memory safety

GNU Tar’s handling of an old V7 archive format triggered a subtle memory-safety problem that quietly landed in the CVE lists: CVE-2022-48303 is a one‑byte out‑of‑bounds read in GNU Tar through version 1.34 that can cause use of uninitialized memory during a conditional jump — a bug that was...

A malformed TLS 1.3 packet can crash a wolfSSL server or force it to read memory outside its bounds — a vulnerability tracked as CVE-2024-0901 that was disclosed in early 2024 and fixed by wolfSSL in the 5.7.x release series. This issue is not a local misconfiguration or an edge-case...

A subtle but important memory-initialization fix landed in upstream Linux this spring: CVE-2025-37742 patches an uninitialized-value access in the JFS filesystem by ensuring the in-memory imap structure is zeroed when it’s allocated in the diMount() routine. The result is a low-complexity...

Firefox 125 contained multiple memory-safety defects that Mozilla’s fuzzing team judged serious enough to potentially allow arbitrary code execution; the issues were fixed in Firefox 126 (MFSA2024-21), and any installation running Firefox < 126 (including affected ESR/Thunderbird builds) should...

A critical memory-safety flaw in the widely used cJSON library has been assigned CVE-2025-57052: a logic error in the array-index parsing code lets malformed JSON pointer strings bypass bounds checks, enabling out‑of‑bounds memory access that can crash or corrupt applications that rely on cJSON...

The Linux kernel received a defensive patch in April 2024 closing a dangerous input‑validation gap in the in‑kernel SMB server (ksmbd) that let a malicious userspace component return malformed IPC replies, potentially causing kernel memory corruption and service‑stopping crashes. Background /...

Delta Electronics has published a security advisory addressing a high‑severity stack‑based buffer overflow in ASDA‑Soft that carries the identifier CVE‑2026‑1361; the flaw affects ASDA‑Soft releases up to and including v7.2.0.0 and is fixed in v7.2.2.0, and operators of industrial control...

A newly disclosed memory-safety bug in the open-source OPC UA stack open62541 — tracked as CVE-2026-1301 — has been flagged by U.S. cyber authorities as a medium-severity vulnerability that can be triggered before authentication and that reliably causes process crashes and heap corruption in...

A quiet but consequential fix landed in the Linux kernel tree on December 16, 2025: a defensive coding change in the Ceph client library (libceph) replaced several fatal assertions with proper bounds checks to block untrusted OSD indexes from network packets — a change recorded as CVE-2025-68283...

pcap_ether_aton, a long-standing utility in the widely used libpcap packet-capture library, has been assigned CVE-2025-11961 after maintainers fixed an input-validation bug that can cause both an out-of-bounds read (OOBR) and an out-of-bounds write (OOBW) when the function is given a malformed...

A critical memory‑safety flaw has been published affecting HDF5 version 1.14.6: CVE‑2025‑6270 is a heap‑based buffer overflow in the free‑space section lookup code, rooted in the function H5FS__sect_find_node inside H5FSsection.c, and public advisories and vulnerability trackers confirm a...

Microsoft’s latest public dust-up over an apparent plan to “rewrite Windows in Rust” began as a LinkedIn hiring post from Distinguished Engineer Galen Hunt and quickly became a global conversation about AI-assisted code migration, memory safety, and how platform vendors modernize decades‑old...

Microsoft’s blunt new engineering ambition — to use AI and algorithmic tooling to remove C and C++ from major system codebases and replace them with memory‑safe Rust — has vaulted a quiet, multi‑year shift into the headlines and forced an overdue reckoning about how operating systems will be...

A Microsoft engineer’s LinkedIn post that set off a flurry of headlines — claiming a goal to “eliminate every line of C and C++ from Microsoft by 2030” — has been clarified as a research project rather than an official company edict, but the episode crystallizes a real and accelerating shift...

Microsoft’s rapid retreat from an apparent plan to “rewrite Windows with AI” crystallizes a deeper story about how research, recruitment language, and public perception can collide — and why the difference between research experiment and product roadmap matters for every IT pro who manages...

The Linux kernel received a small but important fix that eliminates an uninitialized-memory warning in the in-kernel NTFS driver (ntfs3): the buffer allocated by __getname was not being zeroed before use, and the upstream remedy initializes that buffer to prevent KMSAN-detected uninitialized...

Microsoft’s most publicized systems‑engineering recruitment post this month crystallized an audacious vision: build AI‑and‑algorithmic tooling that can translate huge amounts of legacy C and C++ into Rust at industrial scale — and aim to “eliminate every line of C and C++ from Microsoft by...

Microsoft’s stated plan to remove “every line of C and C++” from its codebase by 2030 — and to do so by combining algorithmic source analysis with AI-driven translation into Rust — marks one of the most ambitious language-migration bets ever announced by a major platform company. The...

Microsoft’s public clarifications this week laid to rest the most sensational headlines: a LinkedIn hiring post from Distinguished Engineer Galen Hunt set off a firestorm by declaring a goal to “eliminate every line of C and C++ from Microsoft by 2030” and citing a provocative productivity north...

Microsoft engineering leadership has publicly framed an audacious, company-wide program to remove every line of C and C++ from Microsoft’s codebase by 2030 and replace it with Rust, driven by a purpose-built combination of algorithmic program analysis and AI agents that can rewrite and verify...