CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry annotated with the QSearch coverage signal — how many of our agents, skills, and playbooks address the technique. Subscribe via RSS for SIEM pipe, or get the weekly digest by email.
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authe...
Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers. AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produces ciphertext plus a 16-byte tag. On decrypt, `EVP_DecryptFinal_ex()` is documented to return success only if the tag is verified succesfully. In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when decryption function is invoked with non-empty data. If the caller supplies AAD and then calls `EVP_DecryptFinal_ex()` without invocation of the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value. When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key. AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2. No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives. The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.
CWE-325Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied...
Issue summary: When an application drives an AES-OCB context through the public EVP_Cipher() one-shot interface, the application-supplied initialisation vector (IV) is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV supplied by the caller, resulting in (key, nonce) reuse and loss of confidentiality. If the same code path is used to compute the authentication tag, the tag depends only on the (key, IV) pair and not on the plaintext or ciphertext, allowing universal forgery of arbitrary ciphertext from a single captured message. OpenSSL provides two ways to drive a cipher: the documented streaming interface (EVP_CipherUpdate / EVP_CipherFinal_ex) and a lower-level one-shot, EVP_Cipher(), whose documentation explicitly recommends against use by applications in favour of EVP_CipherUpdate() and EVP_CipherFinal_ex(). The OCB provider's streaming handler flushes the application-supplied IV into the OCB context before processing data; the one-shot handler did not. Every call to EVP_Cipher() on an AES-OCB context therefore ran with the all-zero key-derived offset state left by cipher initialisation, regardless of the caller's IV. If EVP_EncryptFinal_ex() is subsequently used to obtain the authentication tag, the deferred IV setup runs at that point and clears the running checksum that should have been accumulated over the plaintext. The resulting tag is a function of (key, IV) only and verifies against any ciphertext produced under the same (key, IV) pair. The OpenSSL SSL/TLS implementation is not affected: AES-OCB is not a TLS cipher suite, and libssl does not call EVP_Cipher() in any case. Applications that drive AES-OCB through the documented streaming AEAD API (EVP_CipherUpdate / EVP_CipherFinal_ex) are not affected. Only applications that combine the AES-OCB cipher with the EVP_Cipher() one-shot API are vulnerable. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as AES-OCB is outside the OpenSSL FIPS module boundary.
CWE-325Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
microsoftCWE-122Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CWE-197CWE-416Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information over a network.
microsoftCWE-125Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally.
microsoftCWE-125Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
microsoftCWE-125Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
microsoftCWE-122Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
microsoftCWE-362Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally
Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
microsoftCWE-843Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network
Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.
microsoftCWE-121Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally
Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
CWE-122CWE-125Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE-416Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally
Integer overflow or wraparound in Windows Win32K - GRFX allows an unauthorized attacker to execute code locally.
CWE-190Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE-122CWE-20Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally
Improper authentication in Windows Cryptographic Services allows an unauthorized attacker to elevate privileges locally.
microsoftCWE-287Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally
Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
microsoftCWE-416Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE-122CWE-125Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally
Use after free in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CWE-416Use after free in Windows Network Controller (NC) Host Agent allows an authorized attacker to deny service locally
Use after free in Windows Network Controller (NC) Host Agent allows an authorized attacker to deny service locally.
microsoftCWE-416CWE-822
4.8 MEDIUM
7.5 HIGH
9.8 CRITICALWeekly digest
Get the curated CVE digest every Monday
One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.
Pipe the CVE feed into your stack.
CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.