{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/heap-overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-29004"}],"_cs_exploited":false,"_cs_products":["BusyBox"],"_cs_severities":["critical"],"_cs_tags":["heap-overflow","dhcpv6","busybox","cve-2026-29004","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["BusyBox"],"content_html":"\u003cp\u003eCVE-2026-29004 is a critical heap buffer overflow vulnerability affecting BusyBox before commit 42202bf. The vulnerability resides in the DHCPv6 client (udhcpc6), specifically within the DNS_SERVERS option handler located in networking/udhcp/d6_dhcpc.c. A network-adjacent attacker can exploit this flaw by sending a malicious DHCPv6 response containing a malformed D6_OPT_DNS_SERVERS option. This manipulation leads to incorrect heap buffer allocation calculations in the option_to_env() function, causing memory corruption. Successful exploitation can result in a denial of service or, more severely, arbitrary code execution on vulnerable embedded systems lacking heap hardening. 
The scope of impact is potentially broad, given BusyBox\u0026rsquo;s widespread use in embedded devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target embedded system running a vulnerable version of BusyBox with the DHCPv6 client enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DHCPv6 response packet.\u003c/li\u003e\n\u003cli\u003eThe crafted packet includes a D6_OPT_DNS_SERVERS option with a size that exceeds the expected buffer allocation.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted DHCPv6 response packet to the target system on the local network.\u003c/li\u003e\n\u003cli\u003eThe target system\u0026rsquo;s udhcpc6 client receives the malicious DHCPv6 response.\u003c/li\u003e\n\u003cli\u003eThe udhcpc6 client processes the D6_OPT_DNS_SERVERS option, triggering the vulnerable option_to_env() function.\u003c/li\u003e\n\u003cli\u003eThe option_to_env() function calculates an insufficient buffer size based on the malformed option.\u003c/li\u003e\n\u003cli\u003eA heap buffer overflow occurs when copying the oversized DNS server list, leading to memory corruption, denial-of-service, or arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29004 can have severe consequences. A denial-of-service condition could disrupt the functionality of the affected embedded system. More critically, arbitrary code execution allows attackers to gain complete control over the device, potentially leading to data theft, device compromise, or use in botnet activities. 
Given BusyBox\u0026rsquo;s prevalence in embedded systems, a large number of devices are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch addressing CVE-2026-29004 by updating to a version of BusyBox after commit 42202bf.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious DHCPv6 DNS Server Option Size\u0026rdquo; to identify potentially malicious DHCPv6 responses in network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually large DHCPv6 DNS_SERVERS options as indicated by the Sigma rule and network connection logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:26Z","date_published":"2026-05-04T18:16:26Z","id":"/briefs/2026-05-busybox-dhcpv6-overflow/","summary":"A heap buffer overflow vulnerability in BusyBox's DHCPv6 client allows network-adjacent attackers to trigger memory corruption, denial of service, or arbitrary code execution via crafted DHCPv6 responses.","title":"BusyBox DHCPv6 Client Heap Buffer Overflow Vulnerability (CVE-2026-29004)","url":"https://feed.craftedsignal.io/briefs/2026-05-busybox-dhcpv6-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7339"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["webrtc","heap-overflow","code-execution","cve-2026-7339"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7339 is a critical heap buffer overflow vulnerability affecting the WebRTC (Web Real-Time Communication) component in Google Chrome and Microsoft Edge (Chromium-based). This vulnerability stems from improper memory management within WebRTC, potentially allowing a remote attacker to execute arbitrary code by crafting malicious web content. As Microsoft Edge ingests Chromium, it is also vulnerable. Users of Chrome and Edge are affected. 
Defenders should apply available patches promptly to mitigate potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious website designed to trigger the WebRTC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website using a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe website uses JavaScript to initiate a WebRTC session.\u003c/li\u003e\n\u003cli\u003eThe crafted WebRTC data triggers a heap buffer overflow during memory allocation within the WebRTC component.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions on the heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow data to overwrite critical program data or function pointers.\u003c/li\u003e\n\u003cli\u003eThe corrupted data leads to arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s browser and potentially the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7339 can lead to arbitrary code execution, allowing an attacker to potentially install malware, steal sensitive information, or take control of the affected system. 
Given the widespread use of Chrome and Edge, this vulnerability could impact a large number of users across various sectors, including individuals, businesses, and government organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge (Chromium-based) to patch CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WebRTC Heap Overflow Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests or patterns associated with WebRTC usage that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-webrtc-overflow/","summary":"A heap buffer overflow vulnerability exists in the WebRTC component of Google Chrome and Microsoft Edge (Chromium-based), potentially leading to code execution.","title":"CVE-2026-7339: Heap Buffer Overflow in WebRTC","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-webrtc-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-7353"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["heap overflow","chromium","cve-2026-7353"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7353 is a critical heap buffer overflow vulnerability residing within the Skia graphics library, a core component of the Chromium open-source project. This vulnerability impacts applications that utilize Chromium, including Google Chrome and Microsoft Edge. While the specific details of exploitation are not provided in this brief, the nature of a heap buffer overflow suggests a high potential for arbitrary code execution. 
