In April 2026, GitHub Security Lab disclosed a critical heap‑overflow vulnerability (CVE‑2026‑48095) in 7‑Zip 26.00 that can be triggered by opening a crafted NTFS image, leading to vtable hijacking and remote code execution with a CVSS score of 8.8.
A critical Nginx vulnerability (CVE‑2026‑42945, CVSS 9.2) discovered by depthfirst and F5 allows unauthenticated remote code execution via a single crafted HTTP request, affecting versions 0.6.27‑1.30.0 and roughly one‑third of global websites.
This article reviews five high‑severity Android native vulnerabilities, detailing how missing length checks, unsigned integer wrap‑around, thread‑lifecycle misuse, unlocked vectors, and out‑of‑scope pointers lead to heap overflows or use‑after‑free bugs, and presents the remediation steps recommended by Google.
The new curl 8.4.0 release on October 11 patches a severe SOCKS5 heap buffer overflow (CVE‑2023‑38545), urging all developers and users to upgrade immediately to mitigate the dangerous vulnerability.
A heap‑buffer‑overflow bug in sudo (CVE‑2021‑3156) lets any local user obtain root without a password, existed for a decade before being fixed, and can be tested with a simple sudoedit command on vulnerable Linux distributions.
This article explains the fundamentals of glibc malloc’s unlink mechanism, demonstrates how a heap overflow can be leveraged to overwrite chunk headers and execute arbitrary code, walks through the exploitation steps with code examples, and discusses modern mitigations that render the classic unlink technique ineffective.
