{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/out-of-bounds-write/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-25207"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-25207","out-of-bounds write","buffer overflow","samsung","escargot"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-25207 is an out-of-bounds write vulnerability affecting Samsung Open Source Escargot, specifically version 97e8115ab1110bc502b4b5e4a0c689a71520d335. This flaw allows attackers to potentially overwrite memory buffers, leading to denial of service or arbitrary code execution. The vulnerability arises due to insufficient bounds checking when handling specific data inputs within the Escargot software. Successful exploitation of this vulnerability could grant an attacker elevated privileges or control over the affected system. The severity of the vulnerability is rated as HIGH with a CVSS score of 7.4, indicating a significant risk to systems running vulnerable versions of Escargot.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input designed to trigger the out-of-bounds write.\u003c/li\u003e\n\u003cli\u003eThe malicious input is sent to the vulnerable Escargot application. 
This could involve exploiting a network service that relies on Escargot for data processing.\u003c/li\u003e\n\u003cli\u003eEscargot processes the malicious input without proper bounds checking.\u003c/li\u003e\n\u003cli\u003eThe lack of bounds checking allows the input to write data beyond the allocated buffer.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write overwrites adjacent memory regions, potentially corrupting program data or code.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to a crash or allows the attacker to overwrite critical function pointers.\u003c/li\u003e\n\u003cli\u003eIf function pointers are successfully overwritten, the attacker gains control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker can execute arbitrary code with the privileges of the Escargot process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-25207 can lead to arbitrary code execution with the privileges of the Escargot process. This can result in complete system compromise, data loss, or denial of service. Given the potential for remote code execution, this vulnerability poses a significant risk to systems utilizing the vulnerable Escargot version.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in the associated GitHub pull request to remediate the vulnerability. 
(\u003ca href=\"https://github.com/Samsung/escargot/pull/1554\"\u003ehttps://github.com/Samsung/escargot/pull/1554\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMonitor systems for unexpected crashes or memory corruption events related to the Escargot process.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent malicious inputs from reaching the vulnerable code.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T05:17:17Z","date_published":"2026-04-13T05:17:17Z","id":"/briefs/2026-04-samsung-escargot-overflow/","summary":"CVE-2026-25207 is an out-of-bounds write vulnerability in Samsung Open Source Escargot that allows for buffer overflows, potentially leading to arbitrary code execution.","title":"Samsung Escargot Out-of-Bounds Write Vulnerability (CVE-2026-25207)","url":"https://feed.craftedsignal.io/briefs/2026-04-samsung-escargot-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5747"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5747","firecracker","out-of-bounds write","vmm","virtio"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5747 is an out-of-bounds write vulnerability affecting the virtio PCI transport implementation in Amazon Firecracker versions 1.13.0 through 1.14.3 and 1.15.0, specifically on x86_64 and aarch64 architectures. This vulnerability could be exploited by a malicious local guest user who has gained root privileges within the guest operating system. Successful exploitation could lead to a denial-of-service condition by crashing the Firecracker Virtual Machine Monitor (VMM) process. In scenarios where specific preconditions are met, such as the usage of a custom guest kernel or particular snapshot configurations, this vulnerability can also potentially lead to arbitrary code execution on the host system. 
Defenders should upgrade to Firecracker versions 1.14.4 or 1.15.1 or later to remediate the issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains root privileges within a Firecracker guest OS.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the Firecracker VMM version running on the host, confirming it is within the vulnerable range (1.13.0 - 1.14.3 or 1.15.0).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies virtio queue configuration registers after device activation. This is the trigger point for the vulnerability, exploiting the out-of-bounds write.\u003c/li\u003e\n\u003cli\u003eThe crafted write operation corrupts memory within the Firecracker VMM process.\u003c/li\u003e\n\u003cli\u003eIf the memory corruption is limited, this may cause a denial-of-service by crashing the VMM process.\u003c/li\u003e\n\u003cli\u003eIf specific preconditions are met (custom guest kernel, specific snapshot configurations), the memory corruption allows for arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious code within the context of the Firecracker VMM process on the host.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or performs further malicious actions on the host system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5747 can lead to a denial-of-service condition, disrupting the services hosted on affected Firecracker instances. In certain circumstances, this vulnerability can escalate to arbitrary code execution on the host, potentially compromising the entire system and any other virtual machines hosted on it. This can lead to data breaches, system instability, and complete loss of control over the compromised host. 
