Out-of-Bounds Read — CraftedSignal Threat Feed

NVIDIA CUDA-Q Out-of-Bounds Read Vulnerability (CVE-2026-24189)

hello@craftedsignal.io — Tue, 21 Apr 2026 17:16:23 +0000

NVIDIA CUDA-Q contains a vulnerability identified as CVE-2026-24189 that allows an unauthenticated attacker to trigger an out-of-bounds read. This vulnerability exists in an unspecified endpoint of the CUDA-Q software. By sending a maliciously crafted request, an attacker can potentially read sensitive information from memory or cause a denial-of-service condition. This vulnerability has a CVSS v3.1 score of 8.2, indicating a high severity. Successful exploitation can lead to both information disclosure and service disruption, impacting the confidentiality and availability of systems running vulnerable versions of CUDA-Q. This is particularly concerning for systems processing sensitive data or providing critical services.

Attack Chain

The attacker identifies a vulnerable CUDA-Q endpoint exposed over the network.
The attacker crafts a malicious request designed to trigger an out-of-bounds read. This likely involves manipulating request parameters to access memory outside of the intended buffer.
The attacker sends the malicious request to the vulnerable CUDA-Q endpoint.
The CUDA-Q software processes the request without proper bounds checking.
The software attempts to read memory outside of the allocated buffer, triggering an out-of-bounds read condition.
If the out-of-bounds read is successful, the attacker gains access to sensitive information stored in memory.
The attacker may cause a denial-of-service condition by triggering a crash or unexpected behavior due to the memory access violation.

Impact

Successful exploitation of CVE-2026-24189 can lead to a denial of service, rendering the CUDA-Q service unavailable. Additionally, the out-of-bounds read can expose sensitive information stored in memory, potentially leading to further compromise. The severity of the impact depends on the nature of the data accessible via the out-of-bounds read. Sectors relying on CUDA-Q for computationally intensive tasks are at risk.

Recommendation

Monitor web server logs for suspicious requests targeting CUDA-Q endpoints to detect potential exploitation attempts (category: webserver, product: linux).
Apply any available patches or updates from NVIDIA to address the CVE-2026-24189 vulnerability.
Deploy the Sigma rule to detect suspicious HTTP requests (rules).

Microsoft Excel Out-of-Bounds Read Vulnerability (CVE-2026-32188)

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

CVE-2026-32188 describes an out-of-bounds read vulnerability affecting Microsoft Office Excel. According to the NVD, this vulnerability allows an unauthorized attacker to disclose information locally. The CVSS v3.1 score is 7.1, indicating a high severity. The vulnerability resides within how Excel parses certain file formats, potentially allowing a malicious actor to craft a file that, when opened, causes Excel to read memory outside of allocated buffers. This can lead to the disclosure of sensitive information contained in the application’s memory space. While the source doesn’t specify affected versions or a specific attack campaign, successful exploitation requires user interaction to open the malicious file. Defenders should focus on detecting abnormal process behavior in Excel and promptly applying available patches.

Attack Chain

An attacker crafts a malicious Excel file designed to trigger the out-of-bounds read vulnerability (CVE-2026-32188).
The attacker delivers the crafted Excel file to a victim via social engineering or other means.
The victim opens the malicious Excel file.
Excel attempts to parse the malformed data structures within the file.
Due to the vulnerability, Excel reads memory outside the intended buffer boundaries.
The out-of-bounds read results in the disclosure of sensitive information from Excel’s memory.
The attacker retrieves the disclosed information, potentially containing sensitive data or internal application state.
The attacker uses the disclosed information for further malicious activities.

Impact

Successful exploitation of CVE-2026-32188 can lead to the disclosure of sensitive information from the victim’s system. While the vulnerability is local, the disclosed information could include credentials, internal network details, or other sensitive data that could be used for further attacks. The number of potential victims is broad, encompassing any user of Microsoft Office Excel. The impact could range from minor data leaks to more significant compromises depending on the nature of the disclosed information.

