CVE-2014-0993

Embarcadero Delphi and C++ Builder XE6 - Buffer Overflow in Vcl.Graphics.TPicture.Bitmap

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-0993. PoCs published by helpsystems.

AI-analyzed exploit summary This repository provides a workaround for CVE-2014-0993 and CVE-2014-0994, which are stack/heap overflow vulnerabilities in the Embarcadero VCL Library. The tools inject a protective 'IF' statement into vulnerable processes to prevent exploitation via crafted BITMAP files.

Description

Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

Exploits (1)

nomisec WORKING POC 1 stars
by helpsystems · poc
https://github.com/helpsystems/Embarcadero-Workaround

This repository provides a workaround for CVE-2014-0993 and CVE-2014-0994, which are stack/heap overflow vulnerabilities in the Embarcadero VCL Library. The tools inject a protective 'IF' statement into vulnerable processes to prevent exploitation via crafted BITMAP files.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: 32-bit software compiled with Delphi and C++ Builder using the VCL library
No auth needed
Prerequisites: Vulnerable process running on the system · Administrative privileges for process injection
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/646748
Patch, Vendor Advisory x_refsource_confirm
http://support.embarcadero.com/article/44015

Scores

EPSS 0.0570
EPSS Percentile 92.1%

Details

CWE
CWE-119
Status published
Products (2)
embarcadero/embarcadero_c\+\+builder_xe6 20.0.15596.9843
embarcadero/embarcadero_delphi_xe6 20.0.15596.9843
Published Sep 15, 2014
Tracked Since Feb 18, 2026