CWE-121
AllowedStack-based Buffer Overflow
Abstraction: Variant · Status: Draft
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
5215 vulnerabilities reference this CWE, most recent first.
GHSA-G26V-2W7V-M2QP
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:35TurboVNC server code contains stack buffer overflow vulnerability in commit prior to cea98166008301e614e0d36776bf9435a536136e. This could possibly result into remote code execution, since stack frame is not protected with stack canary. This attack appear to be exploitable via network connectivity. To exploit this vulnerability authorization on server is required. These issues have been fixed in commit cea98166008301e614e0d36776bf9435a536136e.
{
"affected": [],
"aliases": [
"CVE-2019-15683"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-29T19:15:00Z",
"severity": "CRITICAL"
},
"details": "TurboVNC server code contains stack buffer overflow vulnerability in commit prior to cea98166008301e614e0d36776bf9435a536136e. This could possibly result into remote code execution, since stack frame is not protected with stack canary. This attack appear to be exploitable via network connectivity. To exploit this vulnerability authorization on server is required. These issues have been fixed in commit cea98166008301e614e0d36776bf9435a536136e.",
"id": "GHSA-g26v-2w7v-m2qp",
"modified": "2024-04-04T02:35:58Z",
"published": "2022-05-24T17:00:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-15683"
},
{
"type": "WEB",
"url": "https://github.com/TurboVNC/turbovnc/commit/cea98166008301e614e0d36776bf9435a536136e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G28M-WPC6-78C8
Vulnerability from github – Published: 2023-10-18 00:31 – Updated: 2024-04-04 08:45SonicOS post-authentication user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi leads to a firewall crash.
{
"affected": [],
"aliases": [
"CVE-2023-39278"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-17T23:15:11Z",
"severity": "MODERATE"
},
"details": "SonicOS post-authentication user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi leads to a firewall crash.\n",
"id": "GHSA-g28m-wpc6-78c8",
"modified": "2024-04-04T08:45:17Z",
"published": "2023-10-18T00:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39278"
},
{
"type": "WEB",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0012"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G293-7M92-J383
Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 18:31Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls parameter of /goform/saveParentControlInfo.
{
"affected": [],
"aliases": [
"CVE-2025-65223"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-20T15:17:40Z",
"severity": "MODERATE"
},
"details": "Tenda AC21 V16.03.08.16 is vulnerable to Buffer Overflow via the urls parameter of /goform/saveParentControlInfo.",
"id": "GHSA-g293-7m92-j383",
"modified": "2025-11-20T18:31:00Z",
"published": "2025-11-20T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65223"
},
{
"type": "WEB",
"url": "https://github.com/Madgeaaaaa/MY_VULN_2/blob/main/Tenda/VULN4.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G2CQ-R84H-65G2
Vulnerability from github – Published: 2024-04-24 21:31 – Updated: 2024-04-24 21:31A vulnerability was found in Tenda W15E 15.11.0.14 and classified as critical. This issue affects the function formSetSysTime of the file /goform/SetSysTimeCfg. The manipulation of the argument manualTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261869 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2024-4126"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-24T20:15:08Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in Tenda W15E 15.11.0.14 and classified as critical. This issue affects the function formSetSysTime of the file /goform/SetSysTimeCfg. The manipulation of the argument manualTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261869 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-g2cq-r84h-65g2",
"modified": "2024-04-24T21:31:56Z",
"published": "2024-04-24T21:31:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4126"
},
{
"type": "WEB",
"url": "https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Tenda/W15Ev1.0/formSetSysTime.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.261869"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.261869"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.317831"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2GQ-8XV6-M432
Vulnerability from github – Published: 2025-10-24 18:31 – Updated: 2025-10-24 21:31D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the next_page parameter in the function formDeviceReboot.
{
"affected": [],
"aliases": [
"CVE-2025-60551"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-24T16:19:09Z",
"severity": "HIGH"
},
"details": "D-Link DIR600L Ax FW116WWb01 was discovered to contain a buffer overflow via the next_page parameter in the function formDeviceReboot.",
"id": "GHSA-g2gq-8xv6-m432",
"modified": "2025-10-24T21:31:10Z",
"published": "2025-10-24T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60551"
},
{
"type": "WEB",
"url": "https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/07-buffer%20overflow-formDeviceReboot.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2H4-MW8P-V523
Vulnerability from github – Published: 2025-07-31 15:35 – Updated: 2025-09-23 18:30A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.
