CWE-121
AllowedStack-based Buffer Overflow
Abstraction: Variant · Status: Draft
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
5212 vulnerabilities reference this CWE, most recent first.
GHSA-PWFQ-7WQ2-V4WR
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-55055"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:17Z",
"severity": "HIGH"
},
"details": "Stack-based buffer overflow in Microsoft Office Word allows an unauthorized attacker to execute code locally.",
"id": "GHSA-pwfq-7wq2-v4wr",
"modified": "2026-07-14T18:32:34Z",
"published": "2026-07-14T18:32:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55055"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-55055"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWFX-QRRF-76CP
Vulnerability from github – Published: 2023-10-13 00:30 – Updated: 2024-04-04 08:36A Stack-based Buffer Overflow vulnerability in the CLI command of Juniper Networks Junos and Junos EVO allows a low privileged attacker to execute a specific CLI commands leading to Denial of Service.
Repeated actions by the attacker will create a sustained Denial of Service (DoS) condition.
This issue affects Juniper Networks:
Junos OS:
- All versions prior to 19.1R3-S10;
- 19.2 versions prior to 19.2R3-S7;
- 19.3 versions prior to 19.3R3-S8;
- 19.4 versions prior to 19.4R3-S12;
- 20.2 versions prior to 20.2R3-S8;
- 20.4 versions prior to 20.4R3-S8;
- 21.2 versions prior to 21.2R3-S6;
- 21.3 versions prior to 21.3R3-S5;
- 21.4 versions prior to 21.4R3-S4;
- 22.1 versions prior to 22.1R3-S3;
- 22.2 versions prior to 22.2R3-S1;
- 22.3 versions prior to 22.3R3;
- 22.4 versions prior to 22.4R2.
Junos OS Evolved:
- All versions prior to 20.4R3-S8-EVO;
- 21.2 versions prior to 21.2R3-S6-EVO;
- 21.3 versions prior to 21.3R3-S5-EVO;
- 21.4 versions prior to 21.4R3-S4-EVO;
- 22.1 versions prior to 22.1R3-S3-EVO;
- 22.2 versions prior to 22.2R3-S1-EVO;
- 22.3 versions prior to 22.3R3-EVO;
- 22.4 versions prior to 22.4R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2023-44177"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-13T00:15:11Z",
"severity": "MODERATE"
},
"details": "\nA Stack-based Buffer Overflow vulnerability in the CLI command of Juniper Networks Junos and Junos EVO allows a low privileged attacker to execute a specific CLI commands leading to Denial of Service.\n\nRepeated actions by the attacker will create a sustained Denial of Service (DoS) condition.\n\nThis issue affects Juniper Networks:\n\nJunos OS:\n\n\n\n * All versions prior to 19.1R3-S10;\n * 19.2 versions prior to 19.2R3-S7;\n * 19.3 versions prior to 19.3R3-S8;\n * 19.4 versions prior to 19.4R3-S12;\n * 20.2 versions prior to 20.2R3-S8;\n * 20.4 versions prior to 20.4R3-S8;\n * 21.2 versions prior to 21.2R3-S6;\n * 21.3 versions prior to 21.3R3-S5;\n * 21.4 versions prior to 21.4R3-S4;\n * 22.1 versions prior to 22.1R3-S3;\n * 22.2 versions prior to 22.2R3-S1;\n * 22.3 versions prior to 22.3R3;\n * 22.4 versions prior to 22.4R2.\n\n\n\n\nJunos OS Evolved:\n\n\n\n * All versions prior to 20.4R3-S8-EVO;\n * 21.2 versions prior to 21.2R3-S6-EVO;\n * 21.3 versions prior to 21.3R3-S5-EVO;\n * 21.4 versions prior to 21.4R3-S4-EVO;\n * 22.1 versions prior to 22.1R3-S3-EVO;\n * 22.2 versions prior to 22.2R3-S1-EVO;\n * 22.3 versions prior to 22.3R3-EVO;\n * 22.4 versions prior to 22.4R2-EVO.\n\n\n\n\n\n\n",
"id": "GHSA-pwfx-qrrf-76cp",
"modified": "2024-04-04T08:36:39Z",
"published": "2023-10-13T00:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44177"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA73140"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWHP-27H2-CRQJ
Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2024-04-04 05:32All versions prior to Delta Electronic’s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2022-4634"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-03T03:15:00Z",
"severity": "HIGH"
},
"details": "All versions prior to Delta Electronic\u2019s CNCSoft version 1.01.34 (running ScreenEditor versions 1.01.5 and prior) are vulnerable to a stack-based buffer overflow, which could allow an attacker to remotely execute arbitrary code.",
"id": "GHSA-pwhp-27h2-crqj",
"modified": "2024-04-04T05:32:34Z",
"published": "2023-07-06T19:24:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4634"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWPH-948J-PGVJ
Vulnerability from github – Published: 2026-05-21 12:31 – Updated: 2026-05-21 15:34libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024).
