Common Weakness Enumeration

CWE-121

Allowed

Stack-based Buffer Overflow

Abstraction: Variant · Status: Draft

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

5209 vulnerabilities reference this CWE, most recent first.

CVE-2026-40489 (GCVE-0-2026-40489)

Vulnerability from cvelistv5 – Published: 2026-04-18 01:24 – Updated: 2026-04-20 16:15
VLAI
Title
editorconfig-core-c has incomplete fix for CVE-2023-0341
Summary
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix.
SSVC
Exploitation: poc Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40489",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T16:10:35.794222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T16:15:31.570Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "editorconfig-core-c",
          "vendor": "editorconfig",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.12.11"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "editorconfig-core-c  is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allows an attacker to crash any application using libeditorconfig by providing a specially crafted directory structure and .editorconfig file. This is an incomplete fix for CVE-2023-0341. The pcre_str buffer was protected in 0.12.6 but the adjacent l_pattern[8194] stack buffer received no equivalent protection. On Ubuntu 24.04, FORTIFY_SOURCE converts the overflow to SIGABRT (DoS). Version 0.12.11 contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-18T01:24:57.278Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/security/advisories/GHSA-97xg-vrcq-254h"
        },
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/commit/5159be88ad50641d9843289adda791ba300421ff"
        },
        {
          "name": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/editorconfig/editorconfig-core-c/releases/tag/v0.12.11"
        }
      ],
      "source": {
        "advisory": "GHSA-97xg-vrcq-254h",
        "discovery": "UNKNOWN"
      },
      "title": "editorconfig-core-c has incomplete fix for CVE-2023-0341"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40489",
    "datePublished": "2026-04-18T01:24:57.278Z",
    "dateReserved": "2026-04-13T19:50:42.114Z",
    "dateUpdated": "2026-04-20T16:15:31.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40399 (GCVE-0-2026-40399)

