https://feed.craftedsignal.io/tags/buffer_overflow/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 20:16:26 +0000https://feed.craftedsignal.io/briefs/2026-04-sysgauge-bo/Wed, 29 Apr 2026 20:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-sysgauge-bo/SysGauge Pro 4.6.12 is vulnerable to a local buffer overflow in the Register function, allowing local attackers to overwrite the structured exception handler and execute arbitrary code by supplying a crafted unlock key during registration.SysGauge Pro version 4.6.12 is susceptible to a local buffer overflow vulnerability (CVE-2018-25307) within its registration process. This vulnerability allows a local attacker to gain arbitrary code execution with the privileges of the SysGauge Pro application. Specifically, by providing a maliciously crafted “Unlock Key” during the registration, an attacker can overwrite the Structured Exception Handler (SEH). This overwrite allows the injection of shellcode, leading to the execution of attacker-controlled code within the context of the application. This is a local vulnerability, meaning the attacker needs local system access to exploit it. The report dates back to 2018, but was only recently published in the NVD database.

Attack Chain

1. Attacker gains local access to the target system.
2. Attacker identifies that SysGauge Pro 4.6.12 is installed.
3. Attacker launches SysGauge Pro.
4. Attacker initiates the registration process within SysGauge Pro.
5. Attacker provides a crafted “Unlock Key” containing shellcode designed to overwrite the Structured Exception Handler (SEH).
6. The application attempts to process the overly long “Unlock Key” without proper bounds checking.
7. The buffer overflow occurs, overwriting the SEH with the attacker’s shellcode address.
8. When an exception occurs within the application, the overwritten SEH is invoked, redirecting execution to the attacker’s shellcode, leading to arbitrary code execution with application privileges.

Impact

Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the SysGauge Pro application. This could lead to complete system compromise if the application is running with elevated privileges. The impact includes potential data theft, modification of system settings, or installation of malware. Given that this is a local exploit, the primary risk is to systems where untrusted users have local access.

Recommendation

• Monitor process creations for SysGauge Pro (SysGauge.exe) spawning unusual child processes to detect potential exploitation attempts, using a process_creation Sigma rule.
• Consider deploying application control or whitelisting to prevent execution of unsigned or untrusted executables within the SysGauge Pro process.
• Since no patch is available, consider uninstalling SysGauge Pro 4.6.12 from systems where the risk outweighs the benefit of the software.

]]>highadvisoryvulnerabilitybuffer_overflowprivilege_escalationhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/Mon, 27 Apr 2026 04:16:09 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f456-bo/A buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 in the `fromGstDhcpSetSer` function, allowing remote attackers to execute arbitrary code by manipulating the 'dips' argument via a crafted HTTP request to `/goform/GstDhcpSetSer`.A critical buffer overflow vulnerability, identified as CVE-2026-7081, affects Tenda F456 router version 1.0.0.5. The vulnerability resides in the fromGstDhcpSetSer function within the /goform/GstDhcpSetSer file, a component of the device’s httpd service. Successful exploitation allows a remote attacker to execute arbitrary code on the device. Publicly available exploit code increases the risk of widespread exploitation. This vulnerability poses a significant threat as it can lead to complete compromise of the affected device, potentially allowing attackers to gain unauthorized access to the network, steal sensitive information, or use the device as part of a botnet.

Attack Chain

1. The attacker identifies a vulnerable Tenda F456 router (version 1.0.0.5) exposed to the internet.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/GstDhcpSetSer endpoint.
3. The HTTP request includes the dips argument, which is intentionally oversized to trigger the buffer overflow.
4. The vulnerable fromGstDhcpSetSer function processes the request without proper bounds checking.
5. The oversized dips argument overwrites adjacent memory regions on the stack.
6. The attacker carefully crafts the overflow to overwrite the return address with an address pointing to attacker-controlled code.
7. The fromGstDhcpSetSer function returns, causing execution to jump to the attacker’s code.
8. The attacker’s code executes with the privileges of the httpd process, potentially leading to full device compromise.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the affected Tenda F456 router. This can result in complete device compromise, including the ability to modify device settings, intercept network traffic, and potentially use the compromised device as a pivot point for further attacks within the network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, making this a significant security concern.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/GstDhcpSetSer with unusually long dips parameter values to detect potential exploitation attempts.
• Deploy the provided Sigma rule Detect Tenda F456 Buffer Overflow Attempt to identify malicious HTTP requests.
• Since no patch is available, consider replacing the affected Tenda F456 routers (version 1.0.0.5) with more secure alternatives.

