CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-MMV8-63HV-MHRH
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-11-07 00:30In the Linux kernel, the following vulnerability has been resolved:
drm/xe: Fix an out-of-bounds shift when invalidating TLB
When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1].
Use a full TLB invalidation for such cases. v2: - Use a define for the range size limit over which we use a full TLB invalidation. (Lucas) - Use a better calculation of the limit.
[1]: [ 39.202421] ------------[ cut here ]------------ [ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 [ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int' [ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10 [ 39.202690] Tainted: [U]=USER [ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 [ 39.202691] Call Trace: [ 39.202692] [ 39.202695] dump_stack_lvl+0x6e/0xa0 [ 39.202699] ubsan_epilogue+0x5/0x30 [ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6 [ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe] [ 39.202800] ? find_held_lock+0x2b/0x80 [ 39.202803] ? mark_held_locks+0x40/0x70 [ 39.202806] xe_svm_invalidate+0x459/0x700 [xe] [ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm] [ 39.202900] __mmu_notifier_release+0x1f5/0x270 [ 39.202905] exit_mmap+0x40e/0x450 [ 39.202912] __mmput+0x45/0x110 [ 39.202914] exit_mm+0xc5/0x130 [ 39.202916] do_exit+0x21c/0x500 [ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190 [ 39.202920] do_group_exit+0x36/0xa0 [ 39.202922] get_signal+0x8f8/0x900 [ 39.202926] arch_do_signal_or_restart+0x35/0x100 [ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290 [ 39.202932] do_syscall_64+0xa1/0x180 [ 39.202934] ? do_user_addr_fault+0x59f/0x8a0 [ 39.202937] ? lock_release+0xd2/0x2a0 [ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0 [ 39.202942] ? trace_hardirqs_off+0x4b/0xc0 [ 39.202944] ? clear_bhb_loop+0x25/0x80 [ 39.202946] ? clear_bhb_loop+0x25/0x80 [ 39.202947] ? clear_bhb_loop+0x25/0x80 [ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 39.202952] RIP: 0033:0x7fa945e543e1 [ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7. [ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293 [ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3 [ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff [ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0 [ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 [ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000 [ 39.202970] [ 39.202970] ---[ end trace ]---
(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)
{
"affected": [],
"aliases": [
"CVE-2025-37761"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T14:15:38Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix an out-of-bounds shift when invalidating TLB\n\nWhen the size of the range invalidated is larger than\nrounddown_pow_of_two(ULONG_MAX),\nThe function macro roundup_pow_of_two(length) will hit an out-of-bounds\nshift [1].\n\nUse a full TLB invalidation for such cases.\nv2:\n- Use a define for the range size limit over which we use a full\n TLB invalidation. (Lucas)\n- Use a better calculation of the limit.\n\n[1]:\n[ 39.202421] ------------[ cut here ]------------\n[ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n[ 39.202673] shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n[ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10\n[ 39.202690] Tainted: [U]=USER\n[ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023\n[ 39.202691] Call Trace:\n[ 39.202692] \u003cTASK\u003e\n[ 39.202695] dump_stack_lvl+0x6e/0xa0\n[ 39.202699] ubsan_epilogue+0x5/0x30\n[ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6\n[ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe]\n[ 39.202800] ? find_held_lock+0x2b/0x80\n[ 39.202803] ? mark_held_locks+0x40/0x70\n[ 39.202806] xe_svm_invalidate+0x459/0x700 [xe]\n[ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm]\n[ 39.202900] __mmu_notifier_release+0x1f5/0x270\n[ 39.202905] exit_mmap+0x40e/0x450\n[ 39.202912] __mmput+0x45/0x110\n[ 39.202914] exit_mm+0xc5/0x130\n[ 39.202916] do_exit+0x21c/0x500\n[ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190\n[ 39.202920] do_group_exit+0x36/0xa0\n[ 39.202922] get_signal+0x8f8/0x900\n[ 39.202926] arch_do_signal_or_restart+0x35/0x100\n[ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290\n[ 39.202932] do_syscall_64+0xa1/0x180\n[ 39.202934] ? do_user_addr_fault+0x59f/0x8a0\n[ 39.202937] ? lock_release+0xd2/0x2a0\n[ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0\n[ 39.202942] ? trace_hardirqs_off+0x4b/0xc0\n[ 39.202944] ? clear_bhb_loop+0x25/0x80\n[ 39.202946] ? clear_bhb_loop+0x25/0x80\n[ 39.202947] ? clear_bhb_loop+0x25/0x80\n[ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[ 39.202952] RIP: 0033:0x7fa945e543e1\n[ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7.\n[ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293\n[ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3\n[ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff\n[ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0\n[ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n[ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000\n[ 39.202970] \u003c/TASK\u003e\n[ 39.202970] ---[ end trace ]---\n\n(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)",
"id": "GHSA-mmv8-63hv-mhrh",
"modified": "2025-11-07T00:30:26Z",
"published": "2025-05-01T15:31:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37761"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28477f701b63922ff88e9fb13f5519c11cd48b86"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7bcfeddb36b77f9fe3b010bb0b282b7618420bba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e4715858f87b78ce58cfa03bbe140321edbbaf20"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMV9-2RHR-36GF
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2022-05-24 17:26Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2020-9706"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-19T14:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat and Reader versions 2020.009.20074 and earlier, 2020.001.30002, 2017.011.30171 and earlier, and 2015.006.30523 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-mmv9-2rhr-36gf",
"modified": "2022-05-24T17:26:10Z",
"published": "2022-05-24T17:26:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9706"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb20-48.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-988"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MMVP-G66H-P87H
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31PDF-XChange Editor J2K File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of J2K files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20906.
