CWE-121
AllowedStack-based Buffer Overflow
Abstraction: Variant · Status: Draft
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
5213 vulnerabilities reference this CWE, most recent first.
GHSA-H5M9-MJC5-CXVQ
Vulnerability from github – Published: 2024-04-02 00:30 – Updated: 2024-04-02 00:30TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of DHCP options. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22420.
{
"affected": [],
"aliases": [
"CVE-2024-1179"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T22:15:12Z",
"severity": "HIGH"
},
"details": "TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of TP-Link Omada ER605 routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of DHCP options. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22420.",
"id": "GHSA-h5m9-mjc5-cxvq",
"modified": "2024-04-02T00:30:46Z",
"published": "2024-04-02T00:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1179"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-085"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5XV-74X6-XP2M
Vulnerability from github – Published: 2025-05-21 21:31 – Updated: 2025-05-21 21:31Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.
{
"affected": [],
"aliases": [
"CVE-2025-41426"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-21T20:15:31Z",
"severity": "CRITICAL"
},
"details": "Affected Vertiv products contain a stack based buffer overflow vulnerability. An attacker could exploit this vulnerability to gain code execution on the device.",
"id": "GHSA-h5xv-74x6-xp2m",
"modified": "2025-05-21T21:31:41Z",
"published": "2025-05-21T21:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41426"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-10"
},
{
"type": "WEB",
"url": "https://www.vertiv.com/en-us/support/security-support-center"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H63X-7924-M7QF
Vulnerability from github – Published: 2026-03-26 09:30 – Updated: 2026-04-01 15:30Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
{
"affected": [],
"aliases": [
"CVE-2026-4747"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-26T07:16:20Z",
"severity": "HIGH"
},
"details": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko\u0027s RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel\u0027s NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.",
"id": "GHSA-h63x-7924-m7qf",
"modified": "2026-04-01T15:30:57Z",
"published": "2026-03-26T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4747"
},
{
"type": "WEB",
"url": "https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/exploit.py"
},
{
"type": "WEB",
"url": "https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H646-5V7R-PX43
Vulnerability from github – Published: 2025-11-04 06:31 – Updated: 2025-11-04 06:31Memory corruption while processing client message during device management.
{
"affected": [],
"aliases": [
"CVE-2025-47360"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T04:15:38Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing client message during device management.",
"id": "GHSA-h646-5v7r-px43",
"modified": "2025-11-04T06:31:11Z",
"published": "2025-11-04T06:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47360"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H65F-PJ95-WMGC
Vulnerability from github – Published: 2026-05-27 21:31 – Updated: 2026-05-27 21:31A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:
{
"affected": [],
"aliases": [
"CVE-2026-8363"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T20:16:43Z",
"severity": "CRITICAL"
},
"details": "A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:",
"id": "GHSA-h65f-pj95-wmgc",
"modified": "2026-05-27T21:31:26Z",
"published": "2026-05-27T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8363"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/research/TRA-2026-45"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H65X-J3J5-QJWH
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36A Stack-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1. This vulnerability causes a buffer overflow, which could result in denial of service when a malicious project file is run on the system.
{
"affected": [],
"aliases": [
"CVE-2017-6035"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-27T00:59:00Z",
"severity": "HIGH"
},
"details": "A Stack-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1. This vulnerability causes a buffer overflow, which could result in denial of service when a malicious project file is run on the system.",
"id": "GHSA-h65x-j3j5-qjwh",
"modified": "2022-05-13T01:36:35Z",
"published": "2022-05-13T01:36:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-6035"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-103-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97639"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H67Q-H62W-5MJR
Vulnerability from github – Published: 2026-06-29 15:32 – Updated: 2026-06-30 21:31libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking. By supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame. Successful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.
This issue has been fixed in the commit c2e233fc.
NOTE: The maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.
{
"affected": [],
"aliases": [
"CVE-2026-11979"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T14:16:40Z",
"severity": "LOW"
},
"details": "libxml2 is vulnerable to multiple stack-based buffer overflows in the xmlcatalog utility when running in --shell mode. The usershell() function processes user input using fixed-size stack buffers without proper bounds checking.\nBy supplying an overly long input line, an attacker can overflow internal buffers (command, arg, and argv) during input parsing. This results in memory corruption within the stack frame.\nSuccessful exploitation may cause a crash or potentially allow arbitrary code execution in the context of the xmlcatalog process.\n\nThis issue has been fixed in the commit c2e233fc.\n\nNOTE:\nThe maintainers of this project did not agree that this issue is a vulnerability and considered it a bug.",
"id": "GHSA-h67q-h62w-5mjr",
"modified": "2026-06-30T21:31:38Z",
"published": "2026-06-29T15:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11979"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/06/CVE-2026-11979"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/commit/c2e233fc1b341685fc99621b2768b503f777a72e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-H69G-QFWQ-M8HR
Vulnerability from github – Published: 2025-10-31 18:31 – Updated: 2025-11-03 15:30Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-63461"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T17:15:47Z",
"severity": "HIGH"
},
"details": "Totolink A7000R v9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the ssid5g parameter in the urldecode function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request.",
"id": "GHSA-h69g-qfwq-m8hr",
"modified": "2025-11-03T15:30:28Z",
"published": "2025-10-31T18:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63461"
},
{
"type": "WEB",
"url": "https://github.com/0-fool/VulnbyCola/blob/main/TOTOLINK/A7000/7/1.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H6FC-W6R4-3F5V
Vulnerability from github – Published: 2022-05-17 04:11 – Updated: 2025-09-19 21:31Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.
{
"affected": [],
"aliases": [
"CVE-2014-0767"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-12T04:37:00Z",
"severity": "HIGH"
},
"details": "Stack-based buffer overflow in Advantech WebAccess before 7.2 allows remote attackers to execute arbitrary code via a long AccessCode argument.",
"id": "GHSA-h6fc-w6r4-3f5v",
"modified": "2025-09-19T21:31:14Z",
"published": "2022-05-17T04:11:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0767"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-079-03"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-079-03"
},
{
"type": "WEB",
"url": "http://webaccess.advantech.com"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/66728"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/66740"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H724-W27C-6J67
Vulnerability from github – Published: 2023-09-27 15:30 – Updated: 2024-04-04 07:55Tenda AC10U v1.0 US_AC10UV1.0RTL_V15.03.06.49_multi_TDE01 was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.
{
"affected": [],
"aliases": [
"CVE-2023-44017"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-27T15:19:35Z",
"severity": "CRITICAL"
},
"details": "Tenda AC10U v1.0 US_AC10UV1.0RTL_V15.03.06.49_multi_TDE01 was discovered to contain a stack overflow via the timeZone parameter in the fromSetSysTime function.",
"id": "GHSA-h724-w27c-6j67",
"modified": "2024-04-04T07:55:03Z",
"published": "2023-09-27T15:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44017"
},
{
"type": "WEB",
"url": "https://github.com/aixiao0621/Tenda/blob/main/AC10U/6/0.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Implement and perform bounds checking on input.
Mitigation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.