]]>criticaladvisorycvebuffer_overflowrouterhttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/Mon, 20 Apr 2026 11:16:19 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-f451-buffer-overflow/A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.CVE-2026-6631 is a critical buffer overflow vulnerability affecting Tenda F451 routers running firmware version 1.0.0.7_cn_svn7958. The vulnerability resides in the fromwebExcptypemanFilter function within the /goform/webExcptypemanFilter component of the router’s httpd web server. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted HTTP request with an overly long ‘page’ parameter. Publicly available exploits exist, increasing the risk of widespread exploitation. Successful exploitation allows attackers to execute arbitrary code on the router, potentially leading to full device compromise and network access.

Attack Chain

1. Attacker identifies a vulnerable Tenda F451 router exposed to the internet.
2. Attacker crafts a malicious HTTP GET or POST request targeting /goform/webExcptypemanFilter.
3. The crafted request includes the page parameter with a payload exceeding the buffer size allocated for it.
4. The httpd server processes the request and passes the page parameter to the vulnerable fromwebExcptypemanFilter function.
5. Due to the lack of proper bounds checking, the overly long page parameter overwrites adjacent memory regions on the stack.
6. The attacker carefully designs the overflow payload to overwrite the return address on the stack with the address of malicious code injected elsewhere in memory.
7. The fromwebExcptypemanFilter function completes execution and attempts to return, jumping to the attacker-controlled address.
8. The attacker’s malicious code executes with the privileges of the httpd server, potentially gaining full control of the router.

Impact

Successful exploitation of CVE-2026-6631 allows remote attackers to execute arbitrary code on vulnerable Tenda F451 routers. This can lead to complete device compromise, allowing attackers to modify router settings, intercept network traffic, or use the router as a point of entry for further attacks on the internal network. Given the widespread use of Tenda routers, a large number of devices could be vulnerable, potentially impacting both home and small business networks. The availability of public exploits further increases the likelihood of exploitation.

Recommendation

• Apply available firmware updates from Tenda to patch CVE-2026-6631.
• Monitor web server logs for suspicious requests to /goform/webExcptypemanFilter with unusually long page parameters, using the Sigma rule DetectTendaF451BufferOverflow.
• Implement network intrusion detection systems (IDS) to detect and block exploit attempts targeting CVE-2026-6631.
• Consider deploying the Sigma rule DetectTendaF451SuspiciousProcess to identify unexpected processes spawned by the httpd daemon.
• If patching is not immediately feasible, consider restricting access to the router’s web interface from the public internet to mitigate the risk of remote exploitation.

]]>criticaladvisorytendarouterbuffer_overflowcve-2026-6631webserverhttps://feed.craftedsignal.io/briefs/2026-04-tenda-rce/Fri, 10 Apr 2026 00:16:36 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-rce/A stack-based buffer overflow vulnerability in the Tenda F451 router (version 1.0.0.7) allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the fromRouteStatic function of the /goform/RouteStatic file.A critical vulnerability, identified as CVE-2026-5989, affects the Tenda F451 router, specifically version 1.0.0.7. The vulnerability lies within the fromRouteStatic function of the /goform/RouteStatic file. By manipulating the page argument, a remote attacker can trigger a stack-based buffer overflow, potentially leading to arbitrary code execution. Publicly available exploit code exists, increasing the risk of exploitation. This vulnerability poses a significant threat as it allows unauthenticated remote attackers to compromise the router, potentially leading to network disruption, data theft, or use of the device in botnet activities.

Attack Chain

1. The attacker identifies a vulnerable Tenda F451 router (version 1.0.0.7) exposed to the internet.
2. The attacker crafts a malicious HTTP request targeting the /goform/RouteStatic endpoint.
3. The request includes a page argument with a payload designed to overflow the stack buffer in the fromRouteStatic function.
4. The vulnerable fromRouteStatic function processes the malicious page argument without proper bounds checking.
5. The buffer overflow overwrites critical data on the stack, including the return address.
6. Upon function return, control is redirected to the attacker-controlled memory region.
7. The attacker executes arbitrary code injected into the overflowed buffer, such as downloading and executing a reverse shell.
8. The attacker gains remote access to the router, potentially allowing further exploitation or network compromise.

