Threats Tagged 'cwe-191'

libnfs through 6.0.2 before 935b8db has an xid integer underflow in READ_IOVEC in rpc_read_from_socket in lib/socket.c during a connection to a crafted NFS server, when the expected pdu size exceeds the absolute pdu size from the xid/record-marker.

Integer Underflow (Wrap or Wraparound) vulnerability in RTI Connext Micro (Core Libraries) allows Overread Buffers.This issue affects Connext Micro: from 4.0.0 before 4.3.0.

A security update for Red Hat Hardened Images RPMs addresses a vulnerability identified as CVE-2026-11850 affecting multiple krb5 packages. The vulnerability is related to an integer overflow (CWE-191) and impacts confidentiality and availability. The update includes patched versions of krb5 components for aarch64 and x86_64 architectures. No known exploits are reported in the wild. The advisory does not explicitly state fixed versions or detailed exploitation methods.

CVE-2026-54413 is an integer underflow vulnerability in the driftregion iso14229 library version 0.9.0 and earlier. It occurs in the Handle_0x27_SecurityAccess() function, which improperly handles the length of a SecurityAccess request, allowing a remote unauthenticated attacker to cause a crash or potentially read memory beyond the receive buffer. This vulnerability affects UDS servers deployed on automotive ECUs, industrial controllers, and IoT devices using this library. The flaw arises because the function does not validate that the received message length is at least two bytes before accessing the buffer, leading to an underflow and out-of-bounds read. The vulnerability has a high severity score of 7.8 and is exploitable remotely without authentication.

LiamBindle MQTT-C versions up to 1.1.6 contain a heap-based out-of-bounds read and integer underflow vulnerability in the mqtt_unpack_publish_response() function. This flaw allows a remote unauthenticated attacker controlling an MQTT broker or able to inject MQTT traffic into an unencrypted session to crash a subscribed MQTT-C client and potentially disclose adjacent heap memory by sending a crafted PUBLISH packet. The vulnerability arises from improper validation of the topic_name_size field relative to the remaining packet length, leading to an out-of-bounds read and a large memmove() operation that crashes the process.

NanaZip versions from 3.0.1000.0 up to but not including 6.0.1698.0 contain a heap out-of-bounds read vulnerability in the Android Verified Boot (AVB) vbmeta image parser. This is caused by an unsigned integer underflow in a bounds check, allowing a crafted .avb or .img file to trigger a read beyond the allocated buffer, leading to a deterministic crash (denial of service). The issue has been patched in version 6.0.1698.0 and later.

TDengine is an open source, time-series database optimized for Internet of Things devices. In versions 3.4.0.0 through 3.4.1.5, an unauthenticated remote attacker can crash the taosd server process by sending a single crafted RPC packet. No credentials or prior session state are required. Version 3.4.1.6 fixes the issue.

Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

Integer underflow (wrap or wraparound) in Windows Performance Monitor allows an unauthorized attacker to execute code over a network.