Total
149 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-10021 | 2026-04-15 | N/A | N/A | ||
| A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios. | |||||
| CVE-2026-5888 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-13 | N/A | 6.5 MEDIUM |
| Uninitialized Use in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2026-2806 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 9.1 CRITICAL |
| Uninitialized memory in the Graphics: Text component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | |||||
| CVE-2025-9181 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 6.5 MEDIUM |
| Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. | |||||
| CVE-2025-8027 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-13 | N/A | 6.5 MEDIUM |
| On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1. | |||||
| CVE-2026-4147 | 1 Mongodb | 1 Mongodb | 2026-04-10 | N/A | 6.5 MEDIUM |
| An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command. | |||||
| CVE-2026-34608 | 1 Emqx | 1 Nanomq | 2026-04-10 | N/A | 4.9 MEDIUM |
| NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to version 0.24.10, in NanoMQ's webhook_inproc.c, the hook_work_cb() function processes nng messages by parsing the message body with cJSON_Parse(body). The body is obtained from nng_msg_body(msg), which is a binary buffer without a guaranteed null terminator. This leads to an out-of-bounds read (OOB read) as cJSON_Parse reads until it finds a \0, potentially accessing memory beyond the allocated buffer (e.g., nng_msg metadata or adjacent heap/stack). The issue is often masked by nng's allocation padding (extra 32 bytes of zeros for non-power-of-two sizes <1024 or non-aligned). The overflow is reliably triggered when the JSON payload length is a power-of-two >=1024 (no padding added). This issue has been patched in version 0.24.10. | |||||
| CVE-2024-47540 | 1 Gstreamer | 1 Gstreamer | 2026-03-17 | N/A | 9.8 CRITICAL |
| GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10. | |||||
| CVE-2026-1333 | 1 3ds | 1 Solidworks Edrawings | 2026-02-26 | N/A | 7.8 HIGH |
| A Use of Uninitialized Variable vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | |||||
| CVE-2025-58466 | 1 Qnap | 2 Qts, Quts Hero | 2026-02-12 | N/A | 4.9 MEDIUM |
| A use of uninitialized variable vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to denial of service conditions, or modify control flow in unexpected ways. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later | |||||
| CVE-2025-47348 | 1 Qualcomm | 408 Aqt1000, Aqt1000 Firmware, Ar8035 and 405 more | 2026-01-28 | N/A | 7.8 HIGH |
| Memory corruption while processing identity credential operations in the trusted application. | |||||
| CVE-2026-21690 | 1 Color | 1 Iccdev | 2026-01-12 | N/A | 6.3 MEDIUM |
| iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available. | |||||
| CVE-2025-20784 | 2 Google, Mediatek | 46 Android, Mt6739, Mt6761 and 43 more | 2026-01-08 | N/A | 6.7 MEDIUM |
| In display, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182882; Issue ID: MSV-4683. | |||||
| CVE-2025-36935 | 1 Google | 1 Android | 2026-01-05 | N/A | 7.8 HIGH |
| In trusty_ffa_mem_reclaim of shared-mem-smcall.c, there is a possible memory corruption due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-65295 | 1 Aqara | 6 Camera Hub G3, Camera Hub G3 Firmware, Hub M2 and 3 more | 2025-12-17 | N/A | 8.1 HIGH |
| Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory. | |||||
| CVE-2024-29838 | 1 Cs-technologies | 1 Evolution | 2025-12-10 | N/A | 7.5 HIGH |
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below does not proper sanitize user input, allowing for an unauthenticated attacker to crash the controller software | |||||
| CVE-2025-64181 | 1 Openexr | 1 Openexr | 2025-12-08 | N/A | 7.5 HIGH |
| OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.0 through 3.3.5 and 3.4.0 through 3.4.2, while fuzzing `openexr_exrcheck_fuzzer`, Valgrind reports a conditional branch depending on uninitialized data inside `generic_unpack`. This indicates a use of uninitialized memory. The issue can result in undefined behavior and/or a potential crash/denial of service. Versions 3.3.6 and 3.4.3 fix the issue. | |||||
| CVE-2025-20766 | 2 Google, Mediatek | 32 Android, Mt2718, Mt6739 and 29 more | 2025-12-03 | N/A | 7.8 HIGH |
| In display, there is a possible memory corruption due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4820. | |||||
| CVE-2025-20771 | 2 Google, Mediatek | 32 Android, Mt2718, Mt6739 and 29 more | 2025-12-03 | N/A | 6.7 MEDIUM |
| In display, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4802. | |||||
| CVE-2024-23159 | 1 Autodesk | 9 Advance Steel, Autocad, Autocad Architecture and 6 more | 2025-11-13 | N/A | 7.8 HIGH |
| A maliciously crafted STP file, when parsed in stp_aim_x64_vc15d.dll through Autodesk applications, can be used to uninitialized variables. This vulnerability, along with other vulnerabilities, can lead to code execution in the current process. | |||||