An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
{
"affected": [],
"aliases": [
"CVE-2026-39461"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T10:16:25Z",
"severity": "HIGH"
},
"details": "libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)\u0027s descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.",
"id": "GHSA-pwph-948j-pgvj",
"modified": "2026-05-21T15:34:07Z",
"published": "2026-05-21T12:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39461"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWWX-2GVR-J6QV
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-05-24 17:29In PLC WinProladder Version 3.28 and prior, a stack-based buffer overflow vulnerability can be exploited when a valid user opens a specially crafted file, which may allow an attacker to remotely execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2020-16234"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-30T21:15:00Z",
"severity": "HIGH"
},
"details": "In PLC WinProladder Version 3.28 and prior, a stack-based buffer overflow vulnerability can be exploited when a valid user opens a specially crafted file, which may allow an attacker to remotely execute arbitrary code.",
"id": "GHSA-pwwx-2gvr-j6qv",
"modified": "2022-05-24T17:29:49Z",
"published": "2022-05-24T17:29:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16234"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-254-02"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PX2H-RWQR-R48V
Vulnerability from github – Published: 2023-07-06 15:30 – Updated: 2025-11-04 21:30Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to a buffer overflow. An attacker can send HTTP requests to trigger these vulnerabilities.This buffer overflow occurs in the set_gre function with the local_ip variable.
{
"affected": [],
"aliases": [
"CVE-2023-25109"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T15:15:14Z",
"severity": "HIGH"
},
"details": "Multiple buffer overflow vulnerabilities exist in the vtysh_ubus binary of Milesight UR32L v32.3.0.5 due to the use of an unsafe sprintf pattern. A specially crafted HTTP request can lead to a buffer overflow. An attacker can send HTTP requests to trigger these vulnerabilities.This buffer overflow occurs in the set_gre function with the local_ip variable.",
"id": "GHSA-px2h-rwqr-r48v",
"modified": "2025-11-04T21:30:36Z",
"published": "2023-07-06T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25109"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1716"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PX58-JC8J-245H
Vulnerability from github – Published: 2025-07-30 21:31 – Updated: 2025-07-30 21:31TrustedFirmware-M (aka Trusted Firmware for M profile Arm CPUs) before 2.1.3 and 2.2.x before 2.2.1 lacks length validation during a firmware upgrade. While processing a new image, the Firmware Upgrade (FWU) module does not validate the length field of the Type-Length-Value (TLV) structure for dependent components against the maximum allowed size. If the length specified in the TLV exceeds the size of the buffer allocated on the stack, the FWU module will overwrite the buffer (and potentially other stack data) with the TLV's value content. An attacker could exploit this by crafting a malicious TLV entry in the unprotected section of the MCUBoot upgrade image. By setting the length field to exceed the expected structure size, the attacker can manipulate the stack memory of the system during the upgrade process.