{
"affected": [],
"aliases": [
"CVE-2023-42045"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:38Z",
"severity": "HIGH"
},
"details": "PDF-XChange Editor J2K File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of J2K files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20906.",
"id": "GHSA-mmvp-g66h-p87h",
"modified": "2024-05-03T03:31:00Z",
"published": "2024-05-03T03:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42045"
},
{
"type": "WEB",
"url": "https://www.tracker-software.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1354"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP57-CH79-F567
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-12839"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-12T18:29:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 2017.011.30102 and earlier, and 2015.006.30452 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-mp57-ch79-f567",
"modified": "2022-05-13T01:28:13Z",
"published": "2022-05-13T01:28:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12839"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-30.html"
},
{
"type": "WEB",
"url": "https://research.checkpoint.com/2018/50-adobe-cves-in-50-days"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105439"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041809"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP84-3FVX-WP44
Vulnerability from github – Published: 2022-05-14 00:53 – Updated: 2022-05-14 00:53Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-4981"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T19:29:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-mp84-3fvx-wp44",
"modified": "2022-05-14T00:53:28Z",
"published": "2022-05-14T00:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4981"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104175"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040920"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MP8V-HXW5-H796
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2025-60726"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T18:15:41Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.",
"id": "GHSA-mp8v-hxw5-h796",
"modified": "2025-11-11T18:30:22Z",
"published": "2025-11-11T18:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60726"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60726"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPCR-CPF2-G7X3
Vulnerability from github – Published: 2022-05-24 17:18 – Updated: 2022-09-06 00:00sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.
{
"affected": [],
"aliases": [
"CVE-2020-13253"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-27T15:15:00Z",
"severity": "LOW"
},
"details": "sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process.",
"id": "GHSA-mpcr-cpf2-g7x3",
"modified": "2022-09-06T00:00:28Z",
"published": "2022-05-24T17:18:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13253"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838546"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00013.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202011-09"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4467-1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/05/27/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPCV-WCV8-6RXW
Vulnerability from github – Published: 2023-10-09 18:30 – Updated: 2024-05-22 18:30A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-39193"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T18:15:10Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Netfilter subsystem in the Linux kernel. The sctp_mt_check did not validate the flag_count field. This flaw allows a local privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading to a crash or information disclosure.",
"id": "GHSA-mpcv-wcv8-6rxw",
"modified": "2024-05-22T18:30:37Z",
"published": "2023-10-09T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39193"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2394"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2950"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3138"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-39193"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2226787"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-18866"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MPFW-9WP5-HFFF
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2025-04-23 21:30The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.
{
"affected": [],
"aliases": [
"CVE-2021-44142"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T15:15:00Z",
"severity": "HIGH"
},
"details": "The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide \"...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver.\" Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root.",
"id": "GHSA-mpfw-9wp5-hfff",
"modified": "2025-04-23T21:30:30Z",
"published": "2022-02-22T00:00:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44142"
},
{
"type": "WEB",
"url": "https://bugzilla.samba.org/show_bug.cgi?id=14914"
},
{
"type": "WEB",
"url": "https://kb.cert.org/vuls/id/119678"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/119678"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2021-44142.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPGP-F7XR-FR3M
Vulnerability from github – Published: 2024-11-13 18:32 – Updated: 2024-11-14 18:30In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-43082"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-13T18:15:20Z",
"severity": "MODERATE"
},
"details": "In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-mpgp-f7xr-fr3m",
"modified": "2024-11-14T18:30:34Z",
"published": "2024-11-13T18:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43082"
},
{
"type": "WEB",
"url": "https://android.googlesource.com/platform/frameworks/base/+/6aa1b4fbf5936a1ff5bdbb79397c94910a6ed8f5"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2024-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.