{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/heap-buffer-overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-6846"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["binutils","heap-buffer-overflow","CVE-2026-6846","xcoff"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6846 describes a heap-based buffer overflow vulnerability found in the binutils suite of programs. The vulnerability occurs when processing a maliciously crafted XCOFF (Extended Common Object File Format) object file during the linking process. An attacker with local access could potentially exploit this flaw by enticing a user to process a malicious XCOFF file. Successful exploitation could lead to arbitrary code execution with the privileges of the user running binutils, unauthorized command execution, or a denial-of-service condition rendering the system unusable. This vulnerability affects systems where binutils is used for software development and linking, making it a significant concern for developers and system administrators.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious XCOFF object file designed to trigger the heap-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker gains local access to a system where the victim uses binutils.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering to trick the victim into using binutils to link the malicious XCOFF file. This could involve including the malicious file in a build script or project.\u003c/li\u003e\n\u003cli\u003eWhen binutils attempts to process the specially crafted XCOFF file during linking, it allocates an insufficient buffer on the heap.\u003c/li\u003e\n\u003cli\u003eThe parsing of the malicious XCOFF file causes the heap buffer to overflow, overwriting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow to overwrite critical data structures or function pointers in memory.\u003c/li\u003e\n\u003cli\u003eThe overwritten data structures or function pointers are used by binutils later in the linking process, diverting execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution with the privileges of the user running binutils or causes a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6846 can have severe consequences. An attacker can gain arbitrary code execution with the privileges of the user running binutils, potentially leading to complete system compromise. A denial-of-service condition can also be triggered, rendering the affected system unusable. This vulnerability primarily impacts developers and system administrators who rely on binutils for software development and linking tasks. While the source does not provide specific numbers of victims, the wide usage of binutils makes this a potentially widespread vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches released by your Linux distribution or other binutils vendor to address CVE-2026-6846.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to binutils binaries.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Binutils Invocation\u003c/code\u003e to identify potential exploitation attempts based on command-line arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for binutils executing with unusual or unexpected parent processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:27Z","date_published":"2026-04-22T09:16:27Z","id":"/briefs/2026-04-binutils-xcoff-heap-overflow/","summary":"A heap-buffer-overflow vulnerability exists in binutils when processing a specially crafted XCOFF object file, potentially leading to arbitrary code execution or denial of service.","title":"Binutils XCOFF Heap-Based Buffer Overflow Vulnerability (CVE-2026-6846)","url":"https://feed.craftedsignal.io/briefs/2026-04-binutils-xcoff-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33901"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["imagemagick","heap-buffer-overflow","cve-2026-33901"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eImageMagick is a widely used open-source software suite for displaying, converting, and editing raster image files. CVE-2026-33901 describes a heap buffer overflow vulnerability within the MVG (Magick Vector Graphics) decoder. This flaw exists in ImageMagick versions prior to 7.1.2-19 and 6.9.13-44. An attacker can exploit this vulnerability by crafting a malicious image file. When a vulnerable ImageMagick version processes this crafted image, the MVG decoder attempts to write data beyond the allocated buffer, resulting in an out-of-bounds write. This can lead to application crashes, denial-of-service conditions, or potentially arbitrary code execution on the targeted system. Organizations utilizing ImageMagick for image processing are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious image file containing a specially designed MVG (Magick Vector Graphics) payload.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted image file to a target system, potentially via a web upload form or email attachment.\u003c/li\u003e\n\u003cli\u003eA user or automated process on the target system uses a vulnerable version of ImageMagick to process the image file.\u003c/li\u003e\n\u003cli\u003eThe ImageMagick MVG decoder attempts to parse the malicious MVG data within the image.\u003c/li\u003e\n\u003cli\u003eDue to the heap buffer overflow vulnerability (CVE-2026-33901), the decoder writes data beyond the allocated buffer on the heap.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write corrupts adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the application might crash, leading to a denial-of-service.