{
"affected": [],
"aliases": [
"CVE-2025-53022"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-30T20:15:36Z",
"severity": "HIGH"
},
"details": "TrustedFirmware-M (aka Trusted Firmware for M profile Arm CPUs) before 2.1.3 and 2.2.x before 2.2.1 lacks length validation during a firmware upgrade. While processing a new image, the Firmware Upgrade (FWU) module does not validate the length field of the Type-Length-Value (TLV) structure for dependent components against the maximum allowed size. If the length specified in the TLV exceeds the size of the buffer allocated on the stack, the FWU module will overwrite the buffer (and potentially other stack data) with the TLV\u0027s value content. An attacker could exploit this by crafting a malicious TLV entry in the unprotected section of the MCUBoot upgrade image. By setting the length field to exceed the expected structure size, the attacker can manipulate the stack memory of the system during the upgrade process.",
"id": "GHSA-px58-jc8j-245h",
"modified": "2025-07-30T21:31:39Z",
"published": "2025-07-30T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53022"
},
{
"type": "WEB",
"url": "https://git.trustedfirmware.org/plugins/gitiles/TF-M/trusted-firmware-m.git/+/refs/heads/main/secure_fw/partitions/firmware_update/bootloader/mcuboot/tfm_mcuboot_fwu.c#257"
},
{
"type": "WEB",
"url": "https://trustedfirmware-m.readthedocs.io/en/latest/security/security_advisories/fwu_tlv_payload_out_of_bounds_vulnerability.html"
},
{
"type": "WEB",
"url": "https://www.trustedfirmware.org/projects/tf-m"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PX7C-6W6C-RWJ2
Vulnerability from github – Published: 2024-01-10 15:30 – Updated: 2024-01-13 03:30Tenda AX1803 v1.0.0.1 contains a stack overflow via the adv.iptv.stballvlans parameter in the function formSetIptv.
{
"affected": [],
"aliases": [
"CVE-2023-51955"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-10T15:15:09Z",
"severity": "CRITICAL"
},
"details": "Tenda AX1803 v1.0.0.1 contains a stack overflow via the adv.iptv.stballvlans parameter in the function formSetIptv.",
"id": "GHSA-px7c-6w6c-rwj2",
"modified": "2024-01-13T03:30:16Z",
"published": "2024-01-10T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51955"
},
{
"type": "WEB",
"url": "https://grove-laser-8ad.notion.site/Tenda-AX1803-Buffer-Overflow-in-formSetIptv-d758f5dba8f646afaf5cddc6f8d3ec70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXCV-W3GG-4FC7
Vulnerability from github – Published: 2024-07-10 18:32 – Updated: 2024-08-01 15:31Tenda AX12 v1.0 v22.03.01.46 contains a stack overflow in the deviceList parameter of the sub_42E410 function.
{
"affected": [],
"aliases": [
"CVE-2024-40412"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-10T16:15:04Z",
"severity": "MODERATE"
},
"details": "Tenda AX12 v1.0 v22.03.01.46 contains a stack overflow in the deviceList parameter of the sub_42E410 function.",
"id": "GHSA-pxcv-w3gg-4fc7",
"modified": "2024-08-01T15:31:55Z",
"published": "2024-07-10T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40412"
},
{
"type": "WEB",
"url": "https://github.com/Feng-ZZ-pwn/IOT/blob/main/Tenda%20AX12/1/README.md"
},
{
"type": "WEB",
"url": "https://static.tenda.com.cn/tdcweb/download/uploadfile/AX12/V22.03.01.46.zip"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXHG-86JQ-9G88
Vulnerability from github – Published: 2025-08-25 15:32 – Updated: 2025-11-03 21:34A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8759 of biosig.c on the current master branch (35a819fa), when the Tag is 5:
else if (tag==5) //0x05: number of channels
{
uint16_t oldNS=hdr->NS;
if (len>4) fprintf(stderr,"Warning MFER tag5 incorrect length %i>4\n",len);
curPos += ifread(buf,1,len,hdr);
{
"affected": [],
"aliases": [
"CVE-2025-54483"
],
"database_specific": {
"cwe_ids": [
"CWE-121"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T14:15:34Z",
"severity": "CRITICAL"
},
"details": "A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8759 of biosig.c on the current master branch (35a819fa), when the Tag is 5:\n\n\t\t\t\telse if (tag==5) //0x05: number of channels\n\t\t\t\t{\n\t\t\t\t\tuint16_t oldNS=hdr-\u003eNS;\n\t\t\t\t\tif (len\u003e4) fprintf(stderr,\"Warning MFER tag5 incorrect length %i\u003e4\\n\",len);\n\t\t\t\t\tcurPos += ifread(buf,1,len,hdr);",
"id": "GHSA-pxhg-86jq-9g88",
"modified": "2025-11-03T21:34:23Z",
"published": "2025-08-25T15:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54483"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2234"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2234"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation
Implement and perform bounds checking on input.
Mitigation
Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
No CAPEC attack patterns related to this CWE.