Microsoft’s software stack is on the move: in December 2025 a senior Microsoft engineer publicly framed an audacious plan to remove every line of C and C++ from Microsoft by 2030, using a hybrid of algorithmic program analysis, large‑scale AI agents, and hands‑on engineering to translate legacy...
Microsoft’s engineering gamble — to use AI to rewrite millions of lines of legacy C and C++ into Rust by 2030 — landed squarely in the spotlight this winter after a months‑long string of Windows 11 malfunctions and a formal Microsoft support advisory that traced the outages to XAML registration...
Microsoft Distinguished Engineer Galen Hunt has posted a provocative, highly publicized mandate: use a blend of algorithmic program analysis and AI agents to replace every line of C and C++ inside Microsoft with Rust by 2030, backed by a striking “North Star” productivity claim — “1 engineer, 1...
Microsoft’s latest engineering gambit is as audacious as it is literal: replace the company’s legacy C and C++ estate with Rust by 2030, using a blend of algorithmic tooling and AI to mass‑rewrite code at scale — a plan distilled into an evocative (if headline‑hungry) goal sometimes summarized...
Capstone, the widely used disassembly framework, contains a memory‑safety bug (CVE‑2025‑68114) in SStream_concat where an unchecked return from vsnprintf can drive the stream index negative or past its end — a flaw fixed upstream in a December 2025 commit but one that can produce stack buffer...
A small but important memory-allocation bug in the Linux kernel's ASoC SDCA driver has been assigned CVE-2025-68281 and corrected upstream; the flaw caused a mismatch between the declared type of a control's value array and the size allocated for it, which can trigger kernel crashes when the...
A new Linux-kernel patch closes a narrow but dangerous race in the in‑kernel SMB server (ksmbd) that could lead to a kernel use‑after‑free (UAF) in ipc_msg_send_request. The upstream fix changes how ksmbd validates and frees generic‑netlink reply buffers by taking the global ipc_msg_table_lock...
A heap-based buffer overflow has been reported in HDF5 v1.14.6: the function H5O__mtime_new_encode in src/H5Omtime.c can be manipulated to write past an allocated heap buffer (CVE‑2025‑6750), a defect tracked publicly with a working proof‑of‑concept and tracked by distribution vendors and...
A use-after-free defect in the HDF5 C library — tracked as CVE-2025-6856 and rooted in the H5FL__reg_gc_list routine in src/H5FL.c — has been publicly disclosed and confirmed by multiple independent sources; the flaw affects HDF5 1.14.6, a widely embedded library in scientific, engineering, and...
A critical use‑after‑free defect has been publicly disclosed in the HDF5 library: CVE‑2025‑2913 identifies a flaw in src/H5FL.c (function H5FL__blk_gc_list) that can dereference freed metadata under specific local conditions, creating a realistic denial‑of‑service and memory‑corruption risk for...
A newly assigned CVE, CVE-2025-14512, exposes a critical integer‑overflow bug in GLib’s GIO attribute-escaping routine that can lead to a heap buffer overflow and denial‑of‑service — the defect is fixed upstream in the GLib 2.86.x point releases and is now tracked across multiple vendor...
AzeoTech’s DAQFactory has been the subject of a high‑severity industrial control systems (ICS) advisory: multiple memory‑safety and parsing flaws in DAQFactory Release 20.7 (Build 2555) and earlier can be triggered by specially crafted project files (.ctl), and the vendor has released a...
A newly disclosed memory‑corruption defect in the open‑source Grassroots DICOM library (GDCM) gives healthcare and imaging tool maintainers a concrete remediation task this quarter: an out‑of‑bounds write when parsing encapsulated PixelData fragments can crash applications that use GDCM and, in...
The 2025 CWE Top 25 Most Dangerous Software Weaknesses arrives as a clear, data-driven wake-up call for developers, security teams, and procurement managers: adversaries continue to exploit a concentrated set of weakness classes, and addressing those root causes is the fastest way to reduce...
A recently published Linux kernel security entry — CVE-2025-40322 — addresses a bounds‑checking defect in the legacy framebuffer (fbdev) text‑blitting code that could let a crafted character value cause an out‑of‑bounds read from the built‑in font table; the upstream fix clamps the computed...
A newly assigned CVE, CVE-2025-40294, identifies an out‑of‑bounds (OOB) access in the Linux kernel’s Bluetooth management path that can cause memory corruption and crashes when userland supplies overly large advertising‑pattern lengths. The defect lives in the MGMT layer’s...
A new Linux-kernel vulnerability, tracked as CVE‑2025‑40314, has been published: a use‑after‑free in the cdns3 USB gadget driver that can occur when the cdnsp gadget fails to initialize or during gadget exit, and upstream kernel maintainers have merged a compact fix into recent stable trees to...
A subtle but important memory-safety bug in the Linux kernel’s Btrfs file-handle encoder has been fixed upstream: CVE-2025-40205 closes an out‑of‑bounds write in btrfs_encode_fh that could, in specific circumstances, write eight bytes past the user-supplied buffer. This is primarily an...
The Linux kernel has received a targeted corrective patch for a resource-consumption weakness in the ext4 filesystem — tracked as CVE‑2025‑40179 — that limits the size of orphan files during replay and changes how block-descriptor arrays are allocated to avoid large-order memory allocations...
The Linux kernel received a targeted fix in November 2025 for a subtle but potentially dangerous memory-handling bug in its TLS decryption path: when asynchronous TLS decryption attempts fail to create a safe clone of incoming packet memory (via tls_strp_msg_hold), the kernel must wait for...