Common Weakness Enumeration

CWE-787

Allowed-with-Review

Out-of-bounds Write

Abstraction: Base · Status: Draft

The product writes data past the end, or before the beginning, of the intended buffer.

15106 vulnerabilities reference this CWE, most recent first.

CVE-2026-29078 (GCVE-0-2026-29078)

Vulnerability from cvelistv5 – Published: 2026-03-13 17:18 – Updated: 2026-03-16 17:05
VLAI
Title
Integer Underflow in Lexbor ISO‑2022‑JP Encoder
Summary
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-191 - Integer Underflow (Wrap or Wraparound)
  • CWE-787 - Out-of-bounds Write
Assigner
References
Impacted products
Vendor Product Version
lexbor lexbor Affected: < 2.7.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29078",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-16T17:05:45.395180Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-16T17:05:52.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "lexbor",
          "vendor": "lexbor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.7.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Lexbor is a web browser engine library. Prior to 2.7.0, the ISO\u20112022\u2011JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx-\u003ebuffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out\u2011of\u2011bounds read from the stack and an out\u2011of\u2011bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-191",
              "description": "CWE-191: Integer Underflow (Wrap or Wraparound)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-13T17:18:47.646Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3"
        }
      ],
      "source": {
        "advisory": "GHSA-mrwr-xh7f-96v3",
        "discovery": "UNKNOWN"
      },
      "title": "Integer Underflow in Lexbor ISO\u20112022\u2011JP Encoder"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29078",
    "datePublished": "2026-03-13T17:18:47.646Z",
    "dateReserved": "2026-03-03T20:51:43.483Z",
    "dateUpdated": "2026-03-16T17:05:52.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-28693 (GCVE-0-2026-28693)

Vulnerability from cvelistv5 – Published: 2026-03-09 21:42 – Updated: 2026-07-15 01:11
VLAI
Title
ImageMagick has an integer overflow in DIB coder can result in out of bounds read or write
Summary
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
ImageMagick ImageMagick Affected: >= 7.0.0, < 7.1.2-16
Affected: < 6.9.13-41
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support Unaffected: 0:6.9.10.68-15.el7_9 , < * (rpm)
    cpe:/o:redhat:rhel_els:7
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T03:56:28.087Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:rhel_els:7"
            ],
            "defaultStatus": "affected",
            "packageName": "ImageMagick",
            "product": "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:6.9.10.68-15.el7_9",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "unknown",
            "packageName": "ImageMagick",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-09T21:42:28.143Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in ImageMagick, a free and open-source software used for editing and manipulating digital images. An integer overflow vulnerability in the DIB (Device Independent Bitmap) coder component can be exploited by a remote attacker. By processing a specially crafted image file, this flaw may lead to an out-of-bounds read or write, potentially resulting in arbitrary code execution, privilege escalation, information disclosure, or a Denial of Service (DoS)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:11:36.417Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-28693"
          },
          {
            "name": "RHBZ#2445888",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445888"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28693.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:6713"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:6713: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-09T22:01:52.790Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-09T21:42:28.143Z",
            "value": "Made public."
          }
        ],
        "title": "ImageMagick: ImageMagick: Out-of-bounds read or write due to integer overflow in DIB coder",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ImageMagick",
          "vendor": "ImageMagick",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.1.2-16"
            },
            {
              "status": "affected",
              "version": "\u003c 6.9.13-41"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in DIB coder can result in out of bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190: Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-09T21:42:28.143Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-hffp-q43q-qq76"
        }
      ],
      "source": {
        "advisory": "GHSA-hffp-q43q-qq76",
        "discovery": "UNKNOWN"
      },
      "title": "ImageMagick has an integer overflow in DIB coder can result in out of bounds read or write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28693",
    "datePublished": "2026-03-09T21:42:28.143Z",
    "dateReserved": "2026-03-02T21:43:19.927Z",
    "dateUpdated": "2026-07-15T01:11:36.417Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27890 (GCVE-0-2026-27890)

