CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-Q9F3-JCG6-9J2X
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-03-06 15:34In the Linux kernel, the following vulnerability has been resolved:
binder: fix OOB in binder_add_freeze_work()
In binder_add_freeze_work() we iterate over the proc->nodes with the proc->inner_lock held. However, this lock is temporarily dropped to acquire the node->lock first (lock nesting order). This can race with binder_deferred_release() which removes the nodes from the proc->nodes rbtree and adds them into binder_dead_nodes list. This leads to a broken iteration in binder_add_freeze_work() as rb_next() will use data from binder_dead_nodes, triggering an out-of-bounds access:
================================================================== BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124 Read of size 8 at addr ffffcb84285f7170 by task freeze/660
CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18 Hardware name: linux,dummy-virt (DT) Call trace: rb_next+0xfc/0x124 binder_add_freeze_work+0x344/0x534 binder_ioctl+0x1e70/0x25ac __arm64_sys_ioctl+0x124/0x190
The buggy address belongs to the variable: binder_dead_nodes+0x10/0x40 [...] ==================================================================
This is possible because proc->nodes (rbtree) and binder_dead_nodes (list) share entries in binder_node through a union:
struct binder_node {
[...]
union {
struct rb_node rb_node;
struct hlist_node dead_node;
};
Fix the race by checking that the proc is still alive. If not, simply break out of the iteration.
{
"affected": [],
"aliases": [
"CVE-2024-56555"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:14Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinder: fix OOB in binder_add_freeze_work()\n\nIn binder_add_freeze_work() we iterate over the proc-\u003enodes with the\nproc-\u003einner_lock held. However, this lock is temporarily dropped to\nacquire the node-\u003elock first (lock nesting order). This can race with\nbinder_deferred_release() which removes the nodes from the proc-\u003enodes\nrbtree and adds them into binder_dead_nodes list. This leads to a broken\niteration in binder_add_freeze_work() as rb_next() will use data from\nbinder_dead_nodes, triggering an out-of-bounds access:\n\n ==================================================================\n BUG: KASAN: global-out-of-bounds in rb_next+0xfc/0x124\n Read of size 8 at addr ffffcb84285f7170 by task freeze/660\n\n CPU: 8 UID: 0 PID: 660 Comm: freeze Not tainted 6.11.0-07343-ga727812a8d45 #18\n Hardware name: linux,dummy-virt (DT)\n Call trace:\n rb_next+0xfc/0x124\n binder_add_freeze_work+0x344/0x534\n binder_ioctl+0x1e70/0x25ac\n __arm64_sys_ioctl+0x124/0x190\n\n The buggy address belongs to the variable:\n binder_dead_nodes+0x10/0x40\n [...]\n ==================================================================\n\nThis is possible because proc-\u003enodes (rbtree) and binder_dead_nodes\n(list) share entries in binder_node through a union:\n\n\tstruct binder_node {\n\t[...]\n\t\tunion {\n\t\t\tstruct rb_node rb_node;\n\t\t\tstruct hlist_node dead_node;\n\t\t};\n\nFix the race by checking that the proc is still alive. If not, simply\nbreak out of the iteration.",
"id": "GHSA-q9f3-jcg6-9j2x",
"modified": "2025-03-06T15:34:39Z",
"published": "2024-12-27T15:31:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56555"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/011e69a1b23011c0db3af4b8293fdd4522cc97b0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6b1be1da1f8279cf091266e71b5153c5b02aaff6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9FC-6FVR-WXG5
Vulnerability from github – Published: 2024-06-13 09:31 – Updated: 2024-06-13 09:31Audition versions 24.2, 23.6.4 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-30276"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T09:15:09Z",
"severity": "MODERATE"
},
"details": "Audition versions 24.2, 23.6.4 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-q9fc-6fvr-wxg5",
"modified": "2024-06-13T09:31:00Z",
"published": "2024-06-13T09:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30276"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/audition/apsb24-32.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9GG-5PFC-VVRM
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted image may lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2021-1743"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-02T18:15:00Z",
"severity": "HIGH"
},
"details": "An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, watchOS 7.3, tvOS 14.4, iOS 14.4 and iPadOS 14.4. Processing a maliciously crafted image may lead to arbitrary code execution.",
"id": "GHSA-q9gg-5pfc-vvrm",
"modified": "2022-05-24T17:46:16Z",
"published": "2022-05-24T17:46:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1743"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212146"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212147"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212148"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT212149"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q9H5-JH92-4FVH
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79883824
{
"affected": [],
"aliases": [
"CVE-2019-9289"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-79883824",
"id": "GHSA-q9h5-jh92-4fvh",
"modified": "2024-04-04T02:05:14Z",
"published": "2022-05-24T16:57:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9289"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9MH-P233-5PVV
Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-08-29 20:06A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault.
