CWE-122
Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CVE-2026-22828 (GCVE-0-2026-22828)
Vulnerability from cvelistv5 – Published: 2026-04-14 15:38 – Updated: 2026-04-15 03:58
VLAI
Summary
A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Escalation of privilege
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Fortinet | FortiAnalyzer Cloud |
Affected:
7.6.2 , ≤ 7.6.4
(semver)
cpe:2.3:a:fortinet:fortianalyzercloud:7.6.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortianalyzercloud:7.6.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortianalyzercloud:7.6.2:*:*:*:*:*:*:* |
|
| Fortinet | FortiManager Cloud |
Affected:
7.6.2 , ≤ 7.6.4
(semver)
cpe:2.3:a:fortinet:fortimanagercloud:7.6.4:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortimanagercloud:7.6.3:*:*:*:*:*:*:* cpe:2.3:a:fortinet:fortimanagercloud:7.6.2:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T03:58:26.193Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:fortinet:fortianalyzercloud:7.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortianalyzercloud:7.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortianalyzercloud:7.6.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiAnalyzer Cloud",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.6.4",
"status": "affected",
"version": "7.6.2",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:fortinet:fortimanagercloud:7.6.4:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortimanagercloud:7.6.3:*:*:*:*:*:*:*",
"cpe:2.3:a:fortinet:fortimanagercloud:7.6.2:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "FortiManager Cloud",
"vendor": "Fortinet",
"versions": [
{
"lessThanOrEqual": "7.6.4",
"status": "affected",
"version": "7.6.2",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow vulnerability in Fortinet FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Escalation of privilege",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:38:22.657Z",
"orgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"shortName": "fortinet"
},
"references": [
{
"name": "https://fortiguard.fortinet.com/psirt/FG-IR-26-121",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-121"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to upcoming FortiManager Cloud version 8.0.0 or above\nUpgrade to FortiManager Cloud version 7.6.5 or above\nUpgrade to upcoming FortiAnalyzer Cloud version 8.0.0 or above\nUpgrade to FortiAnalyzer Cloud version 7.6.5 or above"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "6abe59d8-c742-4dff-8ce8-9b0ca1073da8",
"assignerShortName": "fortinet",
"cveId": "CVE-2026-22828",
"datePublished": "2026-04-14T15:38:22.657Z",
"dateReserved": "2026-01-12T08:32:04.788Z",
"dateUpdated": "2026-04-15T03:58:26.193Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22854 (GCVE-0-2026-22854)
Vulnerability from cvelistv5 – Published: 2026-01-14 17:47 – Updated: 2026-02-26 15:04
VLAI
Title
FreeRDP has a heap-buffer-overflow in drive_process_irp_read
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T04:55:49.110014Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T15:04:09.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.20.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap-buffer-overflow occurs in drive read when a server-controlled read length is used to read file data into an IRP output stream buffer without a hard upper bound, allowing an oversized read to overwrite heap memory. This vulnerability is fixed in 3.20.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-14T17:47:49.588Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-47vj-g3c3-3rmf"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.20.1"
}
],
"source": {
"advisory": "GHSA-47vj-g3c3-3rmf",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has a heap-buffer-overflow in drive_process_irp_read"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22854",
"datePublished": "2026-01-14T17:47:49.588Z",
"dateReserved": "2026-01-12T16:20:16.746Z",
"dateUpdated": "2026-02-26T15:04:09.526Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22891 (GCVE-0-2026-22891)
Vulnerability from cvelistv5 – Published: 2026-03-03 14:32 – Updated: 2026-03-03 15:17
VLAI
Summary
A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| The Biosig Project | libbiosig |
Affected:
3.9.2
Affected: Master Branch (db9a9a63) |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-03-03T15:17:04.426Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2026-2361"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T15:17:18.000036Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T15:17:25.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "libbiosig",
"vendor": "The Biosig Project",
"versions": [
{
"status": "affected",
"version": "3.9.2"
},
{
"status": "affected",
"version": "Master Branch (db9a9a63)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered by Mark Bereza and Lilith \u0026gt;_\u0026gt; of Cisco Talos."