Recommendation

Apply the security update released by Microsoft to patch CVE-2026-32188 on all affected systems. Reference the Microsoft advisory linked in the references section for specific instructions.
Implement the Sigma rule “Detect Suspicious Excel Process Creation” to identify potentially malicious Excel activity.
Monitor for unusual network connections originating from Excel processes after opening untrusted documents.
Educate users about the risks of opening unsolicited or suspicious Excel files to prevent initial access.

Go Markdown Library Out-of-Bounds Read Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

The go-markdown library, specifically versions prior to 0.0.0-20260411013819-759bbc3e3207, is susceptible to an out-of-bounds read vulnerability. This flaw is triggered when the SmartypantsRenderer processes malformed markdown input containing a < character that is not subsequently closed by a > character within the remaining text. The vulnerability resides within the smartLeftAngle() function in html/smartypants.go. Exploitation of this vulnerability leads to either an out-of-bounds read (if the slice length is less than its capacity) or a panic (if the slice length equals its capacity), ultimately resulting in a denial of service. This issue affects applications utilizing the vulnerable versions of the go-markdown library for markdown processing.

Attack Chain

An attacker crafts a malicious markdown input string containing an unclosed < tag (e.g., ).


The application receives the crafted markdown input for processing.
The application uses the go-markdown library with the SmartypantsRenderer enabled to render the markdown input.
The SmartypantsRenderer calls the smartLeftAngle() function in html/smartypants.go to handle the < character.
The smartLeftAngle() function encounters the unclosed < tag, triggering the out-of-bounds read due to missing > character.
Depending on the slice’s length and capacity, the program either reads an extra byte of data (if length < capacity) or panics (if length == capacity).
The application crashes due to the panic or becomes unstable due to the out-of-bounds read.
Service availability is disrupted, resulting in a denial-of-service condition.


Impact
Successful exploitation of this vulnerability leads to a denial of service. Any service using the vulnerable go-markdown library to process potentially malicious markdown input is susceptible to crashing or becoming unstable. The impact is a loss of availability for the affected service. While the specific number of affected services or sectors is not mentioned in the source, any application relying on go-markdown is potentially vulnerable.
Recommendation

Upgrade the go-markdown library to version 0.0.0-20260411013819-759bbc3e3207 or later to patch the vulnerability as detailed in the overview.
Implement input validation to sanitize or reject markdown input containing unclosed < tags. This mitigates the risk even if the vulnerable library is used.
Monitor application logs for unexpected panics or errors originating from the go-markdown library, specifically around markdown rendering routines.



Adobe Photoshop Out-of-Bounds Read Vulnerability (CVE-2026-27289)
hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000
Adobe Photoshop Desktop versions 27.4 and earlier are vulnerable to an out-of-bounds read vulnerability (CVE-2026-27289). This flaw can be triggered when Photoshop parses a specially crafted file, leading to a read operation beyond the allocated memory boundary. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code within the security context of the user running the application. The vulnerability requires user interaction, as a victim must open a malicious file in Photoshop to initiate the attack. This poses a risk to users who handle files from untrusted sources.
Attack Chain

Attacker crafts a malicious image file specifically designed to trigger the out-of-bounds read vulnerability in Adobe Photoshop.
The attacker delivers the crafted file to the victim via email, shared drive, or other means.
The victim, unaware of the malicious nature of the file, opens it using a vulnerable version of Adobe Photoshop (27.4 or earlier).
Photoshop attempts to parse the crafted image file.
Due to the malformed structure of the file, Photoshop’s parsing routine attempts to read data beyond the allocated buffer.
The out-of-bounds read occurs, potentially exposing sensitive information or causing a crash.
An attacker leverages the out-of-bounds read to gain control of program execution flow.
The attacker executes arbitrary code within the context of the user running Photoshop, potentially leading to system compromise.