Successful exploitation could allow an attacker to gain control of the affected browser process. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant risk to a large user base. Defenders should prioritize patching and consider implementing mitigations to detect and prevent potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page or injects malicious content into a trusted website.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious web page or interacts with the injected content using a Chromium-based browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine, utilizing the Skia library, processes the malicious content, triggering the heap buffer overflow in Skia.\u003c/li\u003e\n\u003cli\u003eThe overflow allows the attacker to overwrite adjacent memory regions in the heap.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the overflowed data, the attacker can overwrite critical data structures within the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the execution flow by overwriting function pointers or other control data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker could then perform actions such as installing malware, stealing sensitive data, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7353 allows for arbitrary code execution within the context of the affected browser process. 
This can lead to a complete compromise of the user\u0026rsquo;s browser session, potentially enabling the attacker to steal credentials, inject malicious code into other websites, or install malware on the victim\u0026rsquo;s system. Given the widespread use of Chrome and Edge, the potential impact is significant, affecting potentially millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7353.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts based on suspicious process execution originating from the browser (see \u0026ldquo;Detect Suspicious Process Creation from Browser\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features such as site isolation to mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-heap-overflow/","summary":"CVE-2026-7353 is a heap buffer overflow vulnerability in the Skia graphics library used by Chromium, affecting both Google Chrome and Microsoft Edge.","title":"Chromium Heap Buffer Overflow Vulnerability (CVE-2026-7353)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40706"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ntfs-3g","heap-overflow","privilege-escalation","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-40706 describes a heap buffer overflow vulnerability affecting NTFS-3G, specifically versions 2022.10.3 and earlier, before the patch in version 2026.2.25. 
The vulnerability lies within the \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function in \u003ccode\u003eacls.c\u003c/code\u003e. An attacker can exploit this flaw by creating a malicious NTFS image. When the affected software attempts to read this specially crafted image, a heap buffer overflow occurs. This is triggered when the software processes a security descriptor containing multiple ACCESS_DENIED Access Control Entries (ACEs), each including WRITE_OWNER permissions, and originating from distinct group Security Identifiers (SIDs). Successful exploitation allows an attacker to corrupt heap memory within the SUID-root ntfs-3g binary, potentially leading to privilege escalation or arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious NTFS image containing a specially designed security descriptor.\u003c/li\u003e\n\u003cli\u003eThe security descriptor includes multiple ACCESS_DENIED ACEs.\u003c/li\u003e\n\u003cli\u003eEach ACE within the descriptor contains WRITE_OWNER permissions.\u003c/li\u003e\n\u003cli\u003eThe ACEs originate from distinct group SIDs, triggering the overflow condition.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the malicious NTFS image to a system running a vulnerable version of NTFS-3G. This may occur through physical media or network shares.\u003c/li\u003e\n\u003cli\u003eThe victim system attempts to read the malicious NTFS image using a vulnerable NTFS-3G version, such as during a \u003ccode\u003estat\u003c/code\u003e, \u003ccode\u003ereaddir\u003c/code\u003e, or \u003ccode\u003eopen\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003entfs_build_permissions_posix()\u003c/code\u003e function is called to process the security descriptor.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow occurs during the processing of the malicious ACEs, corrupting heap memory. 
This can lead to denial of service or potentially arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40706 allows for heap memory corruption in the ntfs-3g binary, which runs with elevated privileges due to its SUID-root configuration. The observed consequence is memory corruption. Depending on the extent of the corruption, this could lead to denial-of-service or arbitrary code execution. Given the wide usage of NTFS-3G for mounting NTFS volumes on Linux and other systems, a successful exploit could affect a large number of systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade NTFS-3G to version 2026.2.25 or later to patch CVE-2026-40706 (reference: \u003ca href=\"https://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\"\u003ehttps://github.com/tuxera/ntfs-3g/releases/tag/2026.2.25\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or errors related to ntfs-3g operations, which may indicate exploitation attempts. 
Deploy the Sigma rules below to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eConsider implementing stricter access controls and validation measures on NTFS images to prevent the use of malicious images (mitigation based on the vulnerability description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-ntfs3g-heap-overflow/","summary":"A heap buffer overflow vulnerability exists in NTFS-3G versions 2022.10.3 before 2026.2.25 that allows for heap memory corruption by processing a crafted NTFS image with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct group SIDs.","title":"NTFS-3G Heap Buffer Overflow Vulnerability (CVE-2026-40706)","url":"https://feed.craftedsignal.io/briefs/2026-04-ntfs3g-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40504"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","heap-overflow","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCreolabs Gravity, a scripting language, is susceptible to a heap buffer overflow vulnerability (CVE-2026-40504) affecting versions prior to 0.9.6. The vulnerability resides within the \u003ccode\u003egravity_vm_exec\u003c/code\u003e function and can be triggered by crafting Gravity scripts containing a large number of string literals declared at the global scope. This leads to an out-of-bounds write, potentially corrupting heap metadata. Successful exploitation of this vulnerability can lead to arbitrary code execution within applications that evaluate untrusted Gravity scripts. The root cause is insufficient bounds checking in the \u003ccode\u003egravity_fiber_reassign()\u003c/code\u003e function. 
