<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Out-of-Bounds Write — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/out-of-bounds-write/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Apr 2026 05:17:17 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/out-of-bounds-write/feed.xml" rel="self" type="application/rss+xml"/><item><title>Samsung Escargot Out-of-Bounds Write Vulnerability (CVE-2026-25207)</title><link>https://feed.craftedsignal.io/briefs/2026-04-samsung-escargot-overflow/</link><pubDate>Mon, 13 Apr 2026 05:17:17 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-samsung-escargot-overflow/</guid><description>CVE-2026-25207 is an out-of-bounds write vulnerability in Samsung Open Source Escargot that allows for buffer overflows, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-25207 is an out-of-bounds write vulnerability affecting Samsung Open Source Escargot, specifically version 97e8115ab1110bc502b4b5e4a0c689a71520d335. This flaw allows attackers to potentially overwrite memory buffers, leading to denial of service or arbitrary code execution. The vulnerability arises due to insufficient bounds checking when handling specific data inputs within the Escargot software. Successful exploitation of this vulnerability could grant an attacker elevated privileges or control over the affected system. 
The severity of the vulnerability is rated as HIGH with a CVSS score of 7.4, indicating a significant risk to systems running vulnerable versions of Escargot.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious input designed to trigger the out-of-bounds write.</li>
<li>The malicious input is sent to the vulnerable Escargot application. This could involve exploiting a network service that relies on Escargot for data processing.</li>
<li>Escargot processes the malicious input without proper bounds checking.</li>
<li>The lack of bounds checking allows the input to write data beyond the allocated buffer.</li>
<li>The out-of-bounds write overwrites adjacent memory regions, potentially corrupting program data or code.</li>
<li>The memory corruption leads to a crash or allows the attacker to overwrite critical function pointers.</li>
<li>If function pointers are successfully overwritten, the attacker gains control of program execution.</li>
<li>The attacker can execute arbitrary code with the privileges of the Escargot process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-25207 can lead to arbitrary code execution with the privileges of the Escargot process. This can result in complete system compromise, data loss, or denial of service. Given the potential for remote code execution, this vulnerability poses a significant risk to systems utilizing the vulnerable Escargot version.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided in the associated GitHub pull request to remediate the vulnerability. (<a href="https://github.com/Samsung/escargot/pull/1554">https://github.com/Samsung/escargot/pull/1554</a>)</li>
<li>Monitor systems for unexpected crashes or memory corruption events related to the Escargot process.</li>
<li>Implement input validation and sanitization measures to prevent malicious inputs from reaching the vulnerable code.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-25207</category><category>out-of-bounds write</category><category>buffer overflow</category><category>samsung</category><category>escargot</category></item><item><title>Amazon Firecracker Virtio PCI Out-of-Bounds Write Vulnerability (CVE-2026-5747)</title><link>https://feed.craftedsignal.io/briefs/2026-04-firecracker-oob-write/</link><pubDate>Wed, 08 Apr 2026 00:16:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-firecracker-oob-write/</guid><description>An out-of-bounds write vulnerability in Amazon Firecracker's virtio PCI transport (CVE-2026-5747) allows a local guest user with root privileges to potentially crash the VMM process or execute arbitrary code on the host.</description><content:encoded><![CDATA[<p>CVE-2026-5747 is an out-of-bounds write vulnerability affecting the virtio PCI transport implementation in Amazon Firecracker versions 1.13.0 through 1.14.3 and 1.15.0, specifically on x86_64 and aarch64 architectures. This vulnerability could be exploited by a malicious local guest user who has gained root privileges within the guest operating system. Successful exploitation could lead to a denial-of-service condition by crashing the Firecracker Virtual Machine Monitor (VMM) process. In scenarios where specific preconditions are met, such as the usage of a custom guest kernel or particular snapshot configurations, this vulnerability can also potentially lead to arbitrary code execution on the host system. Defenders should upgrade to Firecracker versions 1.14.4 or 1.15.1 or later to remediate the issue.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains root privileges within a Firecracker guest OS.</li>
<li>Attacker identifies the Firecracker VMM version running on the host, confirming it is within the vulnerable range (1.13.0 - 1.14.3 or 1.15.0).</li>
<li>The attacker modifies virtio queue configuration registers after device activation. This is the trigger point for the vulnerability, exploiting the out-of-bounds write.</li>
<li>The crafted write operation corrupts memory within the Firecracker VMM process.</li>
