{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/integer-overflow/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25990"}],"_cs_exploited":false,"_cs_products":["Pillow (\u003e= 10.3.0, \u003c 12.2.0)"],"_cs_severities":["high"],"_cs_tags":["pillow","oob-write","integer-overflow","psd","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003ePillow, a popular Python image processing library, is vulnerable to an out-of-bounds write vulnerability (CVE-2026-42311) when processing PSD files. Specifically, versions 10.3.0 up to 12.1.1 contain a flaw in how they handle tile extents in PSD image decoding and encoding. The vulnerability arises from an integer overflow when calculating tile extent sums, which bypasses intended bounds checks. This allows a specially crafted PSD image with malicious tile dimensions to trigger an out-of-bounds write in \u003ccode\u003esrc/decode.c\u003c/code\u003e and \u003ccode\u003esrc/encode.c\u003c/code\u003e. Successful exploitation could lead to memory corruption, resulting in a crash or, more critically, arbitrary code execution. The issue was initially addressed in version 12.1.1 (CVE-2026-25990) but the fix was incomplete due to the integer overflow issue. 
The vulnerability is resolved in Pillow version 12.2.0 by avoiding the addition of extents before comparison.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PSD image file with specific tile dimensions designed to trigger an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s application, using a vulnerable version of Pillow (10.3.0 - 12.1.1), attempts to process the malicious PSD file.\u003c/li\u003e\n\u003cli\u003eDuring PSD image decoding/encoding, Pillow calculates the tile extent sums.\u003c/li\u003e\n\u003cli\u003eDue to the crafted tile dimensions, the integer overflow occurs, causing the calculated extent sums to wrap around.\u003c/li\u003e\n\u003cli\u003eThe wrapped-around extent sums bypass the bounds checks implemented in Pillow.\u003c/li\u003e\n\u003cli\u003eAn out-of-bounds write operation occurs in \u003ccode\u003esrc/decode.c\u003c/code\u003e or \u003ccode\u003esrc/encode.c\u003c/code\u003e, corrupting memory.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to either a crash of the application or, in a more severe scenario, allows the attacker to inject and execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the affected system, potentially leading to further malicious activities like data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to denial of service (application crash) or, more critically, arbitrary code execution. If an attacker can execute code on a system, they could potentially gain complete control of the system. This could lead to data theft, system compromise, and further propagation of attacks. 
The vulnerability affects any application that uses the Pillow library to process PSD files, potentially impacting a wide range of software across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pillow to version 12.2.0 or later to remediate CVE-2026-42311, which corrects the integer overflow issue and prevents the out-of-bounds write.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for the execution of Python scripts (\u003ccode\u003epython.exe\u003c/code\u003e, \u003ccode\u003epython3\u003c/code\u003e) that process untrusted PSD files. Deploy the Sigma rule \u003ccode\u003eDetect Pillow PSD Processing\u003c/code\u003e to identify potentially malicious PSD processing activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:20:31Z","date_published":"2026-05-04T20:20:31Z","id":"/briefs/2024-01-pillow-oob-write/","summary":"Pillow versions 10.3.0 through 12.1.1 are vulnerable to an out-of-bounds write in PSD image decoding/encoding due to an integer overflow when computing tile extent sums, potentially leading to arbitrary code execution.","title":"Pillow Out-of-Bounds Write Vulnerability in PSD Processing (CVE-2026-42311)","url":"https://feed.craftedsignal.io/briefs/2024-01-pillow-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-20884"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libraw","integer-overflow","heap-buffer-overflow","cve-2026-20884"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20884 describes an integer overflow vulnerability affecting LibRaw, specifically within the \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e function. This flaw resides in commit 8dc68e2 of the LibRaw library. The vulnerability can be exploited by providing a specially crafted DNG (Digital Negative) image file to an application using the affected LibRaw version. 