Defenders need to ensure they are running version 0.9.6 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Gravity script with numerous string literals defined at the global scope.\u003c/li\u003e\n\u003cli\u003eThe application using the vulnerable Creolabs Gravity library loads and attempts to execute the crafted script, calling the \u003ccode\u003egravity_vm_exec\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring script execution, the \u003ccode\u003egravity_vm_exec\u003c/code\u003e function allocates memory on the heap to store the string literals.\u003c/li\u003e\n\u003cli\u003eThe sheer number of string literals causes a heap buffer overflow when \u003ccode\u003egravity_fiber_reassign()\u003c/code\u003e is called.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow corrupts adjacent heap metadata.\u003c/li\u003e\n\u003cli\u003eThe corruption of heap metadata leads to unpredictable behavior, potentially including crashes or the ability to overwrite critical data structures.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the ability to overwrite heap metadata to gain control of program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the application running the vulnerable Gravity script.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40504 can lead to arbitrary code execution, potentially allowing attackers to gain full control over systems running applications that execute untrusted Gravity scripts. Given a CVSS v3.1 base score of 9.8, this is a critical vulnerability. 
The exact number of victims or targeted sectors is unknown, but any application using a vulnerable version of Creolabs Gravity to execute untrusted code is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Creolabs Gravity to version 0.9.6 or later to patch CVE-2026-40504 (Reference: \u003ca href=\"https://github.com/marcobambini/gravity/releases/tag/0.9.6\"\u003ehttps://github.com/marcobambini/gravity/releases/tag/0.9.6\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization of Gravity scripts to limit the number and size of string literals processed to prevent triggering the heap overflow.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect exploitation attempts by monitoring process creation events that may indicate arbitrary code execution following the heap overflow.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T02:16:11Z","date_published":"2026-04-16T02:16:11Z","id":"/briefs/2026-04-creolabs-gravity-heap-overflow/","summary":"Creolabs Gravity before 0.9.6 is vulnerable to a heap buffer overflow in the gravity_vm_exec function, allowing attackers to achieve arbitrary code execution by crafting scripts with many string literals at global scope that exploit insufficient bounds checking in gravity_fiber_reassign().","title":"Creolabs Gravity Heap Buffer Overflow Vulnerability (CVE-2026-40504)","url":"https://feed.craftedsignal.io/briefs/2026-04-creolabs-gravity-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-34629"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-34629","heap-overflow","adobe-indesign"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAdobe InDesign Desktop versions 20.5.2, 21.2, and earlier are susceptible to a heap-based buffer overflow vulnerability identified as CVE-2026-34629. 
This vulnerability allows for arbitrary code execution within the security context of the currently logged-in user. To exploit this vulnerability, a user must interact with a specially crafted malicious file. Successful exploitation could allow an attacker to gain control of the affected system, potentially leading to data theft, malware installation, or other malicious activities. Defenders should prioritize patching vulnerable InDesign installations and educating users about the risks of opening untrusted files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious InDesign file designed to trigger a heap-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the malicious file to a target, possibly via email or other file-sharing methods.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious InDesign file using a vulnerable version of Adobe InDesign (20.5.2, 21.2, or earlier).\u003c/li\u003e\n\u003cli\u003eThe application attempts to process the malformed data within the file.\u003c/li\u003e\n\u003cli\u003eDue to the buffer overflow, the application writes data beyond the allocated buffer on the heap.\u003c/li\u003e\n\u003cli\u003eThis overwrites adjacent memory regions, potentially corrupting critical data or function pointers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the instruction pointer and redirects execution flow to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the InDesign process, achieving code execution on the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34629 allows an attacker to execute arbitrary code on a vulnerable system with the privileges of the logged-in user. 
This could lead to complete system compromise, data theft, installation of malware, or other malicious activities. The impact is significant due to the widespread use of Adobe InDesign in professional design and publishing environments. If a successful attack occurs within a corporate environment it could compromise sensitive business documents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch Adobe InDesign to the latest version to remediate CVE-2026-34629.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of opening untrusted files, especially those received from unknown sources, to mitigate the initial attack vector.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for suspicious processes spawned by InDesign, as indicated in the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-indesign-heap-overflow/","summary":"Adobe InDesign versions 20.5.2, 21.2 and earlier are vulnerable to a heap-based buffer overflow (CVE-2026-34629) that could lead to arbitrary code execution if a user opens a malicious file.","title":"Adobe InDesign Heap-Based Buffer Overflow Vulnerability (CVE-2026-34629)","url":"https://feed.craftedsignal.io/briefs/2026-04-indesign-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7,"id":"CVE-2026-32087"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","heap-overflow","cve","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32087 describes a heap-based buffer overflow vulnerability affecting the Function Discovery Service, specifically the \u003ccode\u003efdwsd.dll\u003c/code\u003e module. 
