CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11289 vulnerabilities reference this CWE, most recent first.
GHSA-XM7R-268R-WW34
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-15 00:30Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-8541"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:14Z",
"severity": "MODERATE"
},
"details": "Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-xm7r-268r-ww34",
"modified": "2026-05-15T00:30:29Z",
"published": "2026-05-14T21:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8541"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496645393"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XM8X-VW7J-573W
Vulnerability from github – Published: 2026-07-16 18:31 – Updated: 2026-07-16 21:30XML::Bare versions through 0.53 for Perl have an unbounded character lookahead.
The parserc_parse function attempts to check for multicharacter strings such as "<![CDATA" or element terminators such as ">" without checking that the offsets are within the buffer.
Truncated strings such as "<a/" can trigger an out-of-bounds read.
{
"affected": [],
"aliases": [
"CVE-2026-57074"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-16T17:16:58Z",
"severity": null
},
"details": "XML::Bare versions through 0.53 for Perl have an unbounded character lookahead.\n\nThe parserc_parse function attempts to check for multicharacter strings such as \"\u003c![CDATA\" or element terminators such as \"\u003e\" without checking that the offsets are within the buffer.\n\nTruncated strings such as \"\u003ca/\" can trigger an out-of-bounds read.",
"id": "GHSA-xm8x-vw7j-573w",
"modified": "2026-07-16T21:30:34Z",
"published": "2026-07-16T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57074"
},
{
"type": "WEB",
"url": "https://github.com/nanoscopic/perl-XML-Bare/pull/1"
},
{
"type": "WEB",
"url": "https://security.metacpan.org/patches/X/XML-Bare/0.53/CVE-2026-57074-r1.patch"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/16/1"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XM98-9QFH-Q6G4
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2026-12897"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:35Z",
"severity": "HIGH"
},
"details": "Horner Automation Cscape versions prior to 10.2 SP3 are vulnerable to an Out-of-Bounds Read vulnerability through parsing CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.",
"id": "GHSA-xm98-9qfh-q6g4",
"modified": "2026-06-25T21:31:29Z",
"published": "2026-06-25T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12897"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-176-03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XM9F-5XV9-93PC
Vulnerability from github – Published: 2022-05-14 00:53 – Updated: 2022-05-14 00:53Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-4951"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T19:29:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-xm9f-5xv9-93pc",
"modified": "2022-05-14T00:53:28Z",
"published": "2022-05-14T00:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4951"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104175"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XM9R-HQ6W-WMG8
Vulnerability from github – Published: 2022-08-29 20:06 – Updated: 2022-09-02 00:01An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.
{
"affected": [],
"aliases": [
"CVE-2022-0400"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-29T15:15:00Z",
"severity": "HIGH"
},
"details": "An out-of-bounds read vulnerability was discovered in linux kernel in the smc protocol stack, causing remote dos.",
"id": "GHSA-xm9r-hq6w-wmg8",
"modified": "2022-09-02T00:01:03Z",
"published": "2022-08-29T20:06:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0400"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-0400"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2040604"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2044575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMC6-HHPJ-CP6W
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call.
{
"affected": [],
"aliases": [
"CVE-2017-15368"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-16T01:29:00Z",
"severity": "HIGH"
},
"details": "The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call.",
"id": "GHSA-xmc6-hhpj-cp6w",
"modified": "2022-05-13T01:43:45Z",
"published": "2022-05-13T01:43:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15368"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/issues/8673"
},
{
"type": "WEB",
"url": "https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMCC-CX53-XXG3
Vulnerability from github – Published: 2023-02-14 00:30 – Updated: 2025-03-21 21:31LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.
{
"affected": [],
"aliases": [
"CVE-2023-0798"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-13T23:15:00Z",
"severity": "MODERATE"
},
"details": "LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop.c:3400, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit afaabc3e.",
"id": "GHSA-xmcc-cx53-xxg3",
"modified": "2025-03-21T21:31:32Z",
"published": "2023-02-14T00:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0798"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-0798.json"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68"
},
{
"type": "WEB",
"url": "https://gitlab.com/libtiff/libtiff/-/issues/492"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/02/msg00026.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-31"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230316-0003"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5361"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XMFQ-QR38-8JW9
Vulnerability from github – Published: 2025-09-16 00:30 – Updated: 2025-11-03 21:34An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26. An app may be able to disclose coprocessor memory.
{
"affected": [],
"aliases": [
"CVE-2025-43366"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-15T23:15:38Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Tahoe 26. An app may be able to disclose coprocessor memory.",
"id": "GHSA-xmfq-qr38-8jw9",
"modified": "2025-11-03T21:34:34Z",
"published": "2025-09-16T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43366"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/125110"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Sep/53"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XMFR-FWCW-PC6V
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:04In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121036603
{
"affected": [],
"aliases": [
"CVE-2019-9241"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "HIGH"
},
"details": "In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-121036603",
"id": "GHSA-xmfr-fwcw-pc6v",
"modified": "2024-04-04T02:04:39Z",
"published": "2022-05-24T16:57:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9241"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XMGF-HQ76-4VX2
Vulnerability from github – Published: 2026-04-22 21:20 – Updated: 2026-04-27 16:41The *_from_pem_callback APIs did not validate the length returned by the user's callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.0"
},
{
"fixed": "0.10.78"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41677"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-1284"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T21:20:04Z",
"nvd_published_at": "2026-04-24T18:16:29Z",
"severity": "LOW"
},
"details": "The `*_from_pem_callback` APIs did not validate the length returned by the user\u0027s callback. A password callback that returns a value larger than the buffer it was given can cause some versions of OpenSSL to over-read this buffer. OpenSSL 3.x is not affected by this.",
"id": "GHSA-xmgf-hq76-4vx2",
"modified": "2026-04-27T16:41:58Z",
"published": "2026-04-22T21:20:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41677"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/pull/2605"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/commit/5af6895c907773699f37f583f409b862284062b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-openssl/rust-openssl"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "rust-opennssl has an Out-of-bounds read in PEM password callback when returning an oversized length"
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.