Impact
Successful exploitation of CVE-2026-27289 can lead to arbitrary code execution on the victim’s machine.  Since the code runs within the user’s context, the attacker gains the same privileges as the user.  This could enable the attacker to install malware, steal sensitive data, or pivot to other systems on the network. While the specific number of affected users isn’t specified, all users running versions 27.4 and earlier are potentially vulnerable, with the most likely targets being graphic designers, photographers, and other creative professionals.
Recommendation

Upgrade Adobe Photoshop to a version greater than 27.4 to patch CVE-2026-27289.
Implement user awareness training to educate users about the risks of opening files from untrusted sources to mitigate the initial access vector.
Monitor process creation events for suspicious Photoshop processes using the provided Sigma rule to detect potential exploitation attempts.
Enable file access monitoring to identify instances where Photoshop opens unusual or suspicious files, which could be indicative of malicious activity.




NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32864)
hello@craftedsignal.io — Wed, 08 Apr 2026 12:00:00 +0000
A memory corruption vulnerability, identified as CVE-2026-32864, exists within National Instruments (NI) LabVIEW software. The flaw is triggered by an out-of-bounds read within the mgcore_SH_25_3!aligned_free() function. An attacker can exploit this vulnerability by enticing a user to open a specially crafted VI (Virtual Instrument) file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or arbitrary code execution, granting the attacker control over the affected system. This vulnerability affects NI LabVIEW versions 2026 Q1 (26.1.0) and all prior versions, making a wide range of LabVIEW installations susceptible.
Attack Chain

An attacker crafts a malicious LabVIEW VI file designed to trigger the out-of-bounds read in mgcore_SH_25_3!aligned_free().
The attacker uses social engineering to convince a victim to open the specially crafted VI file.
The victim opens the malicious VI file using a vulnerable version of NI LabVIEW (2026 Q1 (26.1.0) and prior).
LabVIEW attempts to process the malformed data within the VI file.
The mgcore_SH_25_3!aligned_free() function is called during the VI file processing.
The out-of-bounds read occurs when aligned_free() attempts to access memory outside of allocated bounds.
Depending on the memory layout, this can lead to information disclosure by leaking memory contents, or arbitrary code execution by overwriting critical data.
If arbitrary code execution is achieved, the attacker can then install malware, exfiltrate data, or perform other malicious actions on the compromised system.

Impact
Successful exploitation of CVE-2026-32864 can have serious consequences. Information disclosure could expose sensitive data processed by LabVIEW, such as measurement data, control algorithms, or proprietary code. Arbitrary code execution would allow an attacker to gain complete control over the affected system, enabling them to install malware, steal data, or disrupt operations. The vulnerability affects a broad range of LabVIEW users, potentially impacting industrial control systems, research and development environments, and other critical applications.
Recommendation

Apply the patch provided by National Instruments for CVE-2026-32864 to remediate the out-of-bounds read vulnerability. Refer to the NI security advisory for specific instructions.
Deploy the Sigma rule LabVIEW_Suspicious_VI_File_Open to detect suspicious LabVIEW VI files being opened based on file path or other attributes.
Monitor process creation events for LabVIEW.exe spawning unusual child processes or accessing unusual network resources after a VI file has been opened, which could indicate successful code execution (see LabVIEW_Suspicious_Child_Process rule).
Educate users about the risks of opening untrusted VI files and emphasize the importance of verifying the source of any VI file before opening it.




NI LabVIEW Out-of-Bounds Read Vulnerability (CVE-2026-32863)
hello@craftedsignal.io — Tue, 07 Apr 2026 20:16:26 +0000
A critical memory corruption vulnerability (CVE-2026-32863) exists in National Instruments (NI) LabVIEW, specifically within the sentry_transaction_context_set_operation() function. This out-of-bounds read vulnerability can be exploited by an attacker who successfully convinces a LabVIEW user to open a malicious, specially crafted VI file. Successful exploitation could lead to information disclosure, potentially exposing sensitive data handled by LabVIEW, or even allow for arbitrary code execution, granting the attacker control over the affected system. The vulnerability affects NI LabVIEW 2026 Q1 (version 26.1.0) and all prior versions, posing a risk to a wide range of users in industrial, scientific, and engineering sectors that rely on LabVIEW for automation and data acquisition.
Attack Chain

