Lucene search
K

54 matches found

Hacker One
Hacker One
added 2026/01/30 7:5 a.m.43 views

curl: MQTT Protocol Packet Injection via Unchecked CONNACK Remaining Length

I'm not sure if this is a vulnerability or intended behavior, but I noticed that curl MQTT implementation accepts CONNACK packets with Remaining Length values greater than 2, which appears to violate the MQTT v3.1.1 specification. According to the MQTT spec, CONNACK packets should have a Remainin...

5.9AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/01/22 7:22 p.m.7 views

CVE-2025-68137

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in SdpPacket::parseheader allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtract...

8.3CVSS5.9AI score0.00251EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.8 views

PT-2026-3850

Name of the Vulnerable Software and Affected Versions EVerest versions prior to 2025.10.0 Description EVerest is an EV charging software stack. An integer overflow in the SdpPacket::parse header function can occur when processing data. Specifically, the current buffer length can be set to 7 after...

8.3CVSS5.6AI score0.00251EPSS
Exploits1References8
RedHat Linux
RedHat Linux
added 2026/01/19 3:14 a.m.4 views

kernel: smb: client: let recv_done verify data_offset, data_length and remaining_data_length

In the Linux kernel, the following vulnerability has been resolved: smb: client: let recvdone verify dataoffset, datalength and remainingdatalength This is inspired by the related server fixes...

5.5CVSS5.7AI score0.0012EPSS
Exploits0References5
Hacker One
Hacker One
added 2026/01/06 8:51 a.m.14 views

curl: MQTT: Missing upper bound on incoming Remaining Length allows server-controlled long wait

Curl's MQTT implementation accepts any valid Remaining Length advertised by the server without an explicit upper bound beyond the MQTT spec maximum of 268,435,455 bytes. A malicious server can send a PUBLISH packet claiming this maximum size but provide only minimal payload, causing curl to wait...

6.8AI score
Exploits0
Hacker One
Hacker One
added 2026/01/01 9:51 p.m.16 views

curl: MQTT Protocol Violation & Integer Overflow in libcurl

Executive Summary Vulnerability Type: CWE-190 Component: lib/mqtt.c Function: mqttdecodelen Affected Architectures: - All architectures: Protocol non-compliance leading to stream desynchronization - 32-bit architectures: Deterministic integer overflow in length decoding libcurl does not correctly...

7.8AI score
Exploits0
EUVD
EUVD
added 2025/12/15 12:30 a.m.5 views

EUVD-2025-203316

openrsync through 0.5.0, as used in OpenBSD through 7.8 and on other platforms, allows a client to cause a server SIGSEGV by specifying a length of zero for block data, because the relationship between p-rem and p-len is not checked...

5.3CVSS6.3AI score0.00243EPSS
Exploits0References3
Hacker One
Hacker One
added 2025/10/23 10:29 a.m.11 views

curl: libcurl MQTT PUBLISH length overflow (heap overflow)

Summary: Heap-based buffer overflow in libcurl’s MQTT PUBLISH assembly lib/mqtt.c::mqttpublish due to unchecked sizet arithmetic when computing the MQTT “Remaining Length”. If payloadlen + 2 + topiclen wraps sizet, libcurl allocates a too-small buffer and then memcpy’s payloadlen bytes into it,...

7.5AI score
Exploits0
EUVD
EUVD
added 2025/10/04 9:30 a.m.4 views

EUVD-2025-32400

In the Linux kernel, the following vulnerability has been resolved: smb: client: let recvdone verify dataoffset, datalength and remainingdatalength This is inspired by the related server fixes...

6AI score0.0012EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/10/04 7:30 a.m.12 views

CVE-2025-39933 smb: client: let recv_done verify data_offset, data_length and remaining_data_length

In the Linux kernel, the following vulnerability has been resolved: smb: client: let recvdone verify dataoffset, datalength and remainingdatalength This is inspired by the related server fixes...

0.0012EPSS
Exploits0References2
OSV
OSV
added 2024/05/17 2:15 p.m.9 views

DEBIAN-CVE-2023-52669

In the Linux kernel, the following vulnerability has been resolved: crypto: s390/aes - Fix buffer overread in CTR mode When processing the last block, the s390 ctr code will always read a whole block, even if there isn't a whole block of data left. Fix this by using the actual length left and cop...

7.8CVSS6AI score0.00249EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2017/04/13 9:18 a.m.23 views

CVE-2017-7746

In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length...

7.5CVSS2.5AI score0.0247EPSS
Exploits0References2
OSV
OSV
added 2017/04/12 11:59 p.m.4 views

UBUNTU-CVE-2017-7746

In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length...

7.5CVSS7.1AI score0.0247EPSS
Exploits0References5
OSV
OSV
added 2017/04/12 11:59 p.m.1 views

DEBIAN-CVE-2017-7746

In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector could go into an infinite loop, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-slsk.c by adding checks for the remaining length...

7.5CVSS7.5AI score0.0247EPSS
Exploits0References1
Rows per page
Query Builder