{
"affected": [],
"aliases": [
"CVE-2022-32745"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-25T18:15:00Z",
"severity": "HIGH"
},
"details": "A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault.",
"id": "GHSA-q9mh-p233-5pvv",
"modified": "2022-08-29T20:06:47Z",
"published": "2022-08-26T00:03:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32745"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2022-32745.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q9P5-W2V9-6WXF
Vulnerability from github – Published: 2023-02-01 12:32 – Updated: 2023-02-08 22:42Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:inlong"
},
"ranges": [
{
"events": [
{
"introduced": "1.1.0"
},
{
"last_affected": "1.5.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-24977"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2023-02-02T17:00:28Z",
"nvd_published_at": "2023-02-01T10:15:00Z",
"severity": "HIGH"
},
"details": "Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong\u0027s latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.",
"id": "GHSA-q9p5-w2v9-6wxf",
"modified": "2023-02-08T22:42:01Z",
"published": "2023-02-01T12:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24977"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/7214"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/inlong"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/ggozxorctn3tdll7bgmpwwcbjnd0s6w7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache InLong contains Out-of-bounds Read vulnerability"
}
GHSA-Q9PG-2G8M-587V
Vulnerability from github – Published: 2022-05-24 16:55 – Updated: 2024-04-04 01:53In the Android kernel in FingerTipS touchscreen driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2019-9449"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-06T22:15:00Z",
"severity": "MODERATE"
},
"details": "In the Android kernel in FingerTipS touchscreen driver there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with system execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-q9pg-2g8m-587v",
"modified": "2024-04-04T01:53:45Z",
"published": "2022-05-24T16:55:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9449"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2019-09-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q9R4-343R-CPHH
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D files embedded in PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13620.
{
"affected": [],
"aliases": [
"CVE-2021-31468"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-07T21:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.3.37598. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of U3D files embedded in PDF documents. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-13620.",
"id": "GHSA-q9r4-343r-cphh",
"modified": "2022-05-24T19:01:42Z",
"published": "2022-05-24T19:01:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31468"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.php"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-557"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q9R8-3FP5-X86X
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10Multiple Buffer Over-read issue can happen due to improper length checks while decoding Service Reject/RAU Reject/PTMSI Realloc cmd in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130
{
"affected": [],
"aliases": [
"CVE-2019-10552"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-05T09:15:00Z",
"severity": "HIGH"
},
"details": "Multiple Buffer Over-read issue can happen due to improper length checks while decoding Service Reject/RAU Reject/PTMSI Realloc cmd in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking in APQ8009, APQ8017, APQ8053, APQ8096, APQ8096AU, APQ8098, MDM9150, MDM9205, MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8939, MSM8940, MSM8953, MSM8996AU, MSM8998, Nicobar, QCM2150, QCS605, QM215, Rennell, SC8180X, SDA660, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDM670, SDM710, SDM845, SDM850, SDX20, SDX24, SDX55, SM6150, SM7150, SM8150, SXR1130",
"id": "GHSA-q9r8-3fp5-x86x",
"modified": "2022-05-24T17:10:10Z",
"published": "2022-05-24T17:10:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10552"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/march-2020-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q9RW-RQ8V-6R3F
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe.
Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-25248"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-04T20:15:00Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read information disclosure vulnerability in Trend Micro Apex One (on-prem and SaaS), OfficeScan XG SP1, and Worry-Free Business Security (10.0 SP1 and Services) could allow an attacker to disclose sensitive information about a named pipe.\n\nPlease note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.",
"id": "GHSA-q9rw-rq8v-6r3f",
"modified": "2022-05-24T17:41:08Z",
"published": "2022-05-24T17:41:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25248"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000284202"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000284205"
},
{
"type": "WEB",
"url": "https://success.trendmicro.com/solution/000284206"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-118"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.