Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11291 vulnerabilities reference this CWE, most recent first.

GHSA-PFCM-J5PC-4MX7

Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11
VLAI
Details

The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Out-of-bounds Read. The impact is: a denial of service (remote). The component is: DNS response processing in function: dns_upcall(). The attack vector is: a specific DNS response packet. The code does not check whether the number of queries/responses specified in the DNS packet header corresponds to the query/response data available in the DNS packet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-18T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "The DNS feature in InterNiche NicheStack TCP/IP 4.0.1 is affected by: Out-of-bounds Read. The impact is: a denial of service (remote). The component is: DNS response processing in function: dns_upcall(). The attack vector is: a specific DNS response packet. The code does not check whether the number of queries/responses specified in the DNS packet header corresponds to the query/response data available in the DNS packet.",
  "id": "GHSA-pfcm-j5pc-4mx7",
  "modified": "2022-05-24T19:11:29Z",
  "published": "2022-05-24T19:11:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25927"
    },
    {
      "type": "WEB",
      "url": "https://www.forescout.com/blog/new-critical-operational-technology-vulnerabilities-found-on-nichestack"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/608209"
    },
    {
      "type": "WEB",
      "url": "http://www.iniche.com/source-code/networking-stack/nichestack.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-PFF3-R4R5-GMXP

Vulnerability from github – Published: 2025-10-16 18:30 – Updated: 2025-10-29 21:30
VLAI
Details

A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.

  • The function determines the number of characters (n_digits) needed for the string representation by calculating:

$$ \ \text{n_digits} = (\text{n_bits} + \text{log2_radix} - 1) / \text{log2_radix}$$

$$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2_radix}=5$) is calculated to need $\text{n_digits}=26$.

  • The maximum number of bits actually stored is $\text{n_bits}=127$, which requires only two 64-bit limbs ($\text{JS_LIMB_BITS}=64$).

  • The conversion loop iterates $\text{n_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits.

  • In the final iterations of the loop, the code attempts to read data that spans two limbs:

C

c = (r->tab[pos] >> shift) | (r->tab[pos + 1] << (JS_LIMB_BITS - shift));

  • Since the BigInt was only allocated two limbs, the read operation for r->tab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $pos=1$).

This vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-62493"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-16T16:15:39Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in the QuickJS engine\u0027s BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure.\n\n  *  The function determines the number of characters (n_digits) needed for the string representation by calculating:\n\n$$ \\\\ \\text{n\\_digits} = (\\text{n\\_bits} + \\text{log2\\_radix} - 1) / \\text{log2\\_radix}$$\n\n$$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\\text{log2\\_radix}=5$) is calculated to need $\\text{n\\_digits}=26$.\n\n\n  *  The maximum number of bits actually stored is $\\text{n\\_bits}=127$, which requires only two 64-bit limbs ($\\text{JS\\_LIMB\\_BITS}=64$).\n\n\n  *  The conversion loop iterates $\\text{n\\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \\times 5 = 130$ bits.\n\n\n  *  In the final iterations of the loop, the code attempts to read data that spans two limbs:\n\nC\n\n\n\nc = (r-\u003etab[pos] \u003e\u003e shift) | (r-\u003etab[pos + 1] \u003c\u003c (JS_LIMB_BITS - shift));\n\n\n\n\n\n\n\n\n\n  *  Since the BigInt was only allocated two limbs, the read operation for r-\u003etab[pos + 1] becomes an Out-of-Bounds Read when pos points to the last valid limb (e.g., $pos=1$).\n\n\nThis vulnerability allows an attacker to cause the engine to read and process data from the memory immediately following the BigInt buffer. This can lead to Information Disclosure of sensitive data stored on the heap adjacent to the BigInt object.",
  "id": "GHSA-pff3-r4r5-gmxp",
  "modified": "2025-10-29T21:30:32Z",
  "published": "2025-10-16T18:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62493"
    },
    {
      "type": "WEB",
      "url": "https://bellard.org/quickjs/Changelog"
    },
    {
      "type": "WEB",
      "url": "https://issuetracker.google.com/434193024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-PFH3-76FP-4978

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-6798"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-17T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Perl 5.22 through 5.26. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure.",
  "id": "GHSA-pfh3-76fp-4978",
  "modified": "2022-05-13T01:25:17Z",
  "published": "2022-05-13T01:25:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6798"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1192"
    },
    {
      "type": "WEB",
      "url": "https://rt.perl.org/Public/Bug/Display.html?id=132063"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201909-01"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3625-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4172"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFHJ-QJ49-RFQG

