Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11292 vulnerabilities reference this CWE, most recent first.

GHSA-P37W-XHV5-6C8J

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-29 18:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

smb: client: fix off-by-8 bounds check in check_wsl_eas()

The bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA name and value, but ea_data sits at offset sizeof(struct smb2_file_full_ea_info) = 8 from ea, not at offset 0. The strncmp() later reads ea->ea_data[0..nlen-1] and the value bytes follow at ea_data[nlen+1..nlen+vlen], so the actual end is ea->ea_data + nlen + 1 + vlen. Isn't pointer math fun?

The earlier check (u8 )ea > end - sizeof(ea) only guarantees the 8-byte header is in bounds, but since the last EA is placed within 8 bytes of the end of the response, the name and value bytes are read past the end of iov.

Fix this mess all up by using ea->ea_data as the base for the bounds check.

An "untrusted" server can use this to leak up to 8 bytes of kernel heap into the EA name comparison and influence which WSL xattr the data is interpreted as.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31614"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:40Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix off-by-8 bounds check in check_wsl_eas()\n\nThe bounds check uses (u8 *)ea + nlen + 1 + vlen as the end of the EA\nname and value, but ea_data sits at offset sizeof(struct\nsmb2_file_full_ea_info) = 8 from ea, not at offset 0.  The strncmp()\nlater reads ea-\u003eea_data[0..nlen-1] and the value bytes follow at\nea_data[nlen+1..nlen+vlen], so the actual end is ea-\u003eea_data + nlen + 1\n+ vlen.  Isn\u0027t pointer math fun?\n\nThe earlier check (u8 *)ea \u003e end - sizeof(*ea) only guarantees the\n8-byte header is in bounds, but since the last EA is placed within 8\nbytes of the end of the response, the name and value bytes are read past\nthe end of iov.\n\nFix this mess all up by using ea-\u003eea_data as the base for the bounds\ncheck.\n\nAn \"untrusted\" server can use this to leak up to 8 bytes of kernel heap\ninto the EA name comparison and influence which WSL xattr the data is\ninterpreted as.",
  "id": "GHSA-p37w-xhv5-6c8j",
  "modified": "2026-04-29T18:31:34Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31614"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3d8b9d06bd3ac4c6846f5498800b0f5f8062e53b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5cc0574c84aa73946ade587c41e81757b8b01cb5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a893f1757d9a4009e4a8d7ceb2312142fe29cea4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b2b76d09a64c538c57006180103fc1841e8cfa66"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ba3ad159aa61810bbe0acaf39578b1ebfb6f1a18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bfbc74df8bbe095b3ed68f6d4487b368af087890"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P38R-QW8R-84C4

Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-05-13 01:47
VLAI
Details

The iwmiffr_convert_row32 function in imagew-miff.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7623"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T17:59:00Z",
    "severity": "MODERATE"
  },
  "details": "The iwmiffr_convert_row32 function in imagew-miff.c in libimageworsener.a in ImageWorsener 1.3.0 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted file.",
  "id": "GHSA-p38r-qw8r-84c4",
  "modified": "2022-05-13T01:47:03Z",
  "published": "2022-05-13T01:47:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7623"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jsummers/imageworsener/issues/12"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97577"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P399-7HR5-4W7M

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26
VLAI
Details

Google Chrome before 16.0.912.63 does not properly parse SVG documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-3908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-12-13T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Google Chrome before 16.0.912.63 does not properly parse SVG documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
  "id": "GHSA-p399-7hr5-4w7m",
  "modified": "2022-05-13T01:26:53Z",
  "published": "2022-05-13T01:26:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3908"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/73807"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14791"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=100863"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48274"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48288"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48377"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026774"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P3CR-G43C-99G8

Vulnerability from github – Published: 2026-03-03 15:31 – Updated: 2026-03-03 18:31
VLAI
Details