Craft Malicious VI File: The attacker crafts a malicious VI (Virtual Instrument) file designed to trigger the out-of-bounds read in sentry_transaction_context_set_operation(). This likely involves manipulating the structure of the VI file to contain invalid or unexpected data.
Social Engineering: The attacker uses social engineering techniques to convince a LabVIEW user to open the malicious VI file. This could involve sending the file as an email attachment, hosting it on a website, or any other method of tricking the user into opening the file within LabVIEW.
VI File Opened: The user opens the malicious VI file using NI LabVIEW (version 26.1.0 or earlier).
sentry_transaction_context_set_operation() Triggered: When LabVIEW attempts to process the crafted VI file, the sentry_transaction_context_set_operation() function is called with the manipulated data.
Out-of-Bounds Read: The vulnerability in sentry_transaction_context_set_operation() is triggered, leading to an out-of-bounds read. This could involve reading memory outside of the intended buffer or data structure.
Information Disclosure or Code Execution: The out-of-bounds read leads to either information disclosure (leaking sensitive data from memory) or arbitrary code execution (allowing the attacker to execute malicious code on the system), depending on how the memory corruption is handled.
Persistence/Lateral Movement (If Code Execution): If the attacker achieves code execution, they may attempt to establish persistence on the system (e.g., by creating a scheduled task or modifying startup files) and/or move laterally to other systems on the network.
Achieve Objective: The attacker leverages the compromised system to achieve their ultimate objective, which could include stealing data, disrupting operations, or using the system as a launchpad for further attacks.

Impact
Successful exploitation of CVE-2026-32863 can have severe consequences. Information disclosure could expose sensitive data related to industrial processes, research data, or proprietary algorithms. Arbitrary code execution would allow attackers to gain full control over the affected LabVIEW system, potentially disrupting critical operations, manipulating data, or causing physical damage in automated systems. While the exact number of victims is unknown, the wide use of NI LabVIEW across various industries (manufacturing, aerospace, research, etc.) means that a successful, widespread attack could have a significant impact.
Recommendation

Immediately update NI LabVIEW to a version that is not affected by CVE-2026-32863, as detailed in the NI security advisory (https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html).
Implement user awareness training to educate LabVIEW users about the risks of opening untrusted VI files and the potential for social engineering attacks.
Monitor process creation events for LabVIEW (LabVIEW.exe) spawning unusual child processes, as this could indicate successful code execution following exploitation. Deploy a Sigma rule such as the one provided to detect this behavior.
Enable and review process execution logs for LabVIEW.exe and related processes.




V-SFT Out-of-Bounds Read Vulnerability (CVE-2026-32929)
hello@craftedsignal.io — Wed, 01 Apr 2026 23:17:03 +0000
CVE-2026-32929 is an out-of-bounds read vulnerability affecting V-SFT versions 6.2.10.0 and prior. The vulnerability exists within the VS6ComFile!get_macro_mem_COM function. An attacker can exploit this vulnerability by crafting a malicious V7 file. When a user opens the crafted V7 file with a vulnerable version of V-SFT, the out-of-bounds read can be triggered, leading to potential information disclosure. This vulnerability was disclosed on April 1, 2026, and poses a risk to users who rely on V-SFT software for industrial automation and control systems. Organizations should assess their exposure to this vulnerability and take appropriate mitigation steps, including updating to a patched version of V-SFT.
Attack Chain

Attacker identifies a target using V-SFT versions 6.2.10.0 or prior.
Attacker crafts a malicious V7 file specifically designed to trigger the out-of-bounds read in VS6ComFile!get_macro_mem_COM.
Attacker delivers the crafted V7 file to the target, possibly through social engineering or other means.
The target user opens the malicious V7 file using the vulnerable V-SFT software.
V-SFT attempts to parse the crafted V7 file, triggering the VS6ComFile!get_macro_mem_COM function.
Due to the malformed structure of the crafted V7 file, the get_macro_mem_COM function attempts to read data beyond the allocated buffer.
The out-of-bounds read occurs, potentially disclosing sensitive information from the V-SFT process memory.
The attacker may be able to leverage the disclosed information to further compromise the system or network.

