Impact
A heap‑based buffer overflow exists in the Nicolet WFT parsing functionality of The Biosig Project libbiosig 3.9.2 and the corresponding Master branch. A specially crafted .wft file can overwrite heap memory and lead to arbitrary code execution. The code processes untrusted input without proper bounds checking, which is why the flaw is classified as CWE‑122. If the flaw is exploited, an attacker could execute code with the privileges of the running process and compromise the integrity of the host system.
Affected Systems
The vulnerability is present in The Biosig Project libbiosig version 3.9.2 and the Master branch. Any system or application that incorporates an affected version and processes .wft files (commonly used in medical and scientific data acquisition contexts) is at risk. The maintainers of The Biosig Project are the vendor responsible for addressing the flaw.
Risk and Exploitability
The CVSS base score of 8.1 places this flaw in the high severity range. The EPSS score of less than 1% indicates that exploitation is currently unlikely, but the potential impact warrants immediate attention. The vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires an attacker to supply a malicious .wft file to the affected process, either locally or through a compromised component that parses user‑supplied data. Triggering the flaw does not require privilege escalation, so both local and remote attackers who can influence file input to the application can exploit it.