\u003c/li\u003e\n\u003cli\u003eIn some scenarios, this memory corruption could potentially be leveraged for arbitrary code execution, allowing the attacker to gain control of the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33901 can lead to denial of service due to application crashes. In more severe cases, the vulnerability could allow for arbitrary code execution, potentially leading to complete system compromise. The impact will depend on the privileges of the user account running ImageMagick, but could lead to data loss, system instability, or unauthorized access. Organizations using affected versions of ImageMagick are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ImageMagick to version 7.1.2-19 or 6.9.13-44 or later to patch CVE-2026-33901.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to process image files (e.g., via POST requests) to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation to restrict the types and sizes of image files that can be uploaded or processed by ImageMagick.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T21:16:25Z","date_published":"2026-04-13T21:16:25Z","id":"/briefs/2026-04-imagemagick-heap-overflow/","summary":"ImageMagick versions before 7.1.2-19 and 6.9.13-44 are vulnerable to a heap buffer overflow in the MVG decoder, potentially leading to an out-of-bounds write when processing a crafted image, which can result in denial of service or arbitrary code execution.","title":"ImageMagick Heap Buffer Overflow Vulnerability (CVE-2026-33901)","url":"https://feed.craftedsignal.io/briefs/2026-04-imagemagick-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-20884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libraw","integer-overflow","heap-buffer-overflow","cve-2026-20884"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20884 describes an integer overflow vulnerability affecting LibRaw, specifically within the \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e function. This flaw resides in commit 8dc68e2 of the LibRaw library. The vulnerability can be exploited by providing a specially crafted DNG (Digital Negative) image file to an application using the affected LibRaw version. Successful exploitation results in a heap buffer overflow, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service condition. This is significant for defenders because LibRaw is a widely used library for handling raw image formats and is often integrated into image processing applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious DNG image file designed to trigger the integer overflow in \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious DNG file using an application that utilizes the vulnerable LibRaw library.\u003c/li\u003e\n\u003cli\u003eLibRaw\u0026rsquo;s \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e function is called to process the image data.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the DNG file, an integer overflow occurs when calculating the size of a buffer.\u003c/li\u003e\n\u003cli\u003eThe overflow results in allocating a smaller-than-expected buffer on the heap.\u003c/li\u003e\n\u003cli\u003eSubsequently, when decompressing the image data, the \u003ccode\u003edeflate\u003c/code\u003e algorithm writes beyond the allocated buffer, causing a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow overwrites adjacent memory regions, potentially corrupting program data or code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to achieve arbitrary code execution or cause the application to crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20884 allows an attacker to potentially execute arbitrary code within the context of the application using the LibRaw library. This could lead to complete system compromise. Alternatively, the heap buffer overflow could cause the application to crash, resulting in a denial-of-service. The impact depends on the privileges of the application using LibRaw. Image processing software, photography workflows, and digital asset management systems are all potential targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a version of LibRaw that addresses CVE-2026-20884 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor for applications processing DNG files from untrusted sources (e.g., web downloads or email attachments).\u003c/li\u003e\n\u003cli\u003eConsider implementing file validation and sanitization techniques to detect and prevent malicious DNG files from being processed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LibRaw Exploitation via DNG\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to detect applications loading the LibRaw library when processing DNG files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:17:35Z","date_published":"2026-04-07T15:17:35Z","id":"/briefs/2026-04-libraw-integer-overflow/","summary":"CVE-2026-20884 is an integer overflow vulnerability in LibRaw's deflate_dng_load_raw function that leads to a heap buffer overflow when processing crafted DNG files.","title":"LibRaw Integer Overflow Vulnerability in deflate_dng_load_raw","url":"https://feed.craftedsignal.io/briefs/2026-04-libraw-integer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-35176"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["heap-buffer-overflow","openFPGALoader","denial-of-service","information-disclosure"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eopenFPGALoader is a utility used for programming Field-Programmable Gate Arrays (FPGAs). A heap-buffer-overflow read vulnerability has been identified in versions 1.1.1 and earlier. The vulnerability, tracked as CVE-2026-35176, resides in the \u003ccode\u003ePOFParser::parseSection()\u003c/code\u003e function. It allows an attacker to trigger out-of-bounds heap memory access by supplying a specially crafted \u003ccode\u003e.pof\u003c/code\u003e file. Critically, exploiting this vulnerability does not require any specific FPGA hardware, making it easier to trigger. Successful exploitation could lead to denial of service or information disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious \u003ccode\u003e.pof\u003c/code\u003e file designed to trigger the heap-buffer-overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious \u003ccode\u003e.pof\u003c/code\u003e file to a system running a vulnerable version of openFPGALoader (\u0026lt;= 1.1.1).