Security Research

Security Blog

Page 15

critical9 min

Critical Buffer Overflow in spdm_emu.c: How strcpy() on argv[1] Enabled Code Execution

A critical buffer overflow vulnerability was discovered in `spdm_emu/spdm_emu_common/spdm_emu.c` at line 638, where an unbounded `strcpy()` call copied a user-supplied command-line argument directly into the fixed-size buffer `m_ip_address_string` without any length validation. An attacker able to invoke the `spdm_emu` binary with an oversized argument could corrupt adjacent memory and potentially achieve arbitrary code execution. The fix replaces the unsafe `strcpy()` with a bounded `strncpy()`

#buffer-overflow#C#memory-safety+4 more
O
orbisai0security
Jun 2, 2026
critical7 min

Shell Injection in mkmultidtb.py: How String Concatenation with os.system() Enabled Arbitrary Code Execution

A critical shell injection vulnerability in `scripts/mkmultidtb.py` allowed attackers to execute arbitrary commands during the kernel build process by injecting shell metacharacters into device tree binary (DTB) filenames. The vulnerability was caused by using `os.system()` with string concatenation instead of proper subprocess argument handling. This fix migrates to `subprocess.run()` with argument lists, eliminating the attack surface entirely.

#shell-injection#os-command-injection#python-security+4 more
O
orbisai0security
Jun 2, 2026
critical6 min

SQL Injection via SQLite's %s Format Specifier in LR2_statlong.cpp ReadPlayerScore()

A critical SQL injection vulnerability was discovered in `LR2/LR2_statlong.cpp` at line 42, where `sqlite3_snprintf` used the `%s` format specifier instead of `%q` to interpolate a player ID into a SQL query. This single-character difference meant that single quotes in the player ID were inserted verbatim, allowing an attacker to break out of the SQL string literal and inject arbitrary commands. The fix changes `%s` to `%q`, which doubles all single quotes to properly escape them.

#sql-injection#sqlite#c+++4 more
O
orbisai0security
Jun 2, 2026
critical7 min

Integer Overflow in edge_detect.c Heap Allocation Enables Camera-Based Exploit

A critical integer overflow vulnerability in `C/filters/edge_detect.c` allowed an attacker controlling a virtual V4L2 camera device to supply manipulated width/height dimensions that would silently wrap around to zero during multiplication, causing a drastically undersized heap allocation. Subsequent writes to this tiny buffer result in heap corruption, potentially enabling arbitrary code execution. The fix replaces the unsafe `malloc(w * h)` pattern with overflow-safe `calloc((size_t)w, (size_t

#c#integer-overflow#heap-overflow+4 more
O
orbisai0security
Jun 2, 2026
critical7 min

Stack Buffer Overflow in nvme-print.c: How sprintf() Threatened NVMe Device Security

A critical stack-based buffer overflow vulnerability was discovered in `nvme-print.c`, where multiple `sprintf()` calls wrote formatted output into fixed-size stack buffers without any bounds checking. The vulnerability was most dangerous in `nvme_pel_event_to_string()` at line 224, where a malicious NVMe device could supply unexpected event type values to trigger a buffer overflow enabling arbitrary code execution. The fix replaces all unsafe `sprintf()` calls with `snprintf()`, enforcing stric

#buffer-overflow#c-security#nvme+4 more
O
orbisai0security
Jun 2, 2026
high7 min

Integer Overflow in wf_cliprdr.c: How Clipboard Data Could Corrupt Memory

A high-severity integer overflow vulnerability (CWE-190) was discovered in `libs/clipboard/src/windows/wf_cliprdr.c` at line 774, where the `m_nStreams` value derived from remote clipboard data was passed directly to `calloc()` without bounds validation. A malicious remote peer could supply a crafted stream count near `SIZE_MAX / sizeof(LPSTREAM)`, causing the size calculation to overflow and producing an undersized allocation that subsequent writes would overflow. The fix adds explicit bounds c

