CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-Q764-R57M-9WP9
Vulnerability from github – Published: 2024-10-16 18:31 – Updated: 2026-05-12 12:32Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.
Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low.
In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding.
The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions.
Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
{
"affected": [],
"aliases": [
"CVE-2024-9143"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-16T17:15:18Z",
"severity": "MODERATE"
},
"details": "Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted\nexplicit values for the field polynomial can lead to out-of-bounds memory reads\nor writes.\n\nImpact summary: Out of bound memory writes can lead to an application crash or\neven a possibility of a remote code execution, however, in all the protocols\ninvolving Elliptic Curve Cryptography that we\u0027re aware of, either only \"named\ncurves\" are supported, or, if explicit curve parameters are supported, they\nspecify an X9.62 encoding of binary (GF(2^m)) curves that can\u0027t represent\nproblematic input values. Thus the likelihood of existence of a vulnerable\napplication is low.\n\nIn particular, the X9.62 encoding is used for ECC keys in X.509 certificates,\nso problematic inputs cannot occur in the context of processing X.509\ncertificates. Any problematic use-cases would have to be using an \"exotic\"\ncurve encoding.\n\nThe affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),\nand various supporting BN_GF2m_*() functions.\n\nApplications working with \"exotic\" explicit binary (GF(2^m)) curve parameters,\nthat make it possible to represent invalid field polynomials with a zero\nconstant term, via the above or similar APIs, may terminate abruptly as a\nresult of reading or writing outside of array bounds. Remote code execution\ncannot easily be ruled out.\n\nThe FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.",
"id": "GHSA-q764-r57m-9wp9",
"modified": "2026-05-12T12:32:08Z",
"published": "2024-10-16T18:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9143"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4"
},
{
"type": "WEB",
"url": "https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-277137.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-398330.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-769027.html"
},
{
"type": "WEB",
"url": "https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a"
},
{
"type": "WEB",
"url": "https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html"
},
{
"type": "WEB",
"url": "https://openssl-library.org/news/secadv/20241016.txt"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20241101-0001"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/10/16/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/10/23/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/10/24/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q786-F28R-38F4
Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-20 21:31Out-of-bounds Read vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine fluid_msg::of10::StatsReplyFlow::unpack.
This issue affects libfluid: 0.1.0.
{
"affected": [],
"aliases": [
"CVE-2024-31173"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-18T14:15:14Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds Read vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine\u00a0fluid_msg::of10::StatsReplyFlow::unpack.\n\nThis issue affects libfluid: 0.1.0.",
"id": "GHSA-q786-f28r-38f4",
"modified": "2024-09-20T21:31:38Z",
"published": "2024-09-18T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31173"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-31173"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q786-P393-RW6Q
Vulnerability from github – Published: 2022-07-19 00:00 – Updated: 2022-07-24 00:00This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16805.
{
"affected": [],
"aliases": [
"CVE-2022-28678"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-18T19:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-16805.",
"id": "GHSA-q786-p393-rw6q",
"modified": "2022-07-24T00:00:35Z",
"published": "2022-07-19T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28678"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-769"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q792-MFQP-PQ56
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
{
"affected": [],
"aliases": [
"CVE-2019-8202"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-17T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .",
"id": "GHSA-q792-mfqp-pq56",
"modified": "2022-05-24T16:59:23Z",
"published": "2022-05-24T16:59:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8202"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-49.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q7C2-R69F-C8RV
Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-37160362.
{
"affected": [],
"aliases": [
"CVE-2017-13160"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-06T14:29:00Z",
"severity": "CRITICAL"
},
"details": "A remote code execution vulnerability in the Android system (bluetooth). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-37160362.",
"id": "GHSA-q7c2-r69f-c8rv",
"modified": "2022-05-13T01:43:04Z",
"published": "2022-05-13T01:43:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13160"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-12-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102109"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7CX-F48P-82M3
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c.
