specific minimal URB length check that already exists, will ensure that the fixed-length part of NDP16 plus a set amount of DPEs fit within the URB. Note that this commit alone does not fully address the OoB read. The limit on the amount of DPEs needs to be enforced separately.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21815
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.18% / 8.16%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 20:04
Updated-11 May, 2026 | 21:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
mm/compaction: fix UBSAN shift-out-of-bounds warning

In the Linux kernel, the following vulnerability has been resolved: mm/compaction: fix UBSAN shift-out-of-bounds warning syzkaller reported a UBSAN shift-out-of-bounds warning of (1UL << order) in isolate_freepages_block(). The bogus compound_order can be any value because it is union with flags. Add back the MAX_PAGE_ORDER check to fix the warning.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21743
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.20% / 10.47%
||
7 Day CHG+0.01%
Published-27 Feb, 2025 | 02:12
Updated-11 May, 2026 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
usbnet: ipheth: fix possible overflow in DPE length check

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21687
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.8||HIGH
EPSS-0.22% / 12.36%
||
7 Day CHG-0.00%
Published-10 Feb, 2025 | 15:58
Updated-11 May, 2026 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
vfio/platform: check the bounds of read/write syscalls

In the Linux kernel, the following vulnerability has been resolved: vfio/platform: check the bounds of read/write syscalls count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-787
Out-of-bounds Write
CVE-2025-21741
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.21% / 11.00%
||
7 Day CHG~0.00%
Published-27 Feb, 2025 | 02:12
Updated-11 May, 2026 | 21:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
usbnet: ipheth: fix DPE OoB read

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-22112
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.17% / 6.38%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 14:12
Updated-23 May, 2026 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eth: bnxt: fix out-of-range access of vnic_info array

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: fix out-of-range access of vnic_info array The bnxt_queue_{start | stop}() access vnic_info as much as allocated, which indicates bp->nr_vnics. So, it should not reach bp->vnic_info[bp->nr_vnics].

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21946
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.19% / 9.40%
||
7 Day CHG+0.01%
Published-01 Apr, 2025 | 15:41
Updated-11 May, 2026 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ksmbd: fix out-of-bounds in parse_sec_desc()

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bounds in parse_sec_desc() If osidoffset, gsidoffset and dacloffset could be greater than smb_ntsd struct size. If it is smaller, It could cause slab-out-of-bounds. And when validating sid, It need to check it included subauth array size.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21905
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.21% / 10.89%
||
7 Day CHG+0.01%
Published-01 Apr, 2025 | 15:40
Updated-11 May, 2026 | 21:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wifi: iwlwifi: limit printed string from FW file

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: limit printed string from FW file There's no guarantee here that the file is always with a NUL-termination, so reading the string may read beyond the end of the TLV. If that's the last TLV in the file, it can perhaps even read beyond the end of the file buffer. Fix that by limiting the print format to the size of the buffer we have.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-22121
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.16% / 5.11%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 14:13
Updated-11 May, 2026 | 21:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21794
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.22% / 12.32%
||
7 Day CHG+0.01%
Published-27 Feb, 2025 | 02:18
Updated-11 May, 2026 | 21:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints()

In the Linux kernel, the following vulnerability has been resolved: HID: hid-thrustmaster: fix stack-out-of-bounds read in usb_check_int_endpoints() Syzbot[1] has detected a stack-out-of-bounds read of the ep_addr array from hid-thrustmaster driver. This array is passed to usb_check_int_endpoints function from usb.c core driver, which executes a for loop that iterates over the elements of the passed array. Not finding a null element at the end of the array, it tries to read the next, non-existent element, crashing the kernel. To fix this, a 0 element was added at the end of the array to break the for loop. [1] https://syzkaller.appspot.com/bug?extid=9c9179ac46169c56c1ad

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-21993
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.19% / 8.61%
||
7 Day CHG~0.00%
Published-02 Apr, 2025 | 12:53
Updated-11 May, 2026 | 21:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()

In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2025-22039
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.24% / 15.31%
||
7 Day CHG~0.00%
Published-16 Apr, 2025 | 14:11
Updated-11 May, 2026 | 21:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ksmbd: fix overflow in dacloffset bounds check

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access to the DACL.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-190
Integer Overflow or Wraparound
CVE-2026-6308
Matching Score-6
Assigner-Chrome
ShareView Details
Matching Score-6
Assigner-Chrome
CVSS Score-7.5||HIGH
EPSS-0.29% / 21.02%
||
7 Day CHG~0.00%
Published-15 Apr, 2026 | 19:04
Updated-26 May, 2026 | 19:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)

Action-Not Available
Vendor-Microsoft CorporationLinux Kernel Organization, IncGoogle LLCApple Inc.
Product-linux_kernelwindowsmacoschromeChrome
CWE ID-CWE-125
Out-of-bounds Read
CVE-2022-49163
Matching Score-6
Assigner-kernel.org
ShareView Details
Matching Score-6
Assigner-kernel.org
CVSS Score-7.1||HIGH
EPSS-0.25% / 16.42%
||
7 Day CHG+0.01%
Published-26 Feb, 2025 | 01:55
Updated-11 May, 2026 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
media: imx-jpeg: fix a bug of accessing array out of bounds

In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: fix a bug of accessing array out of bounds When error occurs in parsing jpeg, the slot isn't acquired yet, it may be the default value MXC_MAX_SLOTS. If the driver access the slot using the incorrect slot number, it will access array out of bounds. The result is the driver will change num_domains, which follows slot_data in struct mxc_jpeg_dev. Then the driver won't detach the pm domain at rmmod, which will lead to kernel panic when trying to insmod again.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 15
  • 16
  • Next
Details not found