Successful exploitation results in a heap buffer overflow, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service condition. This is significant for defenders because LibRaw is a widely used library for handling raw image formats and is often integrated into image processing applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious DNG image file designed to trigger the integer overflow in \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim opens the malicious DNG file using an application that utilizes the vulnerable LibRaw library.\u003c/li\u003e\n\u003cli\u003eLibRaw\u0026rsquo;s \u003ccode\u003edeflate_dng_load_raw\u003c/code\u003e function is called to process the image data.\u003c/li\u003e\n\u003cli\u003eDuring the processing of the DNG file, an integer overflow occurs when calculating the size of a buffer.\u003c/li\u003e\n\u003cli\u003eThe overflow results in allocating a smaller-than-expected buffer on the heap.\u003c/li\u003e\n\u003cli\u003eSubsequently, when decompressing the image data, the \u003ccode\u003edeflate\u003c/code\u003e algorithm writes beyond the allocated buffer, causing a heap buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow overwrites adjacent memory regions, potentially corrupting program data or code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to achieve arbitrary code execution or cause the application to crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20884 allows an attacker to potentially execute arbitrary code within the context of the application using the LibRaw library. This could lead to complete system compromise. 
Alternatively, the heap buffer overflow could cause the application to crash, resulting in a denial-of-service. The impact depends on the privileges of the application using LibRaw. Image processing software, photography workflows, and digital asset management systems are all potential targets.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a version of LibRaw that addresses CVE-2026-20884 to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor for applications processing DNG files from untrusted sources (e.g., web downloads or email attachments).\u003c/li\u003e\n\u003cli\u003eConsider implementing file validation and sanitization techniques to detect and prevent malicious DNG files from being processed.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect LibRaw Exploitation via DNG\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to detect applications loading LibRaw library when processing DNG files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T15:17:35Z","date_published":"2026-04-07T15:17:35Z","id":"/briefs/2026-04-libraw-integer-overflow/","summary":"CVE-2026-20884 is an integer overflow vulnerability in LibRaw's deflate_dng_load_raw function that leads to a heap buffer overflow when processing crafted DNG files.","title":"LibRaw Integer Overflow Vulnerability in deflate_dng_load_raw","url":"https://feed.craftedsignal.io/briefs/2026-04-libraw-integer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["libp2p","gossipsub","denial-of-service","integer overflow","rust"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Rust libp2p Gossipsub implementation, a peer-to-peer networking library, is susceptible to a remote denial-of-service (DoS) vulnerability. 
This flaw resides in the handling of \u003ccode\u003ebackoff\u003c/code\u003e expiry during heartbeat processing. By sending a specially crafted \u003ccode\u003ePRUNE\u003c/code\u003e control message containing an attacker-controlled, near-maximum \u003ccode\u003ebackoff\u003c/code\u003e value, a remote, unauthenticated peer can trigger an integer overflow. This overflow occurs when the implementation performs unchecked addition of the \u003ccode\u003ebackoff_time\u003c/code\u003e and a \u003ccode\u003eslack\u003c/code\u003e value. This vulnerability affects applications using libp2p-gossipsub versions prior to 0.49.4 and is distinct from CVE-2026-33040, which addressed overflow during backoff insertion. This report highlights a distinct secondary overflow path in heartbeat expiry handling that remained exploitable even after the initial insertion-side hardening. The vulnerability was reported by the Security team of the Ethereum Foundation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker establishes a standard libp2p session with a target node using \u003ccode\u003eTCP + Noise\u003c/code\u003e for encryption.\u003c/li\u003e\n\u003cli\u003eThe attacker negotiates a stream multiplexer protocol such as \u003ccode\u003emplex\u003c/code\u003e or \u003ccode\u003eyamux\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a Gossipsub stream with the target node to initiate communication.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an RPC (Remote Procedure Call) containing a \u003ccode\u003eControlPrune\u003c/code\u003e message.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eControlPrune\u003c/code\u003e message includes a crafted \u003ccode\u003ebackoff\u003c/code\u003e value set near the maximum representable value for an i64 integer (e.g., \u003ccode\u003e9223372036854674580\u003c/code\u003e). 
The attacker chooses this value relative to the victim\u0026rsquo;s uptime.\u003c/li\u003e\n\u003cli\u003eThe target node parses the \u003ccode\u003ebackoff\u003c/code\u003e value from the protobuf message and processes it using \u003ccode\u003eBehaviour::handle_prune()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebackoff\u003c/code\u003e value is stored after a checked addition to ensure it\u0026rsquo;s valid; however, the near-maximum value is still retained.\u003c/li\u003e\n\u003cli\u003eOn the next heartbeat, the node attempts to calculate the expiry time by adding a \u003ccode\u003eslack\u003c/code\u003e value to the stored \u003ccode\u003ebackoff_time\u003c/code\u003e using unchecked addition, which results in an integer overflow, causing a panic and crashing the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a remote, unauthenticated denial of service. Any application exposing an affected \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e listener can be crashed by a network-reachable peer. The crash occurs during heartbeat processing, not immediately upon receiving the \u003ccode\u003ePRUNE\u003c/code\u003e message. The attack can be repeated by reconnecting to the target and replaying the crafted \u003ccode\u003ePRUNE\u003c/code\u003e message. This could lead to service disruptions and potential data loss if the application does not handle crashes gracefully. 
