CWE-123
Write-what-where Condition
Description
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-69809 | Cri | 0.64 | 9.8 | 0.01 | Mar 16, 2026 | A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet. | ||
| CVE-2015-8271 | Cri | 0.64 | 9.8 | 0.06 | Apr 13, 2017 | The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to execute arbitrary code. | ||
| CVE-2024-42479 | Cri | 0.58 | 10.0 | 0.03 | Aug 12, 2024 | llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561. | ||
| CVE-2025-9900 | Hig | 0.57 | 8.8 | 0.01 | Sep 23, 2025 | A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into… | ||
| CVE-2026-43284 | Hig | 0.55 | 8.8 | 0.93 | May 8, 2026 | In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths… | ||
| CVE-2024-44067 | Hig | 0.55 | 8.4 | 0.00 | Aug 19, 2024 | The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C920 CPU in the SOPHON SG2042 have instructions that allow unprivileged attackers to write to arbitrary physical memory locations, aka GhostWrite. | ||
| CVE-2024-36877 | Hig | 0.54 | 8.2 | 0.01 | Aug 12, 2024 | Micro-Star International Z-series motherboards (Z590, Z490, and Z790) and B-series motherboards (B760, B560, B660, and B460) with firmware 7D25v14, 7D25v17 to 7D25v19, and 7D25v1A to 7D25v1H was discovered to contain a write-what-where condition in the in the SW handler for SMI… | ||
| CVE-2026-30121 | Cri | 0.52 | 9.1 | 0.00 | Jun 15, 2026 | remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability. | ||
| CVE-2026-41952 | Hig | 0.51 | 7.8 | 0.00 | Apr 29, 2026 | Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183. | ||
| CVE-2018-16962 | Hig | 0.51 | 7.8 | 0.01 | Sep 12, 2018 | Webroot SecureAnywhere before 9.0.8.34 on macOS mishandles access to the driver by a process that lacks root privileges. | ||
| CVE-2018-12036 | — | Hig | 0.51 | 7.8 | 0.02 | Jun 7, 2018 | OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames. | |
| CVE-2017-6282 | Hig | 0.51 | 7.8 | 0.00 | Mar 6, 2018 | NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an attacker has the ability to write an arbitrary value to an arbitrary location which may lead to an escalation of privileges. This issue is rated as high. | ||
| CVE-2017-10994 | Hig | 0.48 | 7.3 | 0.05 | Jul 7, 2017 | Foxit Reader before 8.3.1 and PhantomPDF before 8.3.1 have an Arbitrary Write vulnerability, which allows remote attackers to execute arbitrary code via a crafted document. | ||
| CVE-2018-15376 | Med | 0.44 | 6.7 | 0.00 | Oct 5, 2018 | A vulnerability in the embedded test subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers could allow an authenticated, local attacker to write arbitrary values to arbitrary locations in the memory space of an affected device. The… | ||
| CVE-2018-15375 | Med | 0.44 | 6.7 | 0.00 | Oct 5, 2018 | A vulnerability in the embedded test subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers could allow an authenticated, local attacker to write arbitrary values to arbitrary locations in the memory space of an affected device. The… | ||
| CVE-2025-14857 | Med | 0.35 | — | 0.00 | Apr 7, 2026 | An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical… | ||
| CVE-2025-29943 | Med | 0.30 | — | 0.00 | Jan 16, 2026 | Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest. | ||
| CVE-2025-62164 | 0.00 | — | 0.01 | Nov 21, 2025 | vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When… | |||
| CVE-2025-64324 | 0.00 | — | 0.00 | Nov 18, 2025 | KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more… | |||
| CVE-2025-55298 | 0.00 | — | 0.04 | Aug 26, 2025 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to… |
- risk 0.64cvss 9.8epss 0.01
A write-what-where condition in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to write arbitrary values to memory, enabling arbitrary code execution via a crafted packet.
- risk 0.64cvss 9.8epss 0.06
The AMF3CD_AddProp function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to execute arbitrary code.
- risk 0.58cvss 10.0epss 0.03
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561.
- risk 0.57cvss 8.8epss 0.01
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into…
- risk 0.55cvss 8.8epss 0.93
In the Linux kernel, the following vulnerability has been resolved: xfrm: esp: avoid in-place decrypt on shared skb frags MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(), so later paths…
- risk 0.55cvss 8.4epss 0.00
The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C920 CPU in the SOPHON SG2042 have instructions that allow unprivileged attackers to write to arbitrary physical memory locations, aka GhostWrite.
- risk 0.54cvss 8.2epss 0.01
Micro-Star International Z-series motherboards (Z590, Z490, and Z790) and B-series motherboards (B760, B560, B660, and B460) with firmware 7D25v14, 7D25v17 to 7D25v19, and 7D25v1A to 7D25v1H was discovered to contain a write-what-where condition in the in the SW handler for SMI…
- risk 0.52cvss 9.1epss 0.00
remotion-dev remotion v4.0.409 was discovered to contain an arbitrary file write vulnerability.
- risk 0.51cvss 7.8epss 0.00
Local privilege escalation due to improper input validation. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212, Acronis Cyber Protect Cloud Agent (Windows) before build 42183.
- risk 0.51cvss 7.8epss 0.01
Webroot SecureAnywhere before 9.0.8.34 on macOS mishandles access to the driver by a process that lacks root privileges.
- risk 0.51cvss 7.8epss 0.02
OWASP Dependency-Check before 3.2.0 allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.
- risk 0.51cvss 7.8epss 0.00
NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an attacker has the ability to write an arbitrary value to an arbitrary location which may lead to an escalation of privileges. This issue is rated as high.
- risk 0.48cvss 7.3epss 0.05
Foxit Reader before 8.3.1 and PhantomPDF before 8.3.1 have an Arbitrary Write vulnerability, which allows remote attackers to execute arbitrary code via a crafted document.
- risk 0.44cvss 6.7epss 0.00
A vulnerability in the embedded test subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers could allow an authenticated, local attacker to write arbitrary values to arbitrary locations in the memory space of an affected device. The…
- risk 0.44cvss 6.7epss 0.00
A vulnerability in the embedded test subsystem of Cisco IOS Software for Cisco 800 Series Industrial Integrated Services Routers could allow an authenticated, local attacker to write arbitrary values to arbitrary locations in the memory space of an affected device. The…
- risk 0.35cvss —epss 0.00
An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical…
- risk 0.30cvss —epss 0.00
Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest.
- CVE-2025-62164Nov 21, 2025risk 0.00cvss —epss 0.01
vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When…
- CVE-2025-64324Nov 18, 2025risk 0.00cvss —epss 0.00
KubeVirt is a virtual machine management add-on for Kubernetes. The `hostDisk` feature in KubeVirt allows mounting a host file or directory owned by the user with UID 107 into a VM. However, prior to version 1.6.1 and 1.7.0, the implementation of this feature and more…
- CVE-2025-55298Aug 26, 2025risk 0.00cvss —epss 0.04
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to…