Impact
Successful exploitation of CVE-2026-32929 can lead to information disclosure. An attacker who successfully exploits this vulnerability may be able to read sensitive data from the memory of the V-SFT process. The disclosed information could potentially include configuration settings, credentials, or other sensitive data that could be used to further compromise the affected system. While the NVD does not yet contain scoring data, JPCERT/CC assigned a base score of 7.8 HIGH.
Recommendation

Upgrade V-SFT to a version that patches CVE-2026-32929 to remediate the vulnerability.
Deploy the Sigma rule “Detect V-SFT V7 File Opening” to detect attempts to open V7 files using the vulnerable software.
Monitor systems running V-SFT for unexpected behavior or crashes, which could indicate exploitation attempts.
Educate users about the risks of opening files from untrusted sources to prevent social engineering attacks.




V-SFT Out-of-Bounds Read Vulnerability (CVE-2026-32926)
hello@craftedsignal.io — Wed, 01 Apr 2026 23:17:02 +0000
CVE-2026-32926 is an out-of-bounds read vulnerability affecting V-SFT versions 6.2.10.0 and earlier. The vulnerability exists within the VS6ComFile!load_link_inf function, which is responsible for processing V7 files. An attacker can exploit this vulnerability by crafting a malicious V7 file that, when opened by a vulnerable V-SFT application, triggers an out-of-bounds read. Successful exploitation could lead to information disclosure, potentially exposing sensitive data to the attacker. This vulnerability was reported and disclosed by JPCERT/CC.
Attack Chain

Attacker identifies a vulnerable V-SFT version (6.2.10.0 or prior).
Attacker crafts a malicious V7 file designed to trigger the out-of-bounds read in the VS6ComFile!load_link_inf function.
Attacker delivers the crafted V7 file to a target user, potentially through social engineering or other means.
The target user opens the malicious V7 file using the vulnerable V-SFT application.
The VS6ComFile!load_link_inf function attempts to read data beyond the allocated buffer while processing the crafted V7 file.
This out-of-bounds read allows the attacker to access memory regions outside the intended boundaries.
The attacker gains access to sensitive information stored in the adjacent memory regions due to the information disclosure.
The attacker extracts the disclosed information for malicious purposes.

Impact
Successful exploitation of CVE-2026-32926 can lead to information disclosure, potentially exposing sensitive data to an attacker. While the specific impact depends on the nature of the disclosed information, it could include intellectual property, configuration details, or other confidential data. The vulnerability affects systems running vulnerable versions of V-SFT.
Recommendation

Upgrade V-SFT to a version greater than 6.2.10.0 to patch CVE-2026-32926.
Monitor for attempts to open unusual or suspicious V7 files using V-SFT applications.
Implement the Sigma rule Detect VS-FT opening unusual files to detect suspicious file access patterns.
Review the V-SFT vendor’s advisory for additional mitigation guidance (https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb).




Critical Vulnerabilities in NetScaler ADC and Gateway Allow Sensitive Data Exposure and Session Hijacking
hello@craftedsignal.io — Wed, 01 Apr 2026 08:44:01 +0000
Citrix NetScaler ADC and Gateway are affected by two critical vulnerabilities, CVE-2026-3055 and CVE-2026-4368. CVE-2026-3055 is an out-of-bounds read vulnerability that allows an unauthenticated attacker to read arbitrary memory content. This could lead to the exfiltration of sensitive data like credentials and session tokens. CVE-2026-4368 is a race condition vulnerability that can lead to user session mix-up, potentially allowing one user to access another user’s session. CISA has added CVE-2026-3055 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild as of March 30, 2026. The affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-66.59, 13.1 before 13.1-62.23, and NetScaler ADC FIPS and NDcPP before 13.1-37.262. Defenders should prioritize patching and closely monitor affected systems.
Attack Chain

An unauthenticated attacker sends a specially crafted request to a vulnerable NetScaler ADC or Gateway configured as a SAML IDP (for CVE-2026-3055).
Due to insufficient input validation, the appliance attempts to read memory beyond the allocated buffer.
The out-of-bounds read allows the attacker to access sensitive information stored in memory, such as session tokens, credentials, or other confidential data.
The attacker exfiltrates the gleaned sensitive information via network communication.
For CVE-2026-4368, multiple users attempt to authenticate to a NetScaler ADC or Gateway configured as a Gateway or AAA virtual server.
A race condition occurs during session creation or management.
One user’s session is incorrectly associated with another user’s account.
The attacker gains unauthorized access to another user’s session, potentially performing actions on their behalf or accessing sensitive data.