Vulnerability from cvelistv5 – Published: 2026-05-12 16:58 – Updated: 2026-06-19 16:12
VLAI
Title
Windows TCP/IP Elevation of Privilege Vulnerability
Summary
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
Microsoft Windows 10 Version 1607 Affected: 10.0.14393.0 , < 10.0.14393.9140 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 1809 Affected: 10.0.17763.0 , < 10.0.17763.8755 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 21H2 Affected: 10.0.19044.0 , < 10.0.19044.7291 (custom)
Create a notification for this product.
Microsoft Windows 10 Version 22H2 Affected: 10.0.19045.0 , < 10.0.19045.7417 (custom)
Create a notification for this product.
Microsoft Windows 11 version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.7079 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 23H2 Affected: 10.0.22631.0 , < 10.0.22631.7219 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 24H2 Affected: 10.0.26100.0 , < 10.0.26100.8457 (custom)
Create a notification for this product.
Microsoft Windows 11 Version 25H2 Affected: 10.0.26200.0 , < 10.0.26200.8457 (custom)
Create a notification for this product.
Microsoft Windows 11 version 26H1 Affected: 10.0.28000.0 , < 10.0.28000.2113 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 Affected: 10.0.14393.0 , < 10.0.14393.9140 (custom)
Create a notification for this product.
Microsoft Windows Server 2016 (Server Core installation) Affected: 10.0.14393.0 , < 10.0.14393.9140 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 Affected: 10.0.17763.0 , < 10.0.17763.8755 (custom)
Create a notification for this product.
Microsoft Windows Server 2019 (Server Core installation) Affected: 10.0.17763.0 , < 10.0.17763.8755 (custom)
Create a notification for this product.
Microsoft Windows Server 2022 Affected: 10.0.20348.0 , < 10.0.20348.5139 (custom)
Create a notification for this product.
Microsoft Windows Server 2022, 23H2 Edition (Server Core installation) Affected: 10.0.25398.0 , < 10.0.25398.2330 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 Affected: 10.0.26100.0 , < 10.0.26100.32860 (custom)
Create a notification for this product.
Microsoft Windows Server 2025 (Server Core installation) Affected: 10.0.26100.0 , < 10.0.26100.32860 (custom)
Create a notification for this product.
Date Public
2026-05-12 14:00
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40399",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T03:56:15.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1607",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.9140",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 1809",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8755",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 21H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19044.7291",
              "status": "affected",
              "version": "10.0.19044.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "32-bit Systems",
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 10 Version 22H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.19045.7417",
              "status": "affected",
              "version": "10.0.19045.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems"
          ],
          "product": "Windows 11 version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.7079",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 23H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.22631.7219",
              "status": "affected",
              "version": "10.0.22631.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 24H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.8457",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 Version 25H2",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26200.8457",
              "status": "affected",
              "version": "10.0.26200.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "ARM64-based Systems",
            "x64-based Systems"
          ],
          "product": "Windows 11 version 26H1",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.28000.2113",
              "status": "affected",
              "version": "10.0.28000.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.9140",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2016 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.14393.9140",
              "status": "affected",
              "version": "10.0.14393.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8755",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2019 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.17763.8755",
              "status": "affected",
              "version": "10.0.17763.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.20348.5139",
              "status": "affected",
              "version": "10.0.20348.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2022, 23H2 Edition (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.25398.2330",
              "status": "affected",
              "version": "10.0.25398.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32860",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        },
        {
          "platforms": [
            "x64-based Systems"
          ],
          "product": "Windows Server 2025 (Server Core installation)",
          "vendor": "Microsoft",
          "versions": [
            {
              "lessThan": "10.0.26100.32860",
              "status": "affected",
              "version": "10.0.26100.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.17763.8755",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8755",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.17763.8755",
                  "versionStartIncluding": "10.0.17763.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.20348.5139",
                  "versionStartIncluding": "10.0.20348.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_21H2:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.19044.7291",
                  "versionStartIncluding": "10.0.19044.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_22H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.19045.7417",
                  "versionStartIncluding": "10.0.19045.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32860",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_25H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26200.8457",
                  "versionStartIncluding": "10.0.26200.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.22631.7079",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_23H2:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.22631.7219",
                  "versionStartIncluding": "10.0.22631.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_23h2:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.25398.2330",
                  "versionStartIncluding": "10.0.25398.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_24H2:*:*:*:*:*:*:arm64:*",
                  "versionEndExcluding": "10.0.26100.8457",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.26100.32860",
                  "versionStartIncluding": "10.0.26100.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_11_26H1:*:*:*:*:*:*:x64:*",
                  "versionEndExcluding": "10.0.28000.2113",
                  "versionStartIncluding": "10.0.28000.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*",
                  "versionEndExcluding": "10.0.14393.9140",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.9140",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "10.0.14393.9140",
                  "versionStartIncluding": "10.0.14393.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "datePublic": "2026-05-12T14:00:00.000Z",
      "descriptions": [
        {
          "lang": "en-US",
          "value": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows TCP/IP allows an authorized attacker to elevate privileges locally."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-19T16:12:20.133Z",
        "orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
        "shortName": "microsoft"
      },
      "references": [
        {
          "name": "Windows TCP/IP Elevation of Privilege Vulnerability",
          "tags": [
            "vendor-advisory",
            "patch"
          ],
          "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40399"
        }
      ],
      "title": "Windows TCP/IP Elevation of Privilege Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
    "assignerShortName": "microsoft",
    "cveId": "CVE-2026-40399",
    "datePublished": "2026-05-12T16:58:41.680Z",
    "dateReserved": "2026-04-13T00:27:50.797Z",
    "dateUpdated": "2026-06-19T16:12:20.133Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40170 (GCVE-0-2026-40170)

