CVE-2026-43964
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced statu
CVSS
3.7
Low
EPSS
0.4%
p34
KEV
—
Exploit Today
10
0-100
Published: May 4, 2026 · Last modified: Jul 15, 2026 · CWE-193
0.4%EPSS · 30 days0.4%
2026-06-302026-07-16
Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
- www.mail-archive.comhttps://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html
- www.openwall.comhttp://www.openwall.com/lists/oss-security/2026/05/04/30
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25930
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25932
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26205
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-43964
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2466488
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43964.json
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-504976.5 MED55.2%
——17Off-by-one error in Windows Remote Desktop Protocol allows an unauthorized attacker to disclose information over a network.15hCVE-2026-420155.3 MED50.0%
——15A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.2dCVE-2026-124137.5 HIG44.6%
——13An invalidly formatted IKEv2 fragment causes the Libreswan pluto daemon to crash and restart. Continued exploitation would cause a denial of service. The function reassemble_v2_incoming_fragments() would ignore unknown outer payloads but still store these in a fixed size array msg_digest.digest[PAYLIMIT]. An off-by-one error in the assertion PASSERT(logger, md->digest_roof < elemsof(md->digest)) causes the daemon to abort. No remote code execution is possible. Any configuration that allows IKEv2 connections that do not set fragmentation=no are vulnerable. IKEv1 is not affected.8dCVE-2006-100039.8 CRI42.2%
——13XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack.
In the case (stackptr == stacksize - 1), the stack will NOT be expanded. Then the new value will be written at location (++stackptr), which equals stacksize and therefore falls just outside the allocated buffer.
The bug can be observed when parsing an XML file with very deep element nesting2dCVE-2026-78317.6 HIG41.0%
——12UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.8dCVE-2026-491278.6 HIG40.1%
——12Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.2d