Vulnerability from cvelistv5 – Published: 2026-04-17 18:14 – Updated: 2026-04-17 18:50
VLAI
Title
Firebird has Pre-Auth DOS when Processing Out of Order CNCT_specific_data Segments
Summary
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server's IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-787 - Out-of-bounds Write
Assigner
Impacted products
Vendor Product Version
FirebirdSQL firebird Affected: >= 3.0.0, < 3.0.14
Affected: >= 4.0.0, < 4.0.7
Affected: >= 5.0.0, < 5.0.4
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27890",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-17T18:50:13.916401Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-17T18:50:22.134Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "firebird",
          "vendor": "FirebirdSQL",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.0.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCT_specific_data segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class\u0027s grow() method computes a negative size value, causing a SIGSEGV crash. An unauthenticated attacker who knows only the server\u0027s IP and port can exploit this to crash the server. This issue has been fixed in versions 5.0.4, 4.0.7 and 3.0.14."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T18:36:11.924Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6crx-4g37-7j49",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6crx-4g37-7j49"
        },
        {
          "name": "https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FirebirdSQL/firebird/releases/tag/v3.0.14"
        },
        {
          "name": "https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FirebirdSQL/firebird/releases/tag/v4.0.7"
        },
        {
          "name": "https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/FirebirdSQL/firebird/releases/tag/v5.0.4"
        }
      ],
      "source": {
        "advisory": "GHSA-6crx-4g37-7j49",
        "discovery": "UNKNOWN"
      },
      "title": "Firebird has Pre-Auth DOS when Processing Out of Order CNCT_specific_data Segments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27890",
    "datePublished": "2026-04-17T18:14:29.433Z",
    "dateReserved": "2026-02-24T15:19:29.716Z",
    "dateUpdated": "2026-04-17T18:50:22.134Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27816 (GCVE-0-2026-27816)

Vulnerability from cvelistv5 – Published: 2026-03-26 16:32 – Updated: 2026-03-26 18:24
VLAI
Title
EVerest's ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state
Summary
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
EVerest everest-core Affected: < 2026.02.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27816",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T17:48:28.483916Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T18:24:18.212Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "everest-core",
          "vendor": "EVerest",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.02.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_update_energy_transfer_modes copies a variable-length list into a fixed-size array of length 6 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:33:57.619Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-gq54-j8f4-xj8c"
        }
      ],
      "source": {
        "advisory": "GHSA-gq54-j8f4-xj8c",
        "discovery": "UNKNOWN"
      },
      "title": "EVerest\u0027s ISO15118 update_energy_transfer_modes overflow can corrupt EVSE state"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27816",
    "datePublished": "2026-03-26T16:32:05.363Z",
    "dateReserved": "2026-02-24T02:32:39.798Z",
    "dateUpdated": "2026-03-26T18:24:18.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27815 (GCVE-0-2026-27815)

Vulnerability from cvelistv5 – Published: 2026-03-26 16:30 – Updated: 2026-03-28 02:25
VLAI
Title
EVerest: ISO15118 session_setup payment options overflow can corrupt EVSE state
Summary
EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
EVerest everest-core Affected: < 2026.02.0
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27815",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-28T02:24:51.876893Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-28T02:25:02.011Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "everest-core",
          "vendor": "EVerest",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2026.02.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "EVerest is an EV charging software stack. Prior to versions to 2026.02.0, ISO15118_chargerImpl::handle_session_setup copies a variable-length payment_options list into a fixed-size array of length 2 without bounds checking. With schema validation disabled by default, oversized MQTT Cmd payloads can trigger out-of-bounds writes and corrupt adjacent EVSE state or crash the process. Version 2026.02.0 contains a patch."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T16:31:34.779Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/EVerest/EVerest/security/advisories/GHSA-7wmg-crc8-6xxf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/EVerest/EVerest/security/advisories/GHSA-7wmg-crc8-6xxf"
        }
      ],
      "source": {
        "advisory": "GHSA-7wmg-crc8-6xxf",
        "discovery": "UNKNOWN"
      },
      "title": "EVerest: ISO15118 session_setup payment options overflow can corrupt EVSE state"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27815",
    "datePublished": "2026-03-26T16:30:29.860Z",
    "dateReserved": "2026-02-24T02:31:33.268Z",
    "dateUpdated": "2026-03-28T02:25:02.011Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27703 (GCVE-0-2026-27703)