Vulnerability from cvelistv5 – Published: 2026-04-16 21:34 – Updated: 2026-07-15 01:01
VLAI
Title
ngtcp2 has a qlog transport parameter serialization stack buffer overflow
Summary
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Assigner
Impacted products
Vendor Product Version
ngtcp2 ngtcp2 Affected: < 1.22.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:4.23.5-109.el10_2 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:4.23.5-10.el9_8 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
    cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Hardened Images Unaffected: 1.22.1-1.hum1 , < * (rpm)
    cpe:/a:redhat:hummingbird:1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-17T18:17:35.758Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/17/12"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40170",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T14:52:12.292330Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T15:00:26.193Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.2"
            ],
            "defaultStatus": "affected",
            "packageName": "samba",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:4.23.5-109.el10_2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9",
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "samba",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:4.23.5-10.el9_8",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:hummingbird:1"
            ],
            "defaultStatus": "affected",
            "packageName": "ngtcp2-main",
            "product": "Red Hat Hardened Images",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1.22.1-1.hum1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs22",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs24",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:20/nodejs",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:22/nodejs",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:24/nodejs",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:20/nodejs",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:22/nodejs",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "packageName": "nodejs:24/nodejs",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-04-16T21:34:07.610Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in ngtcp2, a C implementation of the IETF QUIC (Quick UDP Internet Connections) protocol. A remote attacker can exploit a stack buffer overflow vulnerability by sending specially crafted, large transport parameters during the QUIC handshake. This occurs when the qlog callback is enabled and untrusted peer transport parameters are processed, leading to writes beyond a fixed-size buffer. This can result in a denial of service."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:01:24.150Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-40170"
          },
          {
            "name": "RHBZ#2459061",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459061"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40170.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:22963"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:25049"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:9113"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:22963: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:25049: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux Resilient Storage (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:9113: Red Hat Hardened Images"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-04-16T22:00:56.443Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-04-16T21:34:07.610Z",
            "value": "Made public."
          }
        ],
        "title": "ngtcp2: ngtcp2: Denial of service via stack buffer overflow during QUIC handshake",
        "workarounds": [
          {
            "lang": "en",
            "value": "To mitigate this issue, disable the `qlog` callback in applications utilizing the ngtcp2 library. This action prevents the vulnerable code path from being exercised when processing untrusted QUIC peer transport parameters. Disabling `qlog` may impact logging and debugging capabilities. Applications linked against ngtcp2 must be restarted for the change to take effect."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ngtcp2",
          "vendor": "ngtcp2",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.22.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack buffer without bounds checking. When qlog is enabled, a remote peer can send sufficiently large transport parameters during the QUIC handshake to cause writes beyond the buffer boundary, resulting in a stack buffer overflow. This affects deployments that enable the qlog callback and process untrusted peer transport parameters. This issue has been fixed in version 1.22.1. If developers are unable to immediately upgrade, they can disable the qlog on client."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T21:34:07.610Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f"
        },
        {
          "name": "https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ngtcp2/ngtcp2/commit/708a7640c1f48fb8ffb540c4b8ea5b4c1dfb8ee5"
        }
      ],
      "source": {
        "advisory": "GHSA-f523-465f-8c8f",
        "discovery": "UNKNOWN"
      },
      "title": "ngtcp2 has a qlog transport parameter serialization stack buffer overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40170",
    "datePublished": "2026-04-16T21:34:07.610Z",
    "dateReserved": "2026-04-09T19:31:56.015Z",
    "dateUpdated": "2026-07-15T01:01:24.150Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39853 (GCVE-0-2026-39853)

Vulnerability from cvelistv5 – Published: 2026-04-09 15:50 – Updated: 2026-04-09 16:15
VLAI
Title
osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification
Summary
osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
mtrojnar osslsigncode Affected: < 2.12
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39853",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T16:13:50.325421Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:15:19.583Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "osslsigncode",
          "vendor": "mtrojnar",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "osslsigncode is a tool that implements Authenticode signing and timestamping. Prior to 2.12, A stack buffer overflow vulnerability exists in osslsigncode in several signature verification paths. During verification of a PKCS#7 signature, the code copies the digest value from a parsed SpcIndirectDataContent structure into a fixed-size stack buffer  (mdbuf[EVP_MAX_MD_SIZE], 64 bytes) without validating that the source length fits within the destination buffer. This pattern is present in the verification handlers for PE, MSI, CAB, and script files. An attacker can craft a malicious signed file with an oversized digest field in SpcIndirectDataContent. When a user verifies such a file with osslsigncode verify, the unbounded memcpy can overflow the stack buffer and corrupt adjacent stack state. This vulnerability is fixed in 2.12."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T15:50:26.548Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/mtrojnar/osslsigncode/security/advisories/GHSA-hx87-8754-xvh4"
        },
        {
          "name": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mtrojnar/osslsigncode/commit/cbee1e723c5a8547302bd841ad9943ed8144db68"
        },
        {
          "name": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/mtrojnar/osslsigncode/releases/tag/2.12"
        }
      ],
      "source": {
        "advisory": "GHSA-hx87-8754-xvh4",
        "discovery": "UNKNOWN"
      },
      "title": "osslsigncode has a Stack Buffer Overflow via Unbounded Digest Copy During Signature Verification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39853",
    "datePublished": "2026-04-09T15:50:26.548Z",
    "dateReserved": "2026-04-07T19:13:20.378Z",
    "dateUpdated": "2026-04-09T16:15:19.583Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39461 (GCVE-0-2026-39461)

