Ron Edgerson

**Name of the Vulnerable Software and Affected Versions** TinyOS versions up to and including 2.1.2 **Description** TinyOS versions up to and including 2.1.2 have a global buffer overflow issue in the `printfUART` formatted output implementation within the ZigBee / IEEE 802.15.4 networking stack. The `printfUART` function uses `strcat()` without checking the remaining buffer capacity when formatting output into a fixed-size global buffer. If `printfUART` is called with a string longer than the buffer size, it can write past the end of the `debugbuf` buffer, leading to global memory corruption. This can result in denial of service, unexpected behavior, or information disclosure through corrupted global state or UART output. **Recommendations** Versions prior to 2.1.2 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TinyOS versions up to and including 2.1.2 **Description** TinyOS versions up to and including 2.1.2 have a stack-based buffer overflow issue in the mcp2200gpio utility. This is due to the unsafe use of `strcpy()` and `strcat()` functions when creating device paths during automatic device discovery. A local attacker can exploit this by creating specially crafted filenames under the `/dev/usb/` directory, which can cause stack memory corruption and application crashes. **Recommendations** Update TinyOS to a version later than 2.1.2.

**Name of the Vulnerable Software and Affected Versions** RIOT OS versions up to and including 2026.01-devel-317 **Description** RIOT OS versions up to and including 2026.01-devel-317 have a stack-based buffer overflow issue in the tapslip6 utility. This is due to unsafe string concatenation within the `devopen()` function. The utility utilizes `strcpy()` and `strcat()` to combine a fixed prefix '/dev/' with a user-provided device name from the `-s` command-line option without sufficient bounds checking. An attacker can provide a device name that is excessively long, causing a stack buffer overflow, which can lead to process crashes and memory corruption. **Recommendations** Update to a version of RIOT OS newer than 2026.01-devel-317.

**Name of the Vulnerable Software and Affected Versions** RIOT OS versions up to and including 2026.01-devel-317 **Description** RIOT OS versions up to and including 2026.01-devel-317 have a stack-based buffer overflow issue in the ethos utility. This is due to a lack of bounds checking when handling incoming serial frame data. The issue is present in the ` handle char()` function, where incoming frame bytes are added to a fixed-size stack buffer without ensuring the write index stays within the buffer's limits. An attacker sending specially crafted serial or TCP-framed input can cause the write index to go beyond the buffer size, leading to memory corruption and application crashes. **Recommendations** Update RIOT OS to a version newer than 2026.01-devel-317.

**Name of the Vulnerable Software and Affected Versions** Panda3D versions up to and including 1.10.16 **Description** Panda3D deploy-stub contains a denial of service condition resulting from unbounded stack allocation. The deploy-stub executable uses `alloca()` to allocate `argv copy` and `argv copy2` based on the `argc` value, which is directly controlled by the attacker, without any validation. Providing a large number of command-line arguments can exhaust stack space and lead to a crash and undefined behavior during Python interpreter initialization. **Recommendations** Versions prior to 1.10.16 are not affected. Update to a version later than 1.10.16.

**Name of the Vulnerable Software and Affected Versions** Panda3D versions up to and including 1.10.16 **Description** Panda3D’s egg-mkfont utility contains an uncontrolled format string issue. The `-gp` command-line option is directly used as the format string for the `sprintf()` function with a single argument. Providing additional format specifiers by an attacker may lead to the reading of unintended stack values and writing the formatted output into generated `.egg` and `.png` files, potentially disclosing stack-resident memory and pointer values. **Recommendations** Versions prior to 1.10.16 are not affected. Update Panda3D to a version later than 1.10.16.

**Name of the Vulnerable Software and Affected Versions** Panda3D versions up to and including 1.10.16 **Description** The software contains a stack-based buffer overflow issue because of the use of an unbounded `sprintf()` call with input controlled by an attacker. When creating glyph filenames, the software formats a glyph pattern supplied by the user (`-gp`) into a fixed-size stack buffer without validating the length. Providing a glyph pattern string that is too long can cause the stack buffer to overflow, leading to memory corruption and a crash. Depending on the build configuration and execution environment, this overflow may also allow for arbitrary code execution. **Recommendations** Versions prior to 1.10.16 are not affected. Versions up to and including 1.10.16 are affected.

**Name of the Vulnerable Software and Affected Versions** OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14 **Description** The software contains a heap buffer underflow in the `readline()` function of `mdb load`. Processing malformed input with an embedded NUL byte can cause an unsigned offset calculation to underflow, resulting in an out-of-bounds read of one byte before the allocated heap buffer. This can lead to a denial-of-service condition due to a crash. **Recommendations** Versions prior to 0.9.14 and commit 8e1fda8 should be updated.

**Name of the Vulnerable Software and Affected Versions** Bio-Formats versions up to and including 8.3.0 **Description** Bio-Formats versions up to and including 8.3.0 contain an XML External Entity (XXE) vulnerability in the Leica Microsystems metadata parsing component, such as XLEF. The parser uses an insecurely configured DocumentBuilderFactory when processing Leica XML-based metadata files, allowing external entity expansion and external DTD loading. A crafted metadata file can trigger outbound network requests (SSRF), access local system resources where readable, or cause a denial of service during XML parsing. **Recommendations** Versions prior to 8.3.0 should be used.

**Name of the Vulnerable Software and Affected Versions** Bio-Formats versions up to and including 8.3.0 **Description** Bio-Formats versions up to and including 8.3.0 are susceptible to unsafe Java deserialization of attacker-controlled memoization cache files (.bfmemo) during image processing. The `loci.formats.Memoizer` class automatically loads and deserializes memo files associated with images without validation or trust enforcement. An attacker supplying a crafted .bfmemo file alongside an image can trigger deserialization of untrusted data, potentially leading to denial of service, logic manipulation, or remote code execution if suitable gadget chains are present on the classpath. Java deserialization is a process where a byte stream is converted back into an object. In this case, the lack of validation allows an attacker to control the data being deserialized, potentially executing malicious code. **Recommendations** Versions prior to 8.3.1 should be updated.

**Name of the Vulnerable Software and Affected Versions** zlib versions up to and including 1.3.1.2 **Description** zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the `untgz` utility. The `TGZfname()` function uses an unbounded `strcpy()` call to copy an attacker-supplied archive name from `argv[]` into a fixed-size 1024-byte static global buffer without validating the length. Providing an archive name exceeding 1024 bytes results in an out-of-bounds write, potentially leading to memory corruption, denial of service, and code execution, dependent on compiler, build flags, architecture, and memory layout. This overflow occurs before any archive parsing or validation. **Recommendations** Update to zlib version 1.3.1.3 or higher. Monitor for `untgz` executions involving unusually long filenames in logs.