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T14:32:16.524Z",
"orgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"shortName": "talos"
},
"references": [
{
"name": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2361",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2026-2361"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b",
"assignerShortName": "talos",
"cveId": "CVE-2026-22891",
"datePublished": "2026-03-03T14:32:16.524Z",
"dateReserved": "2026-01-28T12:55:08.823Z",
"dateUpdated": "2026-03-03T15:17:25.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23530 (GCVE-0-2026-23530)
Vulnerability from cvelistv5 – Published: 2026-01-19 16:58 – Updated: 2026-01-20 21:36
VLAI
Title
FreeRDP has heap-buffer-overflow in planar_decompress_plane_rle
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23530",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:36:24.283241Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:36:30.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0,`freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar-\u003emaxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client\u2011side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code\u2011execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T17:18:45.760Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0"
}
],
"source": {
"advisory": "GHSA-r4hv-852m-fq7p",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has heap-buffer-overflow in planar_decompress_plane_rle"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23530",
"datePublished": "2026-01-19T16:58:46.712Z",
"dateReserved": "2026-01-13T18:22:43.981Z",
"dateUpdated": "2026-01-20T21:36:30.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23531 (GCVE-0-2026-23531)
Vulnerability from cvelistv5 – Published: 2026-01-19 17:01 – Updated: 2026-01-20 21:37
VLAI
Title
FreeRDP has heap-buffer-overflow in clear_decompress
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23531",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:37:06.179601Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:37:13.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client\u2011side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code\u2011execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T17:01:01.380Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0"
}
],
"source": {
"advisory": "GHSA-xj5h-9cr5-23c5",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has heap-buffer-overflow in clear_decompress"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23531",
"datePublished": "2026-01-19T17:01:01.380Z",
"dateReserved": "2026-01-13T18:22:43.981Z",
"dateUpdated": "2026-01-20T21:37:13.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23532 (GCVE-0-2026-23532)
Vulnerability from cvelistv5 – Published: 2026-01-19 17:03 – Updated: 2026-01-20 21:37
VLAI
Title
FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23532",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:37:47.185394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:37:53.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client\u2019s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client\u2011side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code\u2011execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T17:03:51.328Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0"
}
],
"source": {
"advisory": "GHSA-fq8c-87hj-7gvr",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has heap-buffer-overflow in gdi_SurfaceToSurface"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23532",
"datePublished": "2026-01-19T17:03:51.328Z",
"dateReserved": "2026-01-13T18:22:43.981Z",
"dateUpdated": "2026-01-20T21:37:53.418Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23533 (GCVE-0-2026-23533)
Vulnerability from cvelistv5 – Published: 2026-01-19 17:07 – Updated: 2026-01-20 21:38
VLAI
Title
FreeRDP has heap-buffer-overflow in clear_decompress_residual_data
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23533",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T21:38:13.072739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T21:38:24.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client\u2011side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code\u2011execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T17:07:18.283Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0"
}
],
"source": {
"advisory": "GHSA-32q9-m5qr-9j2v",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has heap-buffer-overflow in clear_decompress_residual_data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23533",
"datePublished": "2026-01-19T17:07:18.283Z",
"dateReserved": "2026-01-13T18:22:43.981Z",
"dateUpdated": "2026-01-20T21:38:24.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23534 (GCVE-0-2026-23534)
Vulnerability from cvelistv5 – Published: 2026-01-19 17:09 – Updated: 2026-01-20 14:42
VLAI
Title
FreeRDP has heap-buffer-overflow in clear_decompress_bands_data
Summary
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/FreeRDP/FreeRDP/security/advis… | x_refsource_CONFIRM |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/blob/38514dfa5… | x_refsource_MISC |
| https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23534",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:42:05.964862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:42:31.717Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FreeRDP",