This vulnerability allows a locally authenticated attacker with low privileges to escalate their privileges to a higher level on the targeted Windows system. The vulnerability exists within the handling of specific data structures or function calls within \u003ccode\u003efdwsd.dll\u003c/code\u003e, leading to memory corruption when processing malformed input. Successful exploitation could allow an attacker to execute arbitrary code with elevated privileges, potentially leading to complete system compromise. The scope of the vulnerability is limited to local exploitation, requiring prior access to the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Windows system with low-privileged credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input designed to trigger the heap-based buffer overflow within \u003ccode\u003efdwsd.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker interacts with the Function Discovery Service, providing the crafted malicious input, potentially through a specially crafted application or API call.\u003c/li\u003e\n\u003cli\u003eThe Function Discovery Service attempts to process the attacker-supplied input via \u003ccode\u003efdwsd.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDuring the processing, the heap-based buffer overflow occurs due to insufficient bounds checking, overwriting adjacent memory regions on the heap.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical system data structures or inject malicious code into memory.\u003c/li\u003e\n\u003cli\u003eThe injected code or modified data structures are then executed by the Function Discovery Service, running with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully escalates their privileges and gains control over the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32087 leads to local privilege escalation, granting the attacker elevated privileges on the compromised system. This allows the attacker to perform actions restricted to administrators or system-level accounts, such as installing software, modifying system configurations, accessing sensitive data, or creating new accounts with elevated privileges. The impact is limited to the local system, but a successful privilege escalation is a critical step for attackers aiming to achieve lateral movement or persistence within a network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-32087, as detailed in the Microsoft Security Response Center advisory \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32087\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32087\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious process creations originating from the Function Discovery Service (fdwsd.dll) using process creation logs and deploy the Sigma rule \u003ccode\u003eDetect Suspicious Process Creation from FDWSD\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local access to systems and reduce the attack surface for this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:17:12Z","date_published":"2026-04-14T18:17:12Z","id":"/briefs/2026-04-fdwsd-privesc/","summary":"CVE-2026-32087 is a heap-based buffer overflow vulnerability in the Function Discovery Service (fdwsd.dll) that allows an authorized local attacker to elevate privileges on a Windows system.","title":"CVE-2026-32087 Function Discovery Service Privilege 
Escalation","url":"https://feed.craftedsignal.io/briefs/2026-04-fdwsd-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-22828"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-22828","fortinet","heap-overflow","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap-based buffer overflow vulnerability, identified as CVE-2026-22828, affects Fortinet FortiAnalyzer Cloud and FortiManager Cloud versions 7.6.2 through 7.6.4. The vulnerability allows a remote, unauthenticated attacker to potentially execute arbitrary code or commands. Exploitation necessitates sending specifically crafted requests to the affected systems. The complexity of a successful exploit is amplified by the presence of Address Space Layout Randomization (ASLR) and network segmentation, which impose significant hurdles for attackers in preparing the environment for code execution. This vulnerability poses a risk to organizations utilizing these Fortinet cloud services, potentially allowing for unauthorized access and control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable FortiAnalyzer or FortiManager Cloud instance running versions 7.6.2-7.6.4.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request designed to trigger the heap-based buffer overflow. This involves analyzing the vulnerable application to identify the specific request parameters and data structures that can be manipulated.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the targeted Fortinet Cloud instance.\u003c/li\u003e\n\u003cli\u003eDue to the buffer overflow, the crafted request overwrites adjacent memory on the heap, potentially corrupting data structures used by the application.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to leverage the memory corruption to gain control of program execution. 
Because of ASLR, this step requires careful planning and potentially multiple attempts to bypass address randomization.\u003c/li\u003e\n\u003cli\u003eUpon successful bypass of ASLR, the attacker overwrites a function pointer or other critical data in memory to redirect program control to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the FortiAnalyzer or FortiManager Cloud process.\u003c/li\u003e\n\u003cli\u003eThe attacker can now execute commands, potentially gaining unauthorized access to sensitive data, modifying system configurations, or deploying further malicious payloads within the cloud environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22828 can allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable Fortinet FortiAnalyzer Cloud and FortiManager Cloud instances (versions 7.6.2 through 7.6.4). While the effort required is considerable, a successful attack can lead to a complete compromise of the affected system, potentially resulting in data breaches, service disruption, or the deployment of malicious software. 
The absence of specific victim counts or sector targeting details in the original advisory emphasizes the importance of proactive mitigation.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a fixed version of Fortinet FortiAnalyzer Cloud and FortiManager Cloud to address CVE-2026-22828 (\u003ca href=\"https://fortiguard.fortinet.com/psirt/FG-IR-26-121\"\u003ehttps://fortiguard.fortinet.com/psirt/FG-IR-26-121\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit, as mentioned in the vulnerability description.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious HTTP Requests to Fortinet Cloud Services\u0026rdquo; to identify potential exploitation attempts (see rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T16:16:37Z","date_published":"2026-04-14T16:16:37Z","id":"/briefs/2026-04-fortinet-heap-overflow/","summary":"CVE-2026-22828 is a heap-based buffer overflow in Fortinet FortiAnalyzer and FortiManager Cloud versions 7.6.2 through 7.6.4, potentially allowing a remote unauthenticated attacker to execute arbitrary code with a significant preparation effort due to ASLR and network segmentation.","title":"Fortinet FortiAnalyzer and FortiManager Cloud Heap-Based Buffer Overflow Vulnerability (CVE-2026-22828)","url":"https://feed.craftedsignal.io/briefs/2026-04-fortinet-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5,"id":"CVE-2026-34589"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openexr","heap-overflow","dwaa","cve-2026-34589"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap out-of-bounds write vulnerability has been identified in the DWA lossy decoder of OpenEXR versions 3.2.0-3.2.6, 3.3.0-3.3.8, and 3.4.0-3.4.8. 
