Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CVEs (2,316)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-5403 1Wireshark 1Wireshark May 1, 2026 May 1, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 SBC codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service and possible code execution
CVE-2026-42512 1Freebsd 1Freebsd May 1, 2026 Apr 30, 2026 N/A· v4 8.1 HIGH· v3 N/A· v2 As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulti...Show more As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.Show less
CVE-2026-35547 1Freebsd 1Freebsd May 1, 2026 Apr 30, 2026 N/A· v4 8.1 HIGH· v3 N/A· v2 When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigge...Show more When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.Show less
CVE-2026-6530 1Wireshark 1Wireshark May 1, 2026 Apr 30, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-6529 1Wireshark 1Wireshark May 1, 2026 Apr 30, 2026 N/A· v4 5.5 MEDIUM· v3 N/A· v2 iLBC audio codec crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-5653 1Wireshark 1Wireshark May 1, 2026 Apr 30, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 DCP-ETSI protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-5402 1Wireshark 1Wireshark May 1, 2026 Apr 30, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 TLS protocol dissector heap overflow in Wireshark 4.6.0 to 4.6.4 allows denial of service and possible code execution
CVE-2026-7378 1Wireshark 1Wireshark May 1, 2026 Apr 30, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
CVE-2026-7353 1Google 1Chrome Apr 30, 2026 Apr 28, 2026 N/A· v4 8.3 HIGH· v3 N/A· v2 Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security...Show more Heap buffer overflow in Skia in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)Show less
CVE-2026-7339 1Google 1Chrome Apr 30, 2026 Apr 28, 2026 N/A· v4 8.8 HIGH· v3 N/A· v2 Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2026-20766 - - Apr 28, 2026 Apr 28, 2026 8.6 HIGH· v4 8.8 HIGH· v3 N/A· v2 An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.
CVE-2026-7040 1Rrwo 1Text\ May 7, 2026 Apr 27, 2026 N/A· v4 7.5 HIGH· v3 N/A· v2 Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruptio...Show more Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have a heap overflow when processing some malformed UTF-8 characters. The minify functions mishandled some malformed UTF-8 characters, leading to heap corruption. Note that the minify_utf8 function is an alias for minify.Show less
CVE-2026-33602 1Powerdns 1Dnsdist Apr 24, 2026 Apr 22, 2026 N/A· v4 8.2 HIGH· v3 N/A· v2 A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
CVE-2026-6846 2Gnu Redhat 4Binutils Enterprise LinuxHardened Images+1 more May 20, 2026 Apr 22, 2026 N/A· v4 7.8 HIGH· v3 N/A· v2 A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user int...Show more A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF (Extended Common Object File Format) object file during linking. A local attacker could trick a user into processing this malicious file, which could lead to arbitrary code execution, allowing the attacker to run unauthorized commands, or cause a denial of service, making the system unavailable.Show less
CVE-2026-40706 - - Apr 22, 2026 Apr 21, 2026 N/A· v4 8.4 HIGH· v3 N/A· v2 In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS...Show more In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.Show less
CVE-2026-40614 1Pjsip 1Pjsip Apr 23, 2026 Apr 21, 2026 8.5 HIGH· v4 8.8 HIGH· v3 N/A· v2 PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec...Show more PJSIP is a free and open source multimedia communication library written in C. In 2.16 and earlier, there is a buffer overflow when decoding Opus audio frames due to insufficient buffer size validation in the Opus codec decode path. The FEC decode buffers (dec_frame[].buf) were allocated based on a PCM-derived formula: (sample_rate/1000) * 60 * channel_cnt * 2. At 8 kHz mono this yields only 960 bytes, but codec_parse() can output encoded frames up to MAX_ENCODED_PACKET_SIZE (1280) bytes via opus_repacketizer_out_range(). The three pj_memcpy() calls in codec_decode() copied input->size bytes without bounds checking, causing a heap buffer overflow.Show less
CVE-2026-5450 1Gnu 1Glibc Apr 23, 2026 Apr 20, 2026 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one by...Show more Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.Show less
CVE-2026-32135 1Emqx 1Nanomq Apr 22, 2026 Apr 20, 2026 7.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability o...Show more NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Versions prior to 0.24.11 have a remotely triggerable heap buffer overflow in the `uri_param_parse` function of NanoMQ's REST API. The vulnerability occurs due to an off-by-one error when allocating memory for query parameter keys and values, allowing an attacker to write a null byte beyond the allocated buffer. This can be triggered via a crafted HTTP request. Version 0.24.11 patches the issue.Show less
CVE-2026-41445 - - Apr 20, 2026 Apr 20, 2026 8.7 HIGH· v4 8.8 HIGH· v3 N/A· v2 KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther(dimReal+2)sizeof(kiss_fft_scalar) overflows s...Show more KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther(dimReal+2)sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc() to allocate an undersized buffer. Attackers can trigger heap buffer overflow by providing crafted dimensions that cause the multiplication to exceed INT_MAX, allowing writes beyond the allocated buffer region when kiss_fftndr() processes the data.Show less
CVE-2026-32961 1Silextechnology 2Amc Manager Sd 330ac Firmware Apr 22, 2026 Apr 20, 2026 6.9 MEDIUM· v4 5.3 MEDIUM· v3 N/A· v2 SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in packet data processing of sx_smpd. Processing a crafted packet may cause a temporary denial-of-service (Do...Show more SD-330AC and AMC Manager provided by silex technology, Inc. contain a heap-based buffer overflow vulnerability in packet data processing of sx_smpd. Processing a crafted packet may cause a temporary denial-of-service (DoS) condition.Show less

Previous 1...91011...116 Next