bitwize music — Security Advisories

BVE-2026-0006 — Reserved

Wed, 22 Apr 2026 00:00:00 +0000

A local code execution vulnerability discovered on 2026-04-19. It has been reported to the vendor, with a CVE requested on 2026-04-22. Full details will be published here once disclosure is complete.

Status: Reserved. Severity: High.

View advisory

BVE-2026-0005 — Reserved

Wed, 22 Apr 2026 00:00:00 +0000

A critical unauthenticated remote code execution vulnerability discovered on 2026-04-19 and reported to the Zero Day Initiative (ZDI) the same day. Full details will be published here once disclosure is complete.

Status: Reserved. Severity: Critical.

View advisory

BVE-2026-0004 — Reserved

Wed, 22 Apr 2026 00:00:00 +0000

Status: Reserved. Severity: Critical.

View advisory

BVE-2026-0002 — ok_json: heap buffer overread in UTF-8 validation

Wed, 22 Apr 2026 00:00:00 +0000

A heap buffer overread in ok_json's UTF-8 validator. A multi-byte UTF-8 lead byte at the end of input causes the validator to read continuation bytes past the end of the caller-supplied buffer. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory

BVE-2026-0003 — ok_json: heap buffer overread in true/false/null keyword matching

Wed, 22 Apr 2026 00:00:00 +0000

A heap buffer overread in ok_json's keyword matcher. Input shorter than the expected keyword (`true`, `false`, `null`) causes `okj_match` to read past the end of the caller-supplied buffer. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory

BVE-2026-0001 — ok_json: heap buffer overread in \uXXXX escape parsing

Wed, 22 Apr 2026 00:00:00 +0000

A heap buffer overread in ok_json's `\uXXXX` escape parser. A truncated `\u` escape at the end of input causes the parser to read past the end of the caller-supplied buffer while consuming hex digits. Fixed upstream on 2026-04-14.

Status: Fixed. Severity: High. Vendor: ionux. Product: ok_json.

View advisory