Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11291 vulnerabilities reference this CWE, most recent first.

GHSA-QMXP-F2PX-7FCQ

Vulnerability from github – Published: 2023-01-09 09:30 – Updated: 2023-01-13 03:30
VLAI
Details

Transient DOS due to buffer over-read in WLAN while parsing corrupted NAN frames.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33253"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-09T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Transient DOS due to buffer over-read in WLAN while parsing corrupted NAN frames.",
  "id": "GHSA-qmxp-f2px-7fcq",
  "modified": "2023-01-13T03:30:17Z",
  "published": "2023-01-09T09:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33253"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/january-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP2Q-C955-WF5J

Vulnerability from github – Published: 2022-05-14 01:49 – Updated: 2022-05-14 01:49
VLAI
Details

In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74202041.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-9361"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-11-06T17:29:00Z",
    "severity": "HIGH"
  },
  "details": "In process_l2cap_cmd of l2c_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-6.0 Android-6.0.1 Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android ID: A-74202041.",
  "id": "GHSA-qp2q-c955-wf5j",
  "modified": "2022-05-14T01:49:45Z",
  "published": "2022-05-14T01:49:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9361"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-06-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/104461"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP35-QGF7-937Q

Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions < V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21577)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-32065"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-14T16:17:01Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in PS/IGES Parasolid Translator Component (All versions \u003c V27.1.215). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted IGS files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-21577)",
  "id": "GHSA-qp35-qgf7-937q",
  "modified": "2024-07-09T12:30:55Z",
  "published": "2024-05-14T18:31:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32065"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-064222.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-976324.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QP48-7H94-95CP

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-09-24 00:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()

When CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and then the below user-memory-access bug occurs.

In hid_test_uclogic_params_cleanup_event_hooks(),it call uclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so when it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata() will access hdev->dev with hdev=NULL, which will cause below user-memory-access.

So add a fake_device with quirks member and call hid_set_drvdata() to assign hdev->dev->driver_data which avoids the null-ptr-def bug for drvdata->quirks in uclogic_params_ugee_v2_has_battery(). After applying this patch, the below user-memory-access bug never occurs.

general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f] CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G B W N 6.6.0-rc2+ #30 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6 DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600 PKRU: 55555554 Call Trace: ? die_addr+0x3d/0xa0 ? exc_general_protection+0x144/0x220 ? asm_exc_general_protection+0x22/0x30 ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 ? sched_clock_cpu+0x69/0x550 ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70 ? load_balance+0x2950/0x2950 ? rcu_trc_cmpxchg_need_qs+0x67/0xa0 hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0 ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600 ? __switch_to+0x5cf/0xe60 ? migrate_enable+0x260/0x260 ? __kthread_parkme+0x83/0x150 ? kunit_try_run_case_cleanup+0xe0/0xe0 kunit_generic_run_threadfn_adapter+0x4a/0x90 ? kunit_try_catch_throw+0x80/0x80 kthread+0x2b5/0x380 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x2d/0x70 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork_asm+0x11/0x20 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 0000000000000000 ]--- RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600 Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 <80> 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00 RSP: 0000:ffff88810679fc88 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000 RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0 R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92 R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080 FS: 0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0 DR0: ffffffff8fdd6cf4 DR1: ---truncated---

