This page somewhat cynically celebrates the relatively new trend of giving bugs more memorable names and logo designs.
heartbleed apr 2014 CVE-2014-0160 OpenSSL rarely used heartbeat functionality leaks memory which can include private keys shellshock sep 2014 CVE-2014-6271+ bash: controlling an env variable equals code execution due to parse error GHOST jan 2015 CVE-2015-0235 glibc gethostbyname misfortune cookie feb 2015 CVE-2014-9222 dsl isp router authentication bypass venom may 2015 CVE-2015-3456 qemu emulated floppy drive, vm escape stagefright jul 2015 CVE-2015-1538+ android, various bug in stagefright library, code execution when viewing untrusted media drownattack feb 2016 CVE-2016-0800 openssl bleichenbacher attack on sslv2 leaks private key, often same as tls key badlock mar 2016 CVE-2016-2118 smb/samba bug, SAMR and LSA mitm ImageTragick may 2016 CVE-2016-3714 ImageMagick, possible to craft files which when converted execute code phwned may 2016 none privilege escalation admin->root in specific android VOIP devices. httpoxy jul 2016 CVE-2016-5385+ CGI HTTP_PROXY env var conflicts sweet32 aug 2016 CVE-2016-2183+ Birthday attacks on 64-bit block ciphers in TLS and OpenVPN dirtycow oct 2016 CVE-2016-5195 Linux kernel privilege escalation blacknurse nov 2016 none icmp type 3 code 3 DoS attack pwnscriptum dec 2016 CVE-2016-10033 PHPMailer - Remote Code Execution (possibly/probably miscredited) ticketbleed feb 2017 CVE-2016-9244 heartbleed like vulnerability in BIG-IP appliances shattered feb 2017 full sha1 collision cloudbleed feb 2017 cloudflare leaking PII customer data to the internet biterrant mar 2017 pointing out sha1 is used in bittorrent. The actual threat is exagerated. riddle mar 2017 CVE-2017-3305 mysql ssl client/server connections are mitm'able DoubleAgent mar 2017 CVE-2017-5567+ microsoft application verifier hijack, allowing to misappropriate AV Ring-Road apr 2017 QUIC protocol leaking password length stringbleed apr 2017 CVE 2017-5135 SNMP auth bypass (allegedly) antbleed apr 2017 miner device firmware allows remote disabling ghostbutt apr 2017 CVE-2017-8291 Artifex Ghostscript -dSAFER bypass (allegedly) rtpbleed sep 2017 mitm sip calls, without being in the middle due to how rtp proxies deal with NAT ROBOT dec 2017 CVE-2017-17428+ Bleichenbacher's Oracle, again in pcks1.5 meltdown jan 2018 CVE-2017-5754 speculative execution sidechannel leaking memory from pages marked supervisor via cache spectre jan 2018 CVE-2017-5753+ speculative execution sidechannel leaking memory from a victim process on the same CPU holeybeep apr 2018 CVE-2018-0492 local privilege escalation allegedly. (less common) suid binary beep. sirenjack apr 2018 ati systems' sirens can be activated without encryption efail may 2018 CVE-2017-17688+ two bugs in how pgp is handled in mail clients, and cipher block chaining dynoroot may 2018 CVE-2018-1111 redhat dhcp client remote root code execution by malicious dhcp server zipperdown may 2018 alleged app boundary violation in iOS zipslip jun 2018 CVE-2018-1002203+ zip file overwrite aka the old ..\..\ wavethrough jun 2018 CVE-2018-8235 html media element making no-cors requests in unsafe way RAMPAGE jun 2018 CVE-2018-9442 android app seperation bypass foreshadow aug 2018 CVE-2018-3615 speculative execution bugs allowing to read sgx, smm, .. bleedingbit nov 2018 CVE-2018-16986+ Bugs in bluetooth low energy implementations, alleged rce dragonblood apr 2019 various weaknesses in the uncommon WPA3 standard Thrangrycat may 2019 CVE-2019-1649+ Bypass Cisco's Trust Anchor module zombieload may 2019 CVE-2018-12130 Speculative execution intel leaking sgx and vm from root mds may 2019 CVE-2018-12130+ Speculative execution intel sidechannels rambleed jun 2019 CVE-2019-0174 rowhammer; physical address space plundervolt dec 2019 CVE-2019-11157 undervolting as a means to influence sgx cablehaunt jan 2020 CVE-2019-19494+ cable modem firmware buffer overflow cacheout jun 2020 CVE-2020-0549+ intel sepculative execution bug based on cache eviction boothole jul 2020 CVE-2020-10713 grub2 / uefi bypass secure boot revolte aug 2020 attack to decrypt lte platypus nov 2020 CVE-2020-8694+ power sidechannel, RAPL accessible from unprivileged user, breaks aesni/sgx/etc saddns nov 2020 CVE-2020-25705 icmp global rate limit causes sidechannel exposing source port of dns querry reducing entropy, allowing dns cache poisoining fragattacks may 2021 CVE-2020-24586+ multiple design and implementation flaws in WPA2 and WPA3. m1racles may 2021 CVE-2021-30747 read/writable register on Apple M1 arm cpu that is not properly isolated between processes alpaca jun 2021 CVE-2021-31971 TLS multi protocol confusion with subdomains sequoia jul 2021 CVE-2021-33909 local linux privesc, kernel bug large file path cipherleak aug 2021 CVE-2020-12966 AMD SEV-SNP sidechannel. reading ciphertext leads to infoleak spook.js sep 2021 Spectre mitigation in chrome bypass omigod sep 2021 CVE-2021-38647+ Azure's OpenManagementInterface remote code execution bugs smashex oct 2021 CVE-2021-0186+ intel SGX compromise enclaves
Satire bugsThis new trend, and in particular the mismatch between hype and severity of some of these bugs has drawn a lot of criticism. and spawned satirical bugs.
BACKRONYM NoToken sadlock Twitbleed
Please let us know if any of these are POE-days [(c) brainsmoke].
DisclamerThis list does not make any claims about the noteworthyness of these bugs. It also strongly refutes the notion that all bugs with a logo are overhyped. Some have won a pwnie for best bug, some for most overhyped bug.
The license of these logos is not always clear, it is however our understanding that the inclusion on this page falls under fair use. More importantly even intended use. However, if you own any of the rights on one of these logos and would like to see it removed contact us at email@example.com and it will be removed immediately.
The list is incomplete, and may contain flaws.