___        /  /\    
      /__/\      /  /::\   
      \__\:\    /  /:/\:\  
      /  /::\  /  /:/  \:\ 
   __/  /:/\/ /__/:/ \__\:\
  /__/\/:/~~  \  \:\ /  /:/
  \  \::/      \  \:\  /:/ 
   \  \:\       \  \:\/:/  
    \__\/        \  \::/   
This page somewhat cynically celebrates the relatively new trend of giving bugs more memorable names and logo designs.

Logo bugs

heartbleed         apr 2014 CVE-2014-0160  OpenSSL rarely used heartbeat functionality leaks memory which can include private keys
shellshock         sep 2014 CVE-2014-6271+ bash: controlling an env variable equals code execution due to parse error
GHOST              jan 2015 CVE-2015-0235  glibc gethostbyname
misfortune cookie  feb 2015 CVE-2014-9222  dsl isp router authentication bypass
venom              may 2015 CVE-2015-3456  qemu emulated floppy drive, vm escape
stagefright        jul 2015 CVE-2015-1538+ android, various bug in stagefright library, code execution when viewing untrusted media
drownattack        feb 2016 CVE-2016-0800  openssl bleichenbacher attack on sslv2 leaks private key, often same as tls key
badlock            mar 2016 CVE-2016-2118  smb/samba bug, SAMR and LSA mitm
ImageTragick       may 2016 CVE-2016-3714  ImageMagick, possible to craft files which when converted execute code
phwned             may 2016 none           privilege escalation admin->root in specific android VOIP devices.
httpoxy            jul 2016 CVE-2016-5385+ CGI HTTP_PROXY env var conflicts 
sweet32            aug 2016 CVE-2016-2183+ Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
dirtycow           oct 2016 CVE-2016-5195  Linux kernel privilege escalation
blacknurse         nov 2016 none           icmp type 3 code 3 DoS attack
pwnscriptum        dec 2016 CVE-2016-10033 PHPMailer - Remote Code Execution (possibly/probably miscredited)
ticketbleed        feb 2017 CVE-2016-9244  heartbleed like vulnerability in BIG-IP appliances
shattered          feb 2017                full sha1 collision
cloudbleed         feb 2017                cloudflare leaking PII customer data to the internet
biterrant          mar 2017                pointing out sha1 is used in bittorrent. The actual threat is exagerated.
riddle             mar 2017 CVE-2017-3305  mysql ssl client/server connections are mitm'able
DoubleAgent        mar 2017 CVE-2017-5567+ microsoft application verifier hijack, allowing to misappropriate AV

Named bugs

named bugs without logo:
BEAST           sep 2011 CVE-2011-3389 ssl cbc weakness, made people use rc4
CRIME           sep 2012 CVE-2012-4929 ssl info leakage by using chosen plain text and compression size
lucky13         feb 2013 CVE-2013-0169 ssl cbc timing oracle (the fix caused the worse bug: CVE-2016-2107)
BREACH          aug 2013 CVE-2013-3587 ssl compression info leakage
POODLE          oct 2014 CVE-2014-3566 ssl cbc mitm force downgrade to sslv3
rc4nomore       aug 2015               stop people using rc4
FREAK           may 2015 CVE-2015-0204 ssl mitm force use "exportgrade rsa" 512 bit keys.
logjam          may 2015 CVE-2015-4000 dh a lot of software only used one of a small set of weak (<=1024 bit) primes
rowhammer       jul 2015 CVE-2015-0565 induce faults in physically nearby rows of DRAM possibly belonging to higher priv process
cachebleed      mar 2016 CVE-2016-0702 ssl sidechannel using cache-banks pre haswell cpus
badTunnel       jun 2016 CVE-2016-3236 MS16-077 massive WPAD privilege escalation
HEIST           aug 2016               BREACH/CRIME from browser using malicious javascript (allegedly)
quadrooter      aug 2016               android rooting bugs(provisional)
drammer         oct 2016 CVE-2016-6728 rowhammer for ARM/mobile
LOBSTER         nov 2016 CVE-2016-1000031 serialisation in apache remote exec 

Satire bugs

This new trend, and in particular the mismatch between hype and severity of some of these bugs has drawn a lot of criticism. and spawned satirical bugs.

BACKRONYM NoToken sadlock

Please let us know if any of these are POE-days [(c) brainsmoke].


This list does not make any claims about the noteworthyness of these bugs. It also strongly refutes the notion that all bugs with a logo are overhyped. Some have won a pwnie for best bug, some for most overhyped bug.

The license of these logos is not always clear, it is however our understanding that the inclusion on this page falls under fair use. More importantly even intended use. However, if you own any of the rights on one of these logos and would like to see it removed contact us at blapost@gmail.com and it will be removed immediately.

The list is incomplete, and may contain flaws.