Vulnerability from cvelistv5 – Published: 2026-03-11 19:38 – Updated: 2026-03-12 19:53
VLAI
Title
RIOT has an Out-of-Bounds Write in nanoCoAP Handler
Summary
RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution.
SSVC
Exploitation: poc Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
RIOT-OS RIOT Affected: <= 2026.01
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27703",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-12T19:53:15.324425Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-12T19:53:21.857Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RIOT",
          "vendor": "RIOT-OS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2026.01"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In 2026.01 and earlier, the default handler for the well_known_core resource coap_well_known_core_default_handler writes user-provided option data and other data into a fixed size buffer without validating the buffer is large enough to contain the response. This vulnerability allows an attacker to corrupt neighboring stack location, including security-sensitive addresses like the return address, leading to denial of service or arbitrary code execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T19:38:02.866Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-qgj4-9jff-93cj"
        }
      ],
      "source": {
        "advisory": "GHSA-qgj4-9jff-93cj",
        "discovery": "UNKNOWN"
      },
      "title": "RIOT has an Out-of-Bounds Write in nanoCoAP Handler"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27703",
    "datePublished": "2026-03-11T19:38:02.866Z",
    "dateReserved": "2026-02-23T17:56:51.202Z",
    "dateUpdated": "2026-03-12T19:53:21.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27692 (GCVE-0-2026-27692)

Vulnerability from cvelistv5 – Published: 2026-02-25 14:40 – Updated: 2026-02-25 20:42
VLAI
Title
iccDEV has HBO in CIccTagTextDescription::Release()
Summary
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Release() when strlen() reads past a heap buffer while parsing ICC profile XML text description tags, causing a crash. Commit 29d088840b962a7cdd35993dfabc2cb35a049847 fixes the issue. No known workarounds are available.
SSVC
Exploitation: poc Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27692",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T20:42:45.836415Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T20:42:56.820Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "iccDEV",
          "vendor": "InternationalColorConsortium",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, heap-buffer-overflow read occurs during CIccTagTextDescription::Release() when strlen() reads past a heap buffer while parsing ICC profile XML text description tags, causing a crash. Commit 29d088840b962a7cdd35993dfabc2cb35a049847 fixes the issue. No known workarounds are available."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125: Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "CWE-170: Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-25T14:40:22.740Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3869-prw8-gjqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3869-prw8-gjqr"
        },
        {
          "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/609",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/609"
        },
        {
          "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/610",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/610"
        },
        {
          "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/29d088840b962a7cdd35993dfabc2cb35a049847",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/29d088840b962a7cdd35993dfabc2cb35a049847"
        }
      ],
      "source": {
        "advisory": "GHSA-3869-prw8-gjqr",
        "discovery": "UNKNOWN"
      },
      "title": "iccDEV has HBO in CIccTagTextDescription::Release()"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27692",
    "datePublished": "2026-02-25T14:40:22.740Z",
    "dateReserved": "2026-02-23T17:56:51.202Z",
    "dateUpdated": "2026-02-25T20:42:56.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27664 (GCVE-0-2026-27664)

Vulnerability from cvelistv5 – Published: 2026-03-26 14:03 – Updated: 2026-04-14 18:24
VLAI
Summary
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26.10), SICORE Base system (All versions < V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27664",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T17:50:28.782194Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T18:24:41.814Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-14T18:24:39.273Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2026/Apr/7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "CPCI85 Central Processing/Communication",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V26.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "SICORE Base system",
          "vendor": "Siemens",
          "versions": [
            {
              "lessThan": "V26.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions \u003c V26.10), SICORE Base system (All versions \u003c V26.10.0). The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated attacker to exploit this issue by sending a malicious XML request, which may cause the service to crash, resulting in a denial-of-service condition."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-26T14:03:21.993Z",
        "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
        "shortName": "siemens"
      },
      "references": [
        {
          "url": "https://cert-portal.siemens.com/productcert/html/ssa-246443.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
    "assignerShortName": "siemens",
    "cveId": "CVE-2026-27664",
    "datePublished": "2026-03-26T14:03:21.993Z",
    "dateReserved": "2026-02-23T10:07:00.531Z",
    "dateUpdated": "2026-04-14T18:24:39.273Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27648 (GCVE-0-2026-27648)

Vulnerability from cvelistv5 – Published: 2026-05-19 02:58 – Updated: 2026-05-19 12:42
VLAI
Title
web_webview has an out-of-bounds write vulnerability
Summary
in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
Impacted products
Vendor Product Version
OpenHarmony OpenHarmony Affected: v5.0.3 , ≤ v6.0 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27648",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-19T12:42:42.687024Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-19T12:42:53.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "OpenHarmony",
          "vendor": "OpenHarmony",
          "versions": [
            {
              "lessThanOrEqual": "v6.0",
              "status": "affected",
              "version": "v5.0.3",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps."
            }
          ],
          "value": "in OpenHarmony v6.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787 Out-of-bounds write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-19T02:58:59.055Z",
        "orgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
        "shortName": "OpenHarmony"
      },
      "references": [
        {
          "url": "https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "web_webview has an out-of-bounds write vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cf5dd6e-1214-4398-a481-30441e48fafd",
    "assignerShortName": "OpenHarmony",
    "cveId": "CVE-2026-27648",
    "datePublished": "2026-05-19T02:58:59.055Z",
    "dateReserved": "2026-03-03T06:43:20.234Z",
    "dateUpdated": "2026-05-19T12:42:53.646Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27622 (GCVE-0-2026-27622)

