This page somewhat cynically celebrates the relatively new trend of giving bugs more memorable names and logo designs.
heartbleed apr 2014 CVE-2014-0160 OpenSSL rarely used heartbeat functionality leaks memory which can include private keys shellshock sep 2014 CVE-2014-6271+ bash: controlling an env variable equals code execution due to parse error GHOST jan 2015 CVE-2015-0235 glibc gethostbyname misfortune cookie feb 2015 CVE-2014-9222 dsl isp router authentication bypass venom may 2015 CVE-2015-3456 qemu emulated floppy drive, vm escape stagefright jul 2015 CVE-2015-1538+ android, various bug in stagefright library, code execution when viewing untrusted media drownattack feb 2016 CVE-2016-0800 openssl bleichenbacher attack on sslv2 leaks private key, often same as tls key badlock mar 2016 CVE-2016-2118 smb/samba bug, SAMR and LSA mitm ImageTragick may 2016 CVE-2016-3714 ImageMagick, possible to craft files which when converted execute code phwned may 2016 none privilege escalation admin->root in specific android VOIP devices. httpoxy jul 2016 CVE-2016-5385+ CGI HTTP_PROXY env var conflicts sweet32 aug 2016 CVE-2016-2183+ Birthday attacks on 64-bit block ciphers in TLS and OpenVPN dirtycow oct 2016 CVE-2016-5195 Linux kernel privilege escalation blacknurse nov 2016 none icmp type 3 code 3 DoS attack pwnscriptum dec 2016 CVE-2016-10033 PHPMailer - Remote Code Execution (possibly/probably miscredited) ticketbleed feb 2017 CVE-2016-9244 heartbleed like vulnerability in BIG-IP appliances shattered feb 2017 full sha1 collision cloudbleed feb 2017 cloudflare leaking PII customer data to the internet biterrant mar 2017 pointing out sha1 is used in bittorrent. The actual threat is exagerated. riddle mar 2017 CVE-2017-3305 mysql ssl client/server connections are mitm'able DoubleAgent mar 2017 CVE-2017-5567+ microsoft application verifier hijack, allowing to misappropriate AV Ring-Road apr 2017 QUIC protocol leaking password length stringbleed apr 2017 CVE 2017-5135 SNMP auth bypass (allegedly) antbleed apr 2017 miner device firmware allows remote disabling ghostbutt apr 2017 CVE-2017-8291 Artifex Ghostscript -dSAFER bypass (allegedly) rtpbleed sep 2017 mitm sip calls, without being in the middle due to how rtp proxies deal with NAT ROBOT dec 2017 CVE-2017-17428+ Bleichenbacher's Oracle, again in pcks1.5 meltdown jan 2018 CVE-2017-5754 speculative execution sidechannel leaking memory from pages marked supervisor via cache spectre jan 2018 CVE-2017-5753+ speculative execution sidechannel leaking memory from a victim process on the same CPU holeybeep apr 2018 CVE-2018-0492 local privilege escalation allegedly. (less common) suid binary beep. sirenjack apr 2018 ati systems' sirens can be activated without encryption efail may 2018 CVE-2017-17688+ two bugs in how pgp is handled in mail clients, and cipher block chaining dynoroot may 2018 CVE-2018-1111 redhat dhcp client remote root code execution by malicious dhcp server zipperdown may 2018 alleged app boundary violation in iOS zipslip jun 2018 CVE-2018-1002203+ zip file overwrite aka the old ..\..\ wavethrough jun 2018 CVE-2018-8235 html media element making no-cors requests in unsafe way RAMPAGE jun 2018 CVE-2018-9442 android app seperation bypass foreshadow aug 2018 CVE-2018-3615 speculative execution bugs allowing to read sgx, smm, .. bleedingbit nov 2018 CVE-2018-16986+ Bugs in bluetooth low energy implementations, alleged rce
Satire bugsThis new trend, and in particular the mismatch between hype and severity of some of these bugs has drawn a lot of criticism. and spawned satirical bugs.
BACKRONYM NoToken sadlock
Please let us know if any of these are POE-days [(c) brainsmoke].
DisclamerThis list does not make any claims about the noteworthyness of these bugs. It also strongly refutes the notion that all bugs with a logo are overhyped. Some have won a pwnie for best bug, some for most overhyped bug.
The license of these logos is not always clear, it is however our understanding that the inclusion on this page falls under fair use. More importantly even intended use. However, if you own any of the rights on one of these logos and would like to see it removed contact us at firstname.lastname@example.org and it will be removed immediately.
The list is incomplete, and may contain flaws.