The severity is dependent on the environment configuration and the attacker\u0026rsquo;s capabilities, ranging from service disruption to full host compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all Firecracker installations to versions 1.14.4 or 1.15.1 or later to patch CVE-2026-5747, as recommended by the vendor.\u003c/li\u003e\n\u003cli\u003eMonitor Firecracker guest OS instances for unauthorized attempts to modify virtio queue configuration registers to detect potential exploitation attempts related to CVE-2026-5747.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies within the guest operating systems to minimize the risk of attackers gaining root privileges, thus reducing the attack surface for CVE-2026-5747.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T00:16:05Z","date_published":"2026-04-08T00:16:05Z","id":"/briefs/2026-04-firecracker-oob-write/","summary":"An out-of-bounds write vulnerability in Amazon Firecracker's virtio PCI transport (CVE-2026-5747) allows a local guest user with root privileges to potentially crash the VMM process or execute arbitrary code on the host.","title":"Amazon Firecracker Virtio PCI Out-of-Bounds Write Vulnerability (CVE-2026-5747)","url":"https://feed.craftedsignal.io/briefs/2026-04-firecracker-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32860"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32860","labview","memory corruption","out-of-bounds write","lvlib"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32860 is a vulnerability affecting NI LabVIEW versions 2026 Q1 (26.1.0) and prior. The vulnerability stems from an out-of-bounds write condition encountered during the loading of a corrupted LVLIB (LabVIEW Library) file. 
An attacker could exploit this flaw by crafting a malicious .lvlib file and enticing a user to open it within LabVIEW. Successful exploitation could lead to memory corruption, potentially enabling information disclosure or the execution of arbitrary code within the context of the LabVIEW application. This poses a significant risk to systems running vulnerable versions of LabVIEW, particularly those handling or processing potentially untrusted LVLIB files.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious .lvlib file containing corrupted data designed to trigger the out-of-bounds write.\u003c/li\u003e\n\u003cli\u003eThe attacker uses social engineering or other means to convince a victim to open the malicious .lvlib file in NI LabVIEW.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .lvlib file within NI LabVIEW.\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to parse the corrupted data within the .lvlib file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the out-of-bounds write vulnerability is triggered due to the malformed data.\u003c/li\u003e\n\u003cli\u003eMemory corruption occurs, potentially overwriting critical program data or code.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the attacker may achieve information disclosure by reading sensitive data.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker may achieve arbitrary code execution by overwriting code pointers or injecting malicious code into memory.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32860 can lead to both information disclosure and arbitrary code execution on affected systems. 
