<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Oob-Write — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/oob-write/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 20:20:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/oob-write/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pillow Out-of-Bounds Write Vulnerability in PSD Processing (CVE-2026-42311)</title><link>https://feed.craftedsignal.io/briefs/2024-01-pillow-oob-write/</link><pubDate>Mon, 04 May 2026 20:20:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-pillow-oob-write/</guid><description>Pillow versions 10.3.0 through 12.1.1 are vulnerable to an out-of-bounds write in PSD image decoding/encoding due to an integer overflow when computing tile extent sums, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>Pillow, a popular Python image processing library, is vulnerable to an out-of-bounds write vulnerability (CVE-2026-42311) when processing PSD files. Specifically, versions 10.3.0 up to 12.1.1 contain a flaw in how they handle tile extents in PSD image decoding and encoding. The vulnerability arises from an integer overflow when calculating tile extent sums, which bypasses intended bounds checks. This allows a specially crafted PSD image with malicious tile dimensions to trigger an out-of-bounds write in <code>src/decode.c</code> and <code>src/encode.c</code>. 
Successful exploitation could lead to memory corruption, resulting in a crash or, more critically, arbitrary code execution. The issue was initially addressed in version 12.1.1 (CVE-2026-25990), but that fix was incomplete because it did not account for the integer overflow. The vulnerability is resolved in Pillow version 12.2.0 by avoiding the addition of extents before comparison.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PSD image file with specific tile dimensions designed to trigger an integer overflow.</li>
<li>The victim&rsquo;s application, using a vulnerable version of Pillow (10.3.0 - 12.1.1), attempts to process the malicious PSD file.</li>
<li>During PSD image decoding/encoding, Pillow calculates the tile extent sums.</li>
<li>Due to the crafted tile dimensions, the integer overflow occurs, causing the calculated extent sums to wrap around.</li>
<li>The wrapped-around extent sums bypass the bounds checks implemented in Pillow.</li>
<li>An out-of-bounds write operation occurs in <code>src/decode.c</code> or <code>src/encode.c</code>, corrupting memory.</li>
<li>The memory corruption leads to either a crash of the application or, in a more severe scenario, allows the attacker to inject and execute arbitrary code.</li>
<li>The attacker gains control of the affected system, potentially leading to further malicious activities like data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to denial of service (application crash) or, more critically, arbitrary code execution. If an attacker can execute code on a system, they could potentially gain complete control of the system. This could lead to data theft, system compromise, and further propagation of attacks. The vulnerability affects any application that uses the Pillow library to process PSD files, potentially impacting a wide range of software across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Pillow to version 12.2.0 or later to remediate CVE-2026-42311, which corrects the integer overflow issue and prevents the out-of-bounds write.</li>
<li>Monitor process creations for the execution of Python scripts (<code>python.exe</code>, <code>python3</code>) that process untrusted PSD files. Deploy the Sigma rule <code>Detect Pillow PSD Processing</code> to identify potentially malicious PSD processing activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>pillow</category><category>oob-write</category><category>integer-overflow</category><category>psd</category><category>memory-corruption</category></item><item><title>Google Chrome GPU Out-of-Bounds Write Vulnerability (CVE-2026-6314)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/</link><pubDate>Thu, 16 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chrome-gpu-oob-write/</guid><description>Google Chrome versions prior to 147.0.7727.101 are vulnerable to an out-of-bounds write in the GPU process (CVE-2026-6314), allowing a remote attacker with GPU process compromise to potentially perform a sandbox escape via a crafted HTML page.</description><content:encoded><![CDATA[<p>CVE-2026-6314 is a security vulnerability affecting Google Chrome versions prior to 147.0.7727.101. The vulnerability resides within the GPU process and is classified as an out-of-bounds write. Successful exploitation could allow a remote attacker who has already compromised the GPU process to perform a sandbox escape, potentially gaining broader system access. The vulnerability can be triggered by a crafted HTML page. The Chromium security team has rated this vulnerability as High severity. This vulnerability was patched in the 147.0.7727.101 release.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious HTML page designed to trigger the out-of-bounds write in the GPU process.</li>
<li>The victim visits the malicious HTML page using a vulnerable version of Google Chrome.</li>
<li>The HTML page leverages JavaScript to initiate a GPU-related operation that triggers the vulnerable code path.</li>
<li>The GPU process attempts to write data outside of the intended memory buffer due to a flaw in the code.</li>
<li>This out-of-bounds write corrupts memory within the GPU process.</li>
<li>The attacker leverages the memory corruption to overwrite critical data structures or code within the GPU process.</li>
<li>By manipulating the GPU process&rsquo;s memory, the attacker attempts to escape the Chrome sandbox.</li>
