CWE-121
AllowedStack-based Buffer Overflow
Abstraction: Variant · Status: Draft
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
5212 vulnerabilities reference this CWE, most recent first.
GHSA-HJ52-RQMP-XWX6
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger's network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems.
{
"affected": [],
"aliases": [
"CVE-2023-54330"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:16:00Z",
"severity": "CRITICAL"
},
"details": "Inbit Messenger versions 4.6.0 to 4.9.0 contain a remote stack-based buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code by sending malformed network packets. Attackers can craft a specially designed payload targeting the messenger\u0027s network handler to overwrite the Structured Exception Handler (SEH) and execute shellcode on vulnerable Windows systems.",
"id": "GHSA-hj52-rqmp-xwx6",
"modified": "2026-01-14T00:31:29Z",
"published": "2026-01-14T00:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-54330"
},
{
"type": "WEB",
"url": "https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20200122082432/https://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/51126"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/inbit-messenger-unauthenticated-remote-seh-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJ8G-F5GH-VQMQ
Vulnerability from github – Published: 2025-04-22 15:30 – Updated: 2025-04-22 15:30NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a stack overflow via the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.
{
"affected": [],
"aliases": [
"CVE-2024-46546"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-22T14:15:24Z",
"severity": "HIGH"
},
"details": "NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a stack overflow via the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.",
"id": "GHSA-hj8g-f5gh-vqmq",
"modified": "2025-04-22T15:30:52Z",
"published": "2025-04-22T15:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46546"
},
{
"type": "WEB",
"url": "https://ez-net.co.kr/new_2012/customer/download_view.php?cid=\u0026sid=\u0026goods=\u0026cate=\u0026q=\u0026seq=233"
},
{
"type": "WEB",
"url": "https://ez-net.co.kr/new_2012/product/view.php?cid=461\u0026sid=467\u0026q=%C7%C3%B7%B9%C5%B8\u0026seq=3479\u0026page="
},
{
"type": "WEB",
"url": "https://gist.github.com/laskdjlaskdj12/5b29b8b68f8a2279c9294708f080496b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HJ9R-Q6X8-GPF5
Vulnerability from github – Published: 2024-05-03 03:30 – Updated: 2024-05-03 03:30D-Link DAP-2622 DDP Set SSID List RADIUS Secret Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the DDP service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20099.
{
"affected": [],
"aliases": [
"CVE-2023-37321"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T02:15:42Z",
"severity": "HIGH"
},
"details": "D-Link DAP-2622 DDP Set SSID List RADIUS Secret Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-2622 routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the DDP service. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20099.",
"id": "GHSA-hj9r-q6x8-gpf5",
"modified": "2024-05-03T03:30:53Z",
"published": "2024-05-03T03:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37321"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10349"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1275"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HJC5-MWX5-GC6H
Vulnerability from github – Published: 2025-08-08 21:30 – Updated: 2025-08-08 21:30A stack-based buffer overflow vulnerability exists in ActFax Server version 4.32, specifically in the "Import Users from File" functionality of the client interface. The application fails to properly validate the length of tab-delimited fields in .exp files, leading to unsafe usage of strcpy() during CSV parsing. An attacker can exploit this vulnerability by crafting a malicious .exp file and importing it using the default character set "ECMA-94 / Latin 1 (ISO 8859)". Successful exploitation may result in arbitrary code execution, leading to full system compromise. User interaction is required to trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2012-10043"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-08T19:15:34Z",
"severity": "CRITICAL"
},
"details": "A stack-based buffer overflow vulnerability exists in ActFax Server version 4.32, specifically in the \"Import Users from File\" functionality of the client interface. The application fails to properly validate the length of tab-delimited fields in .exp files, leading to unsafe usage of strcpy() during CSV parsing. An attacker can exploit this vulnerability by crafting a malicious .exp file and importing it using the default character set \"ECMA-94 / Latin 1 (ISO 8859)\". Successful exploitation may result in arbitrary code execution, leading to full system compromise. User interaction is required to trigger the vulnerability.",
"id": "GHSA-hjc5-mwx5-gc6h",
"modified": "2025-08-08T21:30:38Z",
"published": "2025-08-08T21:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-10043"
},
{
"type": "WEB",
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/actfax_import_users_bof.rb"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20130712072809/http://www.pwnag3.com/2012/08/actfax-local-privilege-escalation.html"
},
{
"type": "WEB",
"url": "https://www.actfax.com"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/20915"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/actfax-client-importer-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HJC9-MJ3Q-MX36
Vulnerability from github – Published: 2024-04-23 15:30 – Updated: 2024-07-03 18:36Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter in ip/goform/QuickIndex.
