CWE-122
Heap-based Buffer Overflow
Description
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-92
CVEs mapped to this weakness (568)
page 15 of 29| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-9951 | Hig | 0.47 | — | 0.00 | Sep 9, 2025 | A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000. | ||
| CVE-2025-48797 | Hig | 0.47 | 7.3 | 0.00 | May 27, 2025 | A flaw was found in GIMP when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow. | ||
| CVE-2025-46333 | Hig | 0.47 | — | 0.00 | Apr 25, 2025 | z2d is a pure Zig 2D graphics library. Versions of z2d after `0.5.1` and up to and including `0.6.0`, when writing from one surface to another using `z2d.compositor.StrideCompositor.run`, and higher-level operations when the anti-aliasing mode is set to `.default` (such as… | ||
| CVE-2025-31344 | Hig | 0.47 | 7.3 | 0.00 | Apr 14, 2025 | Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C. This issue affects giflib: through 5.2.2. | ||
| CVE-2025-29069 | — | Hig | 0.47 | 7.3 | 0.00 | Apr 1, 2025 | A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations. NOTE: this is disputed by the Supplier because the finding… | |
| CVE-2026-45653 | Hig | 0.46 | 7.0 | 0.00 | Jun 9, 2026 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-41108 | Hig | 0.46 | 7.0 | 0.00 | Jun 9, 2026 | Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-48690 | Hig | 0.46 | 7.1 | 0.00 | May 26, 2026 | FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size +… | ||
| CVE-2026-32741 | Hig | 0.46 | 7.1 | 0.00 | May 19, 2026 | libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel… | ||
| CVE-2026-29004 | Hig | 0.46 | 8.1 | 0.00 | May 4, 2026 | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a… | ||
| CVE-2026-42477 | Hig | 0.46 | 7.1 | 0.00 | May 1, 2026 | A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file.… | ||
| CVE-2026-32623 | Hig | 0.46 | 8.1 | 0.01 | Apr 17, 2026 | xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual… | ||
| CVE-2026-32093 | Hig | 0.46 | 7.0 | 0.01 | Apr 14, 2026 | Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-32087 | Hig | 0.46 | 7.0 | 0.00 | Apr 14, 2026 | Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-32316 | Hig | 0.46 | 8.2 | 0.00 | Apr 13, 2026 | jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer… | ||
| CVE-2026-2646 | Hig | 0.46 | 8.1 | 0.00 | Mar 19, 2026 | A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to… | ||
| CVE-2025-30402 | Hig | 0.46 | 8.1 | 0.00 | Jul 11, 2025 | A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f | ||
| CVE-2023-33152 | Hig | 0.46 | 7.0 | 0.00 | Jul 11, 2023 | Microsoft ActiveX Remote Code Execution Vulnerability | ||
| CVE-2018-1165 | Hig | 0.46 | 7.0 | 0.01 | Feb 21, 2018 | This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.… | ||
| CVE-2016-1762 | Hig | 0.46 | 8.1 | 0.06 | Mar 24, 2016 | The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. |
- risk 0.47cvss —epss 0.00
A heap-buffer-overflow write exists in jpeg2000dec FFmpeg which allows an attacker to potentially gain remote code execution or cause denial of service via the channel definition cdef atom of JPEG2000.
- risk 0.47cvss 7.3epss 0.00
A flaw was found in GIMP when processing certain TGA image files. If a user opens one of these image files that has been specially crafted by an attacker, GIMP can be tricked into making serious memory errors, potentially leading to crashes and causing a heap buffer overflow.
- risk 0.47cvss —epss 0.00
z2d is a pure Zig 2D graphics library. Versions of z2d after `0.5.1` and up to and including `0.6.0`, when writing from one surface to another using `z2d.compositor.StrideCompositor.run`, and higher-level operations when the anti-aliasing mode is set to `.default` (such as…
- risk 0.47cvss 7.3epss 0.00
Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C. This issue affects giflib: through 5.2.2.
- risk 0.47cvss 7.3epss 0.00
A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations. NOTE: this is disputed by the Supplier because the finding…
- risk 0.46cvss 7.0epss 0.00
Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally.
- risk 0.46cvss 7.0epss 0.00
Heap-based buffer overflow in Microsoft Windows DNS allows an authorized attacker to elevate privileges locally.
- risk 0.46cvss 7.1epss 0.00
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size +…
- risk 0.46cvss 7.1epss 0.00
libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel…
- risk 0.46cvss 8.1epss 0.00
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a…
- risk 0.46cvss 7.1epss 0.00
A heap-based out-of-bounds read vulnerability in RWObj_Reader::read in the OBJ file parser in Open CASCADE Technology (OCCT) V8_0_0_rc5 allows user-assisted attackers to cause a denial of service or obtain sensitive information by persuading a victim to open a crafted OBJ file.…
- risk 0.46cvss 8.1epss 0.01
xrdp is an open source RDP server. Versions through 0.10.5 contain a heap-based buffer overflow vulnerability in the NeutrinoRDP module. When proxying RDP sessions from xrdp to another server, the module fails to properly validate the size of reassembled fragmented virtual…
- risk 0.46cvss 7.0epss 0.01
Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
- risk 0.46cvss 7.0epss 0.00
Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.
- risk 0.46cvss 8.2epss 0.00
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer…
- risk 0.46cvss 8.1epss 0.00
A heap-buffer-overflow vulnerability exists in wolfSSL's wolfSSL_d2i_SSL_SESSION() function. When deserializing session data with SESSION_CERTS enabled, certificate and session id lengths are read from an untrusted input without bounds validation, allowing an attacker to…
- risk 0.46cvss 8.1epss 0.00
A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f
- risk 0.46cvss 7.0epss 0.00
Microsoft ActiveX Remote Code Execution Vulnerability
- risk 0.46cvss 7.0epss 0.01
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.…
- risk 0.46cvss 8.1epss 0.06
The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.