These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A heap-based buffer overflow vulnerability exists in GNU libredwg through version 0.13.4.8160, specifically within the bit_read_RC function in bits.c, which is part of the Dwgbmp Utility component. The vulnerability is remotely exploitable and has been assigned a CVSS 4.0 score of 5.5 (MEDIUM). The issue was published on 2026-05-27. A proof-of-concept exploit has been made publicly available, increasing t [truncated]
A local out-of-bounds read vulnerability exists in GNU LibreDWG through version 0.14, specifically within the read_2004_compressed_section function in src/decode.c. The vulnerability affects the Dwgbmp Utility component and can be triggered through manipulation of DWG file processing. The issue was disclosed publicly on 2026-05-26 with a CVSS 4.0 score of 1.9 (LOW severity), reflecting the local attack ve [truncated]
A local out-of-bounds read vulnerability exists in GNU LibreDWG through version 0.14, specifically within the `bit_convert_TU` function in `programs/dwggrep.c` of the Dwggrep utility. The vulnerability allows a local attacker to trigger an out-of-bounds read condition. The CVSS 4.0 score of 1.9 (LOW severity) reflects the local attack vector and limited impact scope. A patch is available via commit `be996 [truncated]
A heap-based buffer overflow vulnerability exists in GNU LibreDWG through version 0.14, specifically within the `decompress_R2004_section` function in `src/decode.c`. The vulnerability affects the Dwgread Utility component and requires local access to exploit. The CVSS 4.0 score of 1.9 reflects low severity due to local attack vector and low privileges required, though the exploit is publicly available. A [truncated]
A local-only assertion failure vulnerability exists in GNU LibreDWG versions up to 0.14, specifically within the decompress_R2004_section function in src/decode.c. The vulnerability allows a local attacker to trigger a reachable assertion through crafted input to the Dwgread Utility. The CVSS 4.0 score of 1.9 (LOW) reflects the local attack vector and limited availability impact. The vulnerability was pub [truncated]
A heap-based buffer overflow vulnerability exists in GNU LibreDWG versions up to 0.14, specifically within the `read_2004_compressed_section` function in `src/decode.c`. The vulnerability is triggered when processing malformed DWG files through the Dwgread Utility. The CVSS 4.0 score of 1.9 (LOW severity) reflects the local attack vector and low privileges required, with limited impacts on confidentiality [truncated]
A NULL pointer dereference vulnerability exists in GNU SASL versions prior to 2.2.3, specifically within the DIGEST-MD5 authentication mechanism implementation. The flaw resides in lib/digest-md5/getsubopt.c and is triggered when parsing a known token that lacks an accompanying '=' character. This vulnerability affects both client and server implementations, allowing remote unauthenticated attackers to ca [truncated]
A race condition vulnerability exists in GNU sed when invoked with both the -i (in-place edit) and --follow-symlinks options. The function open_next_file() performs two separate, non-atomic filesystem operations: first resolving a symlink to its target path for determining output location, then opening the original symlink path to read content. An attacker who can atomically replace the symlink between th [truncated]
CVE-2026-24061 is an argument injection vulnerability in GNU InetUtils that CISA added to its Known Exploited Vulnerabilities catalog on 2026-01-26. Because it is listed in KEV, organizations that use or bundle InetUtils should treat remediation as time-sensitive and follow the official vendor guidance and CISA instructions.
CVE-2025-61662 is a high-severity use-after-free in GRUB2’s gettext module. The issue arises when the gettext command remains registered after its module is unloaded, leaving an orphaned command that can access freed memory. The published record centers on crash/denial of service, while the CVSS vector also reflects possible confidentiality and integrity impact.
A Use-after-Free vulnerability in the GRUB2 bootloader's network module allows attackers with local access to trigger system instability and denial of service. The flaw occurs because the `net_set_vlan` command remains registered after the network module is unloaded, enabling access to freed memory. Published November 18, 2025, and last modified May 19, 2026.
CISA lists CVE-2014-6278 as a GNU Bash OS command injection vulnerability and includes it in the Known Exploited Vulnerabilities catalog. That means defenders should treat it as actively abused in the wild and prioritize remediation for any system that uses GNU Bash directly or embeds it through downstream products.
CVE-2023-4911 affects the GNU C Library and was added to CISA’s Known Exploited Vulnerabilities catalog on 2023-11-21. CISA set a remediation due date of 2023-12-12, so organizations should treat this as an immediate priority and verify whether any affected Linux distributions, appliances, containers, or applications include the vulnerable library version.
CVE-2016-10228 is a glibc iconv availability issue: under the right option combination, invalid multibyte input can send the conversion logic into an infinite loop and hang the process. The supplied record describes impact in terms of denial of service, and NVD classifies it as medium severity with availability-only impact. This matters most for software that invokes iconv on untrusted or attacker-influen [truncated]
CVE-2014-7169 is a GNU Bourne-Again Shell (Bash) arbitrary code execution vulnerability that CISA includes in its Known Exploited Vulnerabilities catalog. Because it is in KEV, defenders should treat remediation as a priority and follow vendor update guidance for affected systems.