The vulnerability stems from an integer overflow in the calculation of per-component block pointers within the \u003ccode\u003einternal_dwa_decoder.h\u003c/code\u003e file. When processing a DWAA compressed image with a large width, the multiplication of \u003ccode\u003enumBlocksX * 64\u003c/code\u003e overflows a signed 32-bit integer, resulting in a wrapped pointer. This wrapped pointer is then used in subsequent decoder operations, leading to out-of-bounds memory access during the lossy DCT execution path. This can be triggered using the \u003ccode\u003eexrcheck\u003c/code\u003e tool, impacting systems where OpenEXR is used to process image files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OpenEXR image file with DWAA compression and a large image width.\u003c/li\u003e\n\u003cli\u003eThe victim uses the \u003ccode\u003eexrcheck\u003c/code\u003e tool or an application linked against a vulnerable OpenEXR library to process the image.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eInputFile\u003c/code\u003e or \u003ccode\u003eScanLineInputFile\u003c/code\u003e class initiates the image decoding process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexr_decoding_run\u003c/code\u003e function is called, which in turn calls \u003ccode\u003eexr_uncompress_chunk\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eexr_uncompress_chunk\u003c/code\u003e calls \u003ccode\u003einternal_exr_undo_dwaa\u003c/code\u003e to decompress the DWAA data.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003einternal_exr_undo_dwaa\u003c/code\u003e invokes \u003ccode\u003eDwaCompressor_uncompress\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003eDwaCompressor_uncompress\u003c/code\u003e, \u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e is called, triggering the integer overflow when calculating \u003ccode\u003erowBlock\u003c/code\u003e pointers in 
\u003ccode\u003einternal_dwa_decoder.h\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e attempts to write data to an out-of-bounds memory location, resulting in a crash (SEGV).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition due to a write-side crash, as observed in the \u003ccode\u003eLossyDctDecoder_execute\u003c/code\u003e function. The vulnerability affects applications that utilize the OpenEXR library to process DWAA compressed images. While the source doesn\u0026rsquo;t specify the number of victims or targeted sectors, any system processing untrusted OpenEXR images with affected versions is at risk. This could impact image editing software, rendering pipelines, and other applications that rely on OpenEXR.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenEXR to versions 3.2.7, 3.3.9, or 3.4.9 or later to patch CVE-2026-34589.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect exrcheck crash\u0026rdquo; to identify instances where the \u003ccode\u003eexrcheck\u003c/code\u003e tool crashes due to this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems for abnormal program termination signals (e.g., SEGV) originating from OpenEXR libraries during image processing, as these may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eBlock downloads from the URL \u003ccode\u003ehttps://github.com/user-attachments/files/26318786/dwa_scanline_exrcheck.zip\u003c/code\u003e to prevent users from downloading a known malicious test case.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T12:00:00Z","date_published":"2026-04-09T12:00:00Z","id":"/briefs/2026-04-openexr-dwa-oob-write/","summary":"A heap out-of-bounds write vulnerability exists in OpenEXR's DWA lossy 
decoder due to integer overflow during block pointer calculation, triggered via crafted DWAA files, leading to crashes during DCT execution.","title":"OpenEXR DWA Lossy Decoder Heap Out-of-Bounds Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openexr-dwa-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-24660"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libraw","heap-overflow","cve-2026-24660"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA heap-based buffer overflow vulnerability, identified as CVE-2026-24660, has been discovered in LibRaw, specifically affecting the x3f_load_huffman functionality in commit d20315b. The vulnerability arises from improper handling of a crafted input file, leading to a heap buffer overflow condition. An attacker can exploit this vulnerability by providing a malicious file designed to trigger the overflow during the Huffman decoding process. This could potentially allow an attacker to execute arbitrary code or cause a denial-of-service condition. This vulnerability impacts applications that utilize LibRaw for processing image files, particularly those dealing with potentially untrusted or externally sourced image data. Defenders should be aware of this vulnerability and take steps to mitigate the risk by updating to patched versions of LibRaw or implementing input validation measures.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious image file in a format processed by LibRaw. 
This file is specifically designed to exploit the \u003ccode\u003ex3f_load_huffman\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application using LibRaw processes the malicious image file.\u003c/li\u003e\n\u003cli\u003eDuring the Huffman decoding process within \u003ccode\u003ex3f_load_huffman\u003c/code\u003e, the crafted file triggers an integer overflow, leading to a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eData is written beyond the allocated buffer on the heap.\u003c/li\u003e\n\u003cli\u003eThis overwrite can corrupt adjacent heap metadata, potentially leading to control over memory allocation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to overwrite function pointers or other critical data structures on the heap.\u003c/li\u003e\n\u003cli\u003eBy manipulating these structures, the attacker can redirect program execution flow.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the application using LibRaw.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-24660 can lead to arbitrary code execution, potentially allowing an attacker to gain full control over the affected system. The vulnerability resides in a widely used library, potentially impacting a large number of applications that depend on LibRaw for image processing. Exploitation could result in data breaches, system compromise, or denial-of-service conditions. 