"vendor": "FreeRDP",
"versions": [
{
"status": "affected",
"version": "\u003c 3.21.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client\u2011side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code\u2011execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T17:09:55.715Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884"
},
{
"name": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0"
}
],
"source": {
"advisory": "GHSA-3frr-mp8w-4599",
"discovery": "UNKNOWN"
},
"title": "FreeRDP has heap-buffer-overflow in clear_decompress_bands_data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23534",
"datePublished": "2026-01-19T17:09:55.715Z",
"dateReserved": "2026-01-13T18:22:43.981Z",
"dateUpdated": "2026-01-20T14:42:31.717Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23567 (GCVE-0-2026-23567)
Vulnerability from cvelistv5 – Published: 2026-01-29 08:47 – Updated: 2026-01-29 16:44
VLAI
Title
Integer underflow in Content Distribution Service UDP handler
Summary
An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TeamViewer | DEX |
Affected:
0 , < 26.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23567",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T15:56:32.513279Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T16:44:12.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Content Distribution Service",
"NomadBranch.exe"
],
"platforms": [
"Windows"
],
"product": "DEX",
"vendor": "TeamViewer",
"versions": [
{
"lessThan": "26.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Threat Hunt Team of Bank of America"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets."
}
],
"value": "An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) - Content Distribution Service (NomadBranch.exe) prior version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets."
}
],
"impacts": [
{
"capecId": "CAPEC-100",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-100 Overflow Buffers"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T08:47:13.169Z",
"orgId": "13430f76-86eb-43b2-a71c-82c956ef31b6",
"shortName": "TV"
},
"references": [
{
"url": "https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the TeamViewer DEX Client (1E Client) to the latest available version."
}
],
"value": "Update the TeamViewer DEX Client (1E Client) to the latest available version."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Integer underflow in Content Distribution Service UDP handler",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "13430f76-86eb-43b2-a71c-82c956ef31b6",
"assignerShortName": "TV",
"cveId": "CVE-2026-23567",
"datePublished": "2026-01-29T08:47:13.169Z",
"dateReserved": "2026-01-14T13:54:40.322Z",
"dateUpdated": "2026-01-29T16:44:12.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23665 (GCVE-0-2026-23665)
Vulnerability from cvelistv5 – Published: 2026-03-10 17:05 – Updated: 2026-04-14 16:36
VLAI
Title
Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability
Summary
Heap-based buffer overflow in Azure Linux Virtual Machines allows an authorized attacker to elevate privileges locally.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerabi… | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Azure Linux Virtual Machines with Azure Diagnostics extension |
Affected:
1.0.0 , < 2.1.24
(custom)
|
Date Public
2026-03-10 14:00
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-05T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:20.558Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Azure Linux Virtual Machines with Azure Diagnostics extension",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "2.1.24",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:azure_linux_virtual_machines_azure_diagnostics:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.1.24",
"versionStartIncluding": "1.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"datePublic": "2026-03-10T14:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "Heap-based buffer overflow in Azure Linux Virtual Machines allows an authorized attacker to elevate privileges locally."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T16:36:35.603Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"name": "Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability",
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23665"
}
],
"title": "Linux Azure Diagnostic extension (LAD) Elevation of Privilege Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2026-23665",
"datePublished": "2026-03-10T17:05:16.915Z",
"dateReserved": "2026-01-14T16:59:33.464Z",
"dateUpdated": "2026-04-14T16:36:35.603Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phases:
Description:
- Pre-design: Use a language or compiler that performs automatic bounds checking.
Mitigation
Phase: Architecture and Design
Description:
- Use an abstraction library to abstract away risky APIs. Not a complete solution.
Mitigation ID: MIT-10
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation ID: MIT-11
Phases: Operation, Build and Compilation
Strategy: Environment Hardening
Description:
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation
Phase: Implementation
Description:
- Implement and perform bounds checking on input.
Mitigation
Phase: Implementation
Strategy: Libraries or Frameworks
Description:
- Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Mitigation
Phase: Operation
Description:
- Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.