Cyber Resilience

CVE-2026-44983

High

Published: 26 May 2026

Modified: 01 June 2026
KEV Added
Patch
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
EPSS Score: 0.0015 (4.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-44983 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocation, resulting in a heap buffer overflow through safe APIs only. This allows memory corruption without requiring unsafe code from the caller. This vulnerability is fixed in 2.6.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Heap buffer overflow via integer overflow enables remote exploitation of public apps or client-side code execution through crafted input to the library.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-49673: Shared CWE-122
CVE-2025-21369: Shared CWE-122, CWE-190
CVE-2026-33020: Shared CWE-122, CWE-190
CVE-2026-23876: Shared CWE-122, CWE-190
CVE-2026-32316: Shared CWE-122, CWE-190
CVE-2025-53853: Shared CWE-122
CVE-2026-44636: Shared CWE-122, CWE-190
CVE-2020-37162: Shared CWE-122
CVE-2026-48690: Shared CWE-122, CWE-190
CVE-2025-21273: Shared CWE-122

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
