CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-WMW2-PM8R-7XV5
Vulnerability from github – Published: 2022-05-13 01:01 – Updated: 2025-04-20 03:36An exploitable arbitrary read exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a arbitrary read resulting in memory disclosure. The vulnerability was confirmed on versions 11.3.0.2228 and 11.3.0.2400
{
"affected": [],
"aliases": [
"CVE-2017-2806"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-20T18:59:00Z",
"severity": "MODERATE"
},
"details": "An exploitable arbitrary read exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a arbitrary read resulting in memory disclosure. The vulnerability was confirmed on versions 11.3.0.2228 and 11.3.0.2400",
"id": "GHSA-wmw2-pm8r-7xv5",
"modified": "2025-04-20T03:36:21Z",
"published": "2022-05-13T01:01:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2806"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2017-0302"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WMWJ-946W-3M8W
Vulnerability from github – Published: 2026-06-23 15:32 – Updated: 2026-06-23 15:32An out-of-bounds read vulnerability exists in dnsmasq's find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.
{
"affected": [],
"aliases": [
"CVE-2026-12969"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-23T14:17:22Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read vulnerability exists in dnsmasq\u0027s find_soa() function in src/rfc1035.c. When parsing NS section records, extract_name() is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can exploit this via a crafted NXDOMAIN response to cause a 10-byte heap out-of-bounds read, potentially accessing stale data from prior transactions.",
"id": "GHSA-wmwj-946w-3m8w",
"modified": "2026-06-23T15:32:37Z",
"published": "2026-06-23T15:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12969"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12969"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491663"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WP24-29MC-PM2X
Vulnerability from github – Published: 2026-03-13 21:31 – Updated: 2026-03-13 21:31There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file. This vulnerability affects all versions of Digilent DASYLab.
{
"affected": [],
"aliases": [
"CVE-2026-0955"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-13T19:53:57Z",
"severity": "HIGH"
},
"details": "There is a memory corruption vulnerability due to an out-of-bounds read when loading a corrupted file in Digilent DASYLab. \u00a0This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file. This vulnerability affects all versions of Digilent DASYLab.",
"id": "GHSA-wp24-29mc-pm2x",
"modified": "2026-03-13T21:31:45Z",
"published": "2026-03-13T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0955"
},
{
"type": "WEB",
"url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/out-of-bounds-read-vulnerabilities-in-digilent-dasylab.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WP4M-4W7Q-MQPJ
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17libmobi is vulnerable to Out-of-bounds Read
{
"affected": [],
"aliases": [
"CVE-2021-3881"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-15T14:15:00Z",
"severity": "CRITICAL"
},
"details": "libmobi is vulnerable to Out-of-bounds Read",
"id": "GHSA-wp4m-4w7q-mqpj",
"modified": "2022-05-24T19:17:42Z",
"published": "2022-05-24T19:17:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3881"
},
{
"type": "WEB",
"url": "https://github.com/bfabiszewski/libmobi/commit/bec783e6212439a335ba6e8df7ab8ed610ca9a21"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/540fd115-7de4-4e19-a918-5ee61f5157c1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WP5Q-XCPM-22JF
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-25 00:00Out of bounds read in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2021-23179"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-18T20:15:00Z",
"severity": "HIGH"
},
"details": "Out of bounds read in firmware for some Intel(R) Wireless Bluetooth(R) and Killer(TM) Bluetooth(R) products before version 22.120 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-wp5q-xcpm-22jf",
"modified": "2022-08-25T00:00:26Z",
"published": "2022-08-19T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23179"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00628.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP6P-MQ3V-VXF9
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2022-02-17 00:00Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-23194"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T17:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Illustrator versions 25.4.3 (and earlier) and 26.0.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-wp6p-mq3v-vxf9",
"modified": "2022-02-17T00:00:29Z",
"published": "2022-02-17T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23194"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/illustrator/apsb22-07.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WP6V-HMRG-73Q2
Vulnerability from github – Published: 2022-05-13 01:35 – Updated: 2022-05-13 01:35CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cause the software to crash due to lacking user input validation for processing project files. Which may allow an attacker to gain remote code execution with administrator privileges if exploited.
{
"affected": [],
"aliases": [
"CVE-2018-10598"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-13T21:47:00Z",
"severity": "HIGH"
},
"details": "CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 has two out-of-bounds read vulnerabilities could cause the software to crash due to lacking user input validation for processing project files. Which may allow an attacker to gain remote code execution with administrator privileges if exploited.",
"id": "GHSA-wp6v-hmrg-73q2",
"modified": "2022-05-13T01:35:00Z",
"published": "2022-05-13T01:35:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10598"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-219-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WP9W-GQPP-FXXM
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-28 21:30In BtaAvCo::GetNextSourceDataPacket of bta_av_co.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-259939364
{
"affected": [],
"aliases": [
"CVE-2023-20979"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "In BtaAvCo::GetNextSourceDataPacket of bta_av_co.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-259939364",
"id": "GHSA-wp9w-gqpp-fxxm",
"modified": "2023-03-28T21:30:17Z",
"published": "2023-03-24T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20979"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WPFG-7XQ2-MV49
Vulnerability from github – Published: 2023-08-22 21:30 – Updated: 2024-03-14 00:31File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: "File" is the name of an Open Source project.
{
"affected": [],
"aliases": [
"CVE-2022-48554"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-22T19:16:31Z",
"severity": "MODERATE"
},
"details": "File before 5.43 has an stack-based buffer over-read in file_copystr in funcs.c. NOTE: \"File\" is the name of an Open Source project.",
"id": "GHSA-wpfg-7xq2-mv49",
"modified": "2024-03-14T00:31:02Z",
"published": "2023-08-22T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48554"
},
{
"type": "WEB",
"url": "https://bugs.astron.com/view.php?id=310"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231116-0002"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214081"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214084"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214086"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT214088"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5489"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/21"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/24"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Mar/25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPFG-JWV3-5XQC
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/mach0/dyldcache.c may allow attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting an input file.
{
"affected": [],
"aliases": [
"CVE-2018-20458"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-25T19:29:00Z",
"severity": "MODERATE"
},
"details": "In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/mach0/dyldcache.c may allow attackers to cause a denial-of-service (application crash caused by out-of-bounds read) by crafting an input file.",
"id": "GHSA-wpfg-jwv3-5xqc",
"modified": "2022-05-13T01:14:36Z",
"published": "2022-05-13T01:14:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20458"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/issues/12374"
},
{
"type": "WEB",
"url": "https://github.com/radareorg/radare2/commit/30f4c7b52a4e2dc0d0b1bae487d90f5437c69d19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.