CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-P6XF-HG96-6WRR
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-01 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DGN files. Crafted data in a DGN file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15508.
{
"affected": [],
"aliases": [
"CVE-2021-46636"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T20:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley MicroStation CONNECT 10.16.0.80. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DGN files. Crafted data in a DGN file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15508.",
"id": "GHSA-p6xf-hg96-6wrr",
"modified": "2022-03-01T00:00:56Z",
"published": "2022-02-19T00:01:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46636"
},
{
"type": "WEB",
"url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0009"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-223"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P6XW-G5F7-6JXH
Vulnerability from github – Published: 2025-08-12 21:31 – Updated: 2025-08-12 21:31InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-54228"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T21:15:43Z",
"severity": "MODERATE"
},
"details": "InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-p6xw-g5f7-6jxh",
"modified": "2025-08-12T21:31:23Z",
"published": "2025-08-12T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54228"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/indesign/apsb25-79.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P735-2VG8-F9Q2
Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13. An app may be able to disclose kernel memory.
{
"affected": [],
"aliases": [
"CVE-2022-32936"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T20:15:00Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13. An app may be able to disclose kernel memory.",
"id": "GHSA-p735-2vg8-f9q2",
"modified": "2022-11-02T19:00:25Z",
"published": "2022-11-02T12:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32936"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213488"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P744-7X6C-3VVC
Vulnerability from github – Published: 2026-04-14 21:31 – Updated: 2026-04-14 21:31Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2026-27289"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T20:16:34Z",
"severity": "HIGH"
},
"details": "Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-p744-7x6c-3vvc",
"modified": "2026-04-14T21:31:47Z",
"published": "2026-04-14T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27289"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb26-40.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P752-GGP9-5CFX
Vulnerability from github – Published: 2023-11-15 06:30 – Updated: 2024-08-12 18:30Out-of-bounds read vulnerability exists in TELLUS V4.0.17.0 and earlier and TELLUS Lite V4.0.17.0 and earlier. If a user opens a specially crafted file (X1, V8, or V9 file), information may be disclosed and/or arbitrary code may be executed.
{
"affected": [],
"aliases": [
"CVE-2023-47581"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-15T06:15:28Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read vulnerability exists in TELLUS V4.0.17.0 and earlier and TELLUS Lite V4.0.17.0 and earlier. If a user opens a specially crafted file (X1, V8, or V9 file), information may be disclosed and/or arbitrary code may be executed.",
"id": "GHSA-p752-ggp9-5cfx",
"modified": "2024-08-12T18:30:44Z",
"published": "2023-11-15T06:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47581"
},
{
"type": "WEB",
"url": "https://hakko-elec.co.jp/site/download/03tellus_inf/index.php"
},
{
"type": "WEB",
"url": "https://jvn.jp/en/vu/JVNVU93840158"
},
{
"type": "WEB",
"url": "https://monitouch.fujielectric.com/site/download-e/03tellus_inf/index.php"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P75M-894Q-GMXH
Vulnerability from github – Published: 2022-05-17 04:47 – Updated: 2025-09-25 00:30The Modbus slave/outstation driver in the OPC Drivers 1.0.20 and earlier in IOServer OPC Server allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted packet.
{
"affected": [],
"aliases": [
"CVE-2014-0777"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-04-11T16:55:00Z",
"severity": "HIGH"
},
"details": "The Modbus slave/outstation driver in the OPC Drivers 1.0.20 and earlier in IOServer OPC Server allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted packet.",
"id": "GHSA-p75m-894q-gmxh",
"modified": "2025-09-25T00:30:27Z",
"published": "2022-05-17T04:47:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0777"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-100-01"
},
{
"type": "WEB",
"url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-100-01"
},
{
"type": "WEB",
"url": "http://www.ioserver.com"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P762-67Q5-3HRQ
Vulnerability from github – Published: 2025-01-06 12:30 – Updated: 2025-01-06 12:30Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.
