Total
528 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-38013 | 1 Linux | 1 Linux Kernel | 2025-11-17 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request
Make sure that n_channels is set after allocating the
struct cfg80211_registered_device::int_scan_req member. Seen with
syzkaller:
UBSAN: array-index-out-of-bounds in net/mac80211/scan.c:1208:5
index 0 is out of range for type 'struct ieee80211_channel *[] __counted_by(n_channels)' (aka 'struct ieee80211_channel *[]')
This was missed in the initial ...
Show More |
|||||
| CVE-2025-47352 | 1 Qualcomm | 28 Fastconnect 7800, Fastconnect 7800 Firmware, Qcc2072 and 25 more | 2025-11-05 | N/A | 7.8 HIGH |
|
Memory corruption while processing audio streaming operations.
|
|||||
| CVE-2025-47361 | 1 Qualcomm | 56 Qam8255p, Qam8255p Firmware, Qam8295p and 53 more | 2025-11-05 | N/A | 7.8 HIGH |
|
Memory corruption when triggering a subsystem crash with an out-of-range identifier.
|
|||||
| CVE-2024-35164 | 1 Apache | 1 Guacamole | 2025-11-04 | N/A | 6.8 MEDIUM |
|
The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed
with the privileges of the running guacd process.
Users are recommended to upgrade to version 1.6.0, which fixes this issue.
|
|||||
| CVE-2023-40477 | 1 Rarlab | 1 Winrar | 2025-11-04 | N/A | 7.8 HIGH |
|
RARLAB WinRAR Recovery Volume Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of recovery volumes. The issue results from the lack of proper validation of user-supplied data, which ca ...
Show More |
|||||
| CVE-2023-31194 | 1 Diagon Project | 1 Diagon | 2025-11-04 | N/A | 5.3 MEDIUM |
|
An improper array index validation vulnerability exists in the GraphPlanar::Write functionality of Diagon v1.0.139. A specially crafted markdown file can lead to memory corruption. A victim would need to open a malicious file to trigger this vulnerability.
|
|||||
| CVE-2023-39235 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the out-of-bounds write when looping over `lt->num_time_ticks`.
|
|||||
| CVE-2023-39234 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple out-of-bounds write vulnerabilities exist in the VZT vzt_rd_process_block autosort functionality of GTKWave 3.3.115. A specially crafted .vzt file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the out-of-bounds write when looping over `lt->numrealfacs`.
|
|||||
| CVE-2023-35997 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the tdelta indexing when signal_lens is 2 or more.
|
|||||
| CVE-2023-35996 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the tdelta indexing when signal_lens is 0.
|
|||||
| CVE-2023-35995 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the tdelta indexing when signal_lens is 1.
|
|||||
| CVE-2023-35994 | 1 Tonybybell | 1 Gtkwave | 2025-11-04 | N/A | 7.8 HIGH |
|
Multiple improper array index validation vulnerabilities exist in the fstReaderIterBlocks2 tdelta functionality of GTKWave 3.3.115. A specially crafted .fst file can lead to arbitrary code execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns the tdelta initialization part.
|
|||||
| CVE-2024-38587 | 1 Linux | 1 Linux Kernel | 2025-11-04 | N/A | 5.3 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
speakup: Fix sizeof() vs ARRAY_SIZE() bug
The "buf" pointer is an array of u16 values. This code should be
using ARRAY_SIZE() (which is 256) instead of sizeof() (which is 512),
otherwise it can the still got out of bounds.
|
|||||
| CVE-2024-38552 | 1 Linux | 1 Linux Kernel | 2025-11-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix potential index out of bounds in color transformation function
Fixes index out of bounds issue in the color transformation function.
The issue could occur when the index 'i' exceeds the number of transfer
function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, an error message is
logged and the func ...
