Security Research

Security Blog

Page 4

critical · 8 min

Critical Buffer Overflow in IPv6 Parsing: How a Wrong Array Size Could Crash Your App

A critical buffer overflow vulnerability was discovered in `uv-common.c`, where a hardcoded 40-byte buffer was used to store IPv6 addresses. The longest valid textual IPv6 form (six hex groups followed by an embedded dotted-quad IPv4 tail, such as `ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255`) is 45 characters, so with its terminating NUL it needs 46 bytes, leaving the buffer 6 bytes too small. An attacker supplying a crafted, oversized IP address string could trigger a stack or heap buffer overflow, potentially leading to remote code execution or application crashes. The fix replaces the magic number with the platform-defined `INET6_ADDRSTRLEN` constant (46), ensuring the bu

#buffer-overflow #c-security #network-security (+4 more)
orbisai0security
May 28, 2026
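The sizing rule behind this fix, as an added example written for this listing rather than code from libuv or `uv-common.c`: an untrusted address string is first validated with `inet_pton()`, then only stored if it fits, and a re-serialised copy via `inet_ntop()` can never exceed `INET6_ADDRSTRLEN`. `BAD_BUF_SIZE`, the helper names and the sample addresses are assumptions made for the demonstration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from uv-common.c or libuv. */

/* The widest textual IPv6 form: six hex groups plus an embedded dotted-quad
 * IPv4 tail. That is 45 characters, so 46 bytes with the terminator,
 * which is exactly what INET6_ADDRSTRLEN is defined to hold. */
#define LONGEST_IPV6_TEXT "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"

/* Hypothetical size of the original hard-coded buffer. */
#define BAD_BUF_SIZE 40

/* Validate an untrusted textual IPv6 address and copy it into dst.
 * Returns 0 on success, -1 if the text is not a well-formed IPv6 address,
 * -2 if it would not fit in dst (terminator included). */
int store_ipv6_text(const char *untrusted, char *dst, size_t dstlen)
{
    struct in6_addr addr;

    if (untrusted == NULL || dst == NULL || dstlen == 0)
        return -2;
    if (inet_pton(AF_INET6, untrusted, &addr) != 1)
        return -1;

    size_t n = strlen(untrusted);
    if (n >= dstlen)            /* need n + 1 bytes for the NUL */
        return -2;
    memcpy(dst, untrusted, n + 1);
    return 0;
}

/* Parse then re-serialise: inet_ntop() cannot overflow a buffer that is
 * INET6_ADDRSTRLEN bytes long, and the output is canonical.
 * Returns 0 on success, -1 if the input does not parse. */
int canonical_ipv6_text(const char *untrusted, char out[INET6_ADDRSTRLEN])
{
    struct in6_addr addr;

    if (inet_pton(AF_INET6, untrusted, &addr) != 1)
        return -1;
    if (inet_ntop(AF_INET6, &addr, out, INET6_ADDRSTRLEN) == NULL)
        return -1;
    return 0;
}

/* Bytes the longest form needs, terminator included. */
size_t longest_ipv6_text_bytes(void)
{
    return strlen(LONGEST_IPV6_TEXT) + 1;
}

/* Try to store s into a buffer of cap bytes (cap <= INET6_ADDRSTRLEN)
 * and report the result code of store_ipv6_text(). */
int try_store(const char *s, size_t cap)
{
    char buf[INET6_ADDRSTRLEN];
    if (cap > sizeof buf)
        return -2;
    return store_ipv6_text(s, buf, cap);
}

/* Length of the canonical form of s, or -1 if s does not parse. */
int canonical_len(const char *s)
{
    char buf[INET6_ADDRSTRLEN];
    if (canonical_ipv6_text(s, buf) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    printf("longest form needs %zu bytes; INET6_ADDRSTRLEN is %d\n",
           longest_ipv6_text_bytes(), INET6_ADDRSTRLEN);
    printf("store into %d-byte buffer: %d (-2 = would overflow)\n",
           BAD_BUF_SIZE, try_store(LONGEST_IPV6_TEXT, BAD_BUF_SIZE));
    if (canonical_ipv6_text(LONGEST_IPV6_TEXT, buf) == 0)
        printf("canonical: %s\n", buf);
    return 0;
}
```

The two-step parse-then-store approach also rejects strings that merely look long but are not addresses, which is the usual shape of the crafted input the summary describes.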
critical · 7 min

Stack Buffer Overflow in FTM File Parser: How strcpy() Almost Enabled Arbitrary Code Execution on ESP32

A critical stack buffer overflow vulnerability was discovered in `ftm_file.cpp`, where unchecked `strcpy()` calls allowed attacker-controlled filenames from crafted FTM files to overwrite stack memory, including the saved return address, enabling arbitrary code execution on ESP32 devices. The fix replaces both dangerous `strcpy()` calls with bounds-checked `strncpy()` plus explicit null-termination, eliminating the overflow vector entirely. This is a textbook reminder that unsafe C string functi

#buffer-overflow #c-cpp #embedded-security (+4 more)
orbisai0security
May 28, 2026
critical · 8 min

Critical Kernel Buffer Overflow Fixed in BPF x86 Native Lab Module

A critical buffer overflow vulnerability (CWE-120) was discovered and patched in `module/x86/bpf_x86_native_lab.c`, where a bounds check on BPF blob length was only performed inside an `emit` conditional branch — leaving a window for kernel memory corruption when `emit` was false. The fix relocates the length validation before any branching logic, ensuring no code path can proceed with an oversized blob. This type of kernel-level vulnerability is particularly dangerous because successful exploit

#kernel-security #buffer-overflow #bpf (+4 more)
orbisai0security
May 28, 2026
high · 8 min

When Network Frames Attack: Fixing a Heap Buffer Overflow in lwIP's Hosted Driver

A critical heap buffer overflow vulnerability was discovered in the `lwip_hosted_rx_input` function of the lwIP hosted wireless driver, where raw network frames from an ESP-hosted interface were copied into packet buffers without validating the frame length against the buffer's maximum capacity. Because `pbuf_alloc` takes its length as a 16-bit unsigned `u16_t`, an attacker on the same wireless network could craft a packet with an oversized length field, causing silent integer truncation and subseque

#buffer-overflow #embedded-security #lwip (+4 more)
orbisai0security
May 28, 2026
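The truncation the summary above describes, as an added example that is not code from lwIP or the hosted driver: a frame length wider than 16 bits is cut down to its low 16 bits by the conversion to `u16_t`, so the allocation is short while the later `memcpy` still uses the full length. `fake_pbuf`, `fake_pbuf_alloc`, `MAX_FRAME_LEN` and `hosted_rx_input_checked` are stand-ins constructed for this demonstration; the only property borrowed from lwIP is the 16-bit allocation length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an lwIP pbuf; not lwIP's struct pbuf. */
typedef uint16_t u16_t;
struct fake_pbuf {
    u16_t    len;
    uint8_t *payload;
};

/* Hypothetical upper bound for an Ethernet-sized frame from the host. */
#define MAX_FRAME_LEN 1514u

static struct fake_pbuf *fake_pbuf_alloc(u16_t len)
{
    struct fake_pbuf *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->payload = malloc(len ? len : 1);
    if (!p->payload) { free(p); return NULL; }
    p->len = len;
    return p;
}

static void fake_pbuf_free(struct fake_pbuf *p)
{
    if (p) { free(p->payload); free(p); }
}

/* What the vulnerable pattern hands to the allocator: the reported frame
 * length reduced modulo 65536 by the u16_t conversion. A memcpy of the
 * original frame_len bytes into that buffer then overruns the heap. */
u16_t truncated_alloc_len(size_t frame_len)
{
    return (u16_t)frame_len;
}

/* Hardened receive path: reject before any cast or copy happens.
 * Returns 0 and fills *out on success, -1 for a bad or oversized frame,
 * -2 on allocation failure. */
int hosted_rx_input_checked(const uint8_t *frame, size_t frame_len,
                            struct fake_pbuf **out)
{
    *out = NULL;
    /* MAX_FRAME_LEN < UINT16_MAX, so the cast below cannot truncate. */
    if (frame == NULL || frame_len == 0 || frame_len > MAX_FRAME_LEN)
        return -1;
    struct fake_pbuf *p = fake_pbuf_alloc((u16_t)frame_len);
    if (!p) return -2;
    memcpy(p->payload, frame, frame_len);   /* frame_len == p->len here */
    *out = p;
    return 0;
}

/* Feed a constructed zero-filled frame of the given length through the
 * checked path and report the result code. */
int rx_result_for_len(size_t frame_len)
{
    uint8_t *frame = calloc(frame_len ? frame_len : 1, 1);
    if (!frame) return -2;
    struct fake_pbuf *p = NULL;
    int rc = hosted_rx_input_checked(frame, frame_len, &p);
    if (rc == 0 && p->len != frame_len)
        rc = -3;                            /* must never happen */
    fake_pbuf_free(p);
    free(frame);
    return rc;
}
```

The check is placed against the driver's own frame bound rather than `UINT16_MAX`, which is the smaller of the two and is what the receive buffers are actually sized for.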
critical · 8 min

Critical Buffer Overflow in OpenCC C Library: How a sprintf() Call Became a Security Vulnerability

A critical buffer overflow vulnerability was discovered in the OpenCC C library's configuration reader, where an unbounded `sprintf()` call could allow attackers to overflow a fixed-size buffer by supplying malformed configuration files with excessively long path components. The fix replaces `sprintf()` with `snprintf()` and adds proper line-length validation to prevent memory corruption attacks. Left unpatched, this vulnerability could have allowed attackers to overwrite return addresses and fu

#buffer-overflow #c-security #sprintf (+4 more)
orbisai0security
May 28, 2026
critical · 8 min

Critical Null Pointer Dereference Fixed in Wii Input Handler: How One Missing NULL Check Could Crash Your Game

A critical null pointer dereference vulnerability was discovered in `source/input.c`, where the `GetIRPointer()` function accessed WPAD controller data without first verifying the pointer was valid. An attacker or unexpected hardware state could trigger this flaw to crash the application or, in more sophisticated scenarios, redirect execution flow. The fix adds a single but essential NULL check before dereferencing the pointer, closing this particular path.

#null-pointer #c-programming #input-handling (+4 more)
orbisai0security
May 28, 2026
medium · 8 min

Buffer Overflow via Unsafe sprintf() in C Game Menu: How Shared Campaign Files Could Lead to Code Execution

A series of unbounded `sprintf()` calls in `src/mainmenu.c` created a realistic buffer overflow attack chain, allowing an attacker to craft a malicious campaign file that triggers arbitrary code execution when loaded by a victim. The fix replaces each unsafe `sprintf()` with `snprintf()`, enforcing strict buffer size limits and eliminating the overflow conditions. Because campaign files are routinely shared in game communities, this vulnerability required no special access and posed a significan

#buffer-overflow #c-security #sprintf (+4 more)
orbisai0security
May 28, 2026
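The two replacements the FTM parser, OpenCC and game-menu entries above rely on (`strncpy()` with an explicit terminator, and `snprintf()` in place of `sprintf()`) each have a pitfall the summaries do not show: `strncpy()` leaves the destination unterminated when the source is too long, and `snprintf()` reports truncation only through its return value. This added example, written for this listing and not taken from any of those projects, handles both; `NAME_MAX_LEN`, `PATH_BUF_LEN`, the `/data/campaigns` directory and the `.sav` suffix are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example; not code from ftm_file.cpp, OpenCC or mainmenu.c. */

#define NAME_MAX_LEN 32   /* hypothetical fixed-width name field */
#define PATH_BUF_LEN 48   /* hypothetical fixed path buffer */

/* strncpy() that always terminates. strncpy() alone leaves dst without a
 * NUL when src has dstlen or more bytes, so the terminator is written
 * explicitly. Returns 0, or -1 if src did not fit and was cut short. */
int copy_name(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return -1;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(src) < dstlen ? 0 : -1;
}

/* snprintf() replacement for sprintf(): never writes past dstlen, and the
 * return value says whether the output was cut. Returns the number of
 * characters written, or -1 on truncation or encoding error, in which
 * case dst is emptied rather than left holding a partial path. */
int build_path(char *dst, size_t dstlen, const char *dir, const char *name)
{
    int n = snprintf(dst, dstlen, "%s/%s.sav", dir, name);
    if (n < 0 || (size_t)n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Simulate loading a shared file whose name field is attacker controlled.
 * Returns the length of the resulting path, -1 if the name was rejected,
 * -2 if the path did not fit. */
int load_entry_result(const char *untrusted_name)
{
    char name[NAME_MAX_LEN];
    char path[PATH_BUF_LEN];

    if (copy_name(name, sizeof name, untrusted_name) != 0)
        return -1;
    if (build_path(path, sizeof path, "/data/campaigns", name) < 0)
        return -2;
    return (int)strlen(path);
}

int main(void)
{
    const char *samples[] = {
        "level1",                                        /* constructed */
        "abcdefghijklmnopqrstuvwxyz01234",               /* 31 chars */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* 48 chars */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s -> %d\n", samples[i], load_entry_result(samples[i]));
    return 0;
}
```

Rejecting a truncated name outright, rather than silently using the shortened one, matters for file paths: a cut-off name can resolve to a different file than the one the user chose.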
critical · 8 min

Heap Buffer Overflow in Path Normalization: How Two Unsafe memcpy Calls Almost Became a Critical Exploit

A critical heap buffer overflow vulnerability was discovered and patched in `src/aux.c`, where two `memcpy` calls in a path normalization function copied data into buffers without verifying sufficient capacity. An attacker capable of influencing the current working directory path — through deeply nested directories or crafted symlinks — could trigger heap corruption with potentially severe consequences. The fix introduces an integer overflow guard that ensures buffer allocation math cannot wrap

#c #buffer-overflow #heap-corruption (+4 more)
orbisai0security
May 28, 2026
critical · 9 min

Critical Memory Safety Vulnerabilities in FITS File Processing: Buffer Overflows, Integer Overflows, and Unsafe String Operations Fixed

A critical set of memory safety vulnerabilities was discovered and patched in `src/try_to_guess_image_fov.c`, a C-based FITS astronomical image processing pipeline. The vulnerabilities — including unsafe string operations, improper memory allocation, and potential integer overflows — created a comprehensive attack surface that could allow an attacker to craft a malicious FITS file and achieve arbitrary code execution. The fix replaces dangerous patterns like `strncpy` with `snprintf`, switches `

#buffer-overflow #memory-safety #c-programming (+4 more)
orbisai0security
May 28, 2026
high · 8 min

CVE-2026-41676: Fixing a High-Severity rust-openssl Vulnerability by Upgrading to 0.10.78

CVE-2026-41676 is a high-severity vulnerability in the `openssl` crate (the rust-openssl project), which provides OpenSSL bindings for Rust applications. The fix involves upgrading the dependency from version 0.10.75 to 0.10.78 in the project's Cargo.lock file, closing a security gap that could expose applications to adversarial exploitation. Keeping cryptographic dependencies current is one of the most impactful and straightforward security practices any Rust team can adopt.

#rust #openssl #cve (+4 more)
orbisai0security
May 28, 2026
critical · 9 min

Critical Buffer Overflow in gravier-str.h: How Broken Bit Shifts and Missing Bounds Checks Created a Memory Corruption Vulnerability

A critical buffer overflow vulnerability was discovered in `gravier/gravier-str.h`, where a subtle typo in the `next_power_of_2()` function combined with off-by-one allocation errors and unchecked `strcpy()` calls created a dangerous memory corruption pathway. Because this code was directly reachable from user-facing menu text input and the s7 scripting engine, an attacker could potentially exploit it to crash the application or execute arbitrary code. The fix corrects the broken bit-shift opera

#buffer-overflow #c-security #memory-safety (+4 more)
orbisai0security
May 28, 2026
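A correct `next_power_of_2()` and the capacity rule that goes with it, as an added example written for this listing rather than code from gravier-str.h: the bit-smearing form below cannot be broken by a single wrong shift without failing the checks, it reports overflow instead of wrapping, and the +1 for the terminator is applied before rounding, which is where the off-by-one in the summary lives. The `gstr` buffer type and its functions are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from gravier-str.h. */

/* Smallest power of two that is >= n, by smearing the highest set bit
 * rightwards and adding one. Returns 0 when the result would not fit in
 * size_t; callers must treat that as an allocation failure. */
size_t next_power_of_2(size_t n)
{
    const unsigned bits = (unsigned)(sizeof(size_t) * 8);
    if (n <= 1)
        return 1;
    if (n > ((size_t)1 << (bits - 1)))
        return 0;                       /* would need 2^bits */
    n--;
    for (unsigned shift = 1; shift < bits; shift <<= 1)
        n |= n >> shift;                /* 1, 2, 4, ... covers every width */
    return n + 1;
}

/* Bytes needed for a string of len characters plus its terminator, rounded
 * up to a power of two. The +1 must happen before rounding: an 8-character
 * string needs 9 bytes, so it gets 16, not 8. Returns 0 on overflow. */
size_t string_capacity_for(size_t len)
{
    if (len == SIZE_MAX)
        return 0;
    return next_power_of_2(len + 1);
}

/* Growable string using the capacity rule above. */
struct gstr {
    char  *data;
    size_t len;
    size_t cap;
};

/* Append src; returns 0, or -1 on overflow or allocation failure. */
int gstr_append(struct gstr *s, const char *src)
{
    size_t add = strlen(src);
    if (add > SIZE_MAX - s->len)
        return -1;
    size_t need = string_capacity_for(s->len + add);
    if (need == 0)
        return -1;
    if (need > s->cap) {
        char *p = realloc(s->data, need);
        if (!p)
            return -1;
        s->data = p;
        s->cap  = need;
    }
    memcpy(s->data + s->len, src, add + 1);   /* copies the NUL as well */
    s->len += add;
    return 0;
}

void gstr_free(struct gstr *s)
{
    free(s->data);
    s->data = NULL;
    s->len = s->cap = 0;
}

/* Append a then b to an empty gstr and return the final length, -1 on
 * failure, or -2 if the terminator invariant (cap > len) was broken. */
long gstr_demo_len(const char *a, const char *b)
{
    struct gstr s = {0};
    if (gstr_append(&s, a) != 0 || gstr_append(&s, b) != 0) {
        gstr_free(&s);
        return -1;
    }
    long r = (long)s.len;
    if (s.cap < s.len + 1)
        r = -2;
    gstr_free(&s);
    return r;
}
```

Returning 0 on overflow rather than wrapping to a tiny allocation is the difference between a clean failure and the heap corruption the entry describes.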
critical · 8 min

Critical Buffer Overflow in Audio Processor: How Unvalidated memcpy Sizes Can Compromise Your App

A critical buffer overflow vulnerability was discovered in RapidSpeech's `audio_processor.cpp`, where multiple `memcpy` calls used externally-influenced size parameters without validating destination buffer capacity. An attacker supplying crafted audio or model input could trigger out-of-bounds memory writes, potentially leading to crashes, memory corruption, or arbitrary code execution. The fix introduces explicit bounds checking before each copy operation, ensuring offsets never exceed allocat

#buffer-overflow #cpp #memory-safety (+4 more)
orbisai0security
May 28, 2026
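The checked-copy discipline behind the path-normalization entry (`src/aux.c`) and the audio-processor entry (`audio_processor.cpp`) above, as one added example that is not code from either project: size arithmetic is guarded against wrap before it feeds `malloc`, and every `memcpy` into a fixed-capacity destination is validated against offset and capacity in a form that itself cannot overflow. `join_path`, `checked_copy` and the 16-byte scratch buffer are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not code from src/aux.c or audio_processor.cpp. */

/* Join dir and name with '/', allocating exactly the bytes needed. Each
 * addition is guarded before it is used for malloc or memcpy, so a very
 * long directory path cannot wrap the total to a small allocation that
 * the copies then overrun. Returns NULL on overflow or out of memory. */
char *join_path(const char *dir, const char *name)
{
    size_t dlen = strlen(dir);
    size_t nlen = strlen(name);

    /* total = dlen + 1 ('/') + nlen + 1 (NUL), checked piecewise */
    if (dlen > SIZE_MAX - 2 || nlen > SIZE_MAX - 2 - dlen)
        return NULL;
    size_t total = dlen + nlen + 2;

    char *out = malloc(total);
    if (!out)
        return NULL;
    memcpy(out, dir, dlen);
    out[dlen] = '/';
    memcpy(out + dlen + 1, name, nlen + 1);   /* includes the NUL */
    return out;
}

/* Bounded copy into dst at an offset. The check is written so that it
 * cannot itself overflow (no offset + n), and dst is untouched on any
 * rejected request. Returns 0 on success, -1 if out of range. */
int checked_copy(uint8_t *dst, size_t dst_cap, size_t offset,
                 const uint8_t *src, size_t n)
{
    if (offset > dst_cap || n > dst_cap - offset)
        return -1;
    memcpy(dst + offset, src, n);
    return 0;
}

/* Length of join_path(dir, name), or -1 if it refused. */
long join_path_len(const char *dir, const char *name)
{
    char *p = join_path(dir, name);
    if (!p)
        return -1;
    long r = (long)strlen(p);
    free(p);
    return r;
}

/* Exercise checked_copy against a 16-byte scratch buffer. Any accepted
 * request has n <= 16 - offset, so a 16-byte source is always enough. */
int checked_copy_result(size_t offset, size_t n)
{
    uint8_t scratch[16] = {0};
    uint8_t src[16];
    memset(src, 0xAA, sizeof src);            /* constructed payload */
    return checked_copy(scratch, sizeof scratch, offset, src, n);
}
```

The `n > dst_cap - offset` form is deliberate: the more natural `offset + n > dst_cap` can wrap for large `n`, which is exactly the class of arithmetic the path-normalization fix guards against.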