{
"affected": [],
"aliases": [
"CVE-2024-45546"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T11:15:09Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing FIPS encryption or decryption IOCTL call invoked from user-space.",
"id": "GHSA-p762-67q5-3hrq",
"modified": "2025-01-06T12:30:33Z",
"published": "2025-01-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45546"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P76G-R4XW-JXQ8
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2025-05-05 18:30Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-8244"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-14T16:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Media Encoder versions 13.1 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-p76g-r4xw-jxq8",
"modified": "2025-05-05T18:30:40Z",
"published": "2022-05-24T17:01:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8244"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/media-encoder/apsb19-52.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-19-906"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P79H-JCRM-6QRC
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
vlan: enforce underlying device type
Currently, VLAN devices can be created on top of non-ethernet devices.
Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode.
When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device.
As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add.
__dev_mc_add uses dev->addr_len to determine the length of the new multicast address.
This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long.
This behaviour can be reproduced using the following commands:
ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo ip l set up dev gretest ip link add link gretest name vlantest type vlan id 100
Then, the following command will display the address of garp_pdu_rcv:
ip maddr show | grep 01:80:c2:00:00:21
Fix the bug by enforcing the type of the underlying device during VLAN device initialization.
{
"affected": [],
"aliases": [
"CVE-2025-21920"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:22Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: enforce underlying device type\n\nCurrently, VLAN devices can be created on top of non-ethernet devices.\n\nBesides the fact that it doesn\u0027t make much sense, this also causes a\nbug which leaks the address of a kernel function to usermode.\n\nWhen creating a VLAN device, we initialize GARP (garp_init_applicant)\nand MRP (mrp_init_applicant) for the underlying device.\n\nAs part of the initialization process, we add the multicast address of\neach applicant to the underlying device, by calling dev_mc_add.\n\n__dev_mc_add uses dev-\u003eaddr_len to determine the length of the new\nmulticast address.\n\nThis causes an out-of-bounds read if dev-\u003eaddr_len is greater than 6,\nsince the multicast addresses provided by GARP and MRP are only 6\nbytes long.\n\nThis behaviour can be reproduced using the following commands:\n\nip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo\nip l set up dev gretest\nip link add link gretest name vlantest type vlan id 100\n\nThen, the following command will display the address of garp_pdu_rcv:\n\nip maddr show | grep 01:80:c2:00:00:21\n\nFix the bug by enforcing the type of the underlying device during VLAN\ndevice initialization.",
"id": "GHSA-p79h-jcrm-6qrc",
"modified": "2025-11-03T21:33:23Z",
"published": "2025-04-01T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21920"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0fb7aa04c19eac4417f360a9f7611a60637bdacc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30e8aee77899173a82ae5ed89f536c096f20aaeb"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3561442599804905c3defca241787cd4546e99a7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5a515d13e15536e82c5c7c83eb6cf5bc4827fee5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7f1564b2b2072b7aa1ac75350e9560a07c7a44fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b33a534610067ade2bdaf2052900aaad99701353"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6c72479748b7ea09f53ed64b223cee6463dc278"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fa40ebef69234e39ec2d26930d045f2fb9a8cb2b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P79Q-2VJX-GR7P
Vulnerability from github – Published: 2025-05-26 06:30 – Updated: 2025-05-26 06:30A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as problematic. Affected by this issue is the function MDLImporter::ImportUVCoordinate_3DGS_MDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument iIndex leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.
{
"affected": [],
"aliases": [
"CVE-2025-5168"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T04:15:44Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in Open Asset Import Library Assimp 5.4.3. It has been rated as problematic. Affected by this issue is the function MDLImporter::ImportUVCoordinate_3DGS_MDL345 of the file assimp/code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument iIndex leads to out-of-bounds read. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The project decided to collect all Fuzzer bugs in a main-issue to address them in the future.",
"id": "GHSA-p79q-2vjx-gr7p",
"modified": "2025-05-26T06:30:29Z",
"published": "2025-05-26T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5168"
},
{
"type": "WEB",
"url": "https://github.com/assimp/assimp/issues/6128"
},
{
"type": "WEB",
"url": "https://github.com/assimp/assimp/issues/6170"
},
{
"type": "WEB",
"url": "https://github.com/user-attachments/files/20208878/reproducer.zip"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.310256"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.310256"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.578003"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.