{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oob-write/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-25990"}],"_cs_exploited":false,"_cs_products":["Pillow (\u003e= 10.3.0, \u003c 12.2.0)"],"_cs_severities":["high"],"_cs_tags":["pillow","oob-write","integer-overflow","psd","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Python"],"content_html":"\u003cp\u003ePillow, the widely used Python imaging library, contains an out-of-bounds write (CVE-2026-42311) in its PSD decoder and encoder. Versions 10.3.0 through 12.1.1 validate a tile by summing its extents and comparing the sum against the image bounds. That sum is computed in a fixed-width integer, so a PSD file carrying sufficiently large tile dimensions makes it overflow and wrap to a small value that passes the check while the real extent lies far outside the image. The decoder and encoder then write tile data past the end of the image buffer in \u003ccode\u003esrc/decode.c\u003c/code\u003e and \u003ccode\u003esrc/encode.c\u003c/code\u003e. The result is memory corruption: at minimum a crash of the process that parsed the file, and potentially arbitrary code execution. Version 12.1.1 shipped a first fix for the tile-extent handling (CVE-2026-25990), but that fix still added the extents before comparing them and so remained bypassable through the overflow. 
Pillow 12.2.0 resolves the issue by comparing the extents against the bounds without first adding them, so no intermediate sum can overflow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a PSD file whose tile dimensions are chosen so that their sum overflows the integer Pillow uses for the extent check.\u003c/li\u003e\n\u003cli\u003eAn application running a vulnerable Pillow (10.3.0 through 12.1.1) decodes or re-encodes the file; opening an untrusted upload is enough.\u003c/li\u003e\n\u003cli\u003eWhile preparing the PSD tile for decoding or encoding, Pillow adds the tile extents together.\u003c/li\u003e\n\u003cli\u003eThe addition wraps around, yielding a value that appears to lie within the image.\u003c/li\u003e\n\u003cli\u003eThe wrapped value satisfies the bounds check, so the oversized tile is accepted.\u003c/li\u003e\n\u003cli\u003eThe decoder or encoder writes tile data beyond the image buffer in \u003ccode\u003esrc/decode.c\u003c/code\u003e or \u003ccode\u003esrc/encode.c\u003c/code\u003e, corrupting adjacent memory.\u003c/li\u003e\n\u003cli\u003eDepending on what is overwritten, the process crashes, or an attacker who can shape the written data redirects execution to code of their choosing.\u003c/li\u003e\n\u003cli\u003eThat code runs with the privileges of the image-processing process, giving the attacker a foothold for data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation causes denial of service (a crash of the processing application) or, more seriously, arbitrary code execution with the privileges of the process that parsed the image, from which data theft, system compromise and further propagation become possible. Services that parse user uploads server-side are the most exposed, because the attacker only needs a crafted PSD to be opened. 
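\u003c/p\u003e
\u003cp\u003eThe following is an added example and is not Pillow\u0026rsquo;s code. It models the check described above in Rust, representing the decoder\u0026rsquo;s tile fields (assumed here to be C \u003ccode\u003eint\u003c/code\u003e) as \u003ccode\u003ei32\u003c/code\u003e and the tile extent as a hypothetical origin \u003ccode\u003ex0\u003c/code\u003e plus size \u003ccode\u003exsize\u003c/code\u003e measured against an image \u003ccode\u003ewidth\u003c/code\u003e. The vulnerable form adds before comparing, reproduced with \u003ccode\u003ewrapping_add\u003c/code\u003e because the C sum wraps in practice; the fixed form rearranges the inequality so it never adds. The function names and the one-byte-per-pixel row model are assumptions for illustration.\u003c/p\u003e

```rust
/// Outcome of attempting a row write for one tile, standing in for what a C
/// decoder would do silently. (Hypothetical model, not Pillow's data structures.)
#[derive(Debug, PartialEq, Eq)]
pub enum WriteOutcome {
    /// The extent check rejected the tile before any write.
    Rejected,
    /// The write stays inside the row: this many bytes are written.
    InBounds { len: i64 },
    /// The write runs past the end of the row by this many bytes.
    OutOfBounds { overrun: i64 },
}

/// Vulnerable check: adds the extents, then compares. The C code does this in
/// `int`, and the sum wraps for a large `xsize`; `wrapping_add` reproduces that.
pub fn tile_fits_vulnerable(width: i32, x0: i32, xsize: i32) -> bool {
    x0 >= 0 && xsize >= 0 && x0.wrapping_add(xsize) <= width
}

/// Fixed check: the same inequality `x0 + xsize <= width` rearranged as
/// `xsize <= width - x0`. Once `0 <= x0 <= width` holds, `width - x0` cannot
/// overflow, so no attacker-chosen value can wrap past the comparison.
pub fn tile_fits_fixed(width: i32, x0: i32, xsize: i32) -> bool {
    x0 >= 0 && x0 <= width && xsize >= 0 && xsize <= width - x0
}

/// True end of the tile computed in i64, where the 32-bit sum cannot wrap.
fn true_end(x0: i32, xsize: i32) -> i64 {
    x0 as i64 + xsize as i64
}

/// Bytes a one-byte-per-pixel copy of the tile would land past the end of a
/// `width`-byte row (0 when the tile is in bounds).
pub fn row_overrun(width: i32, x0: i32, xsize: i32) -> i64 {
    (true_end(x0, xsize) - width as i64).max(0)
}

/// Runs `check` and, if it passes, reports what the following row write would do.
/// Pass `tile_fits_vulnerable` to see the bypass and `tile_fits_fixed` to see the fix.
pub fn plan_row_write(
    width: i32,
    x0: i32,
    xsize: i32,
    check: fn(i32, i32, i32) -> bool,
) -> WriteOutcome {
    if !check(width, x0, xsize) {
        return WriteOutcome::Rejected;
    }
    let overrun = row_overrun(width, x0, xsize);
    if overrun == 0 {
        WriteOutcome::InBounds { len: xsize as i64 }
    } else {
        WriteOutcome::OutOfBounds { overrun }
    }
}

fn main() {
    // Constructed inputs: a 100-pixel row, a benign tile, an honestly oversized
    // tile, and a tile whose `x0 + xsize` wraps in 32-bit arithmetic.
    for (width, x0, xsize) in [(100, 10, 50), (100, 60, 50), (100, 1, i32::MAX)] {
        dbg!((width, x0, xsize));
        dbg!(plan_row_write(width, x0, xsize, tile_fits_vulnerable));
        dbg!(plan_row_write(width, x0, xsize, tile_fits_fixed));
    }
}
```

\u003cp\u003eWith the vulnerable check the third tile is accepted because 1 + 2147483647 wraps to -2147483648, which compares below any width, even though the true extent reaches about 2 GiB past the row; the fixed check rejects it because 2147483647 exceeds width - x0. The explicit \u003ccode\u003ex0 \u0026lt;= width\u003c/code\u003e guard is what makes the subtraction both safe and meaningful, which is the property the addition-based form lacked.\u003c/p\u003e
\u003cp\u003e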
Any application that uses Pillow to open or save PSD files is affected, across every sector that processes user-supplied images. Pillow selects a decoder from the file header rather than the file name, so an upload filter that only checks extensions does not stop a renamed PSD from reaching the vulnerable code.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pillow to version 12.2.0 or later. Version 12.1.1 only partially addressed the tile-extent issue (CVE-2026-25990) and remains vulnerable to CVE-2026-42311.\u003c/li\u003e\n\u003cli\u003eWhere PSD input is not a requirement, pass an explicit allowlist (for example PNG and JPEG only) through the \u003ccode\u003eformats\u003c/code\u003e argument of \u003ccode\u003eImage.open()\u003c/code\u003e so the PSD plugin is never invoked on untrusted data.\u003c/li\u003e\n\u003cli\u003eMonitor process creations for Python interpreters (\u003ccode\u003epython.exe\u003c/code\u003e, \u003ccode\u003epython3\u003c/code\u003e) that handle untrusted PSD files, and deploy the Sigma rule \u003ccode\u003eDetect Pillow PSD Processing\u003c/code\u003e. Treat its alerts as a hunting lead rather than a verdict: process creation alone does not distinguish a malicious PSD from a benign one, so correlate with crashes or unexpected child processes of the workers that parse uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:20:31Z","date_published":"2026-05-04T20:20:31Z","id":"/briefs/2024-01-pillow-oob-write/","summary":"Pillow versions 10.3.0 through 12.1.1 are vulnerable to an out-of-bounds write in PSD image decoding/encoding due to an integer overflow when computing tile extent sums, potentially leading to arbitrary code execution.","title":"Pillow Out-of-Bounds Write Vulnerability in PSD Processing (CVE-2026-42311)","url":"https://feed.craftedsignal.io/briefs/2024-01-pillow-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-6314"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome","gpu","oob-write","sandbox-escape"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-6314 is an out-of-bounds write in the GPU component of Google Chrome before 147.0.7727.101. The advisory wording is precise and worth reading closely: a remote attacker who has already compromised the GPU process can use the bug to potentially perform a sandbox escape and gain broader access to the system. It is therefore a second-stage primitive rather than an initial entry point, and it has to be chained with a separate compromise of the GPU process to matter. 
The content that reaches the vulnerable code is delivered through a crafted HTML page. The Chromium security team rates the issue High severity, and it is fixed in the 147.0.7727.101 release.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker first needs code execution inside Chrome\u0026rsquo;s GPU process; CVE-2026-6314 does not provide that and is chained behind a separate GPU-process compromise.\u003c/li\u003e\n\u003cli\u003eThe victim loads the attacker\u0026rsquo;s HTML page in a vulnerable Chrome. Its JavaScript drives the GPU-related operations that reach the flawed code path.\u003c/li\u003e\n\u003cli\u003eThe flawed code writes outside the bounds of its intended buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker aims the write at data structures or code pointers that the GPU process is not supposed to be able to influence, turning the corruption into a controlled primitive.\u003c/li\u003e\n\u003cli\u003eUsing that primitive, the attacker breaks out of the sandbox boundary that confines the GPU process.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker executes arbitrary code outside the Chrome sandbox with the privileges of the browsing user.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6314 lets an attacker escape the Chrome sandbox and run arbitrary code on the victim\u0026rsquo;s machine. No in-the-wild exploitation is recorded in this brief, but every installation of Google Chrome before 147.0.7727.101 is exposed, and Chromium-derived browsers that share the GPU code need their own vendor update. 
What a successful escape yields, whether data theft, malware installation or other post-exploitation activity, is bounded by the privileges of the compromised user.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chrome GPU Process Crash\u003c/code\u003e to flag abnormal termination of the GPU process, and baseline it first: GPU process crashes also result from driver faults, so look for clusters of crashes that coincide with visits to unfamiliar sites rather than alerting on every event.\u003c/li\u003e\n\u003cli\u003eReview web proxy or secure web gateway logs (request fields such as \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e) for clients that fetched suspicious HTML pages shortly before a GPU process crash; the access logs of your own web servers will not show the attacker\u0026rsquo;s delivery page.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-gpu-oob-write/","summary":"Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.","title":"Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","vulnerability","oob-write","dualsensey-v2"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eAn out-of-bounds write, tracked as CVE-2026-33850, exists in WujekFoliarz DualSenseY-v2 before version 54. The flaw lets an attacker write beyond the boundaries of an allocated buffer, which can lead to a denial-of-service condition or arbitrary code execution. The vulnerability was reported by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). 
Successful exploitation of this vulnerability requires user interaction, as indicated by…\u003c/p\u003e\n","date_modified":"2026-03-24T06:16:22Z","date_published":"2026-03-24T06:16:22Z","id":"/briefs/2026-03-dualsensey-oob-write/","summary":"CVE-2026-33850 is an out-of-bounds write vulnerability in WujekFoliarz DualSenseY-v2 before version 54, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service by writing data outside the allocated buffer.","title":"Out-of-bounds Write Vulnerability in DualSenseY-v2","url":"https://feed.craftedsignal.io/briefs/2026-03-dualsensey-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["openssl"],"_cs_severities":["high"],"_cs_tags":["openssl","aes","keywrap","oob-write","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["OpenSSL"],"content_html":"\u003cp\u003eThe rust-openssl crate, versions 0.10.24 through 0.10.77, contains a memory-safety bug in \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e, the binding for AES Key Wrap unwrapping (RFC 3394), which recovers a key that was encrypted under a key-encryption key. A wrapped key is always 8 bytes longer than the key it protects, so the output buffer must hold at least \u003ccode\u003ein_.len() - 8\u003c/code\u003e bytes. The wrapper asserted the opposite relation, requiring the output buffer to be no larger than that, and then passed the buffer to OpenSSL as a raw pointer together with only the input length. Once the inverted assertion let the call through, Rust\u0026rsquo;s slice bounds checks no longer applied and the C routine wrote the whole unwrapped key past the end of a too-small buffer, leading to a crash or, with more effort, arbitrary code execution. 
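\u003c/p\u003e
\u003cp\u003eAn added example, not rust-openssl\u0026rsquo;s code: the inverted precondition from the advisory next to the correct one, with a stand-in for the C-side routine that shows why the wrapper\u0026rsquo;s assertion is the only guard between the caller and the raw pointer. The C stand-in copies bytes instead of decrypting, the 24-byte minimum and 8-byte alignment are the input constraints of RFC 3394 key wrap, and \u003ccode\u003eunwrap_key_checked\u003c/code\u003e, \u003ccode\u003eUnwrapError\u003c/code\u003e and the other names are hypothetical.\u003c/p\u003e

```rust
use std::ptr;

/// RFC 3394 key wrap adds one 64-bit integrity block, so the unwrapped key is
/// always exactly 8 bytes shorter than the wrapped input.
pub const WRAP_OVERHEAD: usize = 8;
/// Smallest valid wrapped input: two 64-bit key blocks plus the integrity block.
pub const MIN_WRAPPED_LEN: usize = 24;

#[derive(Debug, PartialEq, Eq)]
pub enum UnwrapError {
    /// Input is shorter than 24 bytes or not a multiple of 8.
    MalformedInput { in_len: usize },
    /// `out` holds `have` bytes but the unwrapped key needs `needed`.
    OutputTooSmall { needed: usize, have: usize },
}

/// The inverted assertion from the advisory, written as a predicate: true when
/// the vulnerable wrapper would let the call proceed. It accepts an output
/// buffer that is too SMALL and rejects one that is comfortably large.
pub fn vulnerable_precondition(in_len: usize, out_len: usize) -> bool {
    out_len + WRAP_OVERHEAD <= in_len
}

/// The correct relation: `out` must hold every byte the unwrap produces.
pub fn fixed_precondition(in_len: usize, out_len: usize) -> bool {
    in_len >= WRAP_OVERHEAD && out_len >= in_len - WRAP_OVERHEAD
}

/// Bytes the C routine would write past the end of `out` for these sizes
/// (the `in_.len() - 8 - out.len()` figure from the attack chain).
pub fn overrun_bytes(in_len: usize, out_len: usize) -> usize {
    in_len.saturating_sub(WRAP_OVERHEAD).saturating_sub(out_len)
}

/// Stand-in for the C side (`AES_unwrap_key` in OpenSSL): it receives only a raw
/// output pointer and the input length, writes `in_.len() - 8` bytes, and has no
/// way to know how large `out` really is. Hypothetical: it copies instead of
/// decrypting, so the write pattern stays visible.
///
/// # Safety
/// `out` must be valid for writing `in_.len() - WRAP_OVERHEAD` bytes.
unsafe fn c_unwrap(out: *mut u8, in_: &[u8]) -> usize {
    let n = in_.len() - WRAP_OVERHEAD;
    unsafe { ptr::copy_nonoverlapping(in_.as_ptr().add(WRAP_OVERHEAD), out, n) };
    n
}

/// Safe wrapper with the checks the vulnerable version lacked. Returns the
/// number of key bytes written into `out`.
pub fn unwrap_key_checked(in_: &[u8], out: &mut [u8]) -> Result<usize, UnwrapError> {
    if in_.len() < MIN_WRAPPED_LEN || in_.len() % WRAP_OVERHEAD != 0 {
        return Err(UnwrapError::MalformedInput { in_len: in_.len() });
    }
    let needed = in_.len() - WRAP_OVERHEAD;
    if !fixed_precondition(in_.len(), out.len()) {
        return Err(UnwrapError::OutputTooSmall { needed, have: out.len() });
    }
    // The precondition guarantees `out` has room for `needed` bytes, which is
    // exactly what makes handing the C side a raw pointer sound.
    Ok(unsafe { c_unwrap(out.as_mut_ptr(), in_) })
}

fn main() {
    // Constructed input: a 32-byte wrapped blob, i.e. a 24-byte key plus the
    // 8-byte integrity block. The bytes are arbitrary; nothing is decrypted here.
    let wrapped: Vec<u8> = (0u8..32).collect();
    let mut too_small = [0u8; 16];
    let mut exact = [0u8; 24];
    let mut roomy = [0u8; 40];
    // Inverted assertion: accepts the 16-byte buffer (8 bytes would spill past
    // it) and rejects the 40-byte one; only an exactly sized buffer was ever safe.
    dbg!(vulnerable_precondition(wrapped.len(), too_small.len()));
    dbg!(overrun_bytes(wrapped.len(), too_small.len()));
    dbg!(vulnerable_precondition(wrapped.len(), roomy.len()));
    // Checked wrapper: refuses the small buffer and fills the other two.
    dbg!(unwrap_key_checked(&wrapped, &mut too_small));
    dbg!(unwrap_key_checked(&wrapped, &mut exact));
    dbg!(unwrap_key_checked(&wrapped, &mut roomy));
}
```

\u003cp\u003eNote the asymmetry the inverted comparison creates: a buffer of exactly \u003ccode\u003ein_.len() - 8\u003c/code\u003e bytes satisfies both predicates, so code that always sized its output precisely never noticed the bug, while a larger buffer tripped the assertion and a smaller one was accepted and overrun.\u003c/p\u003e
\u003cp\u003e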
Exploitation requires an application that uses AES key wrap through this crate and lets the attacker influence the sizes passed to \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e; a wrapped key received from a remote party is the typical case, since its length decides how many bytes the unwrap writes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application built on a vulnerable rust-openssl (0.10.24 through 0.10.77) that calls \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker chooses input and output sizes that satisfy the inverted check.\u003c/li\u003e\n\u003cli\u003eThe application passes the crafted wrapped key (\u003ccode\u003ein_\u003c/code\u003e) and an output buffer (\u003ccode\u003eout\u003c/code\u003e) smaller than the key it contains to \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe incorrect assertion \u003ccode\u003eout.len() + 8 \u0026lt;= in_.len()\u003c/code\u003e passes precisely because \u003ccode\u003eout\u003c/code\u003e is smaller than \u003ccode\u003ein_.len() - 8\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe wrapper hands OpenSSL a raw pointer to \u003ccode\u003eout\u003c/code\u003e and proceeds with the unwrap.\u003c/li\u003e\n\u003cli\u003eThe C routine writes the full \u003ccode\u003ein_.len() - 8\u003c/code\u003e bytes of unwrapped key, so \u003ccode\u003ein_.len() - 8 - out.len()\u003c/code\u003e of them land beyond the end of \u003ccode\u003eout\u003c/code\u003e. The integrity check value is verified only after this write, so the wrapped key does not need to be authentic.\u003c/li\u003e\n\u003cli\u003eThe write corrupts whatever sits after \u003ccode\u003eout\u003c/code\u003e in the application\u0026rsquo;s address space, on the stack or the heap depending on how the buffer was allocated.\u003c/li\u003e\n\u003cli\u003eDepending on what was overwritten, the attacker achieves arbitrary code execution or a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation 
can cause denial of service, information disclosure, or arbitrary code execution. Applications that unwrap keys arriving from untrusted peers, with sizes those peers choose, are at the highest risk. The specific impact depends on the application\u0026rsquo;s memory layout and on how much of the overwritten memory the attacker can shape. rust-openssl is the standard OpenSSL binding in the Rust ecosystem, so any Rust service that performs key wrap through it should be checked, even where the \u003ccode\u003eopenssl\u003c/code\u003e crate appears only as a transitive dependency.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003erust-openssl\u003c/code\u003e crate (published as \u003ccode\u003eopenssl\u003c/code\u003e on crates.io) to version 0.10.78 or later, as indicated in \u003ca href=\"https://github.com/advisories/GHSA-8c75-8mhr-p7r9\"\u003eGHSA-8c75-8mhr-p7r9\u003c/a\u003e. \u003ccode\u003ecargo tree -i openssl\u003c/code\u003e shows which crates pull the binding in and which version is resolved, and \u003ccode\u003ecargo audit\u003c/code\u003e checks the lockfile against the RustSec advisory database.\u003c/li\u003e\n\u003cli\u003eAudit every call to \u003ccode\u003eaes::unwrap_key()\u003c/code\u003e and confirm, before the call, that the output buffer holds at least \u003ccode\u003ein_.len() - 8\u003c/code\u003e bytes and that the input is a multiple of 8 bytes and at least 24 bytes long.\u003c/li\u003e\n\u003cli\u003eRuntime memory protections (hardened allocators, ASLR, stack protectors) raise the cost of exploitation but do not remove the overrun; exercise the unwrap paths under AddressSanitizer with varied input and output sizes to catch it directly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-openssl-oob-write/","summary":"The rust-openssl package is vulnerable to an out-of-bounds write due to an incorrect bounds assertion in the `aes::unwrap_key()` function, potentially leading to arbitrary code execution if attacker-controlled buffer sizes are permitted.","title":"rust-openssl AES Key Wrap Out-of-Bounds Write Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openssl-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Oob-Write","version":"https://jsonfeed.org/version/1.1"}