<li>If the memory corruption is limited, this may cause a denial-of-service by crashing the VMM process.</li>
<li>If specific preconditions are met (custom guest kernel, specific snapshot configurations), the memory corruption allows for arbitrary code execution.</li>
<li>The attacker executes malicious code within the context of the Firecracker VMM process on the host.</li>
<li>The attacker achieves persistence or performs further malicious actions on the host system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5747 can lead to a denial-of-service condition, disrupting the services hosted on affected Firecracker instances. In certain circumstances, this vulnerability can escalate to arbitrary code execution on the host, potentially compromising the entire system and any other virtual machines hosted on it. This can lead to data breaches, system instability, and complete loss of control over the compromised host. The severity is dependent on the environment configuration and the attacker&rsquo;s capabilities, ranging from service disruption to full host compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all Firecracker installations to versions 1.14.4 or 1.15.1 or later to patch CVE-2026-5747, as recommended by the vendor.</li>
<li>Monitor Firecracker guest OS instances for unauthorized attempts to modify virtio queue configuration registers to detect potential exploitation attempts related to CVE-2026-5747.</li>
<li>Implement strict access control policies within the guest operating systems to minimize the risk of attackers gaining root privileges, thus reducing the attack surface for CVE-2026-5747.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5747</category><category>firecracker</category><category>out-of-bounds write</category><category>vmm</category><category>virtio</category></item><item><title>NI LabVIEW LVLIB File Parsing Memory Corruption Vulnerability (CVE-2026-32860)</title><link>https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/</link><pubDate>Tue, 07 Apr 2026 20:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-labview-lvlib-vuln/</guid><description>A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVLIB file, potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvlib file.</description><content:encoded><![CDATA[<p>CVE-2026-32860 is a vulnerability affecting NI LabVIEW versions 2026 Q1 (26.1.0) and prior. The vulnerability stems from an out-of-bounds write condition encountered during the loading of a corrupted LVLIB (LabVIEW Library) file. An attacker could exploit this flaw by crafting a malicious .lvlib file and enticing a user to open it within LabVIEW. Successful exploitation could lead to memory corruption, potentially enabling information disclosure or the execution of arbitrary code within the context of the LabVIEW application. This poses a significant risk to systems running vulnerable versions of LabVIEW, particularly those handling or processing potentially untrusted LVLIB files.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious .lvlib file containing corrupted data designed to trigger the out-of-bounds write.</li>
<li>The attacker uses social engineering or other means to convince a victim to open the malicious .lvlib file in NI LabVIEW.</li>
<li>The victim opens the .lvlib file within NI LabVIEW.</li>
<li>LabVIEW attempts to parse the corrupted data within the .lvlib file.</li>
<li>During the parsing process, the out-of-bounds write vulnerability is triggered due to the malformed data.</li>
<li>Memory corruption occurs, potentially overwriting critical program data or code.</li>
<li>Depending on the overwritten memory, the attacker may achieve information disclosure by reading sensitive data.</li>
<li>Alternatively, the attacker may achieve arbitrary code execution by overwriting code pointers or injecting malicious code into memory.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32860 can lead to both information disclosure and arbitrary code execution on affected systems. An attacker exploiting this vulnerability could potentially gain unauthorized access to sensitive data processed or stored by LabVIEW, or completely compromise the affected system by executing malicious code. The impact is significant, especially in industrial control systems and other critical infrastructure environments where LabVIEW is commonly used, as it could lead to disruption of services, data breaches, or even physical damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch provided by National Instruments as described in the advisory at <a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a> to remediate CVE-2026-32860.</li>
<li>Implement strict file handling procedures and user awareness training to prevent users from opening untrusted .lvlib files received from external sources.</li>
