These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2023-6780 is a medium-severity issue in glibc's __vsyslog_internal path, which is used by syslog and vsyslog. According to the CVE record, very long log messages can cause an incorrect buffer-size calculation, leading to undefined behavior. The NVD data maps affected glibc releases to 2.37 through before 2.39, which means 2.37 and 2.38 are in scope in the supplied corpus.
CVE-2023-6779 is an off-by-one heap-based buffer overflow in glibc’s __vsyslog_internal path, which is used by syslog and vsyslog. According to the NVD description, the bug is triggered when these functions process a message larger than INT_MAX bytes, leading to an incorrect buffer-size calculation and potential application crash. NVD rates the issue as HIGH (CVSS 8.2), with no confidentiality impact in t [truncated]
CVE-2023-6246 is a high-severity flaw in glibc’s __vsyslog_internal path. Under a specific set of conditions, an application can trigger a heap-based buffer overflow when syslog/vsyslog is used without a prior openlog call, or when openlog is called with a NULL ident, and the program name derived from argv[0] is longer than 1024 bytes. The reported impact is application crash and, in some contexts, local [truncated]
CVE-2023-46219 is a medium-severity curl issue published on 2023-12-12. According to the advisory summary, saving HSTS data to an excessively long file name can cause curl to remove all contents of that HSTS data file. If that happens, subsequent requests that rely on the file may no longer see the HSTS status they should have used.
CVE-2023-46218 is a curl cookie-handling flaw that can let a malicious HTTP server set "super cookies" by bypassing Public Suffix List checks when the cookie domain case differs from the host case. That can cause cookies to be returned to unrelated origins and domains, creating unintended cross-site cookie exposure. NVD rates the issue CVSS 3.1 6.5 (MEDIUM).
CVE-2016-7972 is a high-severity availability issue in libass versions before 0.13.4. According to the NVD description, the check_allocations function in libass/ass_shaper.c can be driven into a memory allocation failure by remote input, resulting in denial of service. The supplied record rates the issue CVSS 3.0 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which means it is remotely reachable, requires no [truncated]
CVE-2016-7970 affects libass versions before 0.13.4 and is described as a buffer overflow in calc_coeff within ass_blur.c. NVD rates it HIGH (CVSS 7.5) with network attack vector, no privileges, no user interaction, and availability impact only. The documented fix is in libass 0.13.4, with downstream advisories and package announcements referencing the patch.
CVE-2016-7969 is a high-severity availability issue in libass’s wrap_lines_smart function. According to the CVE record, versions before 0.13.4 can be driven into an out-of-bounds read tied to "0/3 line wrapping equalization," which can let a remote attacker cause a denial of service. The impact is limited to availability, but the attack requires no privileges and no user interaction, so exposed media or s [truncated]
CVE-2017-5885 is a critical memory-safety flaw in gtk-vnc before 0.7.0. A malicious or compromised VNC server can trigger integer overflows in message handling paths, leading to a crash and, in the worst case described by the advisory, possible arbitrary code execution. The issue is tied to SetColorMapEntries processing and buffer overflow conditions, so the main risk is when systems connect to untrusted [truncated]
CVE-2017-5884 is a boundary-check vulnerability in gtk-vnc's handling of subrectangle-containing tiles. According to the CVE record, crafted RRE, Hextile, or CopyRect tile data can cause improper bounds handling for source x/y coordinates and may allow arbitrary code execution. The issue was published on 2017-02-28, with upstream and vendor references in early February 2017 pointing to a fix and follow-on advisories.
CVE-2016-9956 affects FlightGear before 2016.4.4. A crafted Nasal script can abuse the route manager to write arbitrary files remotely, creating a high-severity integrity risk with no privileges or user interaction required. NVD classifies the weakness as CWE-284 and scores it CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
This is a critical client-side memory corruption issue in Teeworlds before 0.6.4. A remote server can influence packet processing in CClient::ProcessServerPacket and, according to NVD, write to arbitrary physical memory locations and possibly execute arbitrary code. The vulnerable path is in client packet handling, so the practical exposure is any user connecting to an untrusted or compromised server.
CVE-2017-5357 is a denial-of-service vulnerability in GNU ed's regex.c handling. According to the CVE record and NVD, a malformed command can trigger an invalid free and crash the program. The issue was publicly disclosed through vendor and mailing-list advisories in January 2017 and published in NVD on 2017-02-17.