The number of potential victims is significant, encompassing any application utilizing vulnerable versions of the \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003elibp2p-gossipsub\u003c/code\u003e dependency to version 0.49.4 or later to patch the unchecked arithmetic operation that causes the overflow.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect libp2p Gossipsub PRUNE with Large Backoff\u0026rdquo; to identify potential exploitation attempts by monitoring network traffic for unusually large \u003ccode\u003ebackoff\u003c/code\u003e values in \u003ccode\u003ePRUNE\u003c/code\u003e messages.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging to capture details of libp2p sessions and identify potential malicious peers attempting to exploit this vulnerability (logsource: network_connection).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T13:04:03Z","date_published":"2026-03-30T13:04:03Z","id":"/briefs/2026-03-libp2p-gossipsub-dos/","summary":"A remote, unauthenticated attacker can crash applications using libp2p-gossipsub versions prior to 0.49.4 by sending a crafted PRUNE control message with a near-maximum backoff value, causing an arithmetic overflow during heartbeat processing.","title":"libp2p-gossipsub Remote Denial of Service via Integer Overflow","url":"https://feed.craftedsignal.io/briefs/2026-03-libp2p-gossipsub-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["tinyproxy","denial-of-service","integer-overflow","cve-2026-3945"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTinyproxy, a lightweight HTTP/HTTPS proxy daemon, is vulnerable to an integer overflow in its chunked transfer encoding parser. 
This vulnerability, identified as CVE-2026-3945, affects versions up to and including 1.11.3. A remote, unauthenticated attacker can exploit this flaw by sending a specially crafted HTTP request containing an invalid chunk size value, such as 0x7fffffffffffffff. The \u003ccode\u003estrtol()\u003c/code\u003e function is used to parse chunk sizes but fails to properly validate overflow conditions, specifically the \u003ccode\u003eERANGE\u003c/code\u003e error. This bypasses a check designed to prevent negative chunk lengths (\u003ccode\u003echunklen \u0026lt; 0\u003c/code\u003e). The subsequent signed integer overflow during arithmetic operations leads to the proxy attempting to read an excessively large amount of data, exhausting resources and preventing new connections, effectively causing a denial-of-service condition. Although the upstream has addressed the issue in commit bb7edc4, the latest stable release (1.11.3) remains vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the Tinyproxy server.\u003c/li\u003e\n\u003cli\u003eThe HTTP request uses chunked transfer encoding.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a crafted chunk size value, such as 0x7fffffffffffffff (LONG_MAX), within the request headers.\u003c/li\u003e\n\u003cli\u003eThe Tinyproxy server parses the chunk size using \u003ccode\u003estrtol()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003estrtol()\u003c/code\u003e function does not adequately validate the integer overflow (errno == ERANGE).\u003c/li\u003e\n\u003cli\u003eThe crafted chunk size bypasses the initial validation check (\u003ccode\u003echunklen \u0026lt; 0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA signed integer overflow occurs during arithmetic operations (\u003ccode\u003echunklen + 2\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe proxy attempts to read an extremely large amount of 
request-body data, exhausting available worker slots and preventing new connections, causing a denial of service (DoS).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3945 leads to a denial-of-service condition. The vulnerable Tinyproxy instance becomes unresponsive as it exhausts its available worker slots. This prevents legitimate users from accessing services proxied by the affected server. The impact is significant as it can completely disrupt services reliant on the proxy, affecting all users until the service is manually restarted or patched. The severity is high due to the ease of exploitation (unauthenticated remote attacker) and the potential for widespread service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tinyproxy to a version patched against CVE-2026-3945 (commit bb7edc4 or later). If an upgrade is not immediately feasible, consider implementing a web application firewall (WAF) rule to filter requests with excessively large chunk sizes to mitigate the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspiciously Large HTTP Chunk Size\u003c/code\u003e to identify requests with abnormally large chunk sizes within HTTP traffic, indicating potential exploitation attempts of CVE-2026-3945.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests with chunk sizes exceeding a reasonable threshold. 
