CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11291 vulnerabilities reference this CWE, most recent first.
GHSA-QJQJ-4CQ6-6F2F
Vulnerability from github – Published: 2024-01-25 18:30 – Updated: 2024-06-10 18:30A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.
{
"affected": [],
"aliases": [
"CVE-2023-40547"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-346",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-25T16:15:07Z",
"severity": "HIGH"
},
"details": "A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise.",
"id": "GHSA-qjqj-4cq6-6f2f",
"modified": "2024-06-10T18:30:51Z",
"published": "2024-01-25T18:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40547"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1834"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1835"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1873"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1876"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1883"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1902"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1903"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:1959"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2086"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-40547"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2234589"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/05/msg00009.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/26/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJWP-FX53-R42V
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read.
{
"affected": [],
"aliases": [
"CVE-2018-19625"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-29T04:29:00Z",
"severity": "MODERATE"
},
"details": "In Wireshark 2.6.0 to 2.6.4 and 2.4.0 to 2.4.10, the dissection engine could crash. This was addressed in epan/tvbuff_composite.c by preventing a heap-based buffer over-read.",
"id": "GHSA-qjwp-fx53-r42v",
"modified": "2022-05-13T01:27:50Z",
"published": "2022-05-13T01:27:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19625"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14466"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=dc4d209f39132a4ae05675a11609176ae9705cfc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00010.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4359"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2018-51.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106051"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJXR-J6GG-GH78
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.
{
"affected": [],
"aliases": [
"CVE-2024-33012"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T15:15:49Z",
"severity": "HIGH"
},
"details": "Transient DOS while parsing the multiple MBSSID IEs from the beacon, when the tag length is non-zero value but with end of beacon.",
"id": "GHSA-qjxr-j6gg-gh78",
"modified": "2024-08-05T15:30:53Z",
"published": "2024-08-05T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33012"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM22-H7GG-WR34
Vulnerability from github – Published: 2022-05-17 02:52 – Updated: 2025-04-20 03:30An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.
{
"affected": [],
"aliases": [
"CVE-2016-2374"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-200"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-06T21:59:00Z",
"severity": "HIGH"
},
"details": "An exploitable memory corruption vulnerability exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT MultiMX message sent via the server can result in an out-of-bounds write leading to memory disclosure and code execution.",
"id": "GHSA-qm22-h7gg-wr34",
"modified": "2025-04-20T03:30:49Z",
"published": "2022-05-17T02:52:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2374"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-38"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3620"
},
{
"type": "WEB",
"url": "http://www.pidgin.im/news/security/?id=107"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91335"
},
{
"type": "WEB",
"url": "http://www.talosintelligence.com/reports/TALOS-2016-0142"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3031-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM24-FMQW-F5V5
Vulnerability from github – Published: 2024-11-09 12:30 – Updated: 2024-11-13 21:30In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()
KASAN reported following issue:
BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt] Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11 CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387 Tainted: [U]=USER Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt] Call Trace: dump_stack_lvl+0x6c/0x90 print_report+0xd1/0x630 kasan_report+0xdb/0x110 __asan_report_load4_noabort+0x14/0x20 tb_retimer_scan+0xffe/0x1550 [thunderbolt] tb_scan_port+0xa6f/0x2060 [thunderbolt] tb_handle_hotplug+0x17b1/0x3080 [thunderbolt] process_one_work+0x626/0x1100 worker_thread+0x6c8/0xfa0 kthread+0x2c8/0x3a0 ret_from_fork+0x3a/0x80 ret_from_fork_asm+0x1a/0x30
This happens because the loop variable still gets incremented by one so max becomes 3 instead of 2, and this makes the second loop read past the the array declared on the stack.
Fix this by assigning to max directly in the loop body.