#integer-overflow#cwe-190#clipboard+4 more
O
orbisai0security
Jun 1, 2026
high7 min

Prototype Pollution in defu's Defaults Argument via `__proto__` Key (CVE-2026-35209)

CVE-2026-35209 is a high-severity prototype pollution vulnerability in the `defu` JavaScript library (versions prior to 6.1.5) that allows attackers to inject arbitrary properties onto `Object.prototype` by passing a `__proto__` key in the defaults argument. The vulnerability was present in the `blog-site` project's dependency tree and was resolved by upgrading `defu` to 6.1.5 and adding an explicit `overrides` entry to prevent transitive re-introduction of the vulnerable version.

#prototype-pollution#cve-2026-35209#nodejs+4 more
O
orbisai0security
Jun 1, 2026
high7 min

DoS via Sparse Array Deserialization in devalue: CVE-2026-42570 Fixed

A high-severity Denial of Service vulnerability (CVE-2026-42570) was discovered in the `devalue` library used by the Orbis AppSec blog site, where maliciously crafted sparse arrays during deserialization could exhaust server resources. The fix upgrades `devalue` from version 5.6.4 to 5.8.1 in `blog-site/package-lock.json` and adds an explicit override in `package.json` to ensure the patched version is consistently enforced across the dependency tree. Left unpatched, this vulnerability could have

#cve-2026-42570#denial-of-service#devalue+4 more
O
orbisai0security
Jun 1, 2026
critical8 min

Unbounded strcpy() in FreezeProject/fs.c: How Four Lines Fixed a Critical Buffer Overflow

A critical buffer overflow vulnerability was discovered in `FreezeProject/src/fs.c`, where a custom `strcpy()` implementation was used at four separate call sites to copy user-controlled filenames into fixed-size buffers without any length checking. An attacker could supply a filename longer than the destination buffer to corrupt adjacent memory, potentially hijacking control flow or crashing the filesystem. The fix introduces a bounded `safe_strncpy()` helper that enforces the `MAX_FILENAME` li

#buffer-overflow#c-security#filesystem+4 more
O
orbisai0security
Jun 1, 2026
critical7 min

Guest-Controlled Buffer Overflow in virtio.c: How Four Unsafe memcpy Calls Threatened Host Memory

A critical buffer overflow vulnerability was discovered in `machine.virt/system/libs/arch_virt/src/virtio.c`, where four `memcpy` calls used length values sourced directly from guest-controlled virtio queue descriptor rings without validating them against the destination buffer size. An attacker operating a malicious guest VM could supply an oversized length (e.g., `0xFFFFFFFF`) to corrupt adjacent host heap memory, including function pointers and heap metadata. The fix introduces an explicit bo

#buffer-overflow#virtio#virtualization+4 more
O
orbisai0security
Jun 1, 2026
medium8 min

Unauthenticated Sync Protocol in odl_tb5_daemon_sync_proto.c Fixed with HMAC-SHA256

A medium-severity vulnerability in `daemon/src/odl_tb5_daemon_sync_proto.c` allowed any network entity that could reach the daemon's listening port to send crafted sync protocol messages without any authentication challenge. The fix introduces HMAC-SHA256 message authentication tags stamped directly into the sync header's reserved field, ensuring that only peers with the correct pre-shared key can send messages that the daemon will accept. This closes a significant attack surface that could have

#authentication#hmac#c-security+4 more
O
orbisai0security
Jun 1, 2026
high8 min

Unrevocable Backdoor: Fixing Token Invalidation in PersistentTokenBasedRememberMeServices

A high-severity security flaw in Halo's `PersistentTokenBasedRememberMeServices` allowed stolen remember-me tokens to remain permanently valid — even after expiration was detected. The vulnerable implementation explicitly documented that expired tokens would *not* be removed from storage, meaning an attacker who stole a cookie could retain access indefinitely. The fix ensures expired tokens are immediately deleted from storage the moment they are detected, closing a persistent backdoor.

#java#spring-security#remember-me+4 more
O
orbisai0security
Jun 1, 2026