Attack Chain

1. An attacker crafts a malicious PSD image file with specific tile dimensions designed to trigger an integer overflow.
2. The victim’s application, using a vulnerable version of Pillow (10.3.0 - 12.1.1), attempts to process the malicious PSD file.
3. During PSD image decoding/encoding, Pillow calculates the tile extent sums.
4. Due to the crafted tile dimensions, the integer overflow occurs, causing the calculated extent sums to wrap around.
5. The wrapped-around extent sums bypass the bounds checks implemented in Pillow.
6. An out-of-bounds write operation occurs in src/decode.c or src/encode.c, corrupting memory.
7. The memory corruption leads to either a crash of the application or, in a more severe scenario, allows the attacker to inject and execute arbitrary code.
8. The attacker gains control of the affected system, potentially leading to further malicious activities like data exfiltration or lateral movement.

Impact

Successful exploitation of this vulnerability can lead to denial of service (application crash) or, more critically, arbitrary code execution. If an attacker can execute code on a system, they could potentially gain complete control of the system. This could lead to data theft, system compromise, and further propagation of attacks. The vulnerability affects any application that uses the Pillow library to process PSD files, potentially impacting a wide range of software across various sectors.

Recommendation

• Upgrade Pillow to version 12.2.0 or later to remediate CVE-2026-42311, which corrects the integer overflow issue and prevents the out-of-bounds write.
• Monitor process creations for the execution of Python scripts (python.exe, python3) that process untrusted PSD files. Deploy the Sigma rule Detect Pillow PSD Processing to identify potentially malicious PSD processing activity.

Attack Chain

1. Attacker crafts a malicious DNG image file designed to trigger the integer overflow in deflate_dng_load_raw.
2. The victim opens the malicious DNG file using an application that utilizes the vulnerable LibRaw library.
3. LibRaw’s deflate_dng_load_raw function is called to process the image data.
4. During the processing of the DNG file, an integer overflow occurs when calculating the size of a buffer.
5. The overflow results in allocating a smaller-than-expected buffer on the heap.
6. Subsequently, when decompressing the image data, the deflate algorithm writes beyond the allocated buffer, causing a heap buffer overflow.
7. The heap buffer overflow overwrites adjacent memory regions, potentially corrupting program data or code.
8. The attacker leverages the memory corruption to achieve arbitrary code execution or cause the application to crash.

Impact

Successful exploitation of CVE-2026-20884 allows an attacker to potentially execute arbitrary code within the context of the application using the LibRaw library. This could lead to complete system compromise. Alternatively, the heap buffer overflow could cause the application to crash, resulting in a denial-of-service. The impact depends on the privileges of the application using LibRaw. Image processing software, photography workflows, and digital asset management systems are all potential targets.

Recommendation

• Apply patches or upgrade to a version of LibRaw that addresses CVE-2026-20884 to remediate the vulnerability.
• Monitor for applications processing DNG files from untrusted sources (e.g., web downloads or email attachments).
• Consider implementing file validation and sanitization techniques to detect and prevent malicious DNG files from being processed.
• Deploy the Sigma rule “Detect LibRaw Exploitation via DNG” to identify potential exploitation attempts.
• Enable process creation logging to detect applications loading LibRaw library when processing DNG files.

Attack Chain

1. An attacker establishes a standard libp2p session with a target node using TCP + Noise for encryption.
2. The attacker negotiates a stream multiplexer protocol such as mplex or yamux.
3. The attacker opens a Gossipsub stream with the target node to initiate communication.
4. The attacker sends an RPC (Remote Procedure Call) containing a ControlPrune message.
5. The ControlPrune message includes a crafted backoff value set near the maximum representable value for an i64 integer (e.g., 9223372036854674580). The attacker chooses this value relative to the victim’s uptime.
6. The target node parses the backoff value from the protobuf message and processes it using Behaviour::handle_prune().
7. The backoff value is stored after a checked addition to ensure it’s valid, however the near-maximum value is still retained.
8. On the next heartbeat, the node attempts to calculate the expiry time by adding a slack value to the stored backoff_time using unchecked addition, which results in an integer overflow, causing a panic and crashing the application.

Impact

This vulnerability results in a remote, unauthenticated denial of service. Any application exposing an affected libp2p-gossipsub listener can be crashed by a network-reachable peer. The crash occurs during heartbeat processing, not immediately upon receiving the PRUNE message. The attack can be repeated by reconnecting to the target and replaying the crafted PRUNE message. This could lead to service disruptions and potential data loss if the application does not handle crashes gracefully. The number of potential victims is significant, encompassing any application utilizing vulnerable versions of the libp2p-gossipsub library.

Recommendation

• Upgrade the libp2p-gossipsub dependency to version 0.49.4 or later to patch the unchecked arithmetic operation that causes the overflow.
• Deploy the Sigma rule “Detect libp2p Gossipsub PRUNE with Large Backoff” to identify potential exploitation attempts by monitoring network traffic for unusually large backoff values in PRUNE messages.
• Enable network connection logging to capture details of libp2p sessions and identify potential malicious peers attempting to exploit this vulnerability (logsource: network_connection).