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52866"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:23Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: uclogic: Fix user-memory-access bug in uclogic_params_ugee_v2_init_event_hooks()\n\nWhen CONFIG_HID_UCLOGIC=y and CONFIG_KUNIT_ALL_TESTS=y, launch kernel and\nthen the below user-memory-access bug occurs.\n\nIn hid_test_uclogic_params_cleanup_event_hooks(),it call\nuclogic_params_ugee_v2_init_event_hooks() with the first arg=NULL, so\nwhen it calls uclogic_params_ugee_v2_has_battery(), the hid_get_drvdata()\nwill access hdev-\u003edev with hdev=NULL, which will cause below\nuser-memory-access.\n\nSo add a fake_device with quirks member and call hid_set_drvdata()\nto assign hdev-\u003edev-\u003edriver_data which avoids the null-ptr-def bug\nfor drvdata-\u003equirks in uclogic_params_ugee_v2_has_battery(). After applying\nthis patch, the below user-memory-access bug never occurs.\n\n general protection fault, probably for non-canonical address 0xdffffc0000000329: 0000 [#1] PREEMPT SMP KASAN\n KASAN: probably user-memory-access in range [0x0000000000001948-0x000000000000194f]\n CPU: 5 PID: 2189 Comm: kunit_try_catch Tainted: G    B   W        N 6.6.0-rc2+ #30\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: ffffffff8fdd6cf5 DR2: ffffffff8fdd6cf6\n DR3: ffffffff8fdd6cf7 DR6: 00000000fffe0ff0 DR7: 0000000000000600\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ? die_addr+0x3d/0xa0\n  ? exc_general_protection+0x144/0x220\n  ? asm_exc_general_protection+0x22/0x30\n  ? uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n  ? sched_clock_cpu+0x69/0x550\n  ? uclogic_parse_ugee_v2_desc_gen_params+0x70/0x70\n  ? load_balance+0x2950/0x2950\n  ? rcu_trc_cmpxchg_need_qs+0x67/0xa0\n  hid_test_uclogic_params_cleanup_event_hooks+0x9e/0x1a0\n  ? uclogic_params_ugee_v2_init_event_hooks+0x600/0x600\n  ? __switch_to+0x5cf/0xe60\n  ? migrate_enable+0x260/0x260\n  ? __kthread_parkme+0x83/0x150\n  ? kunit_try_run_case_cleanup+0xe0/0xe0\n  kunit_generic_run_threadfn_adapter+0x4a/0x90\n  ? kunit_try_catch_throw+0x80/0x80\n  kthread+0x2b5/0x380\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork+0x2d/0x70\n  ? kthread_complete_and_exit+0x20/0x20\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e\n Modules linked in:\n Dumping ftrace buffer:\n    (ftrace buffer empty)\n ---[ end trace 0000000000000000 ]---\n RIP: 0010:uclogic_params_ugee_v2_init_event_hooks+0x87/0x600\n Code: f3 f3 65 48 8b 14 25 28 00 00 00 48 89 54 24 60 31 d2 48 89 fa c7 44 24 30 00 00 00 00 48 c7 44 24 28 02 f8 02 01 48 c1 ea 03 \u003c80\u003e 3c 02 00 0f 85 2c 04 00 00 48 8b 9d 48 19 00 00 48 b8 00 00 00\n RSP: 0000:ffff88810679fc88 EFLAGS: 00010202\n RAX: dffffc0000000000 RBX: 0000000000000004 RCX: 0000000000000000\n RDX: 0000000000000329 RSI: ffff88810679fd88 RDI: 0000000000001948\n RBP: 0000000000000000 R08: 0000000000000000 R09: ffffed1020f639f0\n R10: ffff888107b1cf87 R11: 0000000000000400 R12: 1ffff11020cf3f92\n R13: ffff88810679fd88 R14: ffff888100b97b08 R15: ffff8881030bb080\n FS:  0000000000000000(0000) GS:ffff888119e80000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000005286001 CR4: 0000000000770ee0\n DR0: ffffffff8fdd6cf4 DR1: \n---truncated---",
  "id": "GHSA-qp48-7h94-95cp",
  "modified": "2025-09-24T00:30:40Z",
  "published": "2024-05-21T18:31:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52866"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/64da1f6147dac7f8499d4937a0d7ea990bf569e8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6c8f953728d75104d994893f58801c457274335a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/91cfe0bbaa1c434d4271eb6e1d7aaa1fe8d121f6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP4C-CV95-GWHH

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156076070

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-0499"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-156076070",
  "id": "GHSA-qp4c-cv95-gwhh",
  "modified": "2022-05-24T17:36:27Z",
  "published": "2022-05-24T17:36:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0499"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/33W6XZAAEJYRGU3XYHRO7XSYEA7YACUB"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KNZYTAU5UWBVXVJ4VHDWPR66ZVDLQZRE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VPA5GAEKPXKAHGHHBI4X7AFNI4BMOVG3"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-QP52-8VGW-VFXC

Vulnerability from github – Published: 2022-09-20 00:00 – Updated: 2022-09-22 00:00
VLAI
Details

Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). This vulnerability allows attackers to access sensitive information via a crafted HTTP request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-19T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Openwrt before v21.02.3 and Openwrt v22.03.0-rc6 were discovered to contain two skip loops in the function header_value(). This vulnerability allows attackers to access sensitive information via a crafted HTTP request.",
  "id": "GHSA-qp52-8vgw-vfxc",
  "modified": "2022-09-22T00:00:21Z",
  "published": "2022-09-20T00:00:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38333"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=project/cgi-io.git;a=commit;h=901b0f0463c9d16a8cf5b9ed37118d8484bc9176"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=project/cgi-io.git;a=commitdiff;h=901b0f0463c9d16a8cf5b9ed37118d8484bc9176"
    },
    {
      "type": "WEB",
      "url": "https://git.openwrt.org/?p=project/cgi-io.git;a=patch;h=901b0f0463c9d16a8cf5b9ed37118d8484bc9176"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP5Q-M8RC-5R2Q

