Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11291 vulnerabilities reference this CWE, most recent first.

GHSA-XHGX-HX6P-CQP4

Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-30 03:30
VLAI
Details

In btm_create_conn_cancel_complete of btm_sec.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-260568245

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-24T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In btm_create_conn_cancel_complete of btm_sec.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-260568245",
  "id": "GHSA-xhgx-hx6p-cqp4",
  "modified": "2023-03-30T03:30:38Z",
  "published": "2023-03-24T21:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20973"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2023-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHHW-J3H4-3X9R

Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2025-11-03 21:33
VLAI
Details

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. This bug only affects Firefox for macOS. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-29T14:15:34Z",
    "severity": "MODERATE"
  },
  "details": "Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.\n*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 138, Firefox ESR \u003c 128.10, Firefox ESR \u003c 115.23, Thunderbird \u003c 138, and Thunderbird ESR \u003c 128.10.",
  "id": "GHSA-xhhw-j3h4-3x9r",
  "modified": "2025-11-03T21:33:41Z",
  "published": "2025-04-29T15:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4082"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1937097"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-28"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-29"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-30"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-31"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2025-32"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHMF-MMV2-4HHX

Vulnerability from github – Published: 2022-09-16 20:59 – Updated: 2022-09-16 20:59
VLAI
Summary
Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function
Details

Impact

When a full CVSS v2.0 vector string is parsed using ParseVector, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic.

Patches

The problem is patched in tag v0.4.0, by the commit d9d478ff0c13b8b09ace030db9262f3c2fe031f4.

Workarounds

The only way to avoid it is by parsing CVSS v2.0 vector strings that does not have all attributes defined (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M).

References

N/A

CPE v2.3

As stated in SECURITY.md, the CPE v2.3 to refer to this Go module is cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*. The entry has already been requested to the NVD CPE dictionnary.

Exploit example

package main

import (
    "log"

    gocvss20 "github.com/pandatix/go-cvss/20"
)

func main() {
    _, err := gocvss20.ParseVector("AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M")
    if err != nil {
        log.Fatal(err)
    }
}

When ran, the following trace is returned.

panic: runtime error: index out of range [3] with length 3

goroutine 1 [running]:
github.com/pandatix/go-cvss/20.ParseVector({0x4aed6c?, 0x0?})
        /home/lucas/go/pkg/mod/github.com/pandatix/go-cvss@v0.2.0/20/cvss20.go:54 +0x578
main.main()
        /media/lucas/HDD-K/Documents/cve-2022-xxxxx/main.go:10 +0x25
exit status 2

For more information

If you have any questions or comments about this advisory: * Open an issue in pandatix/go-cvss * Email me at lucastesson@protonmail.com

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pandatix/go-cvss"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T20:59:43Z",
    "nvd_published_at": "2022-09-15T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nWhen a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic.\n\n### Patches\nThe problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`.\n\n### Workarounds\nThe only way to avoid it is by parsing CVSS v2.0 vector strings that does not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`).\n\n### References\nN/A\n\n### CPE v2.3\nAs stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`.\nThe entry has already been requested to the NVD CPE dictionnary.\n\n### Exploit example\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\tgocvss20 \"github.com/pandatix/go-cvss/20\"\n)\n\nfunc main() {\n\t_, err := gocvss20.ParseVector(\"AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n}\n```\n\nWhen ran, the following trace is returned.\n```\npanic: runtime error: index out of range [3] with length 3\n\ngoroutine 1 [running]:\ngithub.com/pandatix/go-cvss/20.ParseVector({0x4aed6c?, 0x0?})\n        /home/lucas/go/pkg/mod/github.com/pandatix/go-cvss@v0.2.0/20/cvss20.go:54 +0x578\nmain.main()\n        /media/lucas/HDD-K/Documents/cve-2022-xxxxx/main.go:10 +0x25\nexit status 2\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [pandatix/go-cvss](https://github.com/pandatix/go-cvss/issues)\n* Email me at [lucastesson@protonmail.com](mailto:lucastesson@protonmail.com)\n",
  "id": "GHSA-xhmf-mmv2-4hhx",
  "modified": "2022-09-16T20:59:43Z",
  "published": "2022-09-16T20:59:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pandatix/go-cvss"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-1002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function"
}

