Total
4009 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48986 | 1 Arm | 1 Mbed | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in MBed OS 6.16.0. Its hci parsing software dynamically determines the length of certain hci packets by reading a byte from its header. Certain events cause a callback, the logic for which allocates a buffer (the length of which is determined by looking up the event type in a table). The subsequent write operation, however, copies the amount of data specified in the packet header, which may lead to a buffer overflow. This bug is trivial to exploit for a denial of service but is not certain to suffice to bring the system down and can generally not be exploited further because the exploitable buffer is dynamically allocated. | |||||
| CVE-2024-48985 | 1 Arm | 1 Mbed | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet data by reading 2 bytes from the packet data. A buffer is then allocated to contain the entire packet, the size of which is calculated as the length of the packet body determined earlier and the header length. If the allocate fails because the specified packet is too large, no exception handling occurs and hciTrSerialRxIncoming continues to write bytes into the 4-byte large temporary header buffer, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to the buffer that is supposed to receive the contents of the packet body but which couldn't be allocated. One can then overwrite the state variable used by the function to determine which step of the parsing process is currently being executed. This advances the function to the next state, where it proceeds to copy data to that arbitrary location. The packet body is then written wherever the corrupted data pointer is pointing. | |||||
| CVE-2024-48984 | 1 Arm | 1 Mbed Os | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue was discovered in MBed OS 6.16.0. When parsing hci reports, the hci parsing software dynamically determines the length of a list of reports by reading a byte from an input stream. It then fetches the length of the first report, uses it to calculate the beginning of the second report, etc. In doing this, it tracks the largest report so it can later allocate a buffer that fits every individual report (but only one at a time). It does not, however, validate that these addresses are all contained within the buffer passed to hciEvtProcessLeExtAdvReport. It is then possible, though unlikely, that the buffer designated to hold the reports is allocated in such a way that one of these out-of-bounds length fields is contained within the new buffer. When the (n-1)th report is copied, it overwrites the length field of the nth report. This now corrupted length field is then used for a memcpy into the new buffer, which may lead to a buffer overflow. | |||||
| CVE-2024-48982 | 1 Arm | 1 Mbed | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in MBed OS 6.16.0. Its hci parsing software dynamically determines the length of certain hci packets by reading a byte from its header. This value is assumed to be greater than or equal to 3, but the software doesn't ensure that this is the case. Supplying a length less than 3 leads to a buffer overflow in a buffer that is allocated later. It is simultaneously possible to cause another integer overflow by supplying large length values because the provided length value is increased by a few bytes to account for additional information that is supposed to be stored there. This bug is trivial to exploit for a denial of service but is not certain to suffice to bring the system down and can generally not be exploited further because the exploitable buffer is dynamically allocated. | |||||
| CVE-2024-48981 | 1 Arm | 1 Mbed | 2026-06-17 | N/A | 7.5 HIGH |
| An issue was discovered in MBed OS 6.16.0. During processing of HCI packets, the software dynamically determines the length of the packet header by looking up the identifying first byte and matching it against a table of possible lengths. The initial parsing function, hciTrSerialRxIncoming does not drop packets with invalid identifiers but also does not set a safe default for the length of unknown packets' headers, leading to a buffer overflow. This can be leveraged into an arbitrary write by an attacker. It is possible to overwrite the pointer to a not-yet-allocated buffer that is supposed to receive the contents of the packet body. One can then overwrite the state variable used by the function to determine which state of packet parsing is currently occurring. Because the buffer is allocated when the last byte of the header has been copied, the combination of having a bad header length variable that will never match the counter variable and being able to overwrite the state variable with the resulting buffer overflow can be used to advance the function to the next step while skipping the buffer allocation and resulting pointer write. The next 16 bytes from the packet body are then written wherever the corrupted data pointer is pointing. | |||||
| CVE-2024-48806 | 2026-06-17 | N/A | 6.8 MEDIUM | ||
| Buffer Overflow vulnerability in Neat Board NFC v.1.20240620.0015 allows a physically proximate attackers to escalate privileges via a crafted payload to the password field | |||||
| CVE-2024-48714 | 1 Tp-link | 2 Tl-wdr7660, Tl-wdr7660 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| In TP-Link TL-WDR7660 v1.0, the guestRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. | |||||
| CVE-2024-48713 | 1 Tp-link | 2 Tl-wdr7660, Tl-wdr7660 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| In TP-Link TL-WDR7660 1.0, the wacWhitelistJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. | |||||
| CVE-2024-48712 | 1 Tp-link | 2 Tl-wdr7660, Tl-wdr7660 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| In TP-Link TL-WDR7660 1.0, the rtRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. | |||||
| CVE-2024-48710 | 1 Tp-link | 2 Tl-wdr7660, Tl-wdr7660 Firmware | 2026-06-17 | N/A | 6.5 MEDIUM |
| In TP-Link TL-WDR7660 1.0, the wlanTimerRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. | |||||
| CVE-2024-48519 | 2026-06-17 | N/A | 6.2 MEDIUM | ||
| Buffer Overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp, ArduRover, ADIS1647x Sensor component. | |||||
| CVE-2024-48426 | 1 Assimp | 1 Assimp | 2026-06-17 | N/A | 6.2 MEDIUM |
| A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz testing with AddressSanitizer. The crash occurred due to a read access to an invalid memory address (0x1000c9714971). | |||||
| CVE-2024-48425 | 1 Assimp | 1 Assimp | 2026-06-17 | N/A | 5.5 MEDIUM |
| A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the Assimp library during fuzz testing using AddressSanitizer. The crash occurs due to a read access violation at address 0x000000000460, which points to the zero page, indicating a null or invalid pointer dereference. | |||||
| CVE-2024-48424 | 1 Assimp | 1 Assimp | 2026-06-17 | N/A | 5.5 MEDIUM |
| A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files. | |||||
| CVE-2024-48420 | 1 Edimax | 2 Br-6476ac, Br-6476ac Firmware | 2026-06-17 | N/A | 8.8 HIGH |
| Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/getWifiBasic. | |||||
| CVE-2024-48416 | 1 Edimax | 2 Br-6476ac, Br-6476ac Firmware | 2026-06-17 | N/A | 8.8 HIGH |
| Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/fromSetLanDhcpsClientbinding. | |||||
| CVE-2024-48406 | 2026-06-17 | N/A | 9.8 CRITICAL | ||
| Buffer Overflow vulnerability in SunBK201 umicat through v.0.3.2 and fixed in v.0.3.3 allows an attacker to execute arbitrary code via the power(uct_int_t x, uct_int_t n) in src/uct_upstream.c. | |||||
| CVE-2024-48289 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| An issue in the Bluetooth Low Energy implementation of Cypress Bluetooth SDK v3.66 allows attackers to cause a Denial of Service (DoS) via supplying a crafted LL_PAUSE_ENC_REQ packet. | |||||
| CVE-2024-48150 | 1 Dlink | 2 Dir-820l, Dir-820l Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the sub_451208 function. | |||||
| CVE-2024-47864 | 2026-06-17 | N/A | 5.3 MEDIUM | ||
| home 5G HR02, Wi-Fi STATION SH-52B, and Wi-Fi STATION SH-54C contain a buffer overflow vulnerability in the hidden debug function. A remote unauthenticated attacker may get the web console of the product down. | |||||