Given the CVSS v3.1 base score of 8.1, this vulnerability poses a significant risk and requires prompt attention.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or updates to LibRaw to versions containing the fix for CVE-2026-24660 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for image files processed by LibRaw to detect and prevent malicious files from triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eMonitor applications using LibRaw for unexpected crashes or abnormal behavior that could indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LibRaw Heap Overflow Attempt\u0026rdquo; to detect exploitation attempts by monitoring process creation events.\u003c/li\u003e\n\u003cli\u003eConsider implementing Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to further mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:17:37Z","date_published":"2026-04-07T15:17:37Z","id":"/briefs/2026-04-libraw-heap-overflow/","summary":"A heap-based buffer overflow vulnerability (CVE-2026-24660) exists in the x3f_load_huffman functionality of LibRaw commit d20315b, where a specially crafted malicious file can lead to a heap buffer overflow.","title":"LibRaw Heap-Based Buffer Overflow Vulnerability (CVE-2026-24660)","url":"https://feed.craftedsignal.io/briefs/2026-04-libraw-heap-overflow/"},{"_cs_actors":["Qualcomm"],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-21372"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-21372","memory-corruption","heap-overflow","ioctl"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-21372 describes a memory corruption vulnerability affecting systems that handle IOCTL requests, specifically during 
memcpy operations. The vulnerability arises when the system does not properly validate buffer sizes, leading to a heap-based buffer overflow (CWE-122). This flaw can be triggered by sending IOCTL requests with invalid buffer sizes, potentially allowing an attacker with local access to execute arbitrary code or cause a denial-of-service condition. Qualcomm reported this vulnerability in their April 2026 security bulletin. Successful exploitation requires the attacker to have the ability to send specifically crafted IOCTL requests to the vulnerable driver or service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the vulnerable driver or service that processes IOCTL requests.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious IOCTL request with an invalid buffer size, specifically designed to trigger a buffer overflow during a memcpy operation.\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted IOCTL request to the vulnerable driver or service.\u003c/li\u003e\n\u003cli\u003eThe driver or service attempts to copy data into a buffer using memcpy, without properly validating the size of the input buffer.\u003c/li\u003e\n\u003cli\u003eDue to the invalid buffer size, the memcpy operation writes beyond the allocated buffer, causing a heap-based buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe heap overflow corrupts adjacent memory regions, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to a denial-of-service condition or allows the attacker to execute arbitrary code with the privileges of the vulnerable driver or service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-21372 allows a local attacker to cause memory corruption, potentially leading to 
arbitrary code execution or a denial-of-service condition. This could allow attackers to gain elevated privileges or disrupt the normal operation of the affected system. The impact is significant due to the potential for complete system compromise if code execution is achieved.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate systems which utilize Qualcomm components for vulnerable IOCTL handlers and memcpy operations.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for anomalous memory access patterns associated with drivers that handle IOCTL requests.\u003c/li\u003e\n\u003cli\u003eApply patches or updates provided by Qualcomm to address CVE-2026-21372 as detailed in the Qualcomm security bulletin (\u003ca href=\"https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\"\u003ehttps://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for IOCTL requests to prevent buffer overflows, focusing on buffer size checks before memcpy operations.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for processes interacting with device drivers and triggering a memcpy near the IOCTL call.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:29Z","date_published":"2026-04-06T16:16:29Z","id":"/briefs/2026-04-ioctl-memcpy-corruption/","summary":"A memory corruption vulnerability (CVE-2026-21372) exists when processing IOCTL requests with invalid buffer sizes leading to a heap-based buffer overflow, reported by Qualcomm with a CVSS v3.1 score of 7.8.","title":"Qualcomm IOCTL Memory Corruption 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-ioctl-memcpy-corruption/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2024-14033"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2024-14033","denial-of-service","heap-overflow","hilcos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHirschmann Industrial IT products are susceptible to a heap overflow vulnerability identified as CVE-2024-14033 within the HiLCOS web interface. This vulnerability enables unauthenticated remote attackers to trigger a denial-of-service condition by sending specific, crafted requests to the affected web interface. Successful exploitation of this vulnerability results in the crashing of the targeted device, causing service disruption. The risk is heightened in configurations where the Public Spot functionality is activated. This poses a significant threat to industrial networks relying on these devices for critical operations, potentially leading to downtime and operational impacts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Hirschmann Industrial IT device with the HiLCOS web interface exposed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request specifically designed to trigger the heap overflow vulnerability in the HiLCOS web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the specially crafted HTTP request to the targeted device\u0026rsquo;s web interface (typically over port 80 or 443).\u003c/li\u003e\n\u003cli\u003eThe HiLCOS web interface processes the malicious request without proper bounds checking, leading to a heap overflow.\u003c/li\u003e\n\u003cli\u003eThe heap overflow corrupts memory within the device\u0026rsquo;s system processes, causing instability.\u003c/li\u003e\n\u003cli\u003eThe device\u0026rsquo;s web server or other critical processes 
crash as a result of the memory corruption.\u003c/li\u003e\n\u003cli\u003eThe device enters a denial-of-service state, becoming unresponsive to legitimate network traffic.\u003c/li\u003e\n\u003cli\u003eNetwork services provided by the affected device are disrupted, impacting dependent systems and users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-14033 results in a denial-of-service condition on affected Hirschmann Industrial IT devices. This can lead to significant disruption of network services, particularly in industrial control systems (ICS) environments. The impact includes loss of network connectivity, control system downtime, and potential cascading failures in dependent systems. The number of affected devices and sectors depends on the prevalence of vulnerable Hirschmann products within critical infrastructure and industrial networks; however, any exploitation of this vulnerability would have a detrimental effect.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or firmware updates provided by Hirschmann to remediate CVE-2024-14033, as referenced in the Belden Security Bulletin BSECV-2024-16.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access control policies to limit exposure of the HiLCOS web interface to untrusted networks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious HTTP requests indicative of exploitation attempts targeting CVE-2024-14033. 