{
"affected": [],
"aliases": [
"CVE-2024-33211"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-23T15:15:50Z",
"severity": "HIGH"
},
"details": "Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter in ip/goform/QuickIndex.",
"id": "GHSA-hjc9-mj3q-mx36",
"modified": "2024-07-03T18:36:43Z",
"published": "2024-04-23T15:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33211"
},
{
"type": "WEB",
"url": "https://palm-vertebra-fe9.notion.site/formQuickIndex-e1f24466830f4cb4a7756d6997f411b4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HM55-VJ5M-259P
Vulnerability from github – Published: 2025-07-24 21:30 – Updated: 2025-07-24 21:30Tenda AC8V4 V16.03.34.06was discovered to contain stack overflow at /goform/fast_setting_wifi_set. The manipulation of the argumenttimeZone` leads to stack-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2025-51082"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-24T15:15:26Z",
"severity": "MODERATE"
},
"details": "Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/fast_setting_wifi_set. The manipulation of the argument `timeZone` leads to stack-based buffer overflow.",
"id": "GHSA-hm55-vj5m-259p",
"modified": "2025-07-24T21:30:39Z",
"published": "2025-07-24T21:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51082"
},
{
"type": "WEB",
"url": "https://github.com/TL-SN/IOT/blob/main/Tenda/Tenda-AC8v4%20%20V16.03.34.06/CVE-2025-51082.md"
},
{
"type": "WEB",
"url": "http://tenda.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HM7Q-2H38-JCWX
Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-01 21:31AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.
{
"affected": [],
"aliases": [
"CVE-2026-42485"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T17:16:25Z",
"severity": "HIGH"
},
"details": "AGL agl-service-can-low-level contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.",
"id": "GHSA-hm7q-2h38-jcwx",
"modified": "2026-05-01T21:31:20Z",
"published": "2026-05-01T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42485"
},
{
"type": "WEB",
"url": "https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level"
},
{
"type": "WEB",
"url": "https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMF7-F8GF-8F4P
Vulnerability from github – Published: 2023-09-18 18:30 – Updated: 2026-05-12 12:31A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.
{
"affected": [],
"aliases": [
"CVE-2023-4527"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-18T17:15:55Z",
"severity": "MODERATE"
},
"details": "A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.",
"id": "GHSA-hmf7-f8gf-8f4p",
"modified": "2026-05-12T12:31:29Z",
"published": "2023-09-18T18:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4527"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5453"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:5455"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-4527"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234712"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-831302.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-03"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231116-0012"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/09/25/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HMHJ-HH4G-C89R
Vulnerability from github – Published: 2026-01-28 18:30 – Updated: 2026-01-28 18:30Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the 'License Code' field to execute arbitrary code on the system.
{
"affected": [],
"aliases": [
"CVE-2020-36971"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-28T18:16:47Z",
"severity": "HIGH"
},
"details": "Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the \u0027License Code\u0027 field to execute arbitrary code on the system.",
"id": "GHSA-hmhj-hh4g-c89r",
"modified": "2026-01-28T18:30:48Z",
"published": "2026-01-28T18:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36971"
},
{
"type": "WEB",
"url": "https://nidesoft-3gp-video-converter.software.informer.com/2.6"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/49034"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/nidesoft-gp-video-converter-local-stack-buffer-overflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HMQ6-2XJ3-79W5
Vulnerability from github – Published: 2022-04-13 00:00 – Updated: 2024-02-23 18:30It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16.
{
"affected": [],
"aliases": [
"CVE-2021-32040"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-12T15:15:00Z",
"severity": "HIGH"
},
"details": "It may be possible to have an extremely long aggregation pipeline in conjunction with a specific stage/operator and cause a stack overflow due to the size of the stack frames used by that stage. If an attacker could cause such an aggregation to occur, they could maliciously crash MongoDB in a DoS attack. This vulnerability affects MongoDB versions prior to 5.0.4, 4.4.11, 4.2.16.",
"id": "GHSA-hmq6-2xj3-79w5",
"modified": "2024-02-23T18:30:58Z",
"published": "2022-04-13T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32040"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-58203"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-59299"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-60218"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220609-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Implement and perform bounds checking on input.
Mitigation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.