Total
34 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15056 | 1 Upx | 1 Upx | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by an Invalid Pointer Read in PackLinuxElf64::unpack(). | |||||
| CVE-2017-16869 | 1 Upx | 1 Upx | 2025-04-20 | 6.8 MEDIUM | 7.8 HIGH |
| ** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified other impact via a crafted Mach-O file, related to canPack and unpack functions. NOTE: the vendor has stated "there is no security implication whatsoever." | |||||
| CVE-2025-2849 | 1 Upx | 1 Upx | 2025-04-11 | 1.7 LOW | 3.3 LOW |
| A vulnerability, which was classified as problematic, was found in UPX up to 5.0.0. Affected is the function PackLinuxElf64::un_DT_INIT of the file src/p_lx_elf.cpp. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The patch is identified as e0b6ff192412f5bb5364c1948f4f6b27a0cd5ea2. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2020-27796 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.8 HIGH |
| A heap-based buffer over-read was discovered in the invert_pt_dynamic function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file. | |||||
| CVE-2020-27788 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 5.5 MEDIUM |
| An out-of-bounds read access vulnerability was discovered in UPX in PackLinuxElf64::canPack() function of p_lx_elf.cpp file. An attacker with a crafted input file could trigger this issue that could cause a crash leading to a denial of service. | |||||
| CVE-2021-43317 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.5 HIGH |
| A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5404 | |||||
| CVE-2018-11243 | 1 Upx | 1 Upx | 2025-04-11 | 6.8 MEDIUM | 7.8 HIGH |
| PackLinuxElf64::unpack in p_lx_elf.cpp in UPX 3.95 allows remote attackers to cause a denial of service (double free), limit the ability of a malware scanner to operate on the entire original data, or possibly have unspecified other impact via a crafted file. | |||||
| CVE-2021-20285 | 1 Upx | 1 Upx | 2025-04-11 | 8.3 HIGH | 6.6 MEDIUM |
| A flaw was found in upx canPack in p_lx_elf.cpp in UPX 3.96. This flaw allows attackers to cause a denial of service (SEGV or buffer overflow and application crash) or possibly have unspecified other impacts via a crafted ELF. The highest threat from this vulnerability is to system availability. | |||||
| CVE-2019-20053 | 2 Opensuse, Upx | 3 Backports, Leap, Upx | 2025-04-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| An invalid memory address dereference was discovered in the canUnpack function in p_mach.cpp in UPX 3.95 via a crafted Mach-O file. | |||||
| CVE-2021-46179 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 6.5 MEDIUM |
| Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function. | |||||
| CVE-2020-27799 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.8 HIGH |
| A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file. | |||||
| CVE-2019-14295 | 1 Upx | 1 Upx | 2025-04-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| An Integer overflow in the getElfSections function in p_vmlinx.cpp in UPX 3.95 allows remote attackers to cause a denial of service (crash) via a skewed offset larger than the size of the PE section in a UPX packed executable, which triggers an allocation of excessive memory. | |||||
| CVE-2023-23456 | 2 Fedoraproject, Upx | 2 Fedora, Upx | 2025-04-11 | N/A | 5.3 MEDIUM |
| A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. | |||||
| CVE-2021-43314 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.5 HIGH |
| A heap-based buffer overflows was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5368 | |||||
| CVE-2020-27802 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 5.5 MEDIUM |
| An floating point exception was discovered in the elf_lookup function in p_lx_elf.cpp in UPX 4.0.0 via a crafted Mach-O file. | |||||
| CVE-2020-24119 | 2 Fedoraproject, Upx | 2 Fedora, Upx | 2025-04-11 | 5.8 MEDIUM | 7.1 HIGH |
| A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect. | |||||
| CVE-2020-27800 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.8 HIGH |
| A heap-based buffer over-read was discovered in the get_le32 function in bele.h in UPX 4.0.0 via a crafted Mach-O file. | |||||
| CVE-2021-43313 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.5 HIGH |
| A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688. | |||||
| CVE-2021-43316 | 1 Upx | 1 Upx | 2025-04-11 | N/A | 7.5 HIGH |
| A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le64(). | |||||
| CVE-2019-20805 | 1 Upx | 1 Upx | 2025-04-11 | 4.3 MEDIUM | 5.5 MEDIUM |
| p_lx_elf.cpp in UPX before 3.96 has an integer overflow during unpacking via crafted values in a PT_DYNAMIC segment. | |||||