An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive data processed or stored by LabVIEW, or completely compromise the affected system by executing malicious code. The impact is significant, especially in industrial control systems and other critical infrastructure environments where LabVIEW is commonly used, as it could lead to disruption of services, data breaches, or even physical damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by National Instruments as described in the advisory at \u003ca href=\"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\"\u003ehttps://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\u003c/a\u003e to remediate CVE-2026-32860.\u003c/li\u003e\n\u003cli\u003eImplement strict file handling procedures and user awareness training to prevent users from opening untrusted .lvlib files received from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for unusual or unexpected activity originating from LabVIEW processes, which could indicate successful exploitation of this or other vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:24Z","date_published":"2026-04-07T20:16:24Z","id":"/briefs/2026-04-labview-lvlib-vuln/","summary":"A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVLIB file, potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvlib file.","title":"NI LabVIEW LVLIB File Parsing Memory Corruption Vulnerability 
(CVE-2026-32860)","url":"https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-32861"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-32861","labview","out-of-bounds write","memory corruption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA memory corruption vulnerability has been identified in NI LabVIEW versions 2026 Q1 (26.1.0) and prior. This vulnerability, tracked as CVE-2026-32861, stems from an out-of-bounds write that occurs when the software attempts to load a malformed LVCLASS file. An attacker could exploit this vulnerability by crafting a malicious .lvclass file and convincing a user to open it within LabVIEW. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution or disclose sensitive information from the affected system. This poses a significant risk to organizations using LabVIEW for critical applications, as it could lead to system compromise and data breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious .lvclass file containing an out-of-bounds write payload.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers the crafted .lvclass file to the victim via social engineering or other delivery methods.\u003c/li\u003e\n\u003cli\u003eThe victim, using a vulnerable version of NI LabVIEW, opens the malicious .lvclass file.\u003c/li\u003e\n\u003cli\u003eLabVIEW attempts to parse the LVCLASS file, triggering the out-of-bounds write vulnerability.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts memory, potentially overwriting critical data structures or code.\u003c/li\u003e\n\u003cli\u003eIf the overwritten memory contains attacker-controlled code, it could lead to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the LabVIEW process 
and potentially the entire system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as data exfiltration, installing backdoors, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32861 can lead to information disclosure and arbitrary code execution on systems running vulnerable versions of NI LabVIEW. This could allow an attacker to steal sensitive data, install malware, or gain complete control of the affected system. The impact of this vulnerability is significant, especially for organizations using LabVIEW in critical infrastructure or industrial control systems, potentially leading to operational disruption, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by National Instruments to address CVE-2026-32861 on all systems running NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 
Refer to the NI advisory for download links: \u003ca href=\"https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\"\u003ehttps://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement user awareness training to educate users about the risks of opening files from untrusted sources to mitigate the initial access vector.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousLvclassFileOpen\u003c/code\u003e to detect suspicious LabVIEW processes opening LVCLASS files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-07T20:16:24Z","date_published":"2026-04-07T20:16:24Z","id":"/briefs/2026-04-labview-lvclass-oob-write/","summary":"A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVCLASS file (CVE-2026-32861), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvclass file.","title":"NI LabVIEW LVCLASS File Parsing Out-of-Bounds Write Vulnerability (CVE-2026-32861)","url":"https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5190"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-5190","aws-c-event-stream","out-of-bounds write","code execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5190 is a critical security vulnerability affecting the aws-c-event-stream library, specifically versions prior to 0.6.0. The vulnerability is an out-of-bounds write issue in the streaming decoder component. 
This flaw enables a malicious third-party operating a server to send specially crafted event-stream messages to a client application using the vulnerable library. Successful exploitation could lead to memory corruption, ultimately allowing the attacker to achieve arbitrary code execution on the targeted client system. Organizations utilizing aws-c-event-stream in their client applications should prioritize upgrading to version 0.6.0 or later to mitigate this risk. The vulnerability was reported on March 31, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sets up a malicious server designed to send crafted event-stream messages.\u003c/li\u003e\n\u003cli\u003eA client application utilizing a vulnerable version (prior to 0.6.0) of the aws-c-event-stream library connects to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server transmits a specially crafted event-stream message to the client.\u003c/li\u003e\n\u003cli\u003eThe vulnerable streaming decoder component within the aws-c-event-stream library processes the malicious message.\u003c/li\u003e\n\u003cli\u003eDue to the out-of-bounds write vulnerability (CVE-2026-5190), the processing of the crafted message causes memory corruption on the client system.\u003c/li\u003e\n\u003cli\u003eThe memory corruption leads to a buffer overflow or similar memory safety issue.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to overwrite critical data or inject malicious code into memory.\u003c/li\u003e\n\u003cli\u003eThe injected code is executed, granting the attacker arbitrary code execution on the client system. 