{
"affected": [],
"aliases": [
"CVE-2017-11541"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-23T03:29:00Z",
"severity": "CRITICAL"
},
"details": "tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c.",
"id": "GHSA-q7cx-f48p-82m3",
"modified": "2022-05-13T01:42:24Z",
"published": "2022-05-13T01:42:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11541"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2018:0705"
},
{
"type": "WEB",
"url": "https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/util-print"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201709-23"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208221"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3971"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99941"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039307"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7G6-F64X-77FJ
Vulnerability from github – Published: 2024-10-21 21:30 – Updated: 2024-11-22 21:32In the Linux kernel, the following vulnerability has been resolved:
ice: Fix increasing MSI-X on VF
Increasing MSI-X value on a VF leads to invalid memory operations. This is caused by not reallocating some arrays.
Reproducer: modprobe ice echo 0 > /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe echo 1 > /sys/bus/pci/devices/$PF_PCI/sriov_numvfs echo 17 > /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count
Default MSI-X is 16, so 17 and above triggers this issue.
KASAN reports:
BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] Read of size 8 at addr ffff8888b937d180 by task bash/28433 (...)
Call Trace: (...) ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] kasan_report+0xed/0x120 ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice] ice_vsi_cfg_def+0x3360/0x4770 [ice] ? mutex_unlock+0x83/0xd0 ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice] ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice] ice_vsi_cfg+0x7f/0x3b0 [ice] ice_vf_reconfig_vsi+0x114/0x210 [ice] ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice] sriov_vf_msix_count_store+0x21c/0x300 (...)
Allocated by task 28201: (...) ice_vsi_cfg_def+0x1c8e/0x4770 [ice] ice_vsi_cfg+0x7f/0x3b0 [ice] ice_vsi_setup+0x179/0xa30 [ice] ice_sriov_configure+0xcaa/0x1520 [ice] sriov_numvfs_store+0x212/0x390 (...)
To fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This causes the required arrays to be reallocated taking the new queue count into account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq before ice_vsi_rebuild(), so that realloc uses the newly set queue count.
Additionally, ice_vsi_rebuild() does not remove VSI filters (ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer necessary.
{
"affected": [],
"aliases": [
"CVE-2024-50042"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T20:15:17Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix increasing MSI-X on VF\n\nIncreasing MSI-X value on a VF leads to invalid memory operations. This\nis caused by not reallocating some arrays.\n\nReproducer:\n modprobe ice\n echo 0 \u003e /sys/bus/pci/devices/$PF_PCI/sriov_drivers_autoprobe\n echo 1 \u003e /sys/bus/pci/devices/$PF_PCI/sriov_numvfs\n echo 17 \u003e /sys/bus/pci/devices/$VF0_PCI/sriov_vf_msix_count\n\nDefault MSI-X is 16, so 17 and above triggers this issue.\n\nKASAN reports:\n\n BUG: KASAN: slab-out-of-bounds in ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n Read of size 8 at addr ffff8888b937d180 by task bash/28433\n (...)\n\n Call Trace:\n (...)\n ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n kasan_report+0xed/0x120\n ? ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n ice_vsi_alloc_ring_stats+0x38d/0x4b0 [ice]\n ice_vsi_cfg_def+0x3360/0x4770 [ice]\n ? mutex_unlock+0x83/0xd0\n ? __pfx_ice_vsi_cfg_def+0x10/0x10 [ice]\n ? __pfx_ice_remove_vsi_lkup_fltr+0x10/0x10 [ice]\n ice_vsi_cfg+0x7f/0x3b0 [ice]\n ice_vf_reconfig_vsi+0x114/0x210 [ice]\n ice_sriov_set_msix_vec_count+0x3d0/0x960 [ice]\n sriov_vf_msix_count_store+0x21c/0x300\n (...)\n\n Allocated by task 28201:\n (...)\n ice_vsi_cfg_def+0x1c8e/0x4770 [ice]\n ice_vsi_cfg+0x7f/0x3b0 [ice]\n ice_vsi_setup+0x179/0xa30 [ice]\n ice_sriov_configure+0xcaa/0x1520 [ice]\n sriov_numvfs_store+0x212/0x390\n (...)\n\nTo fix it, use ice_vsi_rebuild() instead of ice_vf_reconfig_vsi(). This\ncauses the required arrays to be reallocated taking the new queue count\ninto account (ice_vsi_realloc_stat_arrays()). Set req_txq and req_rxq\nbefore ice_vsi_rebuild(), so that realloc uses the newly set queue\ncount.\n\nAdditionally, ice_vsi_rebuild() does not remove VSI filters\n(ice_fltr_remove_all()), so ice_vf_init_host_cfg() is no longer\nnecessary.",