CVE-2016-6233 is a critical SQL injection vulnerability in Zend Framework’s Zend_Db_Select component. The issue affects the order and group methods in versions before 1.12.19 and is described as involving a regular-expression pattern that can be abused by remote attackers. Because the NVD record rates it CVSS 9.8 with network access, no privileges, and no user interaction required, this should be treated [truncated]
Zend Framework’s Zend_Db_Select order() and group() methods were vulnerable to SQL injection when SQL comments were not removed before validation. NVD rates the issue critical, and the affected range is listed as Zend Framework before 1.12.20.
CVE-2016-8693 describes a double-free in JasPer's mem_close logic that can be triggered by a crafted BMP image handled by the imginfo command. The published record ties the flaw to denial of service and possible code execution, and downstream advisories show it was handled through vendor package updates.
CVE-2016-8690 affects JasPer’s BMP decoding path and can cause a denial of service when a crafted BMP image is processed by the imginfo command. The issue is a NULL pointer dereference in bmp_getdata, which can terminate the application instead of safely rejecting the file. NVD lists the flaw as medium severity and ties it to availability impact rather than code execution or data exposure.
CVE-2016-6866 describes a flaw in slock where an invalid password hash can trigger a NULL pointer dereference. The result is a crash with high availability impact, and the issue is described as allowing screen-lock bypass in the supplied corpus.
CVE-2013-7459 is a critical memory-corruption flaw in the Python Cryptography Toolkit (pycrypto). NVD describes it as a heap-based buffer overflow in ALGnew in block_templace.c that can be triggered with a crafted IV parameter to cryptmsg.py, and the stated impact is remote code execution. The issue was publicly discussed before the CVE record was published, and the available references point to a patch a [truncated]
CVE-2016-4797 is a denial-of-service vulnerability in OpenJPEG’s tile initialization logic. A crafted JP2 file can trigger a divide-by-zero in opj_tcd_init_tile in tcd.c, crashing the application. The issue is notable because it stems from an incorrect fix for CVE-2014-7947. NVD rates the issue as medium severity (CVSS 3.0 5.5).
CVE-2016-4796 describes a heap-based buffer overflow in OpenJPEG’s color_cmyk_to_rgb path. A crafted .j2k file can trigger a crash, making this a denial-of-service issue for software that parses JPEG 2000 content. NVD rates it CVSS 5.5 (MEDIUM).
CVE-2016-9108 is an integer overflow in MuJS's js_regcomp function in regexp.c. A crafted regular expression can trigger an application crash, resulting in denial of service. NVD assigns CVSS 3.1 7.5 High with a network-based, unauthenticated, no-user-interaction impact profile. The NVD record associates the issue with MuJS versions before commit b6de34ac6d8bb7dd5461c57940acfbd3ee7fd93e, and also lists Fe [truncated]
CVE-2016-9085 covers multiple integer overflows in libwebp. The public record ties the issue to libwebp upstream and to affected Fedora packages, with NVD rating the weakness as low severity and limited to availability impact in its CVSS vector. This is primarily a patch-and-rebuild issue for software that ships or embeds libwebp, rather than a high-priority internet-facing emergency.
CVE-2016-8569 is a denial-of-service issue in libgit2 caused by a NULL pointer dereference in git_oid_nfmt inside commit.c. According to the NVD record, the bug is reachable when processing a crafted object file through a cat-file command. The vulnerability is rated medium severity (CVSS 3.0 5.5) and is primarily an availability issue. The supplied NVD data and downstream advisories indicate that libgit2 [truncated]
CVE-2016-8568 is a medium-severity denial-of-service issue in libgit2. The vulnerable code path is git_commit_message in oid.c, where a crafted object file processed through a cat-file command can trigger an out-of-bounds read and crash the application. NVD maps the issue to CWE-125 and rates the impact primarily on availability. The CVE was published on 2017-02-03, while the referenced upstream and distr [truncated]
CVE-2015-8854 describes a denial-of-service issue in the Node.js package marked before 0.3.4. The flaw is a regular expression denial of service (ReDoS) caused by catastrophic backtracking in the em inline rule, which can drive CPU consumption high and reduce service availability. The NVD record rates the issue High with CVSS 3.1 base score 7.5.
CVE-2016-7543 describes a local privilege-escalation issue in Bash where crafted SHELLOPTS and PS4 environment variables can be used to execute arbitrary commands with root privileges. The NVD record classifies the issue as HIGH severity and maps affected GNU Bash versions through 4.3, with additional Fedora package streams called out in the corpus.