Vulnerability from cvelistv5 – Published: 2026-05-21 09:20 – Updated: 2026-05-22 03:55
VLAI
Title
select(2) file descriptor set overflow causes stack overflow
Summary
libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
FreeBSD FreeBSD Affected: 15.0-RELEASE , < p9 (release)
Affected: 14.4-RELEASE , < p5 (release)
Affected: 14.3-RELEASE , < p14 (release)
Create a notification for this product.
Date Public
2026-05-20 23:00
Credits
Joshua Rogers of AISLE Research Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 8.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39461",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-22T03:55:38.128Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "libcasper"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p9",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p5",
              "status": "affected",
              "version": "14.4-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p14",
              "status": "affected",
              "version": "14.3-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Rogers of AISLE Research Team"
        }
      ],
      "datePublic": "2026-05-20T23:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available.  However, it does not verify that its socket descriptor fits within select(2)\u0027s descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption.  If the target application runs with setuid root privileges, this could be used to escalate local privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-21T09:20:26.126Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc"
        }
      ],
      "title": "select(2) file descriptor set overflow causes stack overflow",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-39461",
    "datePublished": "2026-05-21T09:20:26.126Z",
    "dateReserved": "2026-04-28T15:08:10.637Z",
    "dateUpdated": "2026-05-22T03:55:38.128Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39457 (GCVE-0-2026-39457)

Vulnerability from cvelistv5 – Published: 2026-04-30 08:01 – Updated: 2026-05-01 03:55
VLAI
Title
Stack overflow via select() file descriptor set overflow
Summary
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
FreeBSD FreeBSD Affected: 15.0-RELEASE , < p7 (release)
Affected: 14.4-RELEASE , < p3 (release)
Affected: 14.3-RELEASE , < p12 (release)
Affected: 13.5-RELEASE , < p13 (release)
Create a notification for this product.
Date Public
2026-04-29 19:00
Credits
Joshua Rogers of AISLE Research Team
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-39457",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-30T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-01T03:55:51.194Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "libnv"
          ],
          "product": "FreeBSD",
          "vendor": "FreeBSD",
          "versions": [
            {
              "lessThan": "p7",
              "status": "affected",
              "version": "15.0-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p3",
              "status": "affected",
              "version": "14.4-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p12",
              "status": "affected",
              "version": "14.3-RELEASE",
              "versionType": "release"
            },
            {
              "lessThan": "p13",
              "status": "affected",
              "version": "13.5-RELEASE",
              "versionType": "release"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Joshua Rogers of AISLE Research Team"
        }
      ],
      "datePublic": "2026-04-29T19:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "When exchanging data over a socket, libnv uses select(2) to wait for data to arrive.  However, it does not verify whether the provided socket descriptor fits in select(2)\u0027s file descriptor set size limit of FD_SETSIZE (1024).\n\nAn attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption.  If the target application is setuid-root, then this could be used to elevate local privileges."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-30T08:01:49.015Z",
        "orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
        "shortName": "freebsd"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc"
        }
      ],
      "title": "Stack overflow via select() file descriptor set overflow",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
    "assignerShortName": "freebsd",
    "cveId": "CVE-2026-39457",
    "datePublished": "2026-04-30T08:01:49.015Z",
    "dateReserved": "2026-04-28T15:08:10.626Z",
    "dateUpdated": "2026-05-01T03:55:51.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35553 (GCVE-0-2026-35553)