Impact
Successful exploitation of CVE-2026-3055 allows attackers to steal sensitive information, potentially leading to account compromise, data breaches, and further unauthorized access to internal resources. CVE-2026-4368 can lead to unauthorized access to user accounts, potentially exposing sensitive data or enabling malicious activities under the guise of a legitimate user. Given that CISA has confirmed active exploitation of CVE-2026-3055, organizations using affected NetScaler products are at immediate risk. The impact spans across all sectors utilizing these products for application delivery and secure access.
Recommendation

Immediately patch NetScaler ADC and Gateway to the latest versions: 14.1-66.59 or later, 13.1-62.23 or later, and 13.1-37.262 or later for FIPS and NDcPP to remediate CVE-2026-3055 and CVE-2026-4368 as described in the Citrix advisory (https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300).
Deploy the Sigma rule Detect Netscaler CVE-2026-3055 GET Request to identify potential exploitation attempts of CVE-2026-3055 based on suspicious HTTP GET requests targeting the SAML IDP.
Enable and review NetScaler audit logs for unusual authentication patterns or session activity that could indicate exploitation of CVE-2026-4368.
Monitor web server logs for HTTP requests with abnormally long URIs, which may be indicative of attempts to trigger the out-of-bounds read in CVE-2026-3055.
Apply the Sigma rule Detect Netscaler CVE-2026-4368 POST Request to identify potential exploitation attempts of CVE-2026-4368 based on suspicious HTTP POST requests targeting the Gateway or AAA virtual server




RetroDebugger Out-of-Bounds Read Vulnerability (CVE-2026-4753)
hello@craftedsignal.io — Tue, 24 Mar 2026 06:16:23 +0000
RetroDebugger before version v0.64.72 contains an out-of-bounds read vulnerability, identified as CVE-2026-4753. This flaw could allow an attacker to read sensitive information from memory locations outside of the intended buffer, potentially leading to information disclosure or causing the application to crash, resulting in a denial of service. The vulnerability was reported by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). Given the critical CVSS score of…


Out-of-bounds Read Vulnerability in fabiangreffrath woof (CVE-2026-4750)
hello@craftedsignal.io — Tue, 24 Mar 2026 06:16:23 +0000
An out-of-bounds read vulnerability exists in fabiangreffrath woof, a web server for simple file sharing. This vulnerability, identified as CVE-2026-4750, affects woof versions prior to 15.3.0. The vulnerability was reported by the Government Technology Agency of Singapore Cyber Security Group (GovTech CSG). An attacker could potentially exploit this vulnerability to read sensitive information from the server’s memory or cause a denial-of-service condition. This poses a risk to organizations…


Google Chrome WebAudio Out-of-Bounds Read Vulnerability (CVE-2026-4677)
hello@craftedsignal.io — Tue, 24 Mar 2026 01:17:03 +0000
CVE-2026-4677 describes an out-of-bounds memory read vulnerability in the WebAudio component of Google Chrome. Successful exploitation of this vulnerability allows a remote attacker to potentially read sensitive information from the browser’s memory. The vulnerability exists in Google Chrome versions prior to 146.0.7680.165. The attack involves crafting a malicious HTML page that, when opened in a vulnerable version of Chrome, triggers the out-of-bounds read in the WebAudio processing. The…


Google Chrome Out-of-Bounds Read Vulnerability (CVE-2026-4674)
hello@craftedsignal.io — Tue, 24 Mar 2026 01:17:02 +0000
CVE-2026-4674 is an out-of-bounds read vulnerability affecting Google Chrome versions prior to 146.0.7680.165. This vulnerability resides in the CSS processing engine of Chrome. A remote attacker can exploit this vulnerability by crafting a malicious HTML page that, when opened in a vulnerable version of Chrome, triggers an out-of-bounds read. The successful exploitation of this vulnerability allows the attacker to read sensitive information from the browser’s memory, potentially leading to…