Vulnerability from github – Published: 2023-12-19 03:30 – Updated: 2023-12-19 03:30
VLAI
Details

Out-of-bouds read vulnerability in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-6315"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-19T01:15:12Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bouds read vulnerability in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file.",
  "id": "GHSA-qp5q-m8rc-5r2q",
  "modified": "2023-12-19T03:30:17Z",
  "published": "2023-12-19T03:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6315"
    },
    {
      "type": "WEB",
      "url": "https://industry.panasonic.eu/products/automation-devices-solutions/programmable-logic-controllers-plc/plc-software/programming-software-control-fpwin-pro"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP8G-8MJ4-549C

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2022-05-24 16:50
VLAI
Details

njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-13617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-16T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in nxt_vsprintf in nxt/nxt_sprintf.c during error handling, as demonstrated by an njs_regexp_literal call that leads to an njs_parser_lexer_error call and then an njs_parser_scope_error call.",
  "id": "GHSA-qp8g-8mj4-549c",
  "modified": "2022-05-24T16:50:29Z",
  "published": "2022-05-24T16:50:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13617"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/issues/174"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15093"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QP99-C29R-7GCF

Vulnerability from github – Published: 2023-01-13 21:30 – Updated: 2023-01-13 21:30
VLAI
Details

Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-21592"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-13T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-qp99-c29r-7gcf",
  "modified": "2023-01-13T21:30:26Z",
  "published": "2023-01-13T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21592"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/indesign/apsb23-07.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QPC9-3GVW-7VFQ

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-16 18:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp

Patch series "mm/damon/core: validate damos_quota_goal->nid".

node_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id. The node id is used for si_meminfo_node() and NODE_DATA() without proper validation. As a result, privileged users can trigger an out of bounds memory access using DAMON_SYSFS. Fix the issues.

The issue was originally reported [1] with a fix by another author. The original author announced [2] that they will stop working including the fix that was still in the review stage. Hence I'm restarting this.

This patch (of 2):

Users can set damos_quota_goal->nid with arbitrary value for node_mem_{used,free}_bp. But DAMON core is using those for si_meminfo_node() without the validation of the value. This can result in out of bounds memory access. The issue can actually triggered using DAMON user-space tool (damo), like below.

$ sudo ./damo start --damos_action stat \
    --damos_quota_goal node_mem_used_bp 50% -1 \
    --damos_quota_interval 1s
$ sudo dmesg
[...]
[   65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098

Fix this issue by adding the validation of the given node. If an invalid node id is given, it returns 0% for used memory ratio, and 100% for free memory ratio.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46020"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:20Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/core: validate damos_quota_goal-\u003enid for node_mem_{used,free}_bp\n\nPatch series \"mm/damon/core: validate damos_quota_goal-\u003enid\".\n\nnode_mem[cg]_{used,free}_bp DAMOS quota goals receive the node id.  The\nnode id is used for si_meminfo_node() and NODE_DATA() without proper\nvalidation.  As a result, privileged users can trigger an out of bounds\nmemory access using DAMON_SYSFS.  Fix the issues.\n\nThe issue was originally reported [1] with a fix by another author.  The\noriginal author announced [2] that they will stop working including the\nfix that was still in the review stage.  Hence I\u0027m restarting this.\n\n\nThis patch (of 2):\n\nUsers can set damos_quota_goal-\u003enid with arbitrary value for\nnode_mem_{used,free}_bp.  But DAMON core is using those for\nsi_meminfo_node() without the validation of the value.  This can result in\nout of bounds memory access.  The issue can actually triggered using DAMON\nuser-space tool (damo), like below.\n\n    $ sudo ./damo start --damos_action stat \\\n    \t--damos_quota_goal node_mem_used_bp 50% -1 \\\n    \t--damos_quota_interval 1s\n    $ sudo dmesg\n    [...]\n    [   65.565986] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000098\n\nFix this issue by adding the validation of the given node.  If an invalid\nnode id is given, it returns 0% for used memory ratio, and 100% for free\nmemory ratio.",
  "id": "GHSA-qpc9-3gvw-7vfq",
  "modified": "2026-06-16T18:32:28Z",
  "published": "2026-05-27T15:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46020"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/40250b2dded0604a112be605f3828700d80ad7c2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b09958e235f2b9cd3898b85a8529172afa80d212"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bcad74078708f2330a45b55358ebc38f8f4b1127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.