Use the rule titled \u0026ldquo;Detect Suspicious HiLCOS Web Requests\u0026rdquo; as a starting point.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T21:16:39Z","date_published":"2026-04-02T21:16:39Z","id":"/briefs/2026-04-hilcos-heap-overflow/","summary":"A heap overflow vulnerability in the HiLCOS web interface of Hirschmann Industrial IT products (CVE-2024-14033) allows unauthenticated remote attackers to cause a denial-of-service condition by sending specially crafted requests, leading to device crashes and service disruption, particularly when the Public Spot functionality is enabled.","title":"Hirschmann HiLCOS Web Interface Heap Overflow Vulnerability (CVE-2024-14033)","url":"https://feed.craftedsignal.io/briefs/2026-04-hilcos-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-4673","chrome","webaudio","heap overflow","code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4673 is a heap buffer overflow vulnerability affecting the WebAudio component of Google Chrome. The vulnerability exists in versions prior to 146.0.7680.165. A remote attacker could exploit this vulnerability by crafting a malicious HTML page designed to trigger an out-of-bounds memory write. The Chromium security team has rated this vulnerability as High severity. 
Successful exploitation could allow an attacker to potentially execute arbitrary code within the context of the Chrome…\u003c/p\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-chrome-webaudio-heap-overflow/","summary":"A remote attacker can exploit a heap buffer overflow vulnerability (CVE-2026-4673) in Google Chrome's WebAudio component before version 146.0.7680.165 by crafting a malicious HTML page, potentially leading to an out-of-bounds memory write and arbitrary code execution.","title":"Google Chrome WebAudio Heap Buffer Overflow Vulnerability (CVE-2026-4673)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-webaudio-heap-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["virtualization","hypervisor","qemu","virtio-snd","heap overflow","hypervisor escape"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eA recently disclosed vulnerability in the QEMU virtualization platform allows a malicious guest operating system to escape the hypervisor and potentially execute code on the host system. The vulnerability resides in the \u003ccode\u003evirtio-snd\u003c/code\u003e component, which emulates a sound card for virtual machines. The root cause is an uncontrolled heap overflow that can be triggered by a specially crafted audio stream sent from the guest to the host. While specific details of the vulnerability and its exploitation are not provided in the source document, it is important for defenders to understand the potential impact of such a vulnerability and take appropriate measures to mitigate the risk. 
Successfully exploiting this type of vulnerability would allow an attacker to gain complete control over the underlying host system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a guest virtual machine (VM) through a compromised application or vulnerable service running within the VM.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their access within the guest VM to send a specially crafted audio stream to the emulated \u003ccode\u003evirtio-snd\u003c/code\u003e device.\u003c/li\u003e\n\u003cli\u003eThe crafted audio stream triggers an uncontrolled heap overflow within the QEMU process on the host system.\u003c/li\u003e\n\u003cli\u003eThe heap overflow corrupts memory on the host system, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully manipulates the heap overflow to overwrite function pointers or other execution control data within the QEMU process.\u003c/li\u003e\n\u003cli\u003eWhen the QEMU process attempts to execute the overwritten function pointer, control is redirected to attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code executes within the context of the QEMU process on the host system, allowing them to bypass the VM\u0026rsquo;s isolation.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain root access on the host and compromise the entire system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this QEMU hypervisor escape vulnerability allows a malicious guest operating system to gain complete control over the host system. This can lead to data theft, system compromise, and further lateral movement within the network. The potential impact is significant, especially in cloud environments where multiple VMs share the same physical hardware. 
Even though specific victim numbers are unavailable, the wide deployment of QEMU implies a broad scope of potential targets across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events on the hypervisor host for QEMU processes spawning child processes with unexpected command-line arguments, as this could indicate exploitation (see rule: \u0026ldquo;Detect QEMU Process Spawning Shell\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable network connection logging for QEMU processes on the hypervisor host to detect connections to unusual or malicious IP addresses, which may be used for command and control after a hypervisor escape (see rule: \u0026ldquo;Detect QEMU Outbound Network Connection\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual or suspicious behavior within guest VMs, such as unexpected resource utilization or network activity, as this may indicate an attempt to exploit the \u003ccode\u003evirtio-snd\u003c/code\u003e vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T05:19:00Z","date_published":"2026-03-19T05:19:00Z","id":"/briefs/2026-03-qemu-escape/","summary":"An unpatched vulnerability in QEMU's virtio-snd component allows for a hypervisor escape due to an uncontrolled heap overflow.","title":"QEMU Hypervisor Escape via virtio-snd 0-Day","url":"https://feed.craftedsignal.io/briefs/2026-03-qemu-escape/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41445"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["integer-overflow","heap-overflow","kissfft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41445 is a newly reported vulnerability affecting the KissFFT library. The vulnerability is located within the \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e function and results from an integer overflow. 
