CVE-2025-1050: Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability
Published: 2025-04-23
Priority: P3 · 56 · CVSS 3.0: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% (27.1st percentile)
Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Sonos Era 300 speakers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the processing of HLS playlist data. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the anacapa user. Was ZDI-CAN-25606.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evershop | evershop | 0 – 2.1.0 | — |
| msrc | azl3_libsoup_3.4.4-7_on_azure_linux_3.0 | — | — |
| msrc | azl3_python-tensorboard_2.16.2-6_on_azure_linux_3.0 | — | — |
| msrc | cbl2_libsoup_3.0.4-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_python-tensorboard_2.11.0-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_qemu_6.2.0-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-8_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_reaper_3.1.1-9_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_samba_4.12.5-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_qemu-kvm_4.2.0-38_on_cbl_mariner_1.0 | — | — |
| msrc | cm2_libsoup_3.0.4-7_on_cbl_mariner_2.0 | — | — |
| sonos | era_300 | — | — |
| sonos | s2 | < 83.1-61240 | 83.1-61240 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA · ghsa · 2026-01-05
CVE-2025-67419 [HIGH] CWE-1050: evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.
GHSA · ghsa_unreviewed · 2025-04-23
CVE-2025-1050 [HIGH] CWE-787: GHSA-2cc5-v43v-fh92: Sonos Era 300 Out-of-Bounds Write Remote Code Execution Vulnerability
Red Hat · vendor_redhat · 2026-02-02 · CVSS 5.3
CVE-2025-6208 [MEDIUM] CWE-1050: llama_index: llama_index: Denial of Service due to uncontrolled memory consumption in SimpleDirectoryReader
The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41.
A flaw was found in llama_index. The `SimpleDirectoryReader` component loads all files from a specified directory into memory before applying a user-defined file limit. This resource management flaw allows an attacker to cause un
Red Hat · vendor_redhat · 2025-12-22 · CVSS 5.3
CVE-2025-68480 [MEDIUM] CWE-1050: github.com/marshmallow-code/marshmallow: Marshmallow: Denial of Service via crafted request to Schema.load function
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in version 3.26.2 and 4.1.2.
A flaw was found in Marshmallow. A remote attacker could exploit a vulnerability in the `Schema.load(data, many=True)` function by sending a moderately sized request. This could lead to a denial of service (DoS) due to the disproportionate consumption of CPU time, making the system unavailable
Red Hat · vendor_redhat · 2025-12-02 · CVSS 7.5
CVE-2025-61729 [HIGH] CWE-1050: crypto/x509: golang: Denial of Service due to excessive resource consumption via crafted certificate
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
A flaw was found in golang. A remote attacker could exploit this vulnerability by providing a specially crafted certificate during the error string construction process within the `HostnameError.Error()` function. This flaw, caused by unbounded string concatenation, leads to excessive resource consumption. Successful exploitation can result in a denial
Red Hat · vendor_redhat · 2025-09-15 · CVSS 5.5
CVE-2025-39801 [MEDIUM] CWE-1050: kernel: usb: dwc3: Remove WARN_ON for device endpoint command timeouts
In the Linux kernel, the following vulnerability has been resolved:
usb: dwc3: Remove WARN_ON for device endpoint command timeouts
This commit addresses a rarely observed endpoint command timeout
which causes kernel panic due to warn when 'panic_on_warn' is enabled
and unnecessary call trace prints when 'panic_on_warn' is disabled.
It is seen during fast software-controlled connect/disconnect testcases.
The following is one such endpoint command timeout that we observed:
1. Connect
->dwc3_thread_interrupt
->dwc3_ep0_interrupt
->configfs_composite_setup
->composite_setup
->usb_ep_queue
->dwc3_gadget_ep0_queue
->__dwc3_gadget_ep0_queue
->__dwc3_ep0_do_control_data
->dwc3_send_gadget_ep_cmd
2. Disconnect
->dwc3_thread_int
Red Hat · vendor_redhat · 2025-09-11 · CVSS 5.5
CVE-2025-39737 [MEDIUM] CWE-1050: kernel: mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
In the Linux kernel, the following vulnerability has been resolved:
mm/kmemleak: avoid soft lockup in __kmemleak_do_cleanup()
A soft lockup warning was observed on a relatively small x86-64
system with 16 GB of memory when running a debug kernel with kmemleak
enabled.
watchdog: BUG: soft lockup - CPU#8 stuck for 33s! [kworker/8:1:134]
The test system was running a workload with hot unplug happening in
parallel. Then kmemleak decided to disable itself due to its inability to
allocate more kmemleak objects. The debug kernel has its
CONFIG_DEBUG_KMEMLEAK_MEM_POOL_SIZE set to 40,000.
The soft lockup happened in kmemleak_do_cleanup() when the existing
kmemleak objects were being removed and deleted one-by-one in a loop via a
Red Hat · vendor_redhat · 2025-06-02 · CVSS 7.5
CVE-2025-48866 [HIGH] CWE-1050: mod_security: ModSecurity Denial of Service Vulnerability
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions prior to 2.9.10 contain a denial of service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The `sanitiseArg` (and `sanitizeArg` - this is the same action but an alias) is vulnerable to adding an excessive number of arguments, thereby leading to denial of service. Version 2.9.10 fixes the issue. As a workaround, avoid using rules that contain the `sanitiseArg` (or `sanitizeArg`) action.
A denial of service flaw was found in ModSecurity. This vulnerability is present in the `sanitiseArg`/`sanitizeArg` function, which can be overloaded with a large number of arguments, leading to excessive memory usage
Red Hat · vendor_redhat · 2025-05-21 · CVSS 7.5
CVE-2025-47947 [HIGH] CWE-1050: modsecurity: ModSecurity Has Possible DoS Vulnerability
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case (in stable released versions): when the payload's content type is `application/json`, and there is at least one rule which does a `sanitiseMatchedBytes` action. A patch is available at pull request 3389 and expected to be part of version 2.9.9. No known workarounds are available.
A flaw was found in the mod_security2 Apache2 module. Versions up to and including 2.9.8 are vulnerable to denial of service in one special case. In stable released versions, when the payload's content type is `application/json`, at least one rule performs a
Red Hat · vendor_redhat · 2025-04-14 · CVSS 5.3
CVE-2025-32907 [MEDIUM] CWE-1050: libsoup: Denial of service in server when client requests a large amount of overlapping ranges with Range header
A flaw was found in libsoup. The implementation of HTTP range requests is vulnerable to a resource consumption attack. This flaw allows a malicious client to request the same range many times in a single HTTP request, causing the server to use large amounts of memory. This does not allow for a full denial of service.
Mitigation: currently, no mitigation has been found.
Microsoft · vendor_msrc · 2025-04-08 · CVSS 5.3
CVE-2025-32907 [MEDIUM] CWE-1050: Libsoup: denial of service in server when client requests a large amount of overlapping ranges with range header
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, redhat
Customer Action Required: Yes
Microsoft · vendor_msrc · 2024-05-14 · CVSS 7.5
CVE-2024-4068 [HIGH] CWE-1050: Memory Exhaustion in braces
Tags: Mariner, Checkmarx
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us
Microsoft · vendor_msrc · 2022-03-08 · CVSS 8.8
CVE-2022-1050 [HIGH] CWE-416: QEMU paravirtual RDMA device use-after-free
A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated potentially leading to a use-after-free condition.
Microsoft · vendor_msrc · 2018-03-13 · CVSS 4.3
CVE-2018-1050 [MEDIUM] CWE-476: Samba RPC spoolss denial of service
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
No detection rules found.
No public exploits indexed.