<li>Monitor process execution for unusual or unexpected activity originating from LabVIEW processes, which could indicate successful exploitation of this or other vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32860</category><category>labview</category><category>memory corruption</category><category>out-of-bounds write</category><category>lvlib</category></item><item><title>NI LabVIEW LVCLASS File Parsing Out-of-Bounds Write Vulnerability (CVE-2026-32861)</title><link>https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/</link><pubDate>Tue, 07 Apr 2026 20:16:24 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-labview-lvclass-oob-write/</guid><description>A memory corruption vulnerability exists in NI LabVIEW due to an out-of-bounds write when loading a corrupted LVCLASS file (CVE-2026-32861), potentially leading to information disclosure or arbitrary code execution if a user opens a specially crafted .lvclass file.</description><content:encoded><![CDATA[<p>A memory corruption vulnerability has been identified in NI LabVIEW versions 2026 Q1 (26.1.0) and prior. This vulnerability, tracked as CVE-2026-32861, stems from an out-of-bounds write that occurs when the software attempts to load a malformed LVCLASS file. An attacker could exploit this vulnerability by crafting a malicious .lvclass file and convincing a user to open it within LabVIEW. Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution or disclose sensitive information from the affected system. This poses a significant risk to organizations using LabVIEW for critical applications, as it could lead to system compromise and data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious .lvclass file containing an out-of-bounds write payload.</li>
<li>The attacker delivers the crafted .lvclass file to the victim via social engineering or other delivery methods.</li>
<li>The victim, using a vulnerable version of NI LabVIEW, opens the malicious .lvclass file.</li>
<li>LabVIEW attempts to parse the LVCLASS file, triggering the out-of-bounds write vulnerability.</li>
<li>The out-of-bounds write corrupts memory, potentially overwriting critical data structures or code.</li>
<li>If the overwritten memory contains attacker-controlled code, it could lead to arbitrary code execution.</li>
<li>The attacker gains control of the LabVIEW process and potentially the entire system.</li>
<li>The attacker performs malicious actions, such as data exfiltration, installing backdoors, or further compromising the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-32861 can lead to information disclosure and arbitrary code execution on systems running vulnerable versions of NI LabVIEW. This could allow an attacker to steal sensitive data, install malware, or gain complete control of the affected system. The impact of this vulnerability is significant, especially for organizations using LabVIEW in critical infrastructure or industrial control systems, potentially leading to operational disruption, financial loss, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch provided by National Instruments to address CVE-2026-32861 on all systems running NI LabVIEW 2026 Q1 (26.1.0) and prior versions. Refer to the NI advisory for download links: <a href="https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html">https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html</a>.</li>
<li>Implement user awareness training to educate users about the risks of opening files from untrusted sources to mitigate the initial access vector.</li>
<li>Deploy the Sigma rule <code>DetectSuspiciousLvclassFileOpen</code> to detect suspicious LabVIEW processes opening LVCLASS files.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-32861</category><category>labview</category><category>out-of-bounds write</category><category>memory corruption</category></item><item><title>AWS-C-EventStream Out-of-Bounds Write Vulnerability (CVE-2026-5190)</title><link>https://feed.craftedsignal.io/briefs/2026-03-aws-c-event-stream-oob-write/</link><pubDate>Tue, 31 Mar 2026 18:16:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-aws-c-event-stream-oob-write/</guid><description>CVE-2026-5190 is an out-of-bounds write vulnerability in the aws-c-event-stream library before version 0.6.0 that allows a malicious third-party server to cause memory corruption and potential arbitrary code execution on client applications.</description><content:encoded><![CDATA[<p>CVE-2026-5190 is a critical security vulnerability affecting the aws-c-event-stream library, specifically versions prior to 0.6.0. The vulnerability is an out-of-bounds write issue in the streaming decoder component. This flaw enables a malicious third-party operating a server to send specially crafted event-stream messages to a client application using the vulnerable library. Successful exploitation could lead to memory corruption, ultimately allowing the attacker to achieve arbitrary code execution on the targeted client system. Organizations utilizing aws-c-event-stream in their client applications should prioritize upgrading to version 0.6.0 or later to mitigate this risk. The vulnerability was reported on March 31, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker sets up a malicious server designed to send crafted event-stream messages.</li>
<li>A client application utilizing a vulnerable version (prior to 0.6.0) of the aws-c-event-stream library connects to the attacker&rsquo;s server.</li>
<li>The attacker&rsquo;s server transmits a specially crafted event-stream message to the client.</li>
<li>The vulnerable streaming decoder component within the aws-c-event-stream library processes the malicious message.</li>
<li>Due to the out-of-bounds write vulnerability (CVE-2026-5190), the processing of the crafted message causes memory corruption on the client system.</li>