\u003c/li\u003e\n\u003cli\u003eA user or automated process attempts to parse the malicious \u003ccode\u003e.pof\u003c/code\u003e file using openFPGALoader.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePOFParser::parseSection()\u003c/code\u003e function is called to process a section of the \u003ccode\u003e.pof\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the crafted structure of the \u003ccode\u003e.pof\u003c/code\u003e file, the \u003ccode\u003eparseSection()\u003c/code\u003e function attempts to read beyond the allocated heap buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds read operation causes the program to potentially crash (denial of service) or leak sensitive information from adjacent memory locations.\u003c/li\u003e\n\u003cli\u003eIf information disclosure occurs, the attacker may gain insights into the system\u0026rsquo;s memory layout or potentially extract sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition, causing the openFPGALoader application to crash. In certain scenarios, it might also be possible to read sensitive information from the application\u0026rsquo;s memory space. While the exact scope of information disclosure is dependent on memory layout, the vulnerability poses a risk to systems using vulnerable versions of openFPGALoader. The risk is primarily to development environments using this tool rather than production FPGA deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade openFPGALoader to a version greater than 1.1.1 to patch CVE-2026-35176.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect openFPGALoader POF Parsing with Unusual Process Arguments\u0026rdquo; to your SIEM to identify potential exploitation attempts involving the execution of openFPGALoader with \u003ccode\u003e.pof\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eMonitor file system events for the creation or modification of \u003ccode\u003e.pof\u003c/code\u003e files in unusual locations to detect potential attempts to introduce malicious files into the system.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T20:16:25Z","date_published":"2026-04-06T20:16:25Z","id":"/briefs/2026-04-openfpgaloader-heap-overflow/","summary":"A heap-buffer-overflow read vulnerability exists in openFPGALoader 1.1.1 and earlier, allowing out-of-bounds heap memory access via a crafted .pof file, potentially leading to denial of service or information disclosure.","title":"openFPGALoader Heap-Buffer-Overflow Read Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openfpgaloader-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33982"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["freerdp","heap-buffer-overflow","cve-2026-33982","rdp"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33982 is a heap-buffer-overflow READ vulnerability affecting FreeRDP, a widely used open-source implementation of the Remote Desktop Protocol (RDP). The vulnerability exists in versions prior to 3.24.2 and is located within the \u003ccode\u003ewinpr_aligned_offset_recalloc()\u003c/code\u003e function. Specifically, the flaw occurs due to an out-of-bounds read 24 bytes before the allocated buffer, which could be triggered during specific RDP operations involving memory reallocation. Successful exploitation can lead…\u003c/p\u003e\n","date_modified":"2026-03-30T22:16:19Z","date_published":"2026-03-30T22:16:19Z","id":"/briefs/2026-03-freerdp-heap-overflow/","summary":"A heap-buffer-overflow read vulnerability exists in FreeRDP versions prior to 3.24.2, specifically in the winpr_aligned_offset_recalloc() function, potentially leading to denial of service or information disclosure.","title":"FreeRDP Heap-Buffer-Overflow Vulnerability (CVE-2026-33982)","url":"https://feed.craftedsignal.io/briefs/2026-03-freerdp-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4675","heap-buffer-overflow","webgl","chrome","remote-code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4675 describes a heap buffer overflow vulnerability affecting the WebGL component of Google Chrome. Specifically, versions prior to 146.0.7680.165 are susceptible. An attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an out-of-bounds memory read due to the heap buffer overflow in WebGL. The Chromium security team rated this as a \u0026ldquo;High\u0026rdquo; severity issue. Successful exploitation can lead to information…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-chrome-webgl-heap-overflow/","summary":"A heap buffer overflow vulnerability (CVE-2026-4675) exists in Google Chrome's WebGL implementation prior to version 146.0.7680.165, allowing a remote attacker to perform an out-of-bounds memory read via a specially crafted HTML page, potentially leading to information disclosure or arbitrary code execution.","title":"CVE-2026-4675: Google Chrome WebGL Heap Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webgl-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Heap-Buffer-Overflow","version":"https://jsonfeed.org/version/1.1"}