"id": "GHSA-q7g6-f64x-77fj",
"modified": "2024-11-22T21:32:12Z",
"published": "2024-10-21T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50042"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bce9af1b030bf59d51bbabf909a3ef164787e44e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cbda6197929418fabf0e45ecf9b7a76360944c70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7GC-MPFG-847W
Vulnerability from github – Published: 2022-05-24 19:05 – Updated: 2022-05-24 19:05In RasterIntraUpdate of motion_est.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176084648
{
"affected": [],
"aliases": [
"CVE-2021-0562"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-22T11:15:00Z",
"severity": "MODERATE"
},
"details": "In RasterIntraUpdate of motion_est.cpp, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-176084648",
"id": "GHSA-q7gc-mpfg-847w",
"modified": "2022-05-24T19:05:56Z",
"published": "2022-05-24T19:05:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0562"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-06-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q7H8-CC9P-3543
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-07-11 00:00Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak.
{
"affected": [],
"aliases": [
"CVE-2020-18771"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-23T22:15:00Z",
"severity": "HIGH"
},
"details": "Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Nikon1MakerNote::print0x0088 in nikonmn_int.cpp which can result in an information leak.",
"id": "GHSA-q7h8-cc9p-3543",
"modified": "2022-07-11T00:00:23Z",
"published": "2022-05-24T19:12:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-18771"
},
{
"type": "WEB",
"url": "https://github.com/Exiv2/exiv2/issues/756"
},
{
"type": "WEB",
"url": "https://cwe.mitre.org/data/definitions/126.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202312-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7H9-PVJ5-G9FP
Vulnerability from github – Published: 2026-04-20 12:32 – Updated: 2026-05-21 15:34In the Linux kernel, the following vulnerability has been resolved:
X.509: Fix out-of-bounds access when parsing extensions
Leo reports an out-of-bounds access when parsing a certificate with empty Basic Constraints or Key Usage extension because the first byte of the extension is read before checking its length. Fix it.
The bug can be triggered by an unprivileged user by submitting a specially crafted certificate to the kernel through the keyrings(7) API. Leo has demonstrated this with a proof-of-concept program responsibly disclosed off-list.
{
"affected": [],
"aliases": [
"CVE-2026-31430"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T10:16:16Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nX.509: Fix out-of-bounds access when parsing extensions\n\nLeo reports an out-of-bounds access when parsing a certificate with\nempty Basic Constraints or Key Usage extension because the first byte of\nthe extension is read before checking its length. Fix it.\n\nThe bug can be triggered by an unprivileged user by submitting a\nspecially crafted certificate to the kernel through the keyrings(7) API.\nLeo has demonstrated this with a proof-of-concept program responsibly\ndisclosed off-list.",
"id": "GHSA-q7h9-pvj5-g9fp",
"modified": "2026-05-21T15:34:02Z",
"published": "2026-04-20T12:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31430"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/206121294b9cf27f0589857f80d64f87e496ffb2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30ab358fad0c7daa1d282ec48089901b21b36a20"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/672b526def1f94c1be8eb11b885b803da0d8c2f1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7fb4dadc2734f4020d7543d688b8d49c8e569c61"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d702c3408213bb12bd570bb97204d8340d141c51"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.