<li>If successful, the attacker gains the ability to execute arbitrary code outside the sandbox, potentially compromising the user&rsquo;s system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6314 allows an attacker to escape the Chrome sandbox. This allows the attacker to potentially execute arbitrary code on the victim&rsquo;s machine. While the exact number of victims is unknown, all users of Google Chrome versions prior to 147.0.7727.101 are potentially vulnerable. A successful sandbox escape could lead to data theft, malware installation, or other malicious activities, depending on the privileges of the compromised user.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Google Chrome to version 147.0.7727.101 or later to patch CVE-2026-6314.</li>
<li>Deploy the Sigma rule <code>Detect Chrome GPU Process Crash</code> to identify potential exploitation attempts based on abnormal process termination.</li>
<li>Monitor web server logs for requests to suspicious HTML pages (cs-uri-query, cs-uri-stem) that could be used to deliver the exploit.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>chrome</category><category>gpu</category><category>oob-write</category><category>sandbox-escape</category></item><item><title>Out-of-bounds Write Vulnerability in DualSenseY-v2</title><link>https://feed.craftedsignal.io/briefs/2026-03-dualsensey-oob-write/</link><pubDate>Tue, 24 Mar 2026 06:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-dualsensey-oob-write/</guid><description>CVE-2026-33850 is an out-of-bounds write vulnerability in WujekFoliarz DualSenseY-v2 before version 54, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service by writing data outside the allocated buffer.</description><content:encoded>&lt;p>An out-of-bounds write vulnerability, identified as CVE-2026-33850, exists in WujekFoliarz DualSenseY-v2 before version 54. This flaw allows an attacker to write data beyond the boundaries of an allocated buffer, potentially leading to arbitrary code execution or a denial-of-service condition. The vulnerability was reported by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). Successful exploitation of this vulnerability requires user interaction, as indicated by…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve</category><category>vulnerability</category><category>oob-write</category><category>dualsensey-v2</category></item><item><title>rust-openssl AES Key Wrap Out-of-Bounds Write Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-openssl-oob-write/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openssl-oob-write/</guid><description>The rust-openssl package is vulnerable to an out-of-bounds write due to an incorrect bounds assertion in the `aes::unwrap_key()` function, potentially leading to arbitrary code execution if attacker-controlled buffer sizes are permitted.</description><content:encoded><![CDATA[<p>The rust-openssl crate, specifically versions 0.10.24 through 0.10.77, contains a critical vulnerability in the <code>aes::unwrap_key()</code> function. This function is intended to perform AES key wrapping, a process used to securely encrypt cryptographic keys. The vulnerability arises from an inverted bounds check on the output buffer size, where the function incorrectly validates the size of the output buffer against the input buffer size. This flaw allows an attacker to potentially write beyond the allocated memory region, leading to a crash or, in more sophisticated scenarios, arbitrary code execution. Exploitation requires that the vulnerable application utilizes AES keywrap and allows the attacker to control the buffer sizes passed to <code>aes::unwrap_key()</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an application using the vulnerable rust-openssl crate (versions 0.10.24 - 0.10.77) and the <code>aes::unwrap_key()</code> function.</li>
<li>The attacker crafts a malicious input with specific sizes for the input and output buffers to trigger the vulnerability.</li>
<li>The attacker provides a crafted input buffer (<code>in_</code>) and a smaller-than-required output buffer (<code>out</code>) to the vulnerable <code>aes::unwrap_key()</code> function.</li>
<li>The incorrect bounds assertion <code>out.len() + 8 &lt;= in_.len()</code> passes, as the <code>out</code> buffer is intentionally smaller than <code>in_.len() - 8</code>.</li>
<li>The <code>aes::unwrap_key()</code> function proceeds with the AES key unwrapping process.</li>
<li>During the key unwrapping process, the function attempts to write <code>in_.len() - 8 - out.len()</code> bytes beyond the allocated boundary of the <code>out</code> buffer.</li>
<li>This out-of-bounds write corrupts adjacent memory regions within the application&rsquo;s address space.</li>
<li>Depending on the overwritten memory, the attacker can potentially achieve arbitrary code execution or cause a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to various adverse consequences, including denial of service, information disclosure, or arbitrary code execution. Applications utilizing AES keywrap and accepting attacker-controlled buffer sizes are at the highest risk. The specific impact depends on the application&rsquo;s memory layout and the attacker&rsquo;s ability to control the overwritten memory. Given the widespread use of OpenSSL for cryptographic operations, this vulnerability poses a significant threat to vulnerable applications.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>rust-openssl</code> crate to version 0.10.78 or later to patch the vulnerability as indicated in <a href="https://github.com/advisories/GHSA-8c75-8mhr-p7r9">GHSA-8c75-8mhr-p7r9</a>.</li>
<li>Audit code using <code>aes::unwrap_key()</code> to ensure input and output buffer sizes are validated correctly to prevent out-of-bounds writes.</li>
<li>Implement runtime memory protection mechanisms to detect and prevent out-of-bounds writes, mitigating the impact of this and similar vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>openssl</category><category>aes</category><category>keywrap</category><category>oob-write</category><category>memory-corruption</category></item></channel></rss>