CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-QC6F-VG59-3945
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-07 18:30In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Bound VBIOS record-chain walk loops
[Why & How] All record-chain walk loops in bios_parser.c and bios_parser2.c use for(;;) and only terminate on a 0xFF record_type sentinel or zero record_size. A malformed VBIOS image missing the terminator record causes unbounded iteration at probe time, potentially hundreds of thousands of iterations with record_size=1. In the final iterations near the BIOS image boundary, struct casts beyond the 2-byte header validated by GET_IMAGE can also read out of bounds.
Cap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256) iterations. The atombios.h defines up to 22 distinct record types and atomfirmware.h has 13. Assuming an average of less than 10 records per type (which is reasonable since most are connector- based) 256 is a generous upper bound.
(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)
{
"affected": [],
"aliases": [
"CVE-2026-53138"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:31Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Bound VBIOS record-chain walk loops\n\n[Why \u0026 How]\nAll record-chain walk loops in bios_parser.c and bios_parser2.c use\nfor(;;) and only terminate on a 0xFF record_type sentinel or zero\nrecord_size. A malformed VBIOS image missing the terminator record\ncauses unbounded iteration at probe time, potentially hundreds of\nthousands of iterations with record_size=1. In the final iterations\nnear the BIOS image boundary, struct casts beyond the 2-byte header\nvalidated by GET_IMAGE can also read out of bounds.\n\nCap all 14 record-chain walk loops to BIOS_MAX_NUM_RECORD (256)\niterations. The atombios.h defines up to 22 distinct record types\nand atomfirmware.h has 13. Assuming an average of less than 10\nrecords per type (which is reasonable since most are connector-\nbased) 256 is a generous upper bound.\n\n(cherry picked from commit 95700a3d660287ed657d6892f7be9ffc0e294a93)",
"id": "GHSA-qc6f-vg59-3945",
"modified": "2026-07-07T18:30:28Z",
"published": "2026-06-25T09:31:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53138"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/04e271a952b8863bbafc99bd51aca4c32bff0e0d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0e56f460bddb397fa9a8e6faf7ae7eaa86953eb1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2645e3caf7e013189da9c6ff621d006cca5a538b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/499c6b43a79dd684bddbd18fe8b2235aa2764db4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6173cfea2f916e01c4f98e29cd654384a05e32a3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6723188c42ca3b34a9fce634d7a0ecc9ccd5cd56"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e94f5323c41f32a74160378c3b19850d1f203ad5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ff287df16a1a58aca78b08d1f3ee09fc44da0351"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QC6X-2435-2VFR
Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2023-03-28 21:30Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26346"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qc6x-2435-2vfr",
"modified": "2023-03-28T21:30:18Z",
"published": "2023-03-28T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26346"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dimension/apsb23-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QC9F-6X66-H8C3
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a file may lead to disclosure of user information.
{
"affected": [],
"aliases": [
"CVE-2024-44279"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:08Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.1, macOS Sonoma 14.7.1. Parsing a file may lead to disclosure of user information.",
"id": "GHSA-qc9f-6x66-h8c3",
"modified": "2026-04-02T21:31:59Z",
"published": "2024-10-28T21:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44279"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121564"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCC5-J37H-W6F4
Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-17 00:00Adobe Character Animator version 4.4 (and earlier versions) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2021-40766"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-16T15:15:00Z",
"severity": "LOW"
},
"details": "Adobe Character Animator version 4.4 (and earlier versions) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qcc5-j37h-w6f4",
"modified": "2022-03-17T00:00:33Z",
"published": "2022-03-17T00:00:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40766"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/character_animator/apsb21-95.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCFP-9C2V-6HQ6
Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2025-12-03 21:30The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix().
{
"affected": [],
"aliases": [
"CVE-2018-16228"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-03T16:15:00Z",
"severity": "MODERATE"
},
"details": "The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in print-hncp.c:print_prefix().",
"id": "GHSA-qcfp-9c2v-6hq6",
"modified": "2025-12-03T21:30:58Z",
"published": "2022-05-24T16:57:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16228"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/commit/83a412a5275cac973c5841eca3511c766bed778d"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4547"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4252-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4252-1"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT210788"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20200120-0001"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Oct/28"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/23"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R2UDPOSGVJQIYC33SQBXMDXHH4QDSDMU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNYXF3IY2X65IOD422SA6EQUULSGW7FN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/62XY42U6HY3H2APR5EHNWCZ7SAQNMMJN"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/10/msg00015.html"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/blob/tcpdump-4.9/CHANGES"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00050.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00053.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Dec/26"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCHV-V695-4M9X
Vulnerability from github – Published: 2022-05-14 01:46 – Updated: 2022-05-14 01:46A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.
{
"affected": [],
"aliases": [
"CVE-2018-19566"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-26T20:29:00Z",
"severity": "HIGH"
},
"details": "A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak private information.",
"id": "GHSA-qchv-v695-4m9x",
"modified": "2022-05-14T01:46:48Z",
"published": "2022-05-14T01:46:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19566"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2018/q4/165"
},
{
"type": "WEB",
"url": "https://seclists.org/oss-sec/2018/q4/171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QCQG-65G5-53C7
Vulnerability from github – Published: 2022-05-14 03:07 – Updated: 2022-05-14 03:07If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response. This vulnerability affects Firefox < 60.
{
"affected": [],
"aliases": [
"CVE-2018-5153"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "HIGH"
},
"details": "If websocket data is sent with mixed text and binary in a single message, the binary data can be corrupted. This can result in an out-of-bounds read with the read memory sent to the originating server in response. This vulnerability affects Firefox \u003c 60.",
"id": "GHSA-qcqg-65g5-53c7",
"modified": "2022-05-14T03:07:09Z",
"published": "2022-05-14T03:07:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5153"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1436809"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3645-1"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-11"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104139"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040896"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCRC-VPPP-6F29
Vulnerability from github – Published: 2022-05-24 17:48 – Updated: 2022-05-24 17:48CNCSoft-B Versions 1.0.0.3 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2021-22660"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-27T13:15:00Z",
"severity": "HIGH"
},
"details": "CNCSoft-B Versions 1.0.0.3 and prior is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.",
"id": "GHSA-qcrc-vppp-6f29",
"modified": "2022-05-24T17:48:55Z",
"published": "2022-05-24T17:48:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22660"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-110-05"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-445"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-446"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-509"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QCRJ-W7HM-XCRH
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07An authorization issue was addressed with improved state management. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to retain access to system configuration files even after its permission is revoked
{
"affected": [],
"aliases": [
"CVE-2023-32357"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:11Z",
"severity": "HIGH"
},
"details": "An authorization issue was addressed with improved state management. This issue is fixed in watchOS 9.5, macOS Ventura 13.4, tvOS 16.5, iOS 16.5 and iPadOS 16.5, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. An app may be able to retain access to system configuration files even after its permission is revoked",
"id": "GHSA-qcrj-w7hm-xcrh",
"modified": "2024-04-04T05:07:23Z",
"published": "2023-06-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32357"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213758"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213759"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213760"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QCVH-FFQ5-55F3
Vulnerability from github – Published: 2023-06-06 09:30 – Updated: 2024-04-04 04:34Transient DOS while parsing WLAN beacon or probe-response frame.
{
"affected": [],
"aliases": [
"CVE-2023-21661"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-06T08:15:12Z",
"severity": "HIGH"
},
"details": "Transient DOS while parsing WLAN beacon or probe-response frame.",
"id": "GHSA-qcvh-ffq5-55f3",
"modified": "2024-04-04T04:34:53Z",
"published": "2023-06-06T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21661"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/june-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.