Analyze the request patterns to identify potential malicious actors attempting to exploit this vulnerability using the \u003ccode\u003ewebserver\u003c/code\u003e log source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T08:16:17Z","date_published":"2026-03-30T08:16:17Z","id":"/briefs/2026-03-tinyproxy-dos/","summary":"An integer overflow vulnerability in Tinyproxy's HTTP chunked transfer encoding parser (versions \u003c= 1.11.3) allows an unauthenticated remote attacker to cause a denial of service by sending a crafted chunk size that bypasses validation, leading to resource exhaustion.","title":"Tinyproxy HTTP Chunked Encoding Integer Overflow Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-03-tinyproxy-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sandbox escape","integer overflow","mozilla firefox","mozilla thunderbird","cve-2026-4690"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4690 is a critical vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The root cause lies in incorrect boundary conditions coupled with an integer overflow within the XPCOM component. Successful exploitation allows an attacker to bypass the sandbox protections, potentially leading to arbitrary code execution outside the confines of the browser\u0026rsquo;s security measures. 
The vulnerability impacts Firefox versions earlier than 149, Firefox ESR versions prior to 115.34 and…\u003c/p\u003e\n","date_modified":"2026-03-24T13:16:04Z","date_published":"2026-03-24T13:16:04Z","id":"/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/","summary":"A sandbox escape vulnerability, identified as CVE-2026-4690, exists in the XPCOM component of Mozilla Firefox, Firefox ESR, and Thunderbird due to incorrect boundary conditions and an integer overflow, potentially allowing an attacker to execute arbitrary code outside the sandbox.","title":"CVE-2026-4690: Mozilla Firefox, Firefox ESR, and Thunderbird XPCOM Sandbox Escape","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-4690-firefox-sandbox-escape/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4679","chrome","integer-overflow","memory-corruption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4679 is an integer overflow vulnerability affecting the Fonts component in Google Chrome versions prior to 146.0.7680.165. A remote attacker can exploit this vulnerability by crafting a malicious HTML page that, when rendered by a vulnerable Chrome browser, triggers an integer overflow condition, leading to an out-of-bounds memory write. This vulnerability exists because of insufficient validation when handling font data. 
Successful exploitation could lead to arbitrary code execution…\u003c/p\u003e\n","date_modified":"2026-03-24T01:17:03Z","date_published":"2026-03-24T01:17:03Z","id":"/briefs/2026-03-chrome-font-overflow/","summary":"A remote attacker can perform an out-of-bounds memory write on Google Chrome by exploiting an integer overflow in the Fonts component via a crafted HTML page in versions prior to 146.0.7680.165.","title":"Google Chrome Font Integer Overflow Vulnerability (CVE-2026-4679)","url":"https://feed.craftedsignal.io/briefs/2026-03-chrome-font-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["integer-overflow","denial-of-service","memory-disclosure","glTF","cgltf"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ecgltf is a minimalist C library for loading glTF 2.0 files. Versions 1.15 and earlier are vulnerable to an integer overflow in the \u003ccode\u003ecgltf_validate()\u003c/code\u003e function. This vulnerability occurs during the validation of sparse accessors within glTF/GLB files. An attacker can exploit this by crafting malicious glTF/GLB files with specifically chosen size values that trigger integer overflows in arithmetic operations during sparse accessor validation. Successful exploitation leads to out-of-bounds reads due to heap buffer over-reads in \u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e. This results in a denial-of-service condition (application crash) and potentially leads to memory disclosure. 
Defenders should monitor applications parsing glTF/GLB files for unexpected crashes or abnormal memory access patterns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious glTF or GLB file.\u003c/li\u003e\n\u003cli\u003eThe crafted file contains a sparse accessor with attacker-controlled size values designed to cause an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application uses the cgltf library to parse the malicious glTF/GLB file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecgltf_validate()\u003c/code\u003e function is called to validate the glTF data, including the sparse accessor.\u003c/li\u003e\n\u003cli\u003eDuring sparse accessor validation, unchecked arithmetic operations occur with the attacker-controlled size values, resulting in an integer overflow.\u003c/li\u003e\n\u003cli\u003eThe integer overflow leads to an incorrect calculation of the index bound in the \u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecgltf_calc_index_bound()\u003c/code\u003e attempts to access a heap buffer using the incorrect index bound.\u003c/li\u003e\n\u003cli\u003eThis results in an out-of-bounds read, causing a denial of service (application crash) or potentially exposing sensitive memory contents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, as the application parsing the malicious glTF/GLB file crashes. Furthermore, the out-of-bounds read could potentially expose sensitive information from the application\u0026rsquo;s memory. The number of potential victims depends on the prevalence of applications using the vulnerable cgltf library to process potentially untrusted glTF/GLB files. 