GHSA-XHMX-2VHP-F3PQ

Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-27 00:00
VLAI
Details

In USB driver, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216825460References: Upstream kernel

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-13T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In USB driver, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216825460References: Upstream kernel",
  "id": "GHSA-xhmx-2vhp-f3pq",
  "modified": "2022-07-27T00:00:47Z",
  "published": "2022-07-14T00:00:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20227"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2022-07-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHMX-JV3J-5WF8

Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30
VLAI
Details

Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-126"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T15:15:48Z",
    "severity": "HIGH"
  },
  "details": "Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.",
  "id": "GHSA-xhmx-jv3j-5wf8",
  "modified": "2024-08-05T15:30:53Z",
  "published": "2024-08-05T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33011"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHPJ-269V-VQ2Q

Vulnerability from github – Published: 2026-05-31 21:30 – Updated: 2026-06-01 21:30
VLAI
Details

Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.

In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8796"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-31T20:16:30Z",
    "severity": "HIGH"
  },
  "details": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.\n\nIn Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag\u0027s own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).",
  "id": "GHSA-xhpj-269v-vq2q",
  "modified": "2026-06-01T21:30:41Z",
  "published": "2026-05-31T21:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8796"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch"
    },
    {
      "type": "WEB",
      "url": "https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/01/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHPJ-R5XJ-F4J3

Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2026-02-20 21:31
VLAI
Details

An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1078, CVE-2019-1148.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1153"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-08-14T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka \u0027Microsoft Graphics Component Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2019-1078, CVE-2019-1148.",
  "id": "GHSA-xhpj-r5xj-f4j3",
  "modified": "2026-02-20T21:31:09Z",
  "published": "2022-05-24T16:53:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1153"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1153"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/154098/Microsoft-Font-Subsetting-DLL-FixSbitSubTableFormat1-Out-Of-Bounds-Read.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHPJ-RHQ5-VR2H

Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-12 00:01
VLAI
Details

Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35671"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-11T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-xhpj-rhq5-vr2h",
  "modified": "2022-08-12T00:01:23Z",
  "published": "2022-08-12T00:01:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35671"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-39.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHPR-RJF3-GG6P

Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2026-04-14 15:30
VLAI
Details

There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-23T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c",
  "id": "GHSA-xhpr-rjf3-gg6p",
  "modified": "2026-04-14T15:30:28Z",
  "published": "2022-09-25T00:00:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2785"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com/T/#t"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHQ7-864Q-XXJ8

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in osdmap_decode()

When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message.

This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osdsizeof(map->osd_weight).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-52958"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:06Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in osdmap_decode()\n\nWhen decoding osd_state and osd_weight from an incoming osdmap in\nosdmap_decode(), both are decoded for each osd, i.e., map-\u003emax_osd\ntimes. The ceph_decode_need() check only accounts for\nsizeof(*map-\u003eosd_weight) once. This can potentially result in an\nout-of-bounds memory access if the incoming message is corrupted such\nthat the max_osd value exceeds the actual content of the osdmap message.\n\nThis patch fixes the issue by changing the corresponding part in the\nceph_decode_need() check to account for\nmap-\u003emax_osd*sizeof(*map-\u003eosd_weight).",
  "id": "GHSA-xhq7-864q-xxj8",
  "modified": "2026-06-28T09:31:37Z",
  "published": "2026-06-24T18:32:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52958"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0d2dd7e6bb74fd7712aa73457a4a821906c6863a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/35d0ed82d03e5ee77ea4f31f20e29562a7721649"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/36a79759a288961b1ff28a68ec2d1f56f6848098"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3f2575bb7f955d42569d96c3e04fa958a0dcf4b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48df98d12b15360cd56af5c1f460307b340c1197"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8713bbc4b2b9ad78f803978e54b7e49dd21bd9be"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e7187f33c02488697ec0d01d82bf7a3f8deaba8f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee933694645dac062d65fc2743f92bc06fa0db6b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.