Vulnerability from cvelistv5 – Published: 2026-03-03 22:42 – Updated: 2026-07-15 01:13
VLAI
Title
OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write
Summary
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector<unsigned int> total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32. overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-787 - Out-of-bounds Write
  • CWE-190 - Integer Overflow or Wraparound
Assigner
References
URL Tags
https://github.com/AcademySoftwareFoundation/open… x_refsource_CONFIRM
https://access.redhat.com/security/cve/CVE-2026-27622 vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2444251 issue-trackingx_refsource_REDHAT
https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
https://access.redhat.com/errata/RHSA-2026:7678 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:7682 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8863 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12340 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12341 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12339 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:12338 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8870 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8869 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8871 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8872 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:8888 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16008 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16030 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16009 vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:16174 vendor-advisoryx_refsource_REDHAT
Impacted products
Vendor Product Version
AcademySoftwareFoundation openexr Affected: >= 2.3.0, < 3.2.6
Affected: >= 3.3.0, < 3.3.8
Affected: >= 3.4.0, < 3.4.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10 Unaffected: 0:3.1.10-8.el10_1.1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux:10.1
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support Unaffected: 0:3.1.10-8.el10_0.1 , < * (rpm)
    cpe:/o:redhat:enterprise_linux_eus:10.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8 Unaffected: 0:2.2.0-12.el8_10.1 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support Unaffected: 0:2.2.0-11.el8_2.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Unaffected: 0:2.2.0-12.el8_4.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Unaffected: 0:2.2.0-12.el8_4.1 , < * (rpm)
    cpe:/a:redhat:rhel_eus_long_life:8.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Unaffected: 0:2.2.0-12.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_aus:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service Unaffected: 0:2.2.0-12.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_tus:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Unaffected: 0:2.2.0-12.el8_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.8 Telecommunications Update Service Unaffected: 0:2.2.0-12.el8_8.1 , < * (rpm)
    cpe:/a:redhat:rhel_tus:8.8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Unaffected: 0:2.2.0-12.el8_8.1 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:8.8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9 Unaffected: 0:3.1.1-3.el9_7.1 , < * (rpm)
    cpe:/a:redhat:enterprise_linux:9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Unaffected: 0:3.1.1-2.el9_0.2 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:9.0
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Unaffected: 0:3.1.1-2.el9_2.2 , < * (rpm)
    cpe:/a:redhat:rhel_e4s:9.2
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support Unaffected: 0:3.1.1-2.el9_4.2 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.4
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support Unaffected: 0:3.1.1-3.el9_6.1 , < * (rpm)
    cpe:/a:redhat:rhel_eus:9.6
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.3 Unaffected: 1778244559 , < * (rpm)
    cpe:/a:redhat:ai_inference_server:3.3::el9
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.3 Unaffected: 1778244531 , < * (rpm)
    cpe:/a:redhat:ai_inference_server:3.3::el9
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.3 Unaffected: 1778274666 , < * (rpm)
    cpe:/a:redhat:ai_inference_server:3.3::el9
Create a notification for this product.
Red Hat Red Hat AI Inference Server 3.3 Unaffected: 1778244546 , < * (rpm)
    cpe:/a:redhat:ai_inference_server:3.3::el9
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27622",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-10T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T03:56:39.168Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10.1"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.10-8.el10_1.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux_eus:10.0"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 10.0 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.10-8.el10_0.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_10.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.2"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.2 Advanced Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-11.el8_2.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.4"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_4.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus_long_life:8.4"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_4.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_aus:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.6"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_tus:8.8"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_8.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:8.8"
            ],
            "defaultStatus": "affected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:2.2.0-12.el8_8.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.1-3.el9_7.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.0"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.1-2.el9_0.2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_e4s:9.2"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.1-2.el9_2.2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.4"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 9.4 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.1-2.el9_4.2",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/a:redhat:rhel_eus:9.6"
            ],
            "defaultStatus": "affected",
            "packageName": "openexr",
            "product": "Red Hat Enterprise Linux 9.6 Extended Update Support",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "0:3.1.1-3.el9_6.1",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhaiis/model-opt-cuda-rhel9",
            "product": "Red Hat AI Inference Server 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778244559",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhaiis/vllm-rocm-rhel9",