Impact

Successful exploitation of CVE-2026-5989 allows an attacker to gain complete control of the Tenda F451 router. This can lead to a variety of damaging outcomes, including denial-of-service attacks against the local network, interception of network traffic, modification of router settings, and the potential use of the compromised router as a node in a botnet. Given the widespread use of Tenda routers in home and small business environments, a large number of devices could be at risk if this vulnerability is actively exploited.

Recommendation

• Monitor web server logs for requests to /goform/RouteStatic containing abnormally long page arguments, as this is indicative of potential exploit attempts. Deploy the Sigma rule Detect Tenda F451 Exploit Attempt to detect these malicious requests.
• Implement rate limiting on requests to the /goform/RouteStatic endpoint to mitigate potential denial-of-service attacks.
• Since there is no patch available, consider replacing vulnerable Tenda F451 routers with more secure devices from other vendors.

]]>criticalthreattendarouterbuffer_overflowrcehttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/Thu, 09 Apr 2026 21:16:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-buffer-overflow/A buffer overflow vulnerability exists in the D-Link DIR-605L router version 2.13B01, allowing a remote attacker to execute arbitrary code by manipulating the `curTime` argument in the `formSetMACFilter` function.CVE-2026-5980 is a critical buffer overflow vulnerability affecting the D-Link DIR-605L router, specifically version 2.13B01. The vulnerability resides in the formSetMACFilter function within the /goform/formSetMACFilter component’s POST Request Handler. A remote attacker can exploit this by sending a crafted POST request with a malicious curTime argument, leading to a buffer overflow. Exploit code is publicly available. Due to the product’s end-of-life status, no patch is available, making unpatched devices highly vulnerable. This allows for potential remote code execution and complete compromise of the device.

Attack Chain

1. The attacker identifies a vulnerable D-Link DIR-605L router (version 2.13B01) exposed to the internet.
2. The attacker crafts a malicious POST request targeting the /goform/formSetMACFilter endpoint.
3. Within the POST request, the attacker includes the curTime parameter, injecting a string exceeding the buffer’s expected size.
4. The router’s formSetMACFilter function processes the POST request without proper bounds checking on the curTime argument.
5. The oversized curTime string overflows the buffer, overwriting adjacent memory regions.
6. The attacker carefully crafts the overflow to overwrite critical data, such as return addresses or function pointers.
7. When the formSetMACFilter function attempts to return, the overwritten return address is used, redirecting execution to attacker-controlled code.
8. The attacker gains arbitrary code execution on the router, potentially installing malware, changing configurations, or using the device for further malicious activities.

Impact

Successful exploitation of CVE-2026-5980 allows a remote attacker to gain complete control over the vulnerable D-Link DIR-605L router. Given that the affected product is no longer supported, a large number of legacy routers remain vulnerable. Attackers can leverage compromised routers to establish botnets, conduct man-in-the-middle attacks, or gain unauthorized access to internal networks connected to the router. The lack of patches elevates the severity, as affected users have no direct mitigation available other than replacing the device.

Recommendation

• Deploy the Sigma rule Detect D-Link DIR-605L Buffer Overflow Attempt to identify malicious POST requests targeting the /goform/formSetMACFilter endpoint on D-Link DIR-605L devices.
• Implement network segmentation to isolate potentially vulnerable D-Link DIR-605L routers to limit the impact of a successful compromise.
• If possible, replace D-Link DIR-605L routers (version 2.13B01) with newer, supported devices to eliminate the vulnerability.