Successful exploitation of this vulnerability could allow an attacker to cause a heap buffer overflow, potentially leading to arbitrary code execution. This vulnerability was reported through the Microsoft Security Response Center, indicating a potential impact on Microsoft products or services that utilize the KissFFT library. Defenders should monitor for exploitation attempts and implement mitigations as soon as patches are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eWhile exploitation details are currently unavailable, the following attack chain is inferred from the vulnerability type and function name:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input with specially designed dimensions to be processed by KissFFT.\u003c/li\u003e\n\u003cli\u003eThis malicious input is passed to a function that calls \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e, the attacker\u0026rsquo;s input triggers an integer overflow when calculating the buffer size.\u003c/li\u003e\n\u003cli\u003eA smaller-than-required memory buffer is allocated on the heap as a result of the overflow.\u003c/li\u003e\n\u003cli\u003eSubsequent operations attempt to write data larger than the allocated buffer into the undersized heap buffer.\u003c/li\u003e\n\u003cli\u003eThis write operation overflows the heap buffer, corrupting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to a crash or, in some cases, arbitrary code execution depending on the overwritten data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41445 can lead to denial of service due to application crashes, or potentially arbitrary code execution. 
Since the vulnerability resides in the KissFFT library, applications that utilize this library for FFT processing are potentially vulnerable. The exact impact depends on the privileges of the application using the library. If exploited in a privileged process, it could lead to system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux|windows\u003c/code\u003e) for unusual patterns in requests that may be attempting to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential attempts to exploit integer overflows in memory allocation functions.\u003c/li\u003e\n\u003cli\u003eApply patches released by Microsoft as soon as they become available to remediate CVE-2026-41445.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:23:44Z","date_published":"2024-01-24T18:23:44Z","id":"/briefs/2024-01-cve-2026-41445/","summary":"CVE-2026-41445 is a reported integer overflow vulnerability in the KissFFT library that could lead to a heap buffer overflow.","title":"CVE-2026-41445 KissFFT Integer Overflow leads to Heap Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-41445/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33846"}],"_cs_exploited":false,"_cs_products":["GnuTLS"],"_cs_severities":["high"],"_cs_tags":["cve-2026-33846","dtls","heap overflow","gnutls","network"],"_cs_type":"advisory","_cs_vendors":["GnuTLS"],"content_html":"\u003cp\u003eA heap buffer overflow vulnerability has been identified in the DTLS handshake fragment reassembly logic of GnuTLS. The vulnerability, tracked as CVE-2026-33846, resides within the \u003ccode\u003emerge_handshake_packet()\u003c/code\u003e function. This function is responsible for matching and merging incoming DTLS handshake fragments. 
The core issue is the lack of validation for the \u003ccode\u003emessage_length\u003c/code\u003e field across different fragments belonging to the same logical message. An attacker can exploit this flaw by transmitting malicious DTLS fragments that contain inconsistent \u003ccode\u003emessage_length\u003c/code\u003e values. This inconsistency leads the GnuTLS implementation to allocate a buffer based on a smaller, initial fragment and then write data beyond the allocated buffer\u0026rsquo;s boundaries using the larger, conflicting fragments. This out-of-bounds write on the heap can be triggered remotely without requiring any form of authentication, making it a critical vulnerability. Successful exploitation can lead to application crashes or, potentially, arbitrary memory corruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker initiates a DTLS handshake with a vulnerable GnuTLS server.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a first DTLS handshake fragment with a small \u003ccode\u003emessage_length\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003emerge_handshake_packet()\u003c/code\u003e function allocates a heap buffer based on the initial, smaller \u003ccode\u003emessage_length\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker sends a subsequent DTLS handshake fragment for the same handshake message with a larger, inconsistent \u003ccode\u003emessage_length\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emerge_handshake_packet()\u003c/code\u003e incorrectly merges the second fragment into the allocated buffer without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe write operation overflows the allocated heap buffer, corrupting adjacent memory.\u003c/li\u003e\n\u003cli\u003eThe application crashes due to memory corruption, or the attacker potentially gains further 
control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33846 can lead to denial-of-service conditions due to application crashes. Memory corruption could allow for arbitrary code execution, but this is a less likely outcome. Given the widespread use of GnuTLS in various applications and systems, a large number of services could be impacted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for DTLS handshakes with inconsistent \u003ccode\u003emessage_length\u003c/code\u003e values in fragmented handshake messages using the provided Sigma rule \u003ccode\u003eDetect DTLS Handshake Fragment Length Mismatch\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eApply available patches from GnuTLS to remediate CVE-2026-33846.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for DTLS handshake requests to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-gnutls-dtls-overflow/","summary":"A heap buffer overflow vulnerability, CVE-2026-33846, exists in the DTLS handshake fragment reassembly logic of GnuTLS, allowing unauthenticated remote attackers to cause application crashes or potential memory corruption by sending crafted DTLS fragments with conflicting message lengths.","title":"GnuTLS DTLS Handshake Heap Overflow Vulnerability (CVE-2026-33846)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-gnutls-dtls-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Heap-Overflow","version":"https://jsonfeed.org/version/1.1"}