Vulnerability Details :

CVE-2026-9539

Summary
Assigner: STAR_Labs
Assigner Org ID: b1571b85-cbc9-431f-830b-0c8155323a69
Published At: 24 Jun, 2026 | 04:37
Updated At: 24 Jun, 2026 | 12:39

libslirp TCP URG OOB Read Information Leak

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp versions before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory by sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).

Common Vulnerabilities and Exposures (CVE)
cve.org
CVE Numbering Authority (CNA)
Affected Products
Vendor: freedesktop.org
Product: libslirp
Repo: https://gitlab.freedesktop.org/slirp/libslirp/
Default Status: unaffected
Versions
Affected
  • From 0 before 4.9.2 (semver)
    • -> unaffected from 4.9.2
Problem Types
Type: CWE
CWE ID: CWE-125
Description: CWE-125 Out-of-bounds read
Metrics
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Impacts
CAPEC ID: CAPEC-131
Description: CAPEC-131 Resource Leak Exposure
Credits

Finder: Bruce Chen of STAR Labs SG Pte. Ltd.
Finder: Shi Weiming of STAR Labs SG Pte. Ltd.
References
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
Resource: issue-tracking
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84
Resource: patch
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.9.2
Resource: release-notes
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
Resource: exploit
National Vulnerability Database (NVD)
nvd.nist.gov
Source: info@starlabs.sg
Published At: 24 Jun, 2026 | 05:17
Updated At: 24 Jun, 2026 | 13:16

Metrics
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Weaknesses
CWE ID: CWE-125
Type: Secondary
Source: info@starlabs.sg
References
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84
Source: info@starlabs.sg
Resource: N/A
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.9.2
Source: info@starlabs.sg
Resource: N/A
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
Source: info@starlabs.sg
Resource: N/A
Hyperlink: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Similar CVEs

12 Records found

CVE-2025-21465
Matching Score: 4
Assigner: Qualcomm, Inc.
CVSS Score: 6.5 | MEDIUM
EPSS: 0.08% / 0.20%
7 Day CHG: ~0.00%
Published: 06 Aug, 2025 | 07:25
Updated: 28 Nov, 2025 | 16:25
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Out-of-bounds Read in Core

Information disclosure while processing the hash segment in an MBN file.

Action: Not Available
Vendor: Qualcomm Technologies, Inc.
CWE ID: CWE-125
Out-of-bounds Read
CVE-2025-21464
Matching Score: 4
Assigner: Qualcomm, Inc.
CVSS Score: 6.5 | MEDIUM
EPSS: 0.08% / 0.20%
7 Day CHG: ~0.00%
Published: 06 Aug, 2025 | 07:25
Updated: 28 Nov, 2025 | 16:24
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Out-of-bounds Read in Core

Information disclosure while reading data from an image using specified offset and size parameters.

Action: Not Available
Vendor: Qualcomm Technologies, Inc.
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-10756
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.51% / 39.75%
7 Day CHG~0.00%
Published-09 Jul, 2020 | 15:34
Updated-04 Aug, 2024 | 11:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1.

Action-Not Available
Vendor-libslirp_project; n/a; Canonical Ltd.; Red Hat, Inc.; openSUSE; Debian GNU/Linux
Product-ubuntu_linux; debian_linux; openstack; enterprise_linux; libslirp; leap; Slirp
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-21989
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 36.24%
7 Day CHG~0.00%
Published-24 May, 2021 | 11:43
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain an out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues, leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Action-Not Available
Vendor-n/a; VMware (Broadcom Inc.); Microsoft Corporation
Product-workstation; windows; horizon_client; VMware Workstation Pro / Player (Workstation), VMware Horizon Client for Windows
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-45329
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.12% / 1.96%
7 Day CHG~0.00%
Published-10 Jun, 2026 | 00:34
Updated-11 Jun, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ESP-IDF: Out-of-Bounds Read in ESP-TEE Secure Service Wrappers

ESP-IDF is the Espressif Internet of Things (IoT) Development Framework. In versions 5.5.4 and 6.0, several ESP-TEE secure-service wrappers in esp_secure_services.c and esp_secure_services_iram.c validated only some of the caller-supplied pointer arguments, leaving input pointer arguments unchecked. Because the underlying TEE-protected hardware peripherals (e.g., ECC, SHA, SPI) run in RISC-V machine mode (M-mode) with full address-space access, a caller could supply pointers into TEE-exclusive memory as inputs, causing the peripheral to read TEE memory and return results derived from it to the REE. Depending on the wrapper, the result contains raw bytes from TEE memory, a computed function of TEE memory recoverable through repeated calls, or a single bit per call that forms an oracle for incremental disclosure of TEE-resident sensitive data. This issue has been patched in versions 5.5.5 and 6.0.1.

