CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-Q7J6-2RXH-QXMX
Vulnerability from github – Published: 2022-05-04 00:02 – Updated: 2022-05-04 00:02In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC dissector could crash. This was addressed in epan/dissectors/packet-srvloc.c by preventing a heap-based buffer under-read.
{
"affected": [],
"aliases": [
"CVE-2019-10899"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T04:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC dissector could crash. This was addressed in epan/dissectors/packet-srvloc.c by preventing a heap-based buffer under-read.",
"id": "GHSA-q7j6-2rxh-qxmx",
"modified": "2022-05-04T00:02:16Z",
"published": "2022-05-04T00:02:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10899"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15546"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b16fea2f175a3297edac118c8844c7987d31c1cb"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00034.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00036.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LYIOOQIMFQ3PA7AFBK4DNXHISTEYUC5"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PU3QA2DUO3XS24QE24CQRP4A4XQQY76R"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3986-1"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2019-10.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00022.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00027.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107834"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7MR-3QGG-QJXX
Vulnerability from github – Published: 2025-02-25 21:31 – Updated: 2025-02-25 21:31NVIDIA CUDA toolkit for all platforms contains a vulnerability in the nvdisasm binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability might lead to a partial denial of service.
{
"affected": [],
"aliases": [
"CVE-2024-53871"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-25T21:15:16Z",
"severity": "LOW"
},
"details": "NVIDIA CUDA toolkit for all platforms contains a vulnerability in the nvdisasm binary, where a user could cause an out-of-bounds read by passing a malformed ELF file to nvdisasm. A successful exploit of this vulnerability might lead to a partial denial of service.",
"id": "GHSA-q7mr-3qgg-qjxx",
"modified": "2025-02-25T21:31:45Z",
"published": "2025-02-25T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53871"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-Q7PG-XJGF-WR6F
Vulnerability from github – Published: 2026-04-12 06:30 – Updated: 2026-04-27 15:30In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR
maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1.
For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0.
The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access.
Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode.
{
"affected": [],
"aliases": [
"CVE-2026-31413"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-12T06:16:20Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant. When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 \u0026 K == 0.\nFor BPF_OR this is wrong: 0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env-\u003einsn_idx (instead of env-\u003einsn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode.",
"id": "GHSA-q7pg-xjgf-wr6f",
"modified": "2026-04-27T15:30:33Z",
"published": "2026-04-12T06:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31413"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q7Q9-C33C-P6Q4
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CMP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11432.
{
"affected": [],
"aliases": [
"CVE-2020-17436"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T18:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CMP files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11432.",
"id": "GHSA-q7q9-c33c-p6q4",
"modified": "2022-05-24T17:41:26Z",
"published": "2022-05-24T17:41:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17436"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1347"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q7V7-JHXH-RV68
Vulnerability from github – Published: 2025-05-13 12:31 – Updated: 2025-06-10 18:32A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions < V14.3.0.14), Teamcenter Visualization V2312 (All versions < V2312.0010), Teamcenter Visualization V2406 (All versions < V2406.0008), Teamcenter Visualization V2412 (All versions < V2412.0004). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2025-32454"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T10:15:24Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Teamcenter Visualization V14.3 (All versions \u003c V14.3.0.14), Teamcenter Visualization V2312 (All versions \u003c V2312.0010), Teamcenter Visualization V2406 (All versions \u003c V2406.0008), Teamcenter Visualization V2412 (All versions \u003c V2412.0004). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files.\nThis could allow an attacker to execute code in the context of the current process.",
"id": "GHSA-q7v7-jhxh-rv68",
"modified": "2025-06-10T18:32:16Z",
"published": "2025-05-13T12:31:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32454"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-486186.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-542540.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q7VV-6QXP-M67H
Vulnerability from github – Published: 2022-05-24 19:21 – Updated: 2022-05-24 19:21There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash.
{
"affected": [],
"aliases": [
"CVE-2021-37015"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-11-23T16:15:00Z",
"severity": "HIGH"
},
"details": "There is a Out-of-bounds Read vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability will cause kernel crash.",
"id": "GHSA-q7vv-6qxp-m67h",
"modified": "2022-05-24T19:21:15Z",
"published": "2022-05-24T19:21:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37015"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/cn/docs/security/update/security-bulletins-202108-0000001180965965"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q7W5-5JR2-5XG5
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32Windows CSC Service Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2025-21374"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:16:03Z",
"severity": "MODERATE"
},
"details": "Windows CSC Service Information Disclosure Vulnerability",
"id": "GHSA-q7w5-5jr2-5xg5",
"modified": "2025-01-14T18:32:05Z",
"published": "2025-01-14T18:32:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21374"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q7WR-WVJ6-35G6
Vulnerability from github – Published: 2022-05-17 00:12 – Updated: 2022-05-17 00:12In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.
{
"affected": [],
"aliases": [
"CVE-2017-17507"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-11T03:29:00Z",
"severity": "MODERATE"
},
"details": "In HDF5 1.10.1, there is an out of bounds read vulnerability in the function H5T_conv_struct_opt in H5Tconv.c in libhdf5.a. For example, h5dump would crash when someone opens a crafted hdf5 file.",
"id": "GHSA-q7wr-wvj6-35g6",
"modified": "2022-05-17T00:12:51Z",
"published": "2022-05-17T00:12:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17507"
},
{
"type": "WEB",
"url": "https://github.com/xiaoqx/pocs/tree/master/hdf5/readme.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q839-JFPH-Q4WX
Vulnerability from github – Published: 2023-08-23 00:30 – Updated: 2024-01-31 18:31Out of bounds memory access in Fonts in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2023-4431"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-23T00:15:09Z",
"severity": "HIGH"
},
"details": "Out of bounds memory access in Fonts in Google Chrome prior to 116.0.5845.110 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-q839-jfph-q4wx",
"modified": "2024-01-31T18:31:19Z",
"published": "2023-08-23T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4431"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2023/08/chrome-desktop-stable-update.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1469348"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27NR3KG553CG6LGPMP6SHWEVHTYPL6RC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T655QF7CQ3DYAMPFV7IECQYGDEUIVVT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUQ7CTX3W372X3UY56VVNAHCH6H2F4X3"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-34"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5483"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q83H-4XVH-FC8W
Vulnerability from github – Published: 2022-03-19 00:00 – Updated: 2022-03-24 00:00An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2022-22603"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-18T18:15:00Z",
"severity": "HIGH"
},
"details": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.",
"id": "GHSA-q83h-4xvh-fc8w",
"modified": "2022-03-24T00:00:24Z",
"published": "2022-03-19T00:00:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22603"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213189"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.