There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.
VMware ESXi, Workstation and Fusion contain out-of-bounds read/write vulnerabilities in the pixel shader functionality. Exploitation of these issues require an attacker to have access to a virtual machine with 3D graphics enabled. It is not enabled by default on ESXi and is enabled by default on Workstation and Fusion. Successful exploitation of the out-of-bounds read issue (CVE-2019-5521) may lead to information disclosure or may allow attackers with normal user privileges to create a denial-of-service condition on the host. The out-of-bounds write issue (CVE-2019-5684) can be exploited only if the host has an affected NVIDIA graphics driver. Successful exploitation of this issue may lead to code execution on the host.
wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCertExtensions() and DecodeOcspRespExtensions() in wolfcrypt/src/asn.c because reading the ASN_BOOLEAN byte is mishandled for a crafted DER certificate in GetLength_ex().
The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs. A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.
There is a read of out-of-bounds data at nfs_read_reply().
The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read. A misbehaving bhyve guest could crash the system or access memory that it should not be able to.
In libssh2 before 1.9.0, the function kex_method_diffie_hellman_group_exchange_sha256 _key_exchange() in the file kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server.