Action-Not Available
Vendor-espressif
Product-esp-idf
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-4135
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6||MEDIUM
EPSS-0.41% / 32.83%
7 Day CHG~0.00%
Published-04 Aug, 2023 | 13:19
Updated-02 Aug, 2024 | 07:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Out-of-bounds read information disclosure vulnerability

A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.

Action-Not Available
Vendor-n/a; QEMU; Fedora Project; Red Hat, Inc.
Product-qemu; fedora; Extra Packages for Enterprise Linux; Red Hat Enterprise Linux 9; Red Hat Enterprise Linux 6; qemu-kvm; Red Hat Enterprise Linux 8 Advanced Virtualization; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 7; Fedora
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-32847
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.1||HIGH
EPSS-0.37% / 28.84%
7 Day CHG~0.00%
Published-20 Feb, 2023 | 00:00
Updated-10 Mar, 2025 | 21:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Moby HyperKit uninitialized memory use in virtio-sock pci_vtsock_proc_tx

HyperKit is a toolkit for embedding hypervisor capabilities in an application. In versions 0.20210107 and prior, a malicious guest can trigger a vulnerability in the host by abusing the disk driver that may lead to the disclosure of the host memory into the virtualized guest. This issue is fixed in commit cf60095a4d8c3cb2e182a14415467afd356e982f.

Action-Not Available
Vendor-mobyproject; moby
Product-hyperkit
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-20295
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.28% / 19.74%
7 Day CHG~0.00%
Published-01 Apr, 2022 | 22:17
Updated-03 Aug, 2024 | 17:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756.

Action-Not Available
Vendor-n/a; QEMU
Product-qemu; QEMU
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-27244
Matching Score-4
Assigner-Zero Day Initiative
CVSS Score-6.5||MEDIUM
EPSS-0.27% / 18.65%
7 Day CHG~0.00%
Published-29 Mar, 2021 | 21:05
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows local attackers to disclose sensitive information on affected installations of Parallels Desktop 16.0.1-48919. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The specific flaw exists within the Toolgate component. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. Was ZDI-CAN-11925.

Action-Not Available
Vendor-Parallels International Gmbh
Product-parallels_desktop; Desktop
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-21988
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.45% / 36.24%
7 Day CHG~0.00%
Published-24 May, 2021 | 11:35
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain an out-of-bounds read vulnerability in the Cortado ThinPrint component (JPEG2000 Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues, leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Action-Not Available
Vendor-n/a; VMware (Broadcom Inc.); Microsoft Corporation
Product-workstation; windows; horizon_client; VMware Workstation Pro / Player (Workstation), VMware Horizon Client for Windows
CWE ID-CWE-125
Out-of-bounds Read
CVE-2021-21987
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.56% / 42.46%
7 Day CHG~0.00%
Published-24 May, 2021 | 11:34
Updated-03 Aug, 2024 | 18:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware Workstation (16.x prior to 16.1.2) and Horizon Client for Windows (5.x prior to 5.5.2) contain an out-of-bounds read vulnerability in the Cortado ThinPrint component (TTC Parser). A malicious actor with access to a virtual machine or remote desktop may be able to exploit these issues, leading to information disclosure from the TPView process running on the system where Workstation or Horizon Client for Windows is installed.

Action-Not Available
Vendor-n/a; VMware (Broadcom Inc.); Microsoft Corporation
Product-workstation; windows; horizon_client; VMware Workstation Pro / Player (Workstation), VMware Horizon Client for Windows
CWE ID-CWE-125
Out-of-bounds Read
CVE-2020-3990
Matching Score-4
Assigner-VMware by Broadcom
CVSS Score-6.5||MEDIUM
EPSS-0.32% / 24.22%
7 Day CHG~0.00%
Published-16 Sep, 2020 | 16:17
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

VMware Workstation (15.x) and Horizon Client for Windows (5.x before 5.4.4) contain an information disclosure vulnerability due to an integer overflow issue in the Cortado ThinPrint component. A malicious actor with normal access to a virtual machine may be able to exploit this issue to leak memory from the TPView process running on the system where Workstation or Horizon Client for Windows is installed. Exploitation is only possible if virtual printing has been enabled. This feature is not enabled by default on Workstation, but it is enabled by default on Horizon Client.

Action-Not Available
Vendor-n/a; VMware (Broadcom Inc.)
Product-workstation_player; horizon_client; workstation_pro; VMware Workstation and Horizon Client for Windows
CWE ID-CWE-125
Out-of-bounds Read
CWE ID-CWE-190
Integer Overflow or Wraparound