Show More |
|||||
| CVE-2024-36015 | 1 Linux | 1 Linux Kernel | 2025-11-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ppdev: Add an error check in register_device
In register_device, the return value of ida_simple_get is unchecked,
in witch ida_simple_get will use an invalid index value.
To address this issue, index should be checked after ida_simple_get. When
the index value is abnormal, a warning message should be printed, the port
should be dropped, and the value should be recorded.
|
|||||
| CVE-2024-31581 | 2 Fedoraproject, Ffmpeg | 2 Fedora, Ffmpeg | 2025-11-04 | N/A | 9.8 CRITICAL |
|
FFmpeg version n6.1 was discovered to contain an improper validation of array index vulnerability in libavcodec/cbs_h266_syntax_template.c. This vulnerability allows attackers to cause undefined behavior within the application.
|
|||||
| CVE-2024-26981 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-11-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix OOB in nilfs_set_de_type
The size of the nilfs_type_by_mode array in the fs/nilfs2/dir.c file is
defined as "S_IFMT >> S_SHIFT", but the nilfs_set_de_type() function,
which uses this array, specifies the index to read from the array in the
same way as "(mode & S_IFMT) >> S_SHIFT".
static void nilfs_set_de_type(struct nilfs_dir_entry *de, struct inode
*inode)
{
umode_t mode = inode->i_mode;
de->file_type = nilf ...
Show More |
|||||
| CVE-2023-36308 | 1 Disintegration | 1 Imaging | 2025-11-04 | N/A | 5.5 MEDIUM |
|
disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequence
|
|||||
| CVE-2025-37752 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2025-11-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
net_sched: sch_sfq: move the limit validation
It is not sufficient to directly validate the limit on the data that
the user passes as it can be updated based on how the other parameters
are changed.
Move the check at the end of the configuration update process to also
catch scenarios where the limit is indirectly updated, for example
with the following configurations:
tc qdisc add dev dummy0 handle 1: root sfq limit 2 flows ...
Show More |
|||||
| CVE-2023-27349 | 1 Bluez | 1 Bluez | 2025-11-04 | N/A | 8.0 HIGH |
|
BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can resu ...
Show More |
|||||
| CVE-2024-50007 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ALSA: asihpi: Fix potential OOB array access
ASIHPI driver stores some values in the static array upon a response
from the driver, and its index depends on the firmware. We shouldn't
trust it blindly.
This patch adds a sanity check of the array index to fit in the array
size.
|
|||||
| CVE-2024-49969 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in DCN30 color transformation
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color
management module. The issue could occur when the index 'i' exceeds the
number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function ...
Show More |
|||||
| CVE-2024-49930 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath11k: fix array out-of-bound access in SoC stats
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()
function access ath11k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To fix
this issue, mod ...
Show More |
|||||
| CVE-2024-49895 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30
color management module. The issue could occur when the index 'i'
exceeds the number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before access ...
Show More |
|||||
| CVE-2024-49894 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix index out of bounds in degamma hardware format translation
Fixes index out of bounds issue in
`cm_helper_translate_curve_to_degamma_hw_format` function. The issue
could occur when the index 'i' exceeds the number of transfer function
points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds the function returns ...
Show More |
|||||
| CVE-2024-46871 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX
[Why & How]
It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller
number to create array dmub_callback & dmub_thread_offload has potential to access
item out of array bound. Fix it.
|
|||||
| CVE-2024-46859 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses
The panasonic laptop code in various places uses the SINF array with index
values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array
is big enough.
Not all panasonic laptops have this many SINF array entries, for example
the Toughbook CF-18 model only has 10 SINF array entries. So it only
supports the AC+DC brightness entries and mute.
Check ...
Show More |
|||||
| CVE-2024-46836 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: aspeed_udc: validate endpoint index for ast udc
We should verify the bound of the array to assure that host
may not manipulate the index to point past endpoint array.
Found by static analysis.
|
|||||
| CVE-2024-46821 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/pm: Fix negative array index read
Avoid using the negative values
for clk_idex as an index into an array pptable->DpmDescriptor.
