MITRE ATT&CK CVE list for this attack path. Use risk scores and timeline to decide what to patch first and what to track next.
| CVE | 説明 | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|
| CVE-2026-54109 | Integer overflow or wraparound in Windows Resilient File System (ReFS) allows an authorized attacker to execute code locally. | 7.8 | 0.24% | 2026-07-14 | 2026-07-15 |
| CVE-2026-50299 | Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack. | 6.8 | 0.33% | 2026-07-14 | 2026-07-15 |
| CVE-2026-50298 | Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack. | 6.8 | 0.33% | 2026-07-14 | 2026-07-15 |
| CVE-2026-49800 | Integer overflow or wraparound in Windows Web Proxy Auto-Discovery Protocol (WPAD) allows an authorized attacker to elevate privileges locally. | 7.8 | 0.24% | 2026-07-14 | 2026-07-14 |
| CVE-2026-49168 | Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack. | 6.8 | 0.31% | 2026-07-14 | 2026-07-14 |
| CVE-2026-59199 | Pillow is a Python imaging library. Prior to 12.3.0, Pillow public image coordinate APIs can trigger a native heap out-of-bounds write when given coordinates near the signed 32-bit integer limits in Image.paste(), Image.crop(), or Image.alpha_composite(). This issue is fixed in version 12.3.0. | 7.5 | 0.39% | 2026-07-14 | 2026-07-15 |
| CVE-2026-51536 | In OpENer 2.3.0 (commit 76b95cf) when parsing incoming CIP (Common Industrial Protocol) network packets, the length parameter is inconsistently typed across the call stack. Specifically, an upstream length calculated as an int is passed to a downstream function that expects an EipInt16 (a 16-bit signed integer). If a maliciously crafted packet with specific length fields is processed, the length parameter can overflow or be truncated into a negative value. This negative length bypasses subsequen | 9.1 | 0.47% | 2026-07-13 | 2026-07-15 |
| CVE-2026-39042 | An issue in MikroTIk (SIA Mikrotikls, Latvia) RouterOS 7.21.x before v.7.21.4 and 7.22.x before v.7.22.2 allows a remote attacker to cause a denial of service via the unflatten() function in libumsg.so. | 7.5 | 0.41% | 2026-07-13 | 2026-07-15 |
| CVE-2026-57433 | Storable versions before 3.41 for Perl have a signed integer overflow when deserializing a crafted SX_HOOK record. retrieve_hook_common reads a signed 32-bit item count from an SX_HOOK record and calls av_extend with that count plus one. A count of I32_MAX wraps the addition to a negative value. A crafted blob passed to thaw or retrieve triggers the overflow; av_extend receives the negative count and dies with a panic, terminating the deserialization. | 9.8 | 0.34% | 2026-07-13 | 2026-07-14 |
| CVE-2026-57432 | Perl versions through 5.43.10 have an integer overflow in S_measure_struct leading to an out-of-bounds heap read in pack and unpack. S_measure_struct adds each item's size times its repeat count to a running total with no overflow check, so a large repeat count in a pack or unpack template wraps the signed SSize_t total negative. The @, X, and x position codes then guard their moves with a signed length comparison that passes when the length is negative, advancing the buffer pointer out of boun | 8.4 | 0.21% | 2026-07-13 | 2026-07-14 |
| CVE-2026-13221 | Perl versions through 5.43.9 produce silently incorrect regular expression matches when an alternation of more than 65535 fixed string branches is compiled into a trie in Perl_study_chunk. When such branches are combined into a trie, the delta between the first branch and the shared tail is stored in a 16-bit field. A branch count above 65535 overflows the field, and the trie's match decision table is truncated with no warning or error. A pattern of this shape produces false positive matches ( | 9.1 | 0.61% | 2026-07-13 | 2026-07-14 |
| CVE-2026-40469 | Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below. | 5.1 | 0.21% | 2026-07-13 | 2026-07-13 |
| CVE-2026-40468 | Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below. | 2.1 | 0.20% | 2026-07-13 | 2026-07-13 |
| CVE-2026-7162 | Successful exploitation of the integer overflow vulnerability could allow an attacker to achieve system-level access to the affected software. | 7.8 | 0.10% | 2026-07-13 | 2026-07-13 |
| CVE-2026-15551 | Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Overflow Buffers. This issue affects . | 5.5 | 0.08% | 2026-07-12 | 2026-07-13 |
| CVE-2026-57156 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.28.0 on 32-bit builds, FreeRDP clients contain an integer overflow in update_read_delta_points in libfreerdp/core/orders.c when multiplying an attacker-controlled point count by sizeof(DELTA_POINT), allowing a malicious RDP peer to allocate an undersized heap buffer and then write beyond it during initialization. This issue is fixed in version 3.28.0. | 8.6 | 0.70% | 2026-07-10 | 2026-07-15 |
| CVE-2026-38076 | An integer overflow in the jbig2_arith_iaid_ctx_new() function of Artifex commit cc37d0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 7.5 | 0.43% | 2026-07-09 | 2026-07-10 |
| CVE-2026-15108 | Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High) | 4.3 | 0.10% | 2026-07-08 | 2026-07-09 |
| CVE-2026-58207 | NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.3 and 2.12.12, a client able to send account-scoped connection monitoring requests could crash the server by supplying Connz pagination Offset and Limit values that overflowed internal arithmetic before the response window was safely bounded. This issue is fixed in versions 2.14.3 and 2.12.12. | 7.7 | 0.56% | 2026-07-08 | 2026-07-09 |
| CVE-2026-59879 | Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8. | 8.7 | 0.37% | 2026-07-08 | 2026-07-10 |