The attacker can then perform actions such as data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5190 allows a remote attacker to execute arbitrary code on a client system utilizing a vulnerable version of the aws-c-event-stream library. This could lead to complete system compromise, data theft, or the installation of malware. The potential impact is especially significant for applications that rely on event streams for critical functionality, such as real-time data processing or inter-process communication. While the number of affected applications is unknown, any application using a vulnerable version is at risk until patched.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all installations of the \u003ccode\u003eaws-c-event-stream\u003c/code\u003e library to version 0.6.0 or later to remediate CVE-2026-5190.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect potentially malicious event-stream messages being sent from third-party servers to client applications. Focus on anomalies in message size, structure, or content that could indicate exploitation attempts (requires custom network rules).\u003c/li\u003e\n\u003cli\u003eEnable verbose logging for applications utilizing \u003ccode\u003eaws-c-event-stream\u003c/code\u003e to capture detailed information about event-stream message processing and memory allocation patterns. 
This will aid in identifying potential exploitation attempts or debugging memory corruption issues.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T18:16:59Z","date_published":"2026-03-31T18:16:59Z","id":"/briefs/2026-03-aws-c-event-stream-oob-write/","summary":"CVE-2026-5190 is an out-of-bounds write vulnerability in the aws-c-event-stream library before version 0.6.0 that allows a malicious third-party server to cause memory corruption and potential arbitrary code execution on client applications.","title":"AWS-C-EventStream Out-of-Bounds Write Vulnerability (CVE-2026-5190)","url":"https://feed.craftedsignal.io/briefs/2026-03-aws-c-event-stream-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","out-of-bounds write","android","imagemagick"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33854 is an out-of-bounds write vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-10. This vulnerability stems from improper bounds checking within the image processing logic. The Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) reported this vulnerability. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution on the affected device. 
Due to the widespread…\u003c/p\u003e\n","date_modified":"2026-03-24T06:16:22Z","date_published":"2026-03-24T06:16:22Z","id":"/briefs/2026-03-android-imagemagick-oob-write/","summary":"An unauthenticated, remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-33854) in MolotovCherry Android-ImageMagick7 versions before 7.1.2-10 by enticing a user to open a malicious image, potentially leading to arbitrary code execution.","title":"Android-ImageMagick7 Out-of-Bounds Write Vulnerability (CVE-2026-33854)","url":"https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ics","denial-of-service","out-of-bounds write"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eYokogawa CENTUM VP is a distributed control system (DCS) used in critical infrastructure sectors such as critical manufacturing, energy, and food and agriculture worldwide. CISA has released an advisory detailing multiple vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023) affecting the Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300) and R7 (VP7C3300) versions \u0026lt;= R1.07.00. Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code. 
The vulnerabilities are triggered by receiving maliciously crafted network packets, posing a significant risk to industrial control systems relying on affected versions of Yokogawa CENTUM VP.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Yokogawa CENTUM VP system running Vnet/IP Interface Package for CENTUM VP R6 or R7 (\u0026lt;=R1.07.00) on the network.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious network packet specifically designed to exploit one of the identified vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious packet to the vulnerable system.\u003c/li\u003e\n\u003cli\u003eIf exploiting CVE-2025-1924 (Out-of-bounds Write), the crafted packet triggers an out-of-bounds write, potentially overwriting critical memory regions.\u003c/li\u003e\n\u003cli\u003eIf exploiting CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, or CVE-2025-48022 (Reachable Assertion, Integer Underflow), the crafted packet causes the Vnet/IP software stack process to terminate due to an assertion failure or integer underflow.\u003c/li\u003e\n\u003cli\u003eIf successful, the Vnet/IP communication functions stop, resulting in a denial-of-service condition, impacting the control and monitoring capabilities of the CENTUM VP system.\u003c/li\u003e\n\u003cli\u003e(Potentially, for CVE-2025-1924) By carefully crafting the malicious packet and exploiting the out-of-bounds write, the attacker may achieve arbitrary code execution on the targeted system.\u003c/li\u003e\n\u003cli\u003eAttacker could then leverage the code execution to gain further control of the system, potentially disrupting industrial processes or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these 