Sectors affected could include any application that handles 3D models or scenes using the glTF format, such as game development, CAD software, and visualization tools.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the cgltf library that addresses CVE-2026-32845.\u003c/li\u003e\n\u003cli\u003eImplement input validation on glTF/GLB files before parsing them with cgltf to prevent malicious size values from reaching the vulnerable \u003ccode\u003ecgltf_validate()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect glTF Parsing Process Crash\u0026rdquo; to identify processes crashing while parsing glTF/GLB files, which can indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process crash reporting to collect detailed information about crashes, including memory dumps, which can aid in identifying the root cause and potential memory disclosure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T16:16:48Z","date_published":"2026-03-23T16:16:48Z","id":"/briefs/2026-03-cgltf-overflow/","summary":"cgltf version 1.15 and prior contain an integer overflow vulnerability in the cgltf_validate() function when validating sparse accessors, allowing attackers to trigger out-of-bounds reads via crafted glTF/GLB files, leading to denial of service and potential memory disclosure.","title":"cgltf Integer Overflow Vulnerability in Sparse Accessor Validation","url":"https://feed.craftedsignal.io/briefs/2026-03-cgltf-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-41445"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["integer-overflow","heap-overflow","kissfft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41445 is a newly reported vulnerability affecting the KissFFT library. 
The vulnerability is located within the \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e function and results from an integer overflow. Successful exploitation of this vulnerability could allow an attacker to cause a heap buffer overflow, potentially leading to arbitrary code execution. This vulnerability was reported through the Microsoft Security Response Center, indicating a potential impact on Microsoft products or services that utilize the KissFFT library. Defenders should monitor for exploitation attempts and implement mitigations as soon as patches are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eWhile exploitation details are currently unavailable, the following attack chain is inferred from the vulnerability type and function name:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input with specially designed dimensions to be processed by KissFFT.\u003c/li\u003e\n\u003cli\u003eThis malicious input is passed to a function that calls \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003ekiss_fftndr_alloc()\u003c/code\u003e, the attacker\u0026rsquo;s input triggers an integer overflow when calculating the buffer size.\u003c/li\u003e\n\u003cli\u003eA smaller-than-required memory buffer is allocated on the heap as a result of the overflow.\u003c/li\u003e\n\u003cli\u003eSubsequent operations attempt to write data larger than the allocated buffer into the undersized heap buffer.\u003c/li\u003e\n\u003cli\u003eThis write operation overflows the heap buffer, corrupting adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to a crash or, in some cases, arbitrary code execution depending on the overwritten data.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful 
exploitation of CVE-2026-41445 can lead to denial of service due to application crashes, or potentially arbitrary code execution. Since the vulnerability resides in the KissFFT library, applications that utilize this library for FFT processing are potentially vulnerable. The exact impact depends on the privileges of the application using the library. If exploited in a privileged process, it could lead to system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs (category: \u003ccode\u003ewebserver\u003c/code\u003e, product: \u003ccode\u003elinux|windows\u003c/code\u003e) for unusual patterns in requests that may be attempting to trigger the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential attempts to exploit integer overflows in memory allocation functions.\u003c/li\u003e\n\u003cli\u003eApply patches released by Microsoft as soon as they become available to remediate CVE-2026-41445.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:23:44Z","date_published":"2024-01-24T18:23:44Z","id":"/briefs/2024-01-cve-2026-41445/","summary":"CVE-2026-41445 is a reported integer overflow vulnerability in the KissFFT library that could lead to a heap buffer overflow.","title":"CVE-2026-41445 KissFFT Integer Overflow leads to Heap Buffer Overflow","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-41445/"}],"language":"en","title":"CraftedSignal Threat Feed — Integer-Overflow","version":"https://jsonfeed.org/version/1.1"}