An improper restriction of operations within the bounds of a memory buffer exists in the CardboardPowered cardboard server implementation. The flaw is located in the world unloading logic, specifically within the WorldImpl.Java module. When a world chunk is unloaded, data is not correctly bounded before being written or read, which can corrupt memory. This vulnerability may allow an attacker to overwrite critical data structures or execute arbitrary code. The description does not explicitly state a confirmed exploit, but the nature of the flaw suggests the potential for remote code execution or denial of service.

The affected product is CardboardPowered cardboard. All versions prior to 1.21.4 are vulnerable. No other vendors or product versions are listed in the CVE record.

The CVSS score of 9.2 indicates a high severity. EPSS is reported as less than 1%, meaning the probability of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves a malicious user triggering the world chunk unloading process through the server’s management interface or by manipulating player movement, which would require access to the server environment. While no active exploits are known, the high CVSS combined with the memory corruption potential means that, if exploited, an attacker could hijack execution flow, gain privileged access, or disrupt service.