V2: fix clk_index return check (Tim Huang)
|
|||||
| CVE-2024-46818 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check gpio_id before used as array index
[WHY & HOW]
GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore
should be checked in advance.
This fixes 5 OVERRUN issues reported by Coverity.
|
|||||
| CVE-2024-46814 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check msg_id before processing transcation
[WHY & HOW]
HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid
array index, and it needs checking before used.
This fixes 4 OVERRUN issues reported by Coverity.
|
|||||
| CVE-2024-46804 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Add array index check for hdcp ddc access
[Why]
Coverity reports OVERRUN warning. Do not check if array
index valid.
[How]
Check msg_id valid and valid array index.
|
|||||
| CVE-2024-43858 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
jfs: Fix array-index-out-of-bounds in diFree
|
|||||
| CVE-2024-43842 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw89: Fix array index mistake in rtw89_sta_info_get_iter()
In rtw89_sta_info_get_iter() 'status->he_gi' is compared to array size.
But then 'rate->he_gi' is used as array index instead of 'status->he_gi'.
This can lead to go beyond array boundaries in case of 'rate->he_gi' is
not equal to 'status->he_gi' and is bigger than array size. Looks like
"copy-paste" mistake.
Fix this mistake by replacing 'rate->he_gi' with 'st ...
Show More |
|||||
| CVE-2024-42301 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
dev/parport: fix the array out-of-bounds risk
Fixed array out-of-bounds issues caused by sprintf
by replacing it with snprintf for safer data copying,
ensuring the destination buffer is not overflowed.
Below is the stack trace I encountered during the actual issue:
[ 66.575408s] [pid:5118,cpu4,QThread,4]Kernel panic - not syncing: stack-protector:
Kernel stack is corrupted in: do_hardware_base_addr+0xcc/0xd0 [parport]
[ 66.5 ...
Show More |
|||||
| CVE-2024-42148 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
bnx2x: Fix multiple UBSAN array-index-out-of-bounds
Fix UBSAN warnings that occur when using a system with 32 physical
cpu cores or more, or when the user defines a number of Ethernet
queues greater than or equal to FP_SB_MAX_E1x using the num_queues
module parameter.
Currently there is a read/write out of bounds that occurs on the array
"struct stats_query_entry query" present inside the "bnx2x_fw_stats_req"
struct in "drive ...
Show More |
|||||
| CVE-2024-42121 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check index msg_id before read or write
[WHAT]
msg_id is used as an array index and it cannot be a negative value, and
therefore cannot be equal to MOD_HDCP_MESSAGE_ID_INVALID (-1).
[HOW]
Check whether msg_id is valid before reading and setting.
This fixes 4 OVERRUN issues reported by Coverity.
|
|||||
| CVE-2024-42120 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Check pipe offset before setting vblank
pipe_ctx has a size of MAX_PIPES so checking its index before accessing
the array.
This fixes an OVERRUN issue reported by Coverity.
|
|||||
| CVE-2024-42092 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
gpio: davinci: Validate the obtained number of IRQs
Value of pdata->gpio_unbanked is taken from Device Tree. In case of broken
DT due to any error this value can be any. Without this value validation
there can be out of chips->irqs array boundaries access in
davinci_gpio_probe().
Validate the obtained nirq value so that it won't exceed the maximum
number of IRQs per bank.
Found by Linux Verification Center (linuxtesting.org) ...
Show More |
|||||
| CVE-2024-41028 | 1 Linux | 1 Linux Kernel | 2025-11-03 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: toshiba_acpi: Fix array out-of-bounds access
In order to use toshiba_dmi_quirks[] together with the standard DMI
matching functions, it must be terminated by a empty entry.
Since this entry is missing, an array out-of-bounds access occurs
every time the quirk list is processed.
Fix this by adding the terminating empty entry.
|
|||||