Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11273 vulnerabilities reference this CWE, most recent first.

GHSA-Q3G3-H9R4-PRRC

Vulnerability from github – Published: 2021-08-25 14:42 – Updated: 2024-11-13 20:53
VLAI
Summary
Reference binding to nullptr and heap OOB in binary cwise ops
Details

Impact

An attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don't require broadcasting (e.g., gradients of binary cwise operations):

import tensorflow as tf

tf.raw_ops.SqrtGrad(y=[4, 16],dy=[])

The implementation assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr.

Patches

We have patched the issue in GitHub commit 93f428fd1768df147171ed674fee1fc5ab8309ec.

The fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported by members of the Aivul Team from Qihoo 360.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.0"
            },
            {
              "fixed": "2.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.5.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2021-37659"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-24T13:19:13Z",
    "nvd_published_at": "2021-08-12T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker can cause undefined behavior via binding a reference to null pointer in all binary cwise operations that don\u0027t require broadcasting (e.g., gradients of binary cwise operations):\n\n```python\nimport tensorflow as tf\n\ntf.raw_ops.SqrtGrad(y=[4, 16],dy=[])\n```\n  \nThe [implementation](https://github.com/tensorflow/tensorflow/blob/84d053187cb80d975ef2b9684d4b61981bca0c41/tensorflow/core/kernels/cwise_ops_common.h#L264) assumes that the two inputs have exactly the same number of elements but does not check that. Hence, when the eigen functor executes it triggers heap OOB reads and undefined behavior due to binding to nullptr.\n\n### Patches\nWe have patched the issue in GitHub commit [93f428fd1768df147171ed674fee1fc5ab8309ec](https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec).\n\nThe fix will be included in TensorFlow 2.6.0. We will also cherrypick this commit on TensorFlow 2.5.1, TensorFlow 2.4.3, and TensorFlow 2.3.4, as these are also affected and still in supported range.\n  \n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution \nThis vulnerability has been reported by members of the Aivul Team from Qihoo  360.",
  "id": "GHSA-q3g3-h9r4-prrc",
  "modified": "2024-11-13T20:53:28Z",
  "published": "2021-08-25T14:42:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-q3g3-h9r4-prrc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37659"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/93f428fd1768df147171ed674fee1fc5ab8309ec"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-572.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-770.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-281.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Reference binding to nullptr and heap OOB in binary cwise ops"
}

GHSA-Q3G8-363Q-G9QQ

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

An issue was discovered in picoTCP 1.7.0. The code for processing the IPv6 headers does not validate whether the IPv6 payload length field is equal to the actual size of the payload, which leads to an Out-of-Bounds read during the ICMPv6 checksum calculation, resulting in either Denial-of-Service or Information Disclosure. This affects pico_ipv6_extension_headers and pico_checksum_adder (in pico_ipv6.c and pico_frame.c).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-17441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-11T23:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in picoTCP 1.7.0. The code for processing the IPv6 headers does not validate whether the IPv6 payload length field is equal to the actual size of the payload, which leads to an Out-of-Bounds read during the ICMPv6 checksum calculation, resulting in either Denial-of-Service or Information Disclosure. This affects pico_ipv6_extension_headers and pico_checksum_adder (in pico_ipv6.c and pico_frame.c).",
  "id": "GHSA-q3g8-363q-g9qq",
  "modified": "2022-05-24T17:36:09Z",
  "published": "2022-05-24T17:36:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17441"
    },
    {
      "type": "WEB",
      "url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/815128"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-Q3GJ-HCPW-3429

Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31
VLAI
Details

Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-09T17:16:01Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-q3gj-hcpw-3429",
  "modified": "2025-09-09T18:31:22Z",
  "published": "2025-09-09T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54902"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54902"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3GM-VP97-W99P

Vulnerability from github – Published: 2022-05-14 00:59 – Updated: 2022-05-14 00:59
VLAI
Details

In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-18849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-21T16:00:00Z",
    "severity": "MODERATE"
  },
  "details": "In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value.",
  "id": "GHSA-q3gm-vp97-w99p",
  "modified": "2022-05-14T00:59:50Z",
  "published": "2022-05-14T00:59:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18849"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00010.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LQIBTGNRDQEXGAAYHE4JIWFAYFNHZ6QP"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg06401.html"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/bugtraq/2019/May/76"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190411-0006"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3826-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2019/dsa-4454"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2018-12/msg00043.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2018/11/01/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3HH-QH22-77X8

Vulnerability from github – Published: 2025-02-10 18:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/platform: check the bounds of read/write syscalls

