memory safety

The Rust linear-algebra crate nalgebra contained a deserialization bug that could let crafted input violate a core size invariant, producing out‑of‑bounds memory access and potentially causing memory corruption, crashes, and denial of service in any application that deserializes untrusted data...

Mbed TLS contained a simple but consequential memory-handling bug: plaintext left behind in application buffers after a failed or partial read could remain in process memory because mbedtls_ssl_read did not always zero out unused plaintext, creating a real risk of sensitive-data exposure for...

A heap-buffer-overflow in giflib’s gif2rgb utility (DumpScreen2RGB in gif2rgb.c) was assigned CVE‑2022‑28506: the bug was reported in giflib 5.2.1 and fixed upstream in later maintenance releases, and Microsoft’s MSRC advisory has mapped the issue to Azure Linux — but that mapping is a...

A newly published vulnerability in the GNOME HTTP library libsoup — tracked as CVE-2025-32050 — exposes an integer overflow / buffer under-read in the library’s append_param_quoted() routine that can crash applications or leak memory and has already prompted coordinated vendor advisories and...

A subtle one‑byte out‑of‑bounds read in a content‑sniffing routine has forced a widespread emergency patching wave across Linux distributions and GNOME‑based stacks: CVE‑2025‑2784 is a heap buffer over‑read in libsoup’s content sniffer — specifically in the function that skips “insignificant”...

libxml2 contained a subtle but real use‑after‑free in its tree manipulation code that was assigned CVE‑2023‑45322 — a bug that only triggers after a specific memory allocation fails, but which nevertheless exposes real availability and stability risks for any software that embeds the library...

NASM users and maintainers should treat CVE‑2022‑46456 as a live, unresolved memory‑safety issue: Netwide Assembler (NASM) v2.16 contains a global buffer overflow in the dbg output code (function dbgdbg_typevalue in /output/outdbg.c) that can crash the assembler and, depending on circumstances...

GNU Tar’s handling of an old V7 archive format triggered a subtle memory-safety problem that quietly landed in the CVE lists: CVE-2022-48303 is a one‑byte out‑of‑bounds read in GNU Tar through version 1.34 that can cause use of uninitialized memory during a conditional jump — a bug that was...

A malformed TLS 1.3 packet can crash a wolfSSL server or force it to read memory outside its bounds — a vulnerability tracked as CVE-2024-0901 that was disclosed in early 2024 and fixed by wolfSSL in the 5.7.x release series. This issue is not a local misconfiguration or an edge-case...

A subtle but important memory-initialization fix landed in upstream Linux this spring: CVE-2025-37742 patches an uninitialized-value access in the JFS filesystem by ensuring the in-memory imap structure is zeroed when it’s allocated in the diMount() routine. The result is a low-complexity...

Firefox 125 contained multiple memory-safety defects that Mozilla’s fuzzing team judged serious enough to potentially allow arbitrary code execution; the issues were fixed in Firefox 126 (MFSA2024-21), and any installation running Firefox < 126 (including affected ESR/Thunderbird builds) should...

A critical memory-safety flaw in the widely used cJSON library has been assigned CVE-2025-57052: a logic error in the array-index parsing code lets malformed JSON pointer strings bypass bounds checks, enabling out‑of‑bounds memory access that can crash or corrupt applications that rely on cJSON...

The Linux kernel received a defensive patch in April 2024 closing a dangerous input‑validation gap in the in‑kernel SMB server (ksmbd) that let a malicious userspace component return malformed IPC replies, potentially causing kernel memory corruption and service‑stopping crashes. Background /...

Delta Electronics has published a security advisory addressing a high‑severity stack‑based buffer overflow in ASDA‑Soft that carries the identifier CVE‑2026‑1361; the flaw affects ASDA‑Soft releases up to and including v7.2.0.0 and is fixed in v7.2.2.0, and operators of industrial control...

A newly disclosed memory-safety bug in the open-source OPC UA stack open62541 — tracked as CVE-2026-1301 — has been flagged by U.S. cyber authorities as a medium-severity vulnerability that can be triggered before authentication and that reliably causes process crashes and heap corruption in...

A quiet but consequential fix landed in the Linux kernel tree on December 16, 2025: a defensive coding change in the Ceph client library (libceph) replaced several fatal assertions with proper bounds checks to block untrusted OSD indexes from network packets — a change recorded as CVE-2025-68283...

pcap_ether_aton, a long-standing utility in the widely used libpcap packet-capture library, has been assigned CVE-2025-11961 after maintainers fixed an input-validation bug that can cause both an out-of-bounds read (OOBR) and an out-of-bounds write (OOBW) when the function is given a malformed...

A critical memory‑safety flaw has been published affecting HDF5 version 1.14.6: CVE‑2025‑6270 is a heap‑based buffer overflow in the free‑space section lookup code, rooted in the function H5FS__sect_find_node inside H5FSsection.c, and public advisories and vulnerability trackers confirm a...

Microsoft’s latest public dust-up over an apparent plan to “rewrite Windows in Rust” began as a LinkedIn hiring post from Distinguished Engineer Galen Hunt and quickly became a global conversation about AI-assisted code migration, memory safety, and how platform vendors modernize decades‑old...

Microsoft’s blunt new engineering ambition — to use AI and algorithmic tooling to remove C and C++ from major system codebases and replace them with memory‑safe Rust — has vaulted a quiet, multi‑year shift into the headlines and forced an overdue reckoning about how operating systems will be...