Vulnerability from cvelistv5 – Published: 2026-04-13 04:03 – Updated: 2026-04-13 15:00
VLAI
Summary
Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. An attacker may execute arbitrary code by modifying certain registry values.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based buffer overflow
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35553",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T15:00:14.215479Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T15:00:22.042Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "TOSRFEC.SYS",
          "vendor": "Dynabook Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "product": "DRFEC.SYS",
          "vendor": "Dynabook Inc.",
          "versions": [
            {
              "status": "affected",
              "version": "v11.0.0.0 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. An attacker may execute arbitrary code by modifying certain registry values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "Stack-based buffer overflow",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T04:03:43.009Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://global.sharp/corporate/info/product-security/advisory-list/2026-001/"
        },
        {
          "url": "https://corporate.jp.sharp/info/product-security/advisory-list/2026-001/"
        },
        {
          "url": "https://jvn.jp/en/vu/JVNVU96334293/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2026-35553",
    "datePublished": "2026-04-13T04:03:43.009Z",
    "dateReserved": "2026-04-03T08:21:59.910Z",
    "dateUpdated": "2026-04-13T15:00:22.042Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35085 (GCVE-0-2026-35085)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:42 – Updated: 2026-07-03 08:53
VLAI
Title
Stack buffer overflow in method gdv-serverconfig
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Single-X Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X CAN Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
Credits
Daniel Hulliger from Armasuisse Cyber-Defence campus. Damian Pfammatter from Armasuisse Cyber-Defence campus. Adrien Rey from Armasuisse Cyber Defense Campus Zurich
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T12:38:10.423532Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T12:38:18.598Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Adrien Rey from Armasuisse Cyber Defense Campus Zurich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow in gdv-serverconfig to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T08:53:29.811Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method gdv-serverconfig",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35085",
    "datePublished": "2026-06-03T10:42:22.835Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-07-03T08:53:29.811Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35084 (GCVE-0-2026-35084)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:42 – Updated: 2026-07-03 08:53
VLAI
Title
Stack buffer overflow in method dali-devconfig
Summary
A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Single-X Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X CAN Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
Credits
Daniel Hulliger from Armasuisse Cyber-Defence campus. Damian Pfammatter from Armasuisse Cyber-Defence campus. Adrien Rey from Armasuisse Cyber Defense Campus Zurich
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35084",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T19:14:32.995589Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T19:14:54.458Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Adrien Rey from Armasuisse Cyber Defense Campus Zurich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow in dali-devconfig to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T08:53:13.982Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method dali-devconfig",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35084",
    "datePublished": "2026-06-03T10:42:03.287Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-07-03T08:53:13.982Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-35083 (GCVE-0-2026-35083)

Vulnerability from cvelistv5 – Published: 2026-06-03 10:41 – Updated: 2026-07-03 08:52
VLAI
Title
Stack buffer overflow in method bac-deviceobject
Summary
A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MBS Single-A Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A Profibus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-A x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Single-X Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X CAN Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X PROFINET Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Double-X x-link Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X KNX+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+DALI Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+KNX Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+LON Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
MBS Triple-X PROFINET+M-Bus Affected: V1_00_00 , < V6_00_07 (semver)
Create a notification for this product.
Credits
Daniel Hulliger from Armasuisse Cyber-Defence campus. Damian Pfammatter from Armasuisse Cyber-Defence campus. Adrien Rey from Armasuisse Cyber Defense Campus Zurich
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35083",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T13:13:32.326556Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T14:07:23.610Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Single-A",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A Profibus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-A x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Single-X",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X CAN",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X PROFINET",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Double-X x-link",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X KNX+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+DALI",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+KNX",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+LON",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Triple-X PROFINET+M-Bus",
          "vendor": "MBS",
          "versions": [
            {
              "lessThan": "V6_00_07",
              "status": "affected",
              "version": "V1_00_00",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_a_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_profibus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_a_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:single_x_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_can_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_profinet_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:double_x_x_link_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_knx_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_dali_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_knx_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_lon_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        },
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:mbs:triple_x_profinet_m_bus_firmware:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "V6_00_07",
                  "versionStartIncluding": "V1_00_00",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Daniel Hulliger from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Damian Pfammatter from Armasuisse Cyber-Defence campus."
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Adrien Rey from Armasuisse Cyber Defense Campus Zurich"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root.\u003c/p\u003e"
            }
          ],
          "value": "A remote attacker with user privileges can exploit a stack buffer overflow to gain full system access as root."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121 Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-03T08:52:40.177Z",
        "orgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
        "shortName": "CERTVDE"
      },
      "references": [
        {
          "url": "https://www.certvde.com/en/advisories/VDE-2026-039/"
        }
      ],
      "source": {
        "advisory": "VDE-2026-039",
        "defect": [
          "CERT@VDE#642009"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Stack buffer overflow in method bac-deviceobject",
      "x_generator": {
        "engine": "Vulnogram 0.4.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "270ccfa6-a436-4e77-922e-914ec3a9685c",
    "assignerShortName": "CERTVDE",
    "cveId": "CVE-2026-35083",
    "datePublished": "2026-06-03T10:41:44.226Z",
    "dateReserved": "2026-04-01T08:28:27.142Z",
    "dateUpdated": "2026-07-03T08:52:40.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation
Architecture and Design

Use an abstraction library to abstract away risky APIs. Not a complete solution.

Mitigation
Implementation

Implement and perform bounds checking on input.

Mitigation
Implementation

Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.

Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

No CAPEC attack patterns related to this CWE.