VYPR

CWE-122

Heap-based Buffer Overflow

Abstraction: Variant | Status: Draft | Likelihood of exploit: High

Description

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
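To make the definition concrete, the C program below (an added example, not code from CWE or from any product listed on this page) reassembles fragments into a fixed-size heap buffer. The unchecked routine trusts the caller's length and appends past the allocation; the hardened one bounds every append by what is left. The names, the MAX_LEN limit and the two sample fragments are all hypothetical. So that the overflow is observable instead of undefined behaviour, the program places a guard region after the logical buffer inside the same malloc'ed block and counts how many guard bytes each routine overwrote.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEN    16       /* hypothetical maximum size of the reassembled object */
#define GUARD_LEN  16       /* bytes placed after the buffer to make an overflow visible */
#define GUARD_BYTE 0xA5

struct reasm {
    uint8_t *buf;           /* MAX_LEN logical bytes followed by GUARD_LEN guard bytes */
    size_t len;             /* bytes written so far */
};

/* One allocation holds both the logical buffer and the guard region, so an overflow
 * of the logical buffer lands in memory this program owns and can inspect, rather
 * than in a neighbouring heap chunk. */
static int reasm_init(struct reasm *r)
{
    r->buf = malloc(MAX_LEN + GUARD_LEN);
    if (!r->buf) return -1;
    memset(r->buf, 0, MAX_LEN);
    memset(r->buf + MAX_LEN, GUARD_BYTE, GUARD_LEN);
    r->len = 0;
    return 0;
}

/* VULNERABLE: appends a fragment without checking that it fits in MAX_LEN. */
static int append_unchecked(struct reasm *r, const uint8_t *frag, size_t n)
{
    memcpy(r->buf + r->len, frag, n);   /* writes past MAX_LEN once len + n > MAX_LEN */
    r->len += n;
    return 0;
}

/* HARDENED: rejects any fragment that would exceed MAX_LEN. The test is written as a
 * subtraction so an attacker-controlled n cannot wrap the sum len + n; len itself
 * never exceeds MAX_LEN here, so the subtraction cannot underflow. */
static int append_checked(struct reasm *r, const uint8_t *frag, size_t n)
{
    if (n > MAX_LEN - r->len) return -1;
    memcpy(r->buf + r->len, frag, n);
    r->len += n;
    return 0;
}

/* Number of guard bytes that no longer hold GUARD_BYTE (0 means no overflow). */
static size_t guard_damage(const struct reasm *r)
{
    size_t d = 0;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (r->buf[MAX_LEN + i] != GUARD_BYTE) d++;
    return d;
}

/* Feeds two constructed 10-byte fragments (20 bytes total, 4 more than MAX_LEN) to
 * one append routine and reports how many guard bytes it clobbered. */
static size_t run_fragments(int (*append)(struct reasm *, const uint8_t *, size_t))
{
    uint8_t frag1[10], frag2[10];
    memset(frag1, 'A', sizeof frag1);
    memset(frag2, 'B', sizeof frag2);

    struct reasm r;
    if (reasm_init(&r) != 0) return (size_t)-1;
    append(&r, frag1, sizeof frag1);    /* 10 bytes: fits */
    append(&r, frag2, sizeof frag2);    /* 10 more: total 20, exceeds MAX_LEN by 4 */
    size_t d = guard_damage(&r);
    free(r.buf);
    return d;
}

int main(void)
{
    printf("unchecked append clobbered %zu guard bytes\n", run_fragments(append_unchecked));
    printf("checked append clobbered %zu guard bytes\n", run_fragments(append_checked));
    return 0;
}
```

In a real heap the clobbered bytes would belong to the next chunk's header or payload, which is what turns an overflow like this from a crash into a primitive an attacker can build on. Running it under AddressSanitizer (`-fsanitize=address`) with the guard region removed would report the same write as a heap-buffer-overflow.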

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-92: Forced Integer Overflow
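CAPEC-92 reaches CWE-122 when an attacker-controlled length is pushed through arithmetic that wraps or truncates before it reaches the allocator, so the buffer ends up smaller than the data later copied into it. The C program below is an added example, not code from CAPEC, CWE or any product on this page; the wire format (one byte of record count followed by fixed-size records), the function names and the sample message are all hypothetical. parse_naive truncates the byte total into an 8-bit variable and then copies the full amount, while parse_checked computes the total once in size_t using __builtin_mul_overflow (a GCC/Clang builtin) and also confirms that the declared size fits the bytes actually received. As in any safe demonstration, the naive copy lands in a guard-filled arena the program owns rather than in a neighbouring heap chunk, and the function reports how many bytes spilled past the undersized allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example: one byte holding a record
 * count, followed by that many records of REC_SIZE bytes each. */
#define REC_SIZE   4
#define ARENA_SIZE 1024      /* backing store so the overflow stays in memory we own */
#define GUARD_BYTE 0xA5

struct msg {
    const uint8_t *data;
    size_t len;
};

/* VULNERABLE: count * REC_SIZE is evaluated as int (260 for count 65) and then
 * truncated to 8 bits, so the "allocation" is 4 bytes while 260 bytes are copied.
 * Returns the number of bytes written past the undersized allocation, measured
 * with a guard pattern, or (size_t)-1 if the message has no header byte. */
static size_t parse_naive(const struct msg *m)
{
    if (m->len < 1) return (size_t)-1;
    uint8_t count = m->data[0];
    uint8_t total = (uint8_t)(count * REC_SIZE);       /* truncation: 260 -> 4 */

    uint8_t *arena = malloc(ARENA_SIZE);
    if (!arena) return (size_t)-1;
    memset(arena, GUARD_BYTE, ARENA_SIZE);
    uint8_t *buf = arena;                              /* stands in for malloc(total) */

    /* The copy length is computed a second time, without the truncation, and nothing
     * confirms that the message really carries that many bytes. */
    memcpy(buf, m->data + 1, (size_t)count * REC_SIZE);

    size_t spilled = 0;
    for (size_t i = total; i < ARENA_SIZE; i++)
        if (arena[i] != GUARD_BYTE) spilled++;
    free(arena);
    return spilled;
}

/* HARDENED: the size is computed once in size_t with overflow detection, the declared
 * size is checked against what was received, and the allocation is sized from that
 * same value. Returns 0 and hands back the records on success, -1 on rejection. */
static int parse_checked(const struct msg *m, uint8_t **out, size_t *out_len)
{
    if (m->len < 1) return -1;
    size_t count = m->data[0];
    size_t total;
    if (__builtin_mul_overflow(count, (size_t)REC_SIZE, &total)) return -1;
    if (total > m->len - 1) return -1;                 /* declared size exceeds received bytes */
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf) return -1;
    memcpy(buf, m->data + 1, total);
    *out = buf;
    *out_len = total;
    return 0;
}

/* Builds the constructed sample: header byte = count, then count records of 'R'.
 * Returns the message length, or 0 if it does not fit in cap. */
static size_t build_sample(uint8_t *out, size_t cap, uint8_t count)
{
    size_t need = 1 + (size_t)count * REC_SIZE;
    if (cap < need) return 0;
    out[0] = count;
    memset(out + 1, 'R', need - 1);
    return need;
}

/* Scenario 1: count 65 means 260 record bytes; the naive parser spills 256 of them. */
static size_t demo_naive_spill(void)
{
    uint8_t raw[512];
    struct msg m = { raw, build_sample(raw, sizeof raw, 65) };
    return parse_naive(&m);
}

/* Scenario 2: the checked parser accepts the same message and returns 260 bytes. */
static long demo_checked_accepts(void)
{
    uint8_t raw[512], *rec;
    size_t n;
    struct msg m = { raw, build_sample(raw, sizeof raw, 65) };
    if (parse_checked(&m, &rec, &n) != 0) return -1;
    free(rec);
    return (long)n;
}

/* Scenario 3: same header, but only 100 payload bytes were actually received; the
 * checked parser rejects it rather than reading past the end of the message. */
static int demo_checked_rejects_short(void)
{
    uint8_t raw[512], *rec;
    size_t n;
    build_sample(raw, sizeof raw, 65);
    struct msg m = { raw, 1 + 100 };
    return parse_checked(&m, &rec, &n);
}

int main(void)
{
    printf("naive parser spilled %zu bytes past its allocation\n", demo_naive_spill());
    printf("checked parser returned %ld record bytes\n", demo_checked_accepts());
    printf("checked parser on truncated message: %d\n", demo_checked_rejects_short());
    return 0;
}
```

The two defects in parse_naive are independent: the narrow total undersizes the allocation, and the missing comparison against m->len lets a short message drive an out-of-bounds read. Fixing only one of them leaves a heap bug; parse_checked derives every later operation from the single validated size_t value.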

CVEs mapped to this weakness (568)

page 7 of 29
  • CVE-2026-48131 | High | May 26, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.03

    The VPN service may mishandle an unexpected IKE fragment value received on the IKE port 500/UDP during the early stage of a connection attempt. This can cause the service to terminate unexpectedly, resulting in denial of service (temporary disruption of VPN-related…

  • CVE-2026-9256 | High | May 22, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.04

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a…

  • CVE-2026-45584 | High | May 20, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.

  • CVE-2026-8711 | High | May 19, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker…

  • CVE-2026-42945 | High | May 13, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.61

    NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1,…

  • CVE-2026-42512 | High | Apr 30, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet…

  • CVE-2026-35547 | High | Apr 30, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an…

  • CVE-2026-22828 | High | Apr 14, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation…

  • CVE-2026-23750 | High | Feb 26, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.00

    Golioth Pouch version 0.1.0, prior to commit 1b2219a1, contains a heap-based buffer overflow in BLE GATT server certificate handling. server_cert_write() allocates a heap buffer of size CONFIG_POUCH_SERVER_CERT_MAX_LEN when receiving the first fragment, then appends subsequent…

  • CVE-2025-25249 | High | Jan 13, 2026
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5…

  • CVE-2025-61553 | High | Oct 16, 2025
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    An out-of-bounds write in VirtIO network device emulation in BitVisor from commit 108df6 (2020-05-20) to commit 480907 (2025-07-06) allows local attackers to cause a denial of service (host hypervisor crash) via a crafted PCI configuration space access. Given it's a heap…

  • CVE-2025-1943 | High | Mar 4, 2025
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136 and…

  • CVE-2023-31276 | High | Feb 12, 2025
    risk 0.53 | CVSS 8.2 | EPSS 0.00

    Heap-based buffer overflow in BMC Firmware for the Intel(R) Server Board S2600WF, Intel(R) Server Board S2600ST, Intel(R) Server Board S2600BP, before version 02.01.0017 and Intel(R) Server Board M50CYP and Intel(R) Server Board D50TNP before version R01.01.0009 may allow a…

  • CVE-2024-6873 | High | Aug 1, 2024
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    It is possible to crash or redirect the execution flow of the ClickHouse server process from an unauthenticated vector by sending a specially crafted request to the ClickHouse server native interface. This redirection is limited to what is available within a 256-byte range of…

  • CVE-2023-5404 | High | Apr 17, 2024
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    Server receiving a malformed message can cause a pointer to be overwritten which can result in a remote code execution or failure. See Honeywell Security Notification for recommendations on upgrading and versioning.

  • CVE-2023-5400 | High | Apr 17, 2024
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    Server receiving a malformed message based on using the specified key values can cause a heap overflow vulnerability which could lead to an attacker performing remote code execution or causing a failure. See Honeywell Security Notification for recommendations on upgrading…

  • CVE-2024-25262 | High | Feb 29, 2024
    risk 0.53 | CVSS 8.1 | EPSS 0.01

    texlive-bin commit c515e was discovered to contain heap buffer overflow via the function ttfLoadHDMX:ttfdump. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted TTF file.

  • CVE-2023-6779 | High | Jan 31, 2024
    risk 0.53 | CVSS 8.2 | EPSS 0.03

    An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an…

  • CVE-2026-49840 | Critical | Jun 9, 2026
    risk 0.52 | CVSS 9.1 | EPSS 0.00

    FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.11.1, esl_recv_event() parses Content-Length with atol() and passes the…

  • CVE-2026-0059 | High | Jun 1, 2026
    risk 0.52 | CVSS 8.0 | EPSS 0.00

    In multiple functions of sdp_discovery.cc, there is a possible way to achieve code execution due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for…