Attack Chain

1. The attacker sends an HTTP request to the Tinyproxy server.
2. The HTTP request uses chunked transfer encoding.
3. The attacker includes a crafted chunk size value, such as 0x7fffffffffffffff (LONG_MAX), within the request headers.
4. The Tinyproxy server parses the chunk size using strtol().
5. The strtol() function does not adequately validate the integer overflow (errno == ERANGE).
6. The crafted chunk size bypasses the initial validation check (chunklen < 0).
7. A signed integer overflow occurs during arithmetic operations (chunklen + 2).
8. The proxy attempts to read an extremely large amount of request-body data, exhausting available worker slots and preventing new connections, causing a denial of service (DoS).

Impact

Successful exploitation of CVE-2026-3945 leads to a denial-of-service condition. The vulnerable Tinyproxy instance becomes unresponsive as it exhausts its available worker slots. This prevents legitimate users from accessing services proxied by the affected server. The impact is significant as it can completely disrupt services reliant on the proxy, affecting all users until the service is manually restarted or patched. The severity is high due to the ease of exploitation (unauthenticated remote attacker) and the potential for widespread service disruption.

Recommendation

• Upgrade Tinyproxy to a version patched against CVE-2026-3945 (commit bb7edc4 or later). If an upgrade is not immediately feasible, consider implementing a web application firewall (WAF) rule to filter requests with excessively large chunk sizes to mitigate the vulnerability.
• Deploy the Sigma rule Detect Suspiciously Large HTTP Chunk Size to identify requests with abnormally large chunk sizes within HTTP traffic, indicating potential exploitation attempts of CVE-2026-3945.
• Monitor web server logs for HTTP requests with chunk sizes exceeding a reasonable threshold. Analyze the request patterns to identify potential malicious actors attempting to exploit this vulnerability using the webserver log source.

Attack Chain

1. The attacker crafts a malicious glTF or GLB file.
2. The crafted file contains a sparse accessor with attacker-controlled size values designed to cause an integer overflow.
3. The vulnerable application uses the cgltf library to parse the malicious glTF/GLB file.
4. The cgltf_validate() function is called to validate the glTF data, including the sparse accessor.
5. During sparse accessor validation, unchecked arithmetic operations occur with the attacker-controlled size values, resulting in an integer overflow.
6. The integer overflow leads to an incorrect calculation of the index bound in the cgltf_calc_index_bound() function.
7. cgltf_calc_index_bound() attempts to access a heap buffer using the incorrect index bound.
8. This results in an out-of-bounds read, causing a denial of service (application crash) or potentially exposing sensitive memory contents.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, as the application parsing the malicious glTF/GLB file crashes. Furthermore, the out-of-bounds read could potentially expose sensitive information from the application’s memory. The number of potential victims depends on the prevalence of applications using the vulnerable cgltf library to process potentially untrusted glTF/GLB files. Sectors affected could include any application that handles 3D models or scenes using the glTF format, such as game development, CAD software, and visualization tools.

Recommendation

• Upgrade to a patched version of the cgltf library that addresses CVE-2026-32845.
• Implement input validation on glTF/GLB files before parsing them with cgltf to prevent malicious size values from reaching the vulnerable cgltf_validate() function.
• Deploy the Sigma rule “Detect glTF Parsing Process Crash” to identify processes crashing while parsing glTF/GLB files, which can indicate exploitation attempts.
• Enable process crash reporting to collect detailed information about crashes, including memory dumps, which can aid in identifying the root cause and potential memory disclosure.

Attack Chain

While exploitation details are currently unavailable, the following attack chain is inferred from the vulnerability type and function name:

1. An attacker crafts a malicious input with specially designed dimensions to be processed by KissFFT.
2. This malicious input is passed to a function that calls kiss_fftndr_alloc().
3. Within kiss_fftndr_alloc(), the attacker’s input triggers an integer overflow when calculating the buffer size.
4. A smaller-than-required memory buffer is allocated on the heap as a result of the overflow.
5. Subsequent operations attempt to write data larger than the allocated buffer into the undersized heap buffer.
6. This write operation overflows the heap buffer, corrupting adjacent memory regions.
7. The memory corruption leads to a crash or, in some cases, arbitrary code execution depending on the overwritten data.
8. The attacker gains control of the application.

Impact

Successful exploitation of CVE-2026-41445 can lead to denial of service due to application crashes, or potentially arbitrary code execution. Since the vulnerability resides in the KissFFT library, applications that utilize this library for FFT processing are potentially vulnerable. The exact impact depends on the privileges of the application using the library. If exploited in a privileged process, it could lead to system compromise.

Recommendation

• Monitor web server logs (category: webserver, product: linux|windows) for unusual patterns in requests that may be attempting to trigger the vulnerability.
• Deploy the Sigma rule to detect potential attempts to exploit integer overflows in memory allocation functions.
• Apply patches released by Microsoft as soon as they become available to remediate CVE-2026-41445.