<li>The memory corruption leads to a buffer overflow or similar memory safety issue.</li>
<li>The attacker leverages the memory corruption to overwrite critical data or inject malicious code into memory.</li>
<li>The injected code is executed, granting the attacker arbitrary code execution on the client system. The attacker can then perform actions such as data exfiltration, system compromise, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-5190 allows a remote attacker to execute arbitrary code on a client system utilizing a vulnerable version of the aws-c-event-stream library. This could lead to complete system compromise, data theft, or the installation of malware. The potential impact is especially significant for applications that rely on event streams for critical functionality, such as real-time data processing or inter-process communication. While the number of affected applications is unknown, any application using a vulnerable version is at risk until patched.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade all installations of the <code>aws-c-event-stream</code> library to version 0.6.0 or later to remediate CVE-2026-5190.</li>
<li>Implement network monitoring to detect potentially malicious event-stream messages being sent from third-party servers to client applications. Focus on anomalies in message size, structure, or content that could indicate exploitation attempts (requires custom network rules).</li>
<li>Enable verbose logging for applications utilizing <code>aws-c-event-stream</code> to capture detailed information about event-stream message processing and memory allocation patterns. This will aid in identifying potential exploitation attempts or debugging memory corruption issues.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-5190</category><category>aws-c-event-stream</category><category>out-of-bounds write</category><category>code execution</category></item><item><title>Android-ImageMagick7 Out-of-Bounds Write Vulnerability (CVE-2026-33854)</title><link>https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/</link><pubDate>Tue, 24 Mar 2026 06:16:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-android-imagemagick-oob-write/</guid><description>An unauthenticated, remote attacker can exploit an out-of-bounds write vulnerability (CVE-2026-33854) in MolotovCherry Android-ImageMagick7 versions before 7.1.2-10 by enticing a user to open a malicious image, potentially leading to arbitrary code execution.</description><content:encoded>&lt;p>CVE-2026-33854 is an out-of-bounds write vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-10.  This vulnerability stems from improper bounds checking within the image processing logic. The Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) reported this vulnerability. Successful exploitation could lead to a denial of service, information disclosure, or potentially arbitrary code execution on the affected device. Due to the widespread…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve</category><category>out-of-bounds write</category><category>android</category><category>imagemagick</category></item><item><title>Yokogawa CENTUM VP R6 and R7 Vulnerabilities Lead to Potential Denial of Service and Arbitrary Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-02-yokogawa-centum-vp-r6-r7/</link><pubDate>Fri, 27 Feb 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-02-yokogawa-centum-vp-r6-r7/</guid><description>Multiple vulnerabilities in Yokogawa CENTUM VP R6 and R7 Vnet/IP Interface Package can be exploited by sending maliciously crafted packets, leading to denial-of-service or arbitrary code execution.</description><content:encoded><![CDATA[<p>Yokogawa CENTUM VP is a distributed control system (DCS) used in critical infrastructure sectors such as critical manufacturing, energy, and food and agriculture worldwide. CISA has released an advisory detailing multiple vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023) affecting the Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300) and R7 (VP7C3300) versions &lt;= R1.07.00. Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code. The vulnerabilities are triggered by receiving maliciously crafted network packets, posing a significant risk to industrial control systems relying on affected versions of Yokogawa CENTUM VP.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable Yokogawa CENTUM VP system running Vnet/IP Interface Package for CENTUM VP R6 or R7 (&lt;=R1.07.00) on the network.</li>
<li>Attacker crafts a malicious network packet specifically designed to exploit one of the identified vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).</li>
<li>Attacker sends the malicious packet to the vulnerable system.</li>
<li>If exploiting CVE-2025-1924 (Out-of-bounds Write), the crafted packet triggers an out-of-bounds write, potentially overwriting critical memory regions.</li>
<li>If exploiting CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, or CVE-2025-48022 (Reachable Assertion, Integer Underflow), the crafted packet causes the Vnet/IP software stack process to terminate due to an assertion failure or integer underflow.</li>
<li>If successful, the Vnet/IP communication functions stop, resulting in a denial-of-service condition, impacting the control and monitoring capabilities of the CENTUM VP system.</li>
