Han Zheng

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 145.0.7632.45 **Description** A use-after-free issue exists in the CSS rendering engine of Google Chrome. This flaw could allow a remote attacker to exploit heap corruption through a specially crafted HTML page. The Chromium security severity is rated as High. **Recommendations** Update Google Chrome to version 145.0.7632.45 or later.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 132.0.6834.83 **Description** The issue is related to an integer overflow in the Skia library of Google Chrome, which could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. The severity of this issue is considered high. **Recommendations** For Google Chrome versions prior to 132.0.6834.83, update to version 132.0.6834.83 or later to resolve the issue. As a temporary workaround, consider avoiding the use of crafted HTML pages that could trigger the integer overflow in the Skia library until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 132.0.6834.83 **Description** The issue is related to a stack buffer overflow in the Tracing component of Google Chrome, which could allow a remote attacker to exploit stack corruption via a crafted HTML page. This could potentially lead to security breaches. The severity of this issue is considered high. **Recommendations** For Google Chrome versions prior to 132.0.6834.83, update to version 132.0.6834.83 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Tracing component until a patch is applied. Restrict access to potentially vulnerable HTML pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 128.0.6613.84 **Description** The issue is related to a use after free vulnerability in the Autofill function of Google Chrome and Microsoft Edge browsers. This vulnerability can be exploited by a remote attacker who convinces the user to engage in specific UI interactions, potentially allowing the execution of arbitrary code via a crafted HTML page. The exploitation may lead to heap corruption. **Recommendations** For Google Chrome versions prior to 128.0.6613.84, update to version 128.0.6613.84 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the Autofill function until the update is applied. Restrict access to crafted HTML pages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 126.0.6478.54 **Description** The issue is related to a use after free vulnerability in the PDFium component of Google Chrome and Microsoft Edge browsers. This vulnerability can be exploited by a remote attacker using specially crafted PDF files, potentially allowing them to disclose protected information. The exploitation is related to heap corruption. **Recommendations** For Google Chrome versions prior to 126.0.6478.54, update to version 126.0.6478.54 or later to resolve the issue. As a temporary workaround, consider avoiding the use of PDF files from untrusted sources until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 126.0.6478.54 Microsoft Edge (affected versions not specified) **Description** The issue is related to a use after free in PDFium, which can potentially allow a remote attacker to exploit heap corruption via a crafted PDF file. This could lead to the disclosure of protected information. The severity of this issue is classified as Medium by Chromium. **Recommendations** For Google Chrome versions prior to 126.0.6478.54, update to version 126.0.6478.54 or later to resolve the issue. For Microsoft Edge, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wireshark version 4.2.0 **Description** The issue allows for denial of service via packet injection or crafted capture file, specifically affecting the Zigbee TLV dissector in Wireshark. **Recommendations** For Wireshark version 4.2.0, update to a newer version to mitigate the risk. As a temporary workaround, consider disabling the Zigbee TLV dissector until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Wireshark versions 3.6.0 through 3.6.19 Wireshark versions 4.0.0 through 4.0.11 Wireshark version 4.2.0 **Description** The issue is related to the IEEE 1609.2 dissector in Wireshark, which can cause a crash, allowing denial of service via packet injection or crafted capture file. This is due to errors in pointer handling. A remote attacker can exploit this issue to cause a denial of service. **Recommendations** For Wireshark versions 3.6.0 through 3.6.19, update to a newer version to resolve the issue. For Wireshark versions 4.0.0 through 4.0.11, update to a newer version to resolve the issue. For Wireshark version 4.2.0, update to a newer version to resolve the issue. As a temporary workaround, consider disabling the IEEE 1609.2 dissector until a patch is available.

**Name of the Vulnerable Software and Affected Versions** nasm version 2.16 **Description** The issue is a stack-based buffer over-read in the disasm component, which allows attackers to cause a denial of service, resulting in a crash. **Recommendations** For nasm version 2.16, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nasm version 2.16rc0 **Description** The issue is a null pointer dereference in the `ieee write file` function, which allows attackers to cause a denial of service, resulting in a crash. **Recommendations** For nasm version 2.16rc0, consider disabling the `ieee write file` function as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nasm version 2.16 **Description** A stack-based buffer over-read issue in the disasm function allows attackers to cause a denial of service. **Recommendations** For nasm version 2.16, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** libtiff (affected versions not specified) **Description** The issue is related to a heap buffer overflow in the libtiff library when processing the `TIFFTAG INKNAMES` and `TIFFTAG NUMBEROFINKS` parameters. This can lead to a denial of service or potentially allow an attacker to execute arbitrary code, causing unexpected application termination. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 (affected versions not specified) **Description** A problematic issue has been found, affecting the `AP4 File::AP4 File` function of the `Mp42Hevc.cpp` file in the `mp42hevc` component. This issue leads to denial of service and can be initiated remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Axiomatic Bento4 (affected versions not specified) **Description** A problematic issue was found, affecting the `ParseCommandLine` function of the `Mp4Tag/Mp4Tag.cpp` file in the `mp4tag` component. This issue leads to denial of service and can be exploited remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** A memory leak was discovered in Bento4 via the AP4 SttsAtom::Create function in mp42hls. **Recommendations** For version 1.6.0-639, consider restricting the use of the AP4 SttsAtom::Create function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** A memory leak was discovered in the AP4 AvcFrameParser::Feed function in mp4mux. **Recommendations** For Bento4 version 1.6.0-639, consider updating to a newer version that contains a fix for this issue, although at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nasm version 2.16 **Description** A stack overflow was discovered in the Ndisasm component of nasm. **Recommendations** For version 2.16, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** An issue in Bento4 leads to excessive memory consumption in the `AP4 Array<AP4 ElstEntry>::EnsureCapacity` function, located in Core/Ap4Array.h. **Recommendations** For Bento4 version 1.6.0-639, consider applying a patch or fix that addresses the excessive memory consumption issue in the `AP4 Array<AP4 ElstEntry>::EnsureCapacity` function. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 versions through 1.6.0-639 **Description** A NULL pointer dereference issue occurs in the `AP4 File::ParseStream` function, located in `Core/Ap4File.cpp`, which is called from `AP4 File::AP4 File`. **Recommendations** For versions through 1.6.0-639, consider updating to a version that fixes this issue, as no specific mitigation measures are provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bento4 version 1.6.0-639 **Description** An issue was discovered in the function `AP4 DataBuffer::ReallocateBuffer` in `Core/Ap4DataBuffer.cpp`, which leads to excessive memory consumption. **Recommendations** For Bento4 version 1.6.0-639, consider applying a patch or fix to the `AP4 DataBuffer::ReallocateBuffer` function to prevent excessive memory consumption. At the moment, there is no information about a newer version that contains a fix for this issue.