]]>criticaladvisorycvebuffer_overflowrouterd-linkhttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/Thu, 09 Apr 2026 21:16:13 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-dlink-dir605l-bo/A remote buffer overflow vulnerability exists in the D-Link DIR-605L version 2.13B01 due to improper handling of the 'curTime' argument in the '/goform/formVirtualServ' POST request handler, potentially allowing attackers to execute arbitrary code.A buffer overflow vulnerability, CVE-2026-5979, has been identified in D-Link DIR-605L router with firmware version 2.13B01. The vulnerability resides in the formVirtualServ function within the /goform/formVirtualServ component, specifically within the POST request handler. By manipulating the curTime argument, a remote attacker can trigger a buffer overflow. According to the NVD, an exploit is publicly available, increasing the risk of exploitation. This vulnerability affects end-of-life products, making patching impossible.

Attack Chain

1. Attacker identifies a vulnerable D-Link DIR-605L router running firmware 2.13B01.
2. Attacker crafts a malicious HTTP POST request targeting the /goform/formVirtualServ endpoint.
3. The POST request includes the curTime argument with a value exceeding the buffer’s capacity.
4. The router’s formVirtualServ function processes the POST request without proper bounds checking.
5. The oversized curTime value overwrites adjacent memory regions on the stack or heap.
6. The attacker carefully crafts the overflow payload to overwrite the return address.
7. Upon returning from the formVirtualServ function, control is transferred to the attacker-controlled address.
8. The attacker executes arbitrary code on the router, potentially gaining full control.

Impact

Successful exploitation of this buffer overflow vulnerability (CVE-2026-5979) can lead to complete compromise of the D-Link DIR-605L router. Attackers could potentially execute arbitrary code, enabling them to modify router settings, intercept network traffic, or use the compromised device as a pivot point for further attacks within the network. Due to the product being end-of-life, a patch is not available. The number of vulnerable devices is unknown.

Recommendation

• Monitor webserver logs for requests to /goform/formVirtualServ with unusually long curTime parameters to detect potential exploitation attempts (see Sigma rule “Detect Suspiciously Long curTime Parameter in D-Link Routers”).
• Implement network intrusion detection system (IDS) rules to detect suspicious traffic patterns associated with buffer overflow exploits targeting web interfaces.
• Since this device is end-of-life, consider replacing the D-Link DIR-605L router with a supported model to mitigate the risk, as there will be no patches issued.
• Examine network traffic for unusual outbound connections originating from D-Link DIR-605L routers to identify potentially compromised devices (see Sigma rule “Detect Outbound Connections from D-Link Routers”).

]]>criticaladvisorydlinkrouterbuffer_overflowcve-2026-5979https://feed.craftedsignal.io/briefs/2026-03-jad-decompiler-overflow/Sat, 28 Mar 2026 12:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-jad-decompiler-overflow/JAD Java Decompiler 1.5.8e-1kali1 and prior is vulnerable to a stack-based buffer overflow, allowing attackers to execute arbitrary code by providing overly long input to the jad command leading to a return-oriented programming chain execution and shell spawning.JAD Java Decompiler version 1.5.8e-1kali1 and prior contains a critical stack-based buffer overflow vulnerability (CVE-2017-20227). An attacker can exploit this flaw by crafting a malicious input that, when processed by the jad command, overflows the stack buffer. This overflow can be leveraged to overwrite critical memory regions, allowing the attacker to inject and execute arbitrary code. The successful exploitation results in the execution of a return-oriented programming (ROP) chain, ultimately leading to the spawning of a shell with the privileges of the user running the vulnerable JAD decompiler. This vulnerability poses a significant risk to developers and systems utilizing the affected versions of JAD, particularly in environments where untrusted or externally sourced Java bytecode is routinely decompiled.

Attack Chain

1. An attacker crafts a malicious Java class file or other input designed to trigger the buffer overflow in JAD.
2. The attacker lures a user or system into using the vulnerable JAD decompiler version 1.5.8e-1kali1 or prior to decompile the malicious input file using the jad command.
3. JAD attempts to process the overly long input string, exceeding the boundaries of a stack-based buffer.
4. The buffer overflow corrupts the stack, overwriting return addresses and other critical data.
5. The attacker-controlled return addresses are used to construct a return-oriented programming (ROP) chain.
6. The ROP chain executes a series of small code snippets already present in the JAD binary or system libraries to achieve a desired outcome, such as disabling security features or preparing for shell execution.
7. The ROP chain prepares the environment and executes a system call to spawn a shell.
8. The attacker gains arbitrary code execution within the context of the user running JAD.

