{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/buffer_overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25307"}],"_cs_exploited":false,"_cs_products":["SysGauge Pro 4.6.12"],"_cs_severities":["high"],"_cs_tags":["vulnerability","buffer_overflow","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eSysGauge Pro version 4.6.12 is susceptible to a local buffer overflow vulnerability (CVE-2018-25307) within its registration process. This vulnerability allows a local attacker to gain arbitrary code execution with the privileges of the SysGauge Pro application. Specifically, by providing a maliciously crafted \u0026ldquo;Unlock Key\u0026rdquo; during the registration, an attacker can overwrite the Structured Exception Handler (SEH). This overwrite allows the injection of shellcode, leading to the execution of attacker-controlled code within the context of the application. This is a local vulnerability, meaning the attacker needs local system access to exploit it. 
The report dates back to 2018, but was only recently published in the NVD database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies that SysGauge Pro 4.6.12 is installed.\u003c/li\u003e\n\u003cli\u003eAttacker launches SysGauge Pro.\u003c/li\u003e\n\u003cli\u003eAttacker initiates the registration process within SysGauge Pro.\u003c/li\u003e\n\u003cli\u003eAttacker provides a crafted \u0026ldquo;Unlock Key\u0026rdquo; containing shellcode designed to overwrite the Structured Exception Handler (SEH).\u003c/li\u003e\n\u003cli\u003eThe application attempts to process the overly long \u0026ldquo;Unlock Key\u0026rdquo; without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow occurs, overwriting the SEH with the attacker\u0026rsquo;s shellcode address.\u003c/li\u003e\n\u003cli\u003eWhen an exception occurs within the application, the overwritten SEH is invoked, redirecting execution to the attacker\u0026rsquo;s shellcode, leading to arbitrary code execution with application privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the SysGauge Pro application. This could lead to complete system compromise if the application is running with elevated privileges. The impact includes potential data theft, modification of system settings, or installation of malware. 
Given that this is a local exploit, the primary risk is to systems where untrusted users have local access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for SysGauge Pro (SysGauge.exe) spawning unusual child processes to detect potential exploitation attempts, using a \u003ccode\u003eprocess_creation\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eConsider deploying application control or whitelisting to prevent execution of unsigned or untrusted executables within the SysGauge Pro process.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider uninstalling SysGauge Pro 4.6.12 from systems where the risk outweighs the benefit of the software.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:26Z","date_published":"2026-04-29T20:16:26Z","id":"/briefs/2026-04-sysgauge-bo/","summary":"SysGauge Pro 4.6.12 is vulnerable to a local buffer overflow in the Register function, allowing local attackers to overwrite the structured exception handler and execute arbitrary code by supplying a crafted unlock key during registration.","title":"SysGauge Pro 4.6.12 Local Buffer Overflow Vulnerability (CVE-2018-25307)","url":"https://feed.craftedsignal.io/briefs/2026-04-sysgauge-bo/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7081"}],"_cs_exploited":false,"_cs_products":["F456"],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function within the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e file, a component of the device\u0026rsquo;s httpd service. 
Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe HTTP request includes the \u003ccode\u003edips\u003c/code\u003e argument, which is intentionally oversized to trigger the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function processes the request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003edips\u003c/code\u003e argument overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromGstDhcpSetSer\u003c/code\u003e function returns, causing execution to jump to the attacker\u0026rsquo;s code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes with the privileges of the httpd process, potentially leading to full device compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. 
This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/GstDhcpSetSer\u003c/code\u003e with unusually long \u003ccode\u003edips\u003c/code\u003e parameter values to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Tenda F456 Buffer Overflow Attempt\u003c/code\u003e to identify malicious HTTP requests.\u003c/li\u003e\n\u003cli\u003eSince no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-27T04:16:09Z","date_published":"2026-04-27T04:16:09Z","id":"/briefs/2026-04-tenda-f456-bo/","summary":"A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.","title":"Tenda F456 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","cve-2026-6631","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. 
The vulnerability resides in the \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e component of the router\u0026rsquo;s \u003ccode\u003ehttpd\u003c/code\u003e web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long \u0026lsquo;page\u0026rsquo; parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda F451 router exposed to the internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP GET or POST request targeting \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes the \u003ccode\u003epage\u003c/code\u003e parameter with a payload exceeding the buffer size allocated for it.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ehttpd\u003c/code\u003e server processes the request and passes the \u003ccode\u003epage\u003c/code\u003e parameter to the vulnerable \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper bounds checking, the overly long \u003ccode\u003epage\u003c/code\u003e parameter overwrites adjacent memory regions on the stack.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efromwebExcptypemanFilter\u003c/code\u003e function completes execution and attempts to return, jumping to the attacker-controlled 
address.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious code executes with the privileges of the \u003ccode\u003ehttpd\u003c/code\u003e server, potentially gaining full control of the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available firmware updates from Tenda to patch CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to \u003ccode\u003e/goform/webExcptypemanFilter\u003c/code\u003e with unusually long \u003ccode\u003epage\u003c/code\u003e parameters, using the Sigma rule \u003ccode\u003eDetectTendaF451BufferOverflow\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.\u003c/li\u003e\n\u003cli\u003eConsider deploying the Sigma rule \u003ccode\u003eDetectTendaF451SuspiciousProcess\u003c/code\u003e to identify unexpected processes spawned by the httpd daemon.\u003c/li\u003e\n\u003cli\u003eIf patching is not immediately feasible, consider restricting access to the router\u0026rsquo;s web interface from the public internet to mitigate the risk of remote 
exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-20T11:16:19Z","date_published":"2026-04-20T11:16:19Z","id":"/briefs/2026-04-tenda-f451-buffer-overflow/","summary":"A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.","title":"Tenda F451 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5989"}],"_cs_exploited":true,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","router","buffer_overflow","rce"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the \u003ccode\u003efromRouteStatic\u003c/code\u003e function of the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e file. By manipulating the \u003ccode\u003epage\u003c/code\u003e argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. 
This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003epage\u003c/code\u003e argument with a payload designed to overflow the stack buffer in the \u003ccode\u003efromRouteStatic\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efromRouteStatic\u003c/code\u003e function processes the malicious \u003ccode\u003epage\u003c/code\u003e argument without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites critical data on the stack, including the return address.\u003c/li\u003e\n\u003cli\u003eUpon function return, control is redirected to the attacker-controlled memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the router, potentially allowing further exploitation or network compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. 
Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e containing abnormally long \u003ccode\u003epage\u003c/code\u003e arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule \u003ccode\u003eDetect Tenda F451 Exploit Attempt\u003c/code\u003e to detect these malicious requests.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on requests to the \u003ccode\u003e/goform/RouteStatic\u003c/code\u003e endpoint to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eSince there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T00:16:36Z","date_published":"2026-04-10T00:16:36Z","id":"/briefs/2026-04-tenda-rce/","summary":"A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.","title":"Tenda F451 Router Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5980"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","router","d-link"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5980 is a critical buffer overflow vulnerability affecting the D-Link DIR-605L router, specifically version 2.13B01. 
The vulnerability resides in the \u003ccode\u003eformSetMACFilter\u003c/code\u003e function within the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e component\u0026rsquo;s POST Request Handler. A remote attacker can exploit this by sending a crafted POST request with a malicious \u003ccode\u003ecurTime\u003c/code\u003e argument, leading to a buffer overflow. Exploit code is publicly available. Due to the product\u0026rsquo;s end-of-life status, no patch is available, making unpatched devices highly vulnerable. This allows for potential remote code execution and complete compromise of the device.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker includes the \u003ccode\u003ecurTime\u003c/code\u003e parameter, injecting a string exceeding the buffer\u0026rsquo;s expected size.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformSetMACFilter\u003c/code\u003e function processes the POST request without proper bounds checking on the \u003ccode\u003ecurTime\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e string overflows the buffer, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite critical data, such as return addresses or function pointers.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003eformSetMACFilter\u003c/code\u003e function attempts to return, the overwritten return address is used, redirecting execution to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on 
the router, potentially installing malware, changing configurations, or using the device for further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Given that the affected product is no longer supported, a large number of legacy routers remain vulnerable. Attackers can leverage compromised routers to establish botnets, conduct man-in-the-middle attacks, or gain unauthorized access to internal networks connected to the router. The lack of patches elevates the severity, as affected users have no direct mitigation available other than replacing the device.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect D-Link DIR-605L Buffer Overflow Attempt\u003c/code\u003e to identify malicious POST requests targeting the \u003ccode\u003e/goform/formSetMACFilter\u003c/code\u003e endpoint on D-Link DIR-605L devices.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers to limit the impact of a successful compromise.\u003c/li\u003e\n\u003cli\u003eIf possible, replace D-Link DIR-605L routers (version 2.13B01) with newer, supported devices to eliminate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:14Z","date_published":"2026-04-09T21:16:14Z","id":"/briefs/2026-04-dlink-dir605l-buffer-overflow/","summary":"A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability 
(CVE-2026-5980)","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-5979"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["dlink","router","buffer_overflow","cve-2026-5979"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA buffer overflow vulnerability, CVE-2026-5979, has been identified in the D-Link DIR-605L router with firmware version 2.13B01. The vulnerability resides in the \u003ccode\u003eformVirtualServ\u003c/code\u003e function within the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e component, specifically within the POST request handler. By manipulating the \u003ccode\u003ecurTime\u003c/code\u003e argument, a remote attacker can trigger a buffer overflow. According to the NVD, an exploit is publicly available, increasing the risk of exploitation. This vulnerability affects end-of-life products, making patching impossible.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the \u003ccode\u003ecurTime\u003c/code\u003e argument with a value exceeding the buffer\u0026rsquo;s capacity.\u003c/li\u003e\n\u003cli\u003eThe router\u0026rsquo;s \u003ccode\u003eformVirtualServ\u003c/code\u003e function processes the POST request without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe oversized \u003ccode\u003ecurTime\u003c/code\u003e value overwrites adjacent memory regions on the stack or heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow payload to overwrite the return address.\u003c/li\u003e\n\u003cli\u003eUpon returning from the 
\u003ccode\u003eformVirtualServ\u003c/code\u003e function, control is transferred to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the router, potentially gaining full control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/goform/formVirtualServ\u003c/code\u003e with unusually long \u003ccode\u003ecurTime\u003c/code\u003e parameters to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Suspiciously Long curTime Parameter in D-Link Routers\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.\u003c/li\u003e\n\u003cli\u003eSince this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.\u003c/li\u003e\n\u003cli\u003eExamine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule \u0026ldquo;Detect Outbound Connections from D-Link 
Routers\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T21:16:13Z","date_published":"2026-04-09T21:16:13Z","id":"/briefs/2026-04-dlink-dir605l-bo/","summary":"A remote buffer overflow vulnerability exists in the D-Link DIR-605L version 2.13B01 due to improper handling of the 'curTime' argument in the '/goform/formVirtualServ' POST request handler, potentially allowing attackers to execute arbitrary code.","title":"D-Link DIR-605L Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","java_decompiler"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJAD Java Decompiler version 1.5.8e-1kali1 and prior contains a critical stack-based buffer overflow vulnerability (CVE-2017-20227). An attacker can exploit this flaw by crafting a malicious input that, when processed by the \u003ccode\u003ejad\u003c/code\u003e command, overflows the stack buffer. This overflow can be leveraged to overwrite critical memory regions, allowing the attacker to inject and execute arbitrary code. The successful exploitation results in the execution of a return-oriented programming (ROP) chain, ultimately leading to the spawning of a shell with the privileges of the user running the vulnerable JAD decompiler. 
This vulnerability poses a significant risk to developers and systems utilizing the affected versions of JAD, particularly in environments where untrusted or externally sourced Java bytecode is routinely decompiled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Java class file or other input designed to trigger the buffer overflow in JAD.\u003c/li\u003e\n\u003cli\u003eThe attacker lures a user or system into using the vulnerable JAD decompiler version 1.5.8e-1kali1 or prior to decompile the malicious input file using the \u003ccode\u003ejad\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eJAD attempts to process the overly long input string, exceeding the boundaries of a stack-based buffer.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow corrupts the stack, overwriting return addresses and other critical data.\u003c/li\u003e\n\u003cli\u003eThe attacker-controlled return addresses are used to construct a return-oriented programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eThe ROP chain executes a series of small code snippets already present in the JAD binary or system libraries to achieve a desired outcome, such as disabling security features or preparing for shell execution.\u003c/li\u003e\n\u003cli\u003eThe ROP chain prepares the environment and executes a system call to spawn a shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the user running JAD.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2017-20227 can lead to arbitrary code execution, potentially granting an attacker complete control over the affected system. Given a CVSS v3.1 base score of 9.8 (Critical), this vulnerability poses a severe risk. The impact includes full compromise of confidentiality, integrity, and availability. 
The attack requires no privileges and no user interaction. This can enable lateral movement within a network, data exfiltration, installation of malware, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement a network-level block or alert for outbound connections originating from the system running the JAD decompiler, especially if the user routinely decompiles untrusted class files. (Log Source: \u003ccode\u003enetwork_connection\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eMonitor process executions for the \u003ccode\u003ejad\u003c/code\u003e command with unusually long command-line arguments, indicative of a potential buffer overflow attempt. Deploy the provided Sigma rule for detection. (Log Source: \u003ccode\u003eprocess_creation\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eConsider using alternative Java decompilers that are not vulnerable to this specific stack-based buffer overflow.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T12:16:01Z","date_published":"2026-03-28T12:16:01Z","id":"/briefs/2026-03-jad-decompiler-overflow/","summary":"JAD Java Decompiler 1.5.8e-1kali1 and prior is vulnerable to a stack-based buffer overflow, allowing attackers to execute arbitrary code by providing overly long input to the jad command leading to a return-oriented programming chain execution and shell spawning.","title":"JAD Java Decompiler Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-jad-decompiler-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","buffer_overflow","compiler"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eZen C is a systems programming language that compiles to human-readable GNU C/C11. 
Prior to version 0.4.4, a stack-based buffer overflow vulnerability (CVE-2026-33491) exists within the Zen C compiler. This flaw allows a malicious actor to craft a Zen C source file (\u003ccode\u003e.zc\u003c/code\u003e) containing excessively long struct, function, or trait identifiers. Successful exploitation of this vulnerability can lead to a compiler crash, causing disruption to development workflows, or potentially allow the attacker to…\u003c/p\u003e\n","date_modified":"2026-03-27T12:00:00Z","date_published":"2026-03-27T12:00:00Z","id":"/briefs/2026-03-zen-c-overflow/","summary":"A stack-based buffer overflow vulnerability in Zen C compiler versions before 0.4.4 allows attackers to crash the compiler or potentially execute arbitrary code via a crafted `.zc` source file with overly long identifiers.","title":"Zen C Compiler Stack-Based Buffer Overflow (CVE-2026-33491)","url":"https://feed.craftedsignal.io/briefs/2026-03-zen-c-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["tenda","ac21","buffer_overflow","cve-2026-4565","router"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function within the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. 
Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a specially crafted argument list designed to overflow the buffer in the \u003ccode\u003eformSetQosBand\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe router processes the HTTP request and passes the malicious arguments to the vulnerable function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eformSetQosBand\u003c/code\u003e function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.\u003c/li\u003e\n\u003cli\u003eWith an execution pointer under attacker control, the program\u0026rsquo;s execution flow is redirected to the payload carried in the request.\u003c/li\u003e\n\u003cli\u003eThe payload executes with the elevated privileges of the router\u0026rsquo;s web server process, granting the attacker complete control over the router.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. This can lead to a variety of malicious outcomes, including: complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. 
Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/goform/SetNetControlList\u003c/code\u003e with unusually long or malformed arguments (see rule: \u0026ldquo;Detect Suspicious POST Requests to SetNetControlList\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDo not expose the router\u0026rsquo;s web management interface to the WAN, and restrict it to trusted LAN hosts where possible; a single crafted request is enough to trigger the overflow, so rate limiting HTTP POST requests slows scanning but does not by itself prevent exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Tenda AC21 Buffer Overflow Attempt\u0026rdquo; to identify exploitation attempts based on specific patterns in HTTP requests.\u003c/li\u003e\n\u003cli\u003eBlock traffic from known exploitation sources at the perimeter where threat intelligence identifies them.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched firmware version as soon as it becomes available from the vendor.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T01:16:43Z","date_published":"2026-03-23T01:16:43Z","id":"/briefs/2026-03-tenda-ac21-buffer-overflow/","summary":"A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.","title":"Tenda AC21 Router Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Buffer_overflow","version":"https://jsonfeed.org/version/1.1"}
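The fixed-size copy described in step 5 of the Tenda AC21 attack chain, shown beside its bounded form, together with the oversized-argument check that the Tenda and JAD recommendations ask for, as an added C illustration. This is not Tenda's firmware code (the feed does not show the source of formSetQosBand) and not a CraftedSignal rule: the buffer size QOS_BUF_LEN, the helpers find_value and value_len, the handlers form_set_qos_band_vulnerable and form_set_qos_band_safe, the detector body_has_oversized_arg and the sample request body are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Tenda's code: a handler that copies one
 * URL-encoded form argument into a fixed-size stack buffer, first as the
 * unchecked pattern from step 5 of the attack chain, then with the bounds
 * check that prevents the overflow. */
#define QOS_BUF_LEN 64   /* hypothetical buffer size */

/* Return a pointer to the value of `key` in `body` ("k=v&k2=v2"), or NULL.
 * Keys are matched at the start of the body or directly after '&'. */
static const char *find_value(const char *body, const char *key) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* Length of a value: up to the next '&' or the end of the body. */
static size_t value_len(const char *v) {
    const char *end = strchr(v, '&');
    return end ? (size_t)(end - v) : strlen(v);
}

/* VULNERABLE pattern: the length of the attacker-controlled value is never
 * compared with sizeof buf, so a long "list=" value writes past the buffer
 * and over the saved frame. Never call with untrusted input. Returns the
 * length copied, or -1 if the argument is absent. */
int form_set_qos_band_vulnerable(const char *body) {
    char buf[QOS_BUF_LEN];
    const char *v = find_value(body, "list");
    if (!v) return -1;
    size_t n = value_len(v);
    memcpy(buf, v, n);       /* no check of n against sizeof buf */
    buf[n] = '\0';
    return (int)strlen(buf);
}

/* HARDENED: refuse any value that does not fit before touching the buffer.
 * Returns 0 on success, 1 if the value is too long, -1 if absent. */
int form_set_qos_band_safe(const char *body) {
    char buf[QOS_BUF_LEN];
    const char *v = find_value(body, "list");
    if (!v) return -1;
    size_t n = value_len(v);
    if (n >= sizeof buf) return 1;
    memcpy(buf, v, n);
    buf[n] = '\0';
    return 0;
}

/* Detection side: flag a request body in which any key=value has a value
 * longer than `limit` bytes, the "unusually long arguments" condition from
 * the recommendations. Returns 1 if suspicious, 0 otherwise. */
int body_has_oversized_arg(const char *body, size_t limit) {
    const char *p = body;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        const char *eq = strchr(p, '=');
        if (eq && (!amp || eq < amp) && value_len(eq + 1) > limit)
            return 1;
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}

/* Constructed sample (not a captured exploit): a 200-byte "list" value. */
const char *sample_oversized_body(void) {
    static char body[256];
    memcpy(body, "list=", 5);
    memset(body + 5, 'A', 200);
    memcpy(body + 205, "&band=1", 8);   /* 8 bytes includes the NUL */
    return body;
}

int main(void) {
    const char *ok = "list=00:11:22:33:44:55;10;20&band=1";
    printf("benign   : safe=%d suspicious=%d\n",
           form_set_qos_band_safe(ok),
           body_has_oversized_arg(ok, QOS_BUF_LEN - 1));
    printf("oversized: safe=%d suspicious=%d\n",
           form_set_qos_band_safe(sample_oversized_body()),
           body_has_oversized_arg(sample_oversized_body(), QOS_BUF_LEN - 1));
    return 0;
}
```

Build with `gcc -Wall -o qos qos.c`. The vulnerable handler is only ever called with a short value here; passing it the oversized sample would be undefined behaviour, which is exactly the condition the hardened version refuses. The detector's threshold of QOS_BUF_LEN - 1 is the largest value the hardened handler accepts, so anything it flags would have overflowed the unchecked version; in practice the limit is tuned from the longest benign argument seen in the device's own logs.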