Vulnerability from github – Published: 2022-05-14 01:27 – Updated: 2022-05-14 01:27
VLAI
Details

Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4933"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-05-19T17:29:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Flash Player versions 29.0.0.113 and earlier have an exploitable out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
  "id": "GHSA-pfhj-qj49-rfqg",
  "modified": "2022-05-14T01:27:35Z",
  "published": "2022-05-14T01:27:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4933"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1119"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/flash-player/apsb18-08.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201804-11"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/103708"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1040648"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFJW-JJ6C-RRV7

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-06 18:30
VLAI
Details

Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11006"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:04Z",
    "severity": "MODERATE"
  },
  "details": "Out of bounds read in Dawn in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-pfjw-jj6c-rrv7",
  "modified": "2026-06-06T18:30:21Z",
  "published": "2026-06-05T00:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11006"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/495489174"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFP7-R6QM-94J7

Vulnerability from github – Published: 2022-05-14 00:55 – Updated: 2022-05-14 00:55
VLAI
Details

In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-19839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-04T09:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In LibSass prior to 3.5.5, the function handle_error in sass_context.cpp allows attackers to cause a denial-of-service resulting from a heap-based buffer over-read via a crafted sass file.",
  "id": "GHSA-pfp7-r6qm-94j7",
  "modified": "2022-05-14T00:55:57Z",
  "published": "2022-05-14T00:55:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19839"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/issues/2657"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sass/libsass/pull/2767"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00047.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00051.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00027.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFQ2-8FC8-MRPP

Vulnerability from github – Published: 2023-07-12 12:31 – Updated: 2024-04-04 06:03
VLAI
Details

Adobe Media Encoder versions 22.0, 15.4.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MOV file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-43760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T12:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Adobe Media Encoder versions 22.0, 15.4.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious MOV file.",
  "id": "GHSA-pfq2-8fc8-mrpp",
  "modified": "2024-04-04T06:03:56Z",
  "published": "2023-07-12T12:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43760"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/media-encoder/apsb21-118.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFQF-X57J-QHGM

Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-11 09:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

libceph: prevent potential out-of-bounds reads in process_message_header()

If the message frame is (maliciously) corrupted in a way that the length of the control segment ends up being less than the size of the message header or a different frame is made to look like a message frame, out-of-bounds reads may ensue in process_message_header().

Perform an explicit bounds check before decoding the message header.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43406"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-08T15:16:52Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: prevent potential out-of-bounds reads in process_message_header()\n\nIf the message frame is (maliciously) corrupted in a way that the\nlength of the control segment ends up being less than the size of the\nmessage header or a different frame is made to look like a message\nframe, out-of-bounds reads may ensue in process_message_header().\n\nPerform an explicit bounds check before decoding the message header.",
  "id": "GHSA-pfqf-x57j-qhgm",
  "modified": "2026-05-11T09:30:31Z",
  "published": "2026-05-08T15:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43406"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/035867ae6f18df0aeedb2a57a5b74091bd4e3fe8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/50156622eb0888e62541d715a98584480a1bc7cb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69fb5d91bba44ecf7eb80530b85fa4fb028921d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69fe5af33fa3806f398d21c081d73c66e5523bc2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/75582aaa580c11aed4c7731cad6b068b700e7efb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/76ccf21a12c5f6d6790bc32c7da82446d877b2f4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dbd857a9e1e33ea71eaf3e211877027e533770d1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFR5-Q6HV-M7F4

Vulnerability from github – Published: 2023-01-05 18:30 – Updated: 2023-01-12 00:30
VLAI
Details

A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS PersistenceConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-4432"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-126"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-05T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A buffer over-read vulnerability was reported in the ThinkPadX13s BIOS PersistenceConfigDxe driver that could allow a local attacker with elevated privileges to cause information disclosure.",
  "id": "GHSA-pfr5-q6hv-m7f4",
  "modified": "2023-01-12T00:30:19Z",
  "published": "2023-01-05T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4432"
    },
    {
      "type": "WEB",
      "url": "https://support.lenovo.com/us/en/product_security/LEN-103709"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-PFRF-837W-GW49

Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32
VLAI
Details

Out-of-bounds read in Windows NTFS allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-50388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-14T18:17:40Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds read in Windows NTFS allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-pfrf-837w-gw49",
  "modified": "2026-07-14T18:32:19Z",
  "published": "2026-07-14T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50388"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50388"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.