count and offset are passed from user space and not checked, only offset is capped to 40 bits, which can be used to read/write out of bounds of the device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21687"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-10T16:15:38Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/platform: check the bounds of read/write syscalls\n\ncount and offset are passed from user space and not checked, only\noffset is capped to 40 bits, which can be used to read/write out of\nbounds of the device.",
  "id": "GHSA-q3hh-qh22-77x8",
  "modified": "2025-11-03T21:32:35Z",
  "published": "2025-02-10T18:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21687"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f65ce06387f8c1fb54bd59e18a8428248ec68eaf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f21636f24b6786c8b13f1af4319fa75ffcf17f38"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ed81d82bb6e9df3a137f2c343ed689e6c68268ef"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d19a8650fd3d7aed8d1af1d9a77f979a8430eba1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ce9ff21ea89d191e477a02ad7eabf4f996b80a69"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c981c32c38af80737a2fedc16e270546d139ccdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a20fcaa230f7472456d12cf761ed13938e320ac3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9377cdc118cf327248f1a9dde7b87de067681dc9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/92340e6c5122d823ad064984ef7513eba9204048"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6bcb8a5b70b80143db9bf12dfa7d53636f824d53"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/665cfd1083866f87301bbd232cb8ba48dcf4acce"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/61ba518195d61c38c6cb86f83135e51f93735442"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/198090eb6f5f094cf3a268c3c30ef1e9c84a6dbe"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1485932496a1b025235af8aa1e21988d6b7ccd54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/03844b1908114680ca35fa0a0aba3d906a6d78af"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3JF-W4PH-7R73

Vulnerability from github – Published: 2022-09-16 00:00 – Updated: 2025-01-07 21:30
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of NIKON NIS-Elements Viewer 1.2100.1483.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. Crafted data in a TIF image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15351.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-40662"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-15T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of NIKON NIS-Elements Viewer 1.2100.1483.0. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of TIF images. Crafted data in a TIF image can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15351.",
  "id": "GHSA-q3jf-w4ph-7r73",
  "modified": "2025-01-07T21:30:53Z",
  "published": "2022-09-16T00:00:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40662"
    },
    {
      "type": "WEB",
      "url": "https://www.software-dl.microscope.healthcare.nikon.com/vuln/index.html"
    },
    {
      "type": "WEB",
      "url": "https://www.software-dl.microscope.healthcare.nikon.com/vuln/pdf/Vulnerabilities_on_NIS-Elements_Freeware_and_L_en_240917_02.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1218"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3JX-MGC3-C89P

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-20459"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-12-25T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "In radare2 through 3.1.3, the armass_assemble function in libr/asm/arch/arm/armass.c allows attackers to cause a denial-of-service (application crash by out-of-bounds read) by crafting an arm assembly input because a loop uses an incorrect index in armass.c and certain length validation is missing in armass64.c, a related issue to CVE-2018-20457.",
  "id": "GHSA-q3jx-mgc3-c89p",
  "modified": "2022-05-13T01:14:36Z",
  "published": "2022-05-13T01:14:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20459"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radare/radare2/issues/12418"
    },
    {
      "type": "WEB",
      "url": "https://github.com/radareorg/radare2/commit/e5c14c167b0dcf0a53d76bd50bacbbcc0dfc1ae7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3MH-6XJ2-35CQ

Vulnerability from github – Published: 2022-05-14 00:57 – Updated: 2025-04-20 03:49
VLAI
Details

ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/import.c ImportRGBQuantumType heap-based buffer over-read via a crafted file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17500"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-11T02:29:00Z",
    "severity": "HIGH"
  },
  "details": "ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/import.c ImportRGBQuantumType heap-based buffer over-read via a crafted file.",
  "id": "GHSA-q3mh-6xj2-35cq",
  "modified": "2025-04-20T03:49:45Z",
  "published": "2022-05-14T00:57:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17500"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF62B5PJA2JDUOCKJGUQO3SPL74BEYSV"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WHIKB4TP6KBJWT2UIPWL5MWMG5QXKGEJ"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/graphicsmagick/bugs/523"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4248-1"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4321"
    },
    {
      "type": "WEB",
      "url": "http://hg.code.sf.net/p/graphicsmagick/code/rev/1366f2dd9931"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102164"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3P7-PJX2-7HJQ

Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-11-21 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/mdiobus: Fix potential out-of-bounds clause 45 read/write access

When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write.

Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-03T09:15:24Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mdiobus: Fix potential out-of-bounds clause 45 read/write access\n\nWhen using publicly available tools like \u0027mdio-tools\u0027 to read/write data\nfrom/to network interface and its PHY via C45 (clause 45) mdiobus,\nthere is no verification of parameters passed to the ioctl and\nit accepts any mdio address.\nCurrently there is support for 32 addresses in kernel via PHY_MAX_ADDR define,\nbut it is possible to pass higher value than that via ioctl.\nWhile read/write operation should generally fail in this case,\nmdiobus provides stats array, where wrong address may allow out-of-bounds\nread/write.\n\nFix that by adding address verification before C45 read/write operation.\nWhile this excludes this access from any statistics, it improves security of\nread/write operation.",
  "id": "GHSA-q3p7-pjx2-7hjq",
  "modified": "2025-11-21T00:30:20Z",
  "published": "2025-07-03T09:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38110"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/260388f79e94fb3026c419a208ece8358bb7b555"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/31bf7b2b92563a352788cf9df3698682f659bacc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ded22f7f3ce9714ed72c3e9c68fea1cb9388ae7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/abb0605ca00979a49572a6516f6db22c3dc57223"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-Q3Q2-6MM5-FXCR

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-09-05 18:31
VLAI
Details

In add_attr of sdp_discovery.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-26441"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T18:15:43Z",
    "severity": "MODERATE"
  },
  "details": "In add_attr of sdp_discovery.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-q3q2-6mm5-fxcr",
  "modified": "2025-09-05T18:31:18Z",
  "published": "2025-09-05T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26441"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/packages/modules/Bluetooth/+/5e3953251ab50bcdb6058f5e5afc82d6271c6e1e"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-06-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.