CVE-2026-31613 SMB Client Out-of-Bounds Read Vulnerability
hello@craftedsignal.io — Mon, 22 Jan 2024 12:00:00 +0000
CVE-2026-31613 is a security vulnerability affecting the SMB (Server Message Block) client. The vulnerability stems from an out-of-bounds read error that occurs during the parsing of symlink error responses. This can potentially allow a malicious SMB server to send crafted responses that, when processed by the client, lead to reading memory outside of allocated buffers. While the specific details of exploitation are not provided in the source, the nature of an out-of-bounds read can lead to information disclosure or a denial-of-service condition. Microsoft has released a security update to address this vulnerability. Defenders should apply the patch to mitigate the risk.
Attack Chain

A malicious SMB server is set up to serve crafted responses.
A client attempts to connect to the malicious SMB server via the SMB protocol.
The server sends a crafted SMB response containing a symlink error.
The client attempts to parse the symlink error response.
Due to the vulnerability, the client reads data beyond the allocated buffer.
The out-of-bounds read could result in information disclosure, where sensitive data is exposed, or cause a denial-of-service.
The attacker leverages the disclosed information for further exploitation (if information disclosure occurs).

Impact
Successful exploitation of CVE-2026-31613 could lead to information disclosure, potentially exposing sensitive data from the affected system’s memory. Alternatively, the vulnerability could be exploited to trigger a denial-of-service condition, disrupting the availability of the SMB client. The scope of impact depends on the specific data accessible via the out-of-bounds read and the system’s role within the network.
Recommendation

Apply the security update provided by Microsoft to patch CVE-2026-31613 on all systems using the SMB client to prevent potential out-of-bounds reads.
Enable SMB logging to monitor for unusual SMB responses or error conditions that may indicate exploitation attempts.




MikroTik RouterOS SCEP Endpoint Out-of-Bounds Read Vulnerability (CVE-2026-7668)
hello@craftedsignal.io — Tue, 02 Jan 2024 14:00:00 +0000
CVE-2026-7668 is an out-of-bounds read vulnerability affecting MikroTik RouterOS version 6.49.8. The vulnerability exists within the SCEP (Simple Certificate Enrollment Protocol) endpoint, specifically in the ASN1_STRING_data function located in the nova/lib/www/scep.p library. A remote attacker can exploit this vulnerability by manipulating the transactionID or messageType arguments. Publicly available exploits exist, increasing the risk of exploitation. The vendor has been notified but has not provided a response. Exploitation could lead to denial of service or information disclosure.
Attack Chain

Attacker identifies a MikroTik RouterOS device running version 6.49.8 with an exposed SCEP endpoint.
The attacker crafts a malicious SCEP request containing a specially crafted transactionID or messageType argument.
The attacker sends the malicious SCEP request to the RouterOS device’s SCEP endpoint.
The ASN1_STRING_data function processes the request and attempts to access memory outside the allocated buffer due to the manipulated argument.
The out-of-bounds read occurs, potentially leading to a crash of the SCEP process or the disclosure of sensitive information from adjacent memory regions.
If the attacker can reliably trigger a crash, they can cause a denial of service.
If sensitive information is disclosed, the attacker might use this to further compromise the device or network.

Impact
Successful exploitation of CVE-2026-7668 can lead to a denial of service condition on the affected MikroTik RouterOS device. An attacker could potentially cause the device to become unresponsive, disrupting network services. Furthermore, the out-of-bounds read could expose sensitive information stored in memory, which an attacker could use to further compromise the device or network. Since an exploit is publicly available, the risk of widespread exploitation is elevated.
Recommendation

Monitor network traffic for SCEP requests with unusually long or malformed transactionID or messageType parameters. Use the network connection rule below.
Implement rate limiting on the SCEP endpoint to mitigate potential denial-of-service attacks.
While no patch is available, consider disabling the SCEP endpoint if it is not required.