An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-64736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-03T15:16:15Z",
    "severity": "MODERATE"
  },
  "details": "An out-of-bounds read vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (5462afb0). A specially crafted .abf file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-p3cr-g43c-99g8",
  "modified": "2026-03-03T18:31:32Z",
  "published": "2026-03-03T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64736"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2323"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2323"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3F6-223C-GJQP

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-01 00:00
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DGN file. Crafted data in a DNG file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15513.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-46641"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DGN file. Crafted data in a DNG file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15513.",
  "id": "GHSA-p3f6-223c-gjqp",
  "modified": "2022-03-01T00:00:55Z",
  "published": "2022-02-19T00:01:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46641"
    },
    {
      "type": "WEB",
      "url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0009"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-228"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-P3FQ-9WJ3-H9C3

Vulnerability from github – Published: 2022-05-01 07:33 – Updated: 2025-04-03 18:30
VLAI
Details

wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-6016"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-11-21T23:07:00Z",
    "severity": "MODERATE"
  },
  "details": "wp-admin/user-edit.php in WordPress before 2.0.5 allows remote authenticated users to read the metadata of an arbitrary user via a modified user_id parameter.",
  "id": "GHSA-p3fq-9wj3-h9c3",
  "modified": "2025-04-03T18:30:27Z",
  "published": "2022-05-01T07:33:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6016"
    },
    {
      "type": "WEB",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=153303"
    },
    {
      "type": "WEB",
      "url": "http://trac.wordpress.org/ticket/3142"
    },
    {
      "type": "WEB",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-200611-10.xml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3FW-7JPP-FRG7

Vulnerability from github – Published: 2023-11-16 03:30 – Updated: 2023-12-01 21:30
VLAI
Details

Certain WithSecure products have a buffer over-read whereby processing certain fuzz file types may cause a denial of service (DoS). This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 15 and later.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47264"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-11-16T03:15:07Z",
    "severity": "HIGH"
  },
  "details": "Certain WithSecure products have a buffer over-read whereby processing certain fuzz file types may cause a denial of service (DoS). This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure Elements Endpoint Protection for Mac 17 and later, WithSecure Linux Security 64 12.0, WithSecure Linux Protection 12.0, and WithSecure Atlant (formerly F-Secure Atlant) 15 and later.",
  "id": "GHSA-p3fw-7jpp-frg7",
  "modified": "2023-12-01T21:30:26Z",
  "published": "2023-11-16T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47264"
    },
    {
      "type": "WEB",
      "url": "https://www.withsecure.com/en/support/security-advisories/cve-2023-47264"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3JH-MV97-74GV

Vulnerability from github – Published: 2024-02-06 03:33 – Updated: 2024-02-06 03:33
VLAI
Details

Out-of-bounds Read in padmd_vld_ac_prog_refine of libpadm.so prior to SMR Feb-2024 Release 1 allows attacker access unauthorized information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-06T03:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Out-of-bounds Read in padmd_vld_ac_prog_refine of libpadm.so prior to SMR Feb-2024 Release 1 allows attacker access unauthorized information.",
  "id": "GHSA-p3jh-mv97-74gv",
  "modified": "2024-02-06T03:33:00Z",
  "published": "2024-02-06T03:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20814"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2024\u0026month=02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3P9-G3MR-HHRX

Vulnerability from github – Published: 2023-05-16 00:30 – Updated: 2024-04-04 04:11
VLAI
Details

In pqframework, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07629583; Issue ID: ALPS07629583.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-20719"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-15T22:15:11Z",
    "severity": "MODERATE"
  },
  "details": "In pqframework, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07629583; Issue ID: ALPS07629583.",
  "id": "GHSA-p3p9-g3mr-hhrx",
  "modified": "2024-04-04T04:11:12Z",
  "published": "2023-05-16T00:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20719"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/May-2023"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-P3QG-G339-WCXC

Vulnerability from github – Published: 2022-05-12 00:00 – Updated: 2022-05-12 00:00
VLAI
Details

Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28245"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-11T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-p3qg-g339-wcxc",
  "modified": "2022-05-12T00:00:54Z",
  "published": "2022-05-12T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28245"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/acrobat/apsb22-16.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.