vulnerabilities in Yokogawa CENTUM VP R6 and R7 could have significant consequences for organizations in critical infrastructure sectors. A denial-of-service condition can disrupt industrial processes, leading to production losses and potential safety hazards. Arbitrary code execution could allow attackers to gain complete control of the system, potentially leading to sabotage, data theft, or further attacks on the network. Given the widespread deployment of Yokogawa CENTUM VP systems globally, the impact could be significant across various industries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch software R1.08.00 provided by Yokogawa to address the vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unexpected patterns or malformed packets targeting Yokogawa CENTUM VP systems using network intrusion detection systems (NIDS).\u003c/li\u003e\n\u003cli\u003eConsult Yokogawa advisory YSAR-26-0002 for detailed mitigation steps and implementation guidance: \u003ca href=\"https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf\"\u003ehttps://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to isolate critical control systems from the broader network to limit the potential impact of a successful attack.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-02-27T12:00:00Z","date_published":"2026-02-27T12:00:00Z","id":"/briefs/2026-02-yokogawa-centum-vp-r6-r7/","summary":"Multiple vulnerabilities in Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Package can be exploited by sending maliciously crafted packets, leading to denial-of-service or arbitrary code execution.","title":"Yokogawa CENTUM VP R6 and R7 Vulnerabilities Lead to Potential Denial of Service and Arbitrary Code 
Execution","url":"https://feed.craftedsignal.io/briefs/2026-02-yokogawa-centum-vp-r6-r7/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31432"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["ksmbd","smb","out-of-bounds write","cve-2026-31432"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31432 is a critical vulnerability affecting the ksmbd server, a Linux kernel implementation of the SMB/CIFS protocol. The vulnerability is an out-of-bounds write that occurs when processing QUERY_INFO requests within compound SMB requests. An attacker could exploit this vulnerability by sending a specially crafted SMB request to a vulnerable ksmbd server. Successful exploitation could lead to arbitrary code execution in the context of the kernel or a denial-of-service condition. As a kernel-level vulnerability, exploitation can have severe consequences for system stability and security. The vulnerability highlights the ongoing challenges of ensuring the security of complex network protocols implemented within the kernel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a ksmbd server exposed on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMB compound request containing a malformed QUERY_INFO request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted SMB request to the targeted ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe ksmbd server processes the request, triggering the out-of-bounds write in the QUERY_INFO handling routine.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds write corrupts adjacent kernel memory.\u003c/li\u003e\n\u003cli\u003eDepending on the overwritten memory, the system may crash, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker may carefully craft the payload to overwrite specific kernel structures, potentially 
leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eSuccessful code execution allows the attacker to gain complete control over the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31432 could lead to a complete compromise of the affected system. An attacker could gain the ability to execute arbitrary code within the kernel, leading to data theft, system corruption, or the installation of rootkits. In less severe cases, exploitation could result in a denial-of-service condition, disrupting critical services. Given the potential for remote code execution, this vulnerability poses a significant risk to any system running a vulnerable version of ksmbd.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31432 as soon as possible (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious SMBv1 Negotiation\u003c/code\u003e to identify potentially malicious SMB traffic patterns.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for SMB requests originating from unexpected sources or containing unusual parameters (reference: Attack Chain Step 2).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a successful exploit (reference: Attack Chain Step 1).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-23-ksmbd-oob-write/","summary":"CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, 
specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.","title":"ksmbd Out-of-Bounds Write Vulnerability in QUERY_INFO (CVE-2026-31432)","url":"https://feed.craftedsignal.io/briefs/2024-01-23-ksmbd-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Out-of-Bounds Write","version":"https://jsonfeed.org/version/1.1"}