{
"affected": [],
"aliases": [
"CVE-2024-50227"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-09T11:15:08Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Fix KASAN reported stack out-of-bounds read in tb_retimer_scan()\n\nKASAN reported following issue:\n\n BUG: KASAN: stack-out-of-bounds in tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n Read of size 4 at addr ffff88810111fc1c by task kworker/u56:0/11\n CPU: 0 UID: 0 PID: 11 Comm: kworker/u56:0 Tainted: G U 6.11.0+ #1387\n Tainted: [U]=USER\n Workqueue: thunderbolt0 tb_handle_hotplug [thunderbolt]\n Call Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x6c/0x90\n print_report+0xd1/0x630\n kasan_report+0xdb/0x110\n __asan_report_load4_noabort+0x14/0x20\n tb_retimer_scan+0xffe/0x1550 [thunderbolt]\n tb_scan_port+0xa6f/0x2060 [thunderbolt]\n tb_handle_hotplug+0x17b1/0x3080 [thunderbolt]\n process_one_work+0x626/0x1100\n worker_thread+0x6c8/0xfa0\n kthread+0x2c8/0x3a0\n ret_from_fork+0x3a/0x80\n ret_from_fork_asm+0x1a/0x30\n\nThis happens because the loop variable still gets incremented by one so\nmax becomes 3 instead of 2, and this makes the second loop read past the\nthe array declared on the stack.\n\nFix this by assigning to max directly in the loop body.",
"id": "GHSA-qm24-fmqw-f5v5",
"modified": "2024-11-13T21:30:32Z",
"published": "2024-11-09T12:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50227"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08b2771e9270fbe1ed4fbbe93abe05ac7fe9861d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e9e1b20fae7de06ba36dd3f8dba858157bad233d"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QM26-RXPV-RHXH
Vulnerability from github – Published: 2022-05-13 01:34 – Updated: 2022-05-13 01:34Fuji Electric FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA, FRENIC-Ace. The program does not properly parse FNC files that may allow for information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-14798"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-01T13:29:00Z",
"severity": "MODERATE"
},
"details": "Fuji Electric FRENIC LOADER v3.3 v7.3.4.1a of FRENIC-Mini (C1), FRENIC-Mini (C2), FRENIC-Eco, FRENIC-Multi, FRENIC-MEGA, FRENIC-Ace. The program does not properly parse FNC files that may allow for information disclosure.",
"id": "GHSA-qm26-rxpv-rhxh",
"modified": "2022-05-13T01:34:27Z",
"published": "2022-05-13T01:34:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14798"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-270-03"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM35-5R72-GCJC
Vulnerability from github – Published: 2023-06-23 18:30 – Updated: 2024-04-04 05:07An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5. An app may be able to disclose kernel memory
{
"affected": [],
"aliases": [
"CVE-2023-32354"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-23T18:15:11Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 16.5 and iPadOS 16.5, watchOS 9.5, tvOS 16.5. An app may be able to disclose kernel memory",
"id": "GHSA-qm35-5r72-gcjc",
"modified": "2024-04-04T05:07:26Z",
"published": "2023-06-23T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32354"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213757"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213761"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/HT213764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM3M-JJVM-9VQR
Vulnerability from github – Published: 2025-11-11 21:30 – Updated: 2025-11-11 21:30Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-61841"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T19:15:35Z",
"severity": "MODERATE"
},
"details": "Format Plugins versions 1.1.1 and earlier are affected by an Out-of-bounds Read vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to access sensitive memory information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qm3m-jjvm-9vqr",
"modified": "2025-11-11T21:30:27Z",
"published": "2025-11-11T21:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61841"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/formatplugins/apsb25-114.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM3P-8WCX-J539
Vulnerability from github – Published: 2024-04-02 18:31 – Updated: 2024-04-02 18:31Foxit PDF Reader AcroForm Annotation Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22641.
{
"affected": [],
"aliases": [
"CVE-2024-30335"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-02T18:15:12Z",
"severity": "LOW"
},
"details": "Foxit PDF Reader AcroForm Annotation Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of Annotation objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22641.",
"id": "GHSA-qm3p-8wcx-j539",
"modified": "2024-04-02T18:31:17Z",
"published": "2024-04-02T18:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30335"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-304"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QM6J-JQGW-8FCG
Vulnerability from github – Published: 2025-01-14 18:32 – Updated: 2025-01-14 18:32An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.
{
"affected": [],
"aliases": [
"CVE-2024-13169"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-14T18:15:28Z",
"severity": "HIGH"
},
"details": "An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.",
"id": "GHSA-qm6j-jqgw-8fcg",
"modified": "2025-01-14T18:32:02Z",
"published": "2025-01-14T18:32:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-13169"
},
{
"type": "WEB",
"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.