{
"affected": [],
"aliases": [
"CVE-2012-10021"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-31T15:15:32Z",
"severity": "CRITICAL"
},
"details": "A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device.",
"id": "GHSA-g2h4-mw8p-v523",
"modified": "2025-09-23T18:30:21Z",
"published": "2025-07-31T15:35:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-10021"
},
{
"type": "WEB",
"url": "https://forums.dlink.com/index.php?topic=51923.0"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dir605l_captcha_bof.rb"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20121012062554/http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/29127"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/dlink-dir605l-captcha-handling-stack-based-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G2HF-3HH4-QWXQ
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.
{
"affected": [],
"aliases": [
"CVE-2021-1342"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-04T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly. These vulnerabilities are due to improper validation of user-supplied input in the web-based management interface. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a denial of service (DoS) condition. To exploit these vulnerabilities, an attacker would need to have valid administrator credentials on the affected device.",
"id": "GHSA-g2hf-3hh4-qwxq",
"modified": "2022-05-24T17:41:04Z",
"published": "2022-05-24T17:41:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1342"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-ghZP68yj"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G2MP-F56J-3FV9
Vulnerability from github – Published: 2024-01-10 00:30 – Updated: 2024-01-12 21:30AMI’s SPx contains a vulnerability in the BMC where an Attacker may cause a stack-based buffer overflow via an adjacent network. A successful exploitation of this vulnerability may lead to a loss of confidentiality, integrity, and/or availability.
{
"affected": [],
"aliases": [
"CVE-2023-3043"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-09T23:15:09Z",
"severity": "CRITICAL"
},
"details": "\n\n\n\n\n\n\n\n\nAMI\u2019s SPx contains\na vulnerability in the BMC where an Attacker may\ncause a stack-based buffer overflow via an adjacent network. A successful exploitation\nof this vulnerability may lead to a loss of confidentiality, integrity, and/or\navailability. \n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n \n\n\n\n\n\n\n\n",
"id": "GHSA-g2mp-f56j-3fv9",
"modified": "2024-01-12T21:30:19Z",
"published": "2024-01-10T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3043"
},
{
"type": "WEB",
"url": "https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023010.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G2MQ-5MGX-WG6W
Vulnerability from github – Published: 2025-10-15 03:30 – Updated: 2025-10-15 03:30Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function nexttoken copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When ParseKeyValue processes a collisionpair rule longer than the destination buffer (256 bytes), an overflow of the stack buffer szToken can occur and overwrite the function return address. A remote attacker can trigger the vulnerable code by supplying a specially crafted ragdoll model which causes the oversized collisionpair rule to be parsed, resulting in remote code execution on affected clients or servers. Valve has addressed this issue in many of their Source games, but independently-developed games must manually apply patch.
{
"affected": [],
"aliases": [
"CVE-2017-20205"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T02:15:31Z",
"severity": "CRITICAL"
},
"details": "Valve\u0027s Source SDK (source-sdk-2013)\u0027s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue` processes a collisionpair rule longer than the destination buffer (256 bytes), an overflow of the stack buffer `szToken` can occur and overwrite the function return address. A remote attacker can trigger the vulnerable code by supplying a specially crafted ragdoll model which causes the oversized collisionpair rule to be parsed, resulting in remote code execution on affected clients or servers. Valve has addressed this issue in many of their Source games, but independently-developed games must manually apply patch.",
"id": "GHSA-g2mq-5mgx-wg6w",
"modified": "2025-10-15T03:30:40Z",
"published": "2025-10-15T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20205"
},
{
"type": "WEB",
"url": "https://github.com/ValveSoftware/source-sdk-2013"
},
{
"type": "WEB",
"url": "https://www.oneupsecurity.com/research/remote-code-execution-in-source-games"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/valve-source-sdk-stack-based-buffer-overflow-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G2QH-FGM2-83WP
Vulnerability from github – Published: 2025-07-24 21:30 – Updated: 2025-07-24 21:30Tenda AC8V4 V16.03.34.06was discovered to contain stack overflow at /goform/SetSysTimeCfg. The manipulation of the argumenttimeZoneandtimeType` leads to stack-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2025-51085"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T15:15:26Z",
"severity": "MODERATE"
},
"details": "Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/SetSysTimeCfg. The manipulation of the argument `timeZone` and `timeType` leads to stack-based buffer overflow.",
"id": "GHSA-g2qh-fgm2-83wp",
"modified": "2025-07-24T21:30:39Z",
"published": "2025-07-24T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51085"
},
{
"type": "WEB",
"url": "https://github.com/TL-SN/IOT/blob/main/Tenda/Tenda-AC8v4%20%20V16.03.34.06/CVE-2025-51085.md"
},
{
"type": "WEB",
"url": "http://tenda.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Implement and perform bounds checking on input.
Mitigation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.