CVE-2014-6271 is a GNU Bourne-Again Shell (Bash) arbitrary code execution vulnerability that CISA lists in its Known Exploited Vulnerabilities catalog. For defenders, the key takeaway is not just that the issue exists, but that it is recognized as exploited in the wild and should be treated as a high-priority remediation item. CISA’s guidance in the supplied record is to apply updates per vendor instructions.
CVE-2017-6508 is a CRLF injection issue in GNU Wget’s URL parsing logic. A crafted URL containing CRLF sequences in the host subcomponent can cause Wget to emit attacker-controlled HTTP headers when making a request. The published CVSS 3.0 score is 6.1 (medium), reflecting network reachability, low attack complexity, no privileges required, but user interaction is needed.
CVE-2016-4493 affects GNU libiberty's cplus-dem.c demangling code. The supplied description says demangle_template_value_parm and do_hpacc_template_literal can trigger an out-of-bounds read and crash when given a crafted binary. NVD rates the issue CVSS 3.0 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), so the main security impact is denial of service rather than data exposure or code execution.
CVE-2016-4492 describes a buffer overflow in libiberty's do_type function in cplus-dem.c. The issue is tracked as CWE-119 and, per NVD, can lead to a crash/segmentation fault and denial of service in affected GNU libiberty environments. The official NVD CVSS vector rates it as AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, so the recorded impact is availability-only and requires local, high-privilege conditions.
CVE-2016-4491 is a denial-of-service issue in GNU libiberty's C++ demangling code. The vulnerable d_print_comp function in cp-demangle.c can recurse indefinitely and overflow a buffer when given a crafted binary, leading to a segmentation fault and crash. NVD classifies the issue as medium severity and maps it to CWE-119. The CVE was published on 2017-02-24, while the referenced patch discussion and issue [truncated]
CVE-2016-4490 is an integer overflow in cp-demangle.c within GNU libiberty. Per NVD, a crafted binary can trigger a segmentation fault and crash during demangling because of inconsistent use of long and int lengths. The issue was publicly discussed in an oss-security thread on 2016-05-05, while the CVE record itself was published by NVD on 2017-02-24 and later modified on 2026-05-13.
CVE-2016-4489 describes an integer overflow in GNU libiberty's gnu_special function that can lead to a segmentation fault and crash when processing crafted binaries, including paths related to demangling of virtual tables. The official NVD record classifies the issue as a denial-of-service weakness (CWE-190) with availability impact only. The plain-text description says remote attackers, while NVD's CVSS [truncated]
CVE-2016-4488 is a use-after-free flaw in GNU libiberty, associated with the "ktypevec" code path, that can lead to a crash or denial of service when a crafted binary is processed. NVD classifies the weakness as CWE-416 and rates it Medium (CVSS 5.5). The record was published on 2017-02-24, while the linked discussion and issue tracking references date back to May 2016.
CVE-2016-4487 describes a use-after-free in GNU libiberty tied to the "btypevec" code path. According to the supplied sources, a crafted binary can trigger a segmentation fault and crash, making this a denial-of-service issue rather than a confidentiality or integrity problem. The NVD record rates the issue medium severity, and the CVSS vector supplied by NVD indicates availability impact only.
CVE-2016-2226 is a memory-safety flaw in GNU libiberty’s cplus-dem.c string_appends function. According to NVD, an integer overflow can trigger a buffer overflow, creating a path to arbitrary code execution. The published description frames the issue around a crafted executable, while NVD’s CVSS vector indicates local access with required user interaction.
CVE-2016-5417 is a denial-of-service issue in GNU C Library (glibc) libresolv. The flaw is described as a memory leak in __res_vinit within IPv6 name server management code, where partial initialization of internal resolver data structures can leave allocated memory unreleased. On affected systems, repeated triggering can drive memory consumption high enough to impact availability. NVD lists the vulnerabl [truncated]
CVE-2016-6131 is a denial-of-service vulnerability in GNU Libiberty’s demangler. A crafted cyclic reference in remembered mangled types can drive the demangler into an infinite loop, stack overflow, or crash. The issue is classified as HIGH severity (CVSS 7.5) because it is network-reachable in the general case, requires no privileges or user interaction, and impacts availability.
CVE-2016-2781 describes a local escape issue in GNU coreutils chroot when used with --userspec. According to the CVE description, a crafted TIOCSTI ioctl call can push characters into the terminal input buffer, allowing a local user to break out of the intended chroot/session boundary and affect the parent session. NVD rates the issue as Medium and maps it to a local, low-complexity attack that requires p [truncated]
CVE-2015-8972 describes a stack-based buffer overflow in GNU Chess’s ValidateMove function in frontend/move.cc. According to the CVE record, affected versions are GNU Chess before 6.2.4, and the issue may allow context-dependent attackers to execute arbitrary code when a large input is processed, including in UCI mode. NVD rates the issue as critical (CVSS 3.1 9.8).