            "product": "Red Hat AI Inference Server 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778244531",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhaiis/vllm-cuda-rhel9",
            "product": "Red Hat AI Inference Server 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778274666",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://catalog.redhat.com/software/containers/",
            "cpes": [
              "cpe:/a:redhat:ai_inference_server:3.3::el9"
            ],
            "defaultStatus": "affected",
            "packageName": "rhaiis/vllm-spyre-rhel9",
            "product": "Red Hat AI Inference Server 3.3",
            "vendor": "Red Hat",
            "versions": [
              {
                "lessThan": "*",
                "status": "unaffected",
                "version": "1778244546",
                "versionType": "rpm"
              }
            ]
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:6"
            ],
            "defaultStatus": "unknown",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 6",
            "vendor": "Red Hat"
          },
          {
            "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:7"
            ],
            "defaultStatus": "unaffected",
            "packageName": "OpenEXR",
            "product": "Red Hat Enterprise Linux 7",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-03-03T22:42:49.086Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in OpenEXR, an image storage format library for the motion picture industry. An attacker can craft a malicious EXR file that, when processed, causes an integer overflow in the `CompositeDeepScanLine::readPixels` function. This overflow leads to an undersized buffer allocation, which can then be overrun during write operations. Successful exploitation could result in arbitrary code execution or a denial of service (DoS)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.4,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-15T01:13:52.864Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-27622"
          },
          {
            "name": "RHBZ#2444251",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444251"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27622.json"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7678"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:7682"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8863"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:12340"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:12341"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:12339"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:12338"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8870"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8869"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8871"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8872"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:8888"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16008"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16030"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16009"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2026:16174"
          }
        ],
        "solutions": [
          {
            "lang": "en",
            "value": "RHSA-2026:7678: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:7682: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8863: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:12340: Red Hat Enterprise Linux AppStream AUS (v. 8.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:12341: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:12339: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:12338: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8870: Red Hat Enterprise Linux AppStream E4S (v.9.0)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8869: Red Hat Enterprise Linux AppStream E4S (v.9.2)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8871: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.4)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8872: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:8888: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16008: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16030: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16009: Red Hat AI Inference Server 3.3"
          },
          {
            "lang": "en",
            "value": "RHSA-2026:16174: Red Hat AI Inference Server 3.3"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-03T23:02:15.379Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-03-03T22:42:49.086Z",
            "value": "Made public."
          }
        ],
        "title": "openexr: OpenEXR: Arbitrary code execution via integer overflow in EXR file processing",
        "workarounds": [
          {
            "lang": "en",
            "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
          }
        ],
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "openexr",
          "vendor": "AcademySoftwareFoundation",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.3.0, \u003c 3.2.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.3.0, \u003c 3.3.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.4.0, \u003c 3.4.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In CompositeDeepScanLine::readPixels, per-pixel totals are accumulated in vector\u003cunsigned int\u003e total_sizes for attacker-controlled large counts across many parts, total_sizes[ptr] wraps modulo 2^32.  overall_sample_count is then derived from wrapped totals and used in samples[channel].resize(overall_sample_count). Decode pointer setup/consumption proceeds with true sample counts, and write operations in core unpack (generic_unpack_deep_pointers) overrun the undersized composite sample buffer. This vulnerability is fixed in v3.2.6, v3.3.8, and v3.4.6."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T22:42:49.086Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-cr4v-6jm6-4963"
        }
      ],
      "source": {
        "advisory": "GHSA-cr4v-6jm6-4963",
        "discovery": "UNKNOWN"
      },
      "title": "OpenEXR CompositeDeepScanLine integer-overflow leads to heap OOB write"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27622",
    "datePublished": "2026-03-03T22:42:49.086Z",
    "dateReserved": "2026-02-20T22:02:30.027Z",
    "dateUpdated": "2026-07-15T01:13:52.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
  • Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
Implementation
  • Consider adhering to the following rules when allocating and managing an application's memory:
  • Double check that the buffer is as large as specified.
  • When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  • Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
  • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Operation

Strategy: Environment Hardening

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

No CAPEC attack patterns related to this CWE.