<li>(Potentially, for CVE-2025-1924) By carefully crafting the malicious packet and exploiting the out-of-bounds write, the attacker may achieve arbitrary code execution on the targeted system.</li>
<li>Attacker could then leverage the code execution to gain further control of the system, potentially disrupting industrial processes or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in Yokogawa CENTUM VP R6 and R7 could have significant consequences for organizations in critical infrastructure sectors. A denial-of-service condition can disrupt industrial processes, leading to production losses and potential safety hazards. Arbitrary code execution could allow attackers to gain complete control of the system, potentially leading to sabotage, data theft, or further attacks on the network. Given the widespread deployment of Yokogawa CENTUM VP systems globally, the impact could be significant across various industries.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch software R1.08.00 provided by Yokogawa to address the vulnerabilities (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023).</li>
<li>Monitor network traffic for unexpected patterns or malformed packets targeting Yokogawa CENTUM VP systems using network intrusion detection systems (NIDS).</li>
<li>Consult Yokogawa advisory YSAR-26-0002 for detailed mitigation steps and implementation guidance: <a href="https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf">https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf</a></li>
<li>Implement network segmentation to isolate critical control systems from the broader network to limit the potential impact of a successful attack.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ics</category><category>denial-of-service</category><category>out-of-bounds write</category></item><item><title>ksmbd Out-of-Bounds Write Vulnerability in QUERY_INFO (CVE-2026-31432)</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-ksmbd-oob-write/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-ksmbd-oob-write/</guid><description>CVE-2026-31432 is a critical out-of-bounds write vulnerability in ksmbd, specifically within the QUERY_INFO functionality when handling compound requests, potentially leading to code execution or denial of service.</description><content:encoded><![CDATA[<p>CVE-2026-31432 is a critical vulnerability affecting the ksmbd server, a Linux kernel implementation of the SMB/CIFS protocol. The vulnerability is an out-of-bounds write that occurs when processing QUERY_INFO requests within compound SMB requests. An attacker could exploit this vulnerability by sending a specially crafted SMB request to a vulnerable ksmbd server. Successful exploitation could lead to arbitrary code execution in the context of the kernel or a denial-of-service condition. As a kernel-level vulnerability, exploitation can have severe consequences for system stability and security. The vulnerability highlights the ongoing challenges of ensuring the security of complex network protocols implemented within the kernel.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a ksmbd server exposed on the network.</li>
<li>The attacker crafts a malicious SMB compound request containing a malformed QUERY_INFO request.</li>
<li>The attacker sends the crafted SMB request to the targeted ksmbd server.</li>
<li>The ksmbd server processes the request, triggering the out-of-bounds write in the QUERY_INFO handling routine.</li>
<li>The out-of-bounds write corrupts adjacent kernel memory.</li>
<li>Depending on the overwritten memory, the system may crash, leading to a denial-of-service condition.</li>
<li>Alternatively, an attacker may carefully craft the payload to overwrite specific kernel structures, potentially leading to arbitrary code execution.</li>
<li>Successful code execution allows the attacker to gain complete control over the affected system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-31432 could lead to a complete compromise of the affected system. An attacker could gain the ability to execute arbitrary code within the kernel, leading to data theft, system corruption, or the installation of rootkits. In less severe cases, exploitation could result in a denial-of-service condition, disrupting critical services. Given the potential for remote code execution, this vulnerability poses a significant risk to any system running a vulnerable version of ksmbd.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security update provided by Microsoft to patch CVE-2026-31432 as soon as possible (reference: <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31432</a>).</li>
<li>Deploy the Sigma rule <code>Detect Suspicious SMBv1 Negotiation</code> to identify potentially malicious SMB traffic patterns.</li>
<li>Monitor network traffic for SMB requests originating from unexpected sources or containing unusual parameters (reference: Attack Chain Step 2).</li>
<li>Implement network segmentation to limit the potential impact of a successful exploit (reference: Attack Chain Step 1).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>ksmbd</category><category>smb</category><category>out-of-bounds write</category><category>cve-2026-31432</category></item></channel></rss>