Impact

Successful exploitation of CVE-2017-20227 can lead to arbitrary code execution, potentially granting an attacker complete control over the affected system. Given a CVSS v3.1 base score of 9.8 (Critical), this vulnerability poses a severe risk. The impact includes full compromise of confidentiality, integrity, and availability. The attack requires no privileges and no user interaction. This can enable lateral movement within a network, data exfiltration, installation of malware, or other malicious activities.

Recommendation

• Implement a network-level block or alert for outbound connections originating from the system running the JAD decompiler, especially if the user routinely decompiles untrusted class files. (Log Source: network_connection)
• Monitor process executions for the jad command with unusually long command-line arguments, indicative of a potential buffer overflow attempt. Deploy the provided Sigma rule for detection. (Log Source: process_creation)
• Consider using alternative Java decompilers that are not vulnerable to this specific stack-based buffer overflow.

]]>criticaladvisorycvebuffer_overflowjava_decompilerhttps://feed.craftedsignal.io/briefs/2026-03-zen-c-overflow/Fri, 27 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-zen-c-overflow/A stack-based buffer overflow vulnerability in Zen C compiler versions before 0.4.4 allows attackers to crash the compiler or potentially execute arbitrary code via a crafted `.zc` source file with overly long identifiers.<p>Zen C is a systems programming language that compiles to human-readable GNU C/C11. Prior to version 0.4.4, a stack-based buffer overflow vulnerability (CVE-2026-33491) exists within the Zen C compiler. This flaw allows a malicious actor to craft a Zen C source file (<code>.zc</code>) containing excessively long struct, function, or trait identifiers. Successful exploitation of this vulnerability can lead to a compiler crash, causing disruption to development workflows, or potentially allow the attacker to…</p> highadvisorycvebuffer_overflowcompilerhttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/Mon, 23 Mar 2026 01:16:43 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-tenda-ac21-buffer-overflow/A buffer overflow vulnerability exists in Tenda AC21 firmware version 16.03.08.16, allowing remote attackers to execute arbitrary code by manipulating arguments to the formSetQosBand function.A critical buffer overflow vulnerability, CVE-2026-4565, affects Tenda AC21 routers running firmware version 16.03.08.16. The flaw resides in the formSetQosBand function within the /goform/SetNetControlList file. Attackers can exploit this vulnerability by crafting malicious argument lists in HTTP requests, leading to arbitrary code execution on the device. The vulnerability can be exploited remotely and a proof-of-concept exploit is publicly available, increasing the risk of widespread exploitation. Successful exploitation allows attackers to gain complete control over the router, potentially compromising connected devices and network traffic.

Attack Chain

1. Attacker identifies a vulnerable Tenda AC21 router with firmware version 16.03.08.16.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/SetNetControlList endpoint.
3. The POST request includes a specially crafted argument list designed to overflow the buffer in the formSetQosBand function.
4. The router processes the HTTP request and passes the malicious arguments to the vulnerable function.
5. The formSetQosBand function attempts to copy the oversized argument list into a fixed-size buffer, triggering a buffer overflow.
6. The buffer overflow overwrites adjacent memory regions, potentially including critical program data or execution pointers.
7. The attacker gains control of the program execution flow and injects malicious code.
8. The injected code executes with elevated privileges, granting the attacker complete control over the router.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code on the Tenda AC21 router. This can lead to a variety of malicious outcomes, including: complete device compromise, modification of router settings, interception of network traffic, deployment of malware to connected devices, and use of the router as a botnet node. Given the wide usage of Tenda routers in home and small business environments, a successful widespread exploit could impact thousands of users.

Recommendation

• Monitor web server logs for suspicious POST requests to /goform/SetNetControlList with unusually long or malformed arguments (see rule: “Detect Suspicious POST Requests to SetNetControlList”).
• Implement rate limiting on HTTP POST requests to prevent attackers from quickly exploiting the vulnerability.
• Deploy the Sigma rule “Detect Tenda AC21 Buffer Overflow Attempt” to identify exploitation attempts based on specific patterns in HTTP requests.
• Consider blocking traffic from known exploit sources, if available.
• Upgrade to a patched firmware version as soon as it becomes available from the vendor.

]]>criticaladvisorytendaac21buffer_overflowcve-2026-4565router