CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11291 vulnerabilities reference this CWE, most recent first.
GHSA-QQ7V-CCWW-8WH3
Vulnerability from github – Published: 2022-02-17 00:00 – Updated: 2025-11-04 18:30Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled 'filename' argument may cause an out-of-bounds read when the filename is shorter than 4 characters.
{
"affected": [],
"aliases": [
"CVE-2021-43302"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-16T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An attacker-controlled \u0027filename\u0027 argument may cause an out-of-bounds read when the filename is shorter than 4 characters.",
"id": "GHSA-qq7v-ccww-8wh3",
"modified": "2025-11-04T18:30:38Z",
"published": "2022-02-17T00:00:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43302"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00021.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00030.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5285"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQ7V-PR98-PWCV
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2022-05-17 02:46coders/sun.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted sun file.
{
"affected": [],
"aliases": [
"CVE-2014-9829"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-05T17:59:00Z",
"severity": "MODERATE"
},
"details": "coders/sun.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds access) via a crafted sun file.",
"id": "GHSA-qq7v-pr98-pwcv",
"modified": "2022-05-17T02:46:33Z",
"published": "2022-05-17T02:46:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9829"
},
{
"type": "WEB",
"url": "https://anonscm.debian.org/cgit/collab-maint/imagemagick.git/commit/?h=debian-patches/6.8.9.9-4-for-upstream\u0026id=8e72cbfca8db81132319af14d1f33a3e833666d7"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1343485"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/02/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQ9H-6XM2-Q77V
Vulnerability from github – Published: 2025-06-10 21:31 – Updated: 2025-06-10 21:31Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-47112"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T19:15:33Z",
"severity": "MODERATE"
},
"details": "Acrobat Reader versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qq9h-6xm2-q77v",
"modified": "2025-06-10T21:31:23Z",
"published": "2025-06-10T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47112"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb25-57.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQCC-6HC8-MR5C
Vulnerability from github – Published: 2024-04-11 09:30 – Updated: 2024-04-11 09:30Bridge versions 13.0.6, 14.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-20771"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-11T09:15:07Z",
"severity": "MODERATE"
},
"details": "Bridge versions 13.0.6, 14.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qqcc-6hc8-mr5c",
"modified": "2024-04-11T09:30:56Z",
"published": "2024-04-11T09:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20771"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/bridge/apsb24-24.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-QQFF-4VW4-F6HX
Vulnerability from github – Published: 2022-12-05 17:58 – Updated: 2022-12-05 17:58The Cap'n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.
Impact
- Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type.
- Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type.
- To be vulnerable, an application must perform a specific sequence of actions, described below. At present, we are not aware of any vulnerable application, but we advise updating regardless.
Fixed in
Unfortunately, the bug is present in inlined code, therefore the fix will require rebuilding dependent applications.
C++ fix:
- git commit 25d34c67863fd960af34fc4f82a7ca3362ee74b9
- release 0.11 (future)
- release 0.10.3:
- Unix: https://capnproto.org/capnproto-c++-0.10.3.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.10.3.zip
- release 0.9.2:
- Unix: https://capnproto.org/capnproto-c++-0.9.2.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.9.2.zip
- release 0.8.1:
- Unix: https://capnproto.org/capnproto-c++-0.8.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.8.1.zip
- release 0.7.1:
- Unix: https://capnproto.org/capnproto-c++-0.7.1.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.7.1.zip
- release 0.5.4:
- Unix: https://capnproto.org/capnproto-c++-0.5.4.tar.gz
- Windows: https://capnproto.org/capnproto-c++-win32-0.5.4.zip
Rust fix:
capnpcrate version0.15.2,0.14.11, or0.13.7
Details
A specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.
For an in-depth explanation of how this bug works, see David Renshaw's blog post. This details below focus only on determining whether an application is vulnerable.
In order to be vulnerable, an application must have certain properties.
First, the application must accept messages with a schema in which a field has list-of-pointer type. This includes List(Text), List(Data), List(List(T)), or List(C) where C is an interface type. In the following discussion, we will assume this field is named foo.
Second, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field foo.
Third, the application must call getFoo() to obtain a List<T>::Reader for the field, and then use it in one of the following two ways:
-
Pass it as the parameter to another message's
setFoo(), thus copying the field into a new message. Note that copying the parent struct as a whole will not trigger the bug; the bug only occurs if the specific fieldfoois get/set on its own. -
Convert it into
AnyList::Reader, and then attempt to access it through that. This is much less likely; very few apps use theAnyListAPI.
The dynamic API equivalents of these actions (capnp/dynamic.h) are also affected.
If the application does these steps, the attacker may be able to cause the Cap'n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.
Any exfiltration of data would have the following limitations:
- The attacker could exfiltrate no more than 512 KiB of memory immediately following the message buffer.
- The attacker chooses in advance how far past the end of the message to read.
- The attacker's message itself must be larger than the exfiltrated data. Note that a sufficiently large message buffer will likely be allocated using mmap() in which case the attack will likely segfault.
- The attack can only work if the 8 bytes immediately following the exfiltrated data contains a valid in-bounds Cap'n Proto pointer. The easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.
- The attacker must specify exactly how much data to exfiltrate, so must guess exactly where such a valid pointer will exist.
- If the exfiltrated data is not followed by a valid pointer, the attack will throw an exception. If an application has chosen to ignore exceptions (e.g. by compiling with
-fno-exceptionsand not registering an alternative exception callback) then the attack may be able to proceed anyway.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "capnp"
},
"ranges": [
{
"events": [
{
"introduced": "0.15.0"
},
{
"fixed": "0.15.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "capnp"
},
"ranges": [
{
"events": [
{
"introduced": "0.14.0"
},
{
"fixed": "0.14.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "capnp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-46149"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-05T17:58:16Z",
"nvd_published_at": "2022-11-30T17:15:00Z",
"severity": "MODERATE"
},
"details": "The Cap\u0027n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type \"list of pointers\", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data.\n\nImpact\n======\n\n- Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type.\n- Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type.\n- To be vulnerable, an application must perform a specific sequence of actions, described below. At present, **we are not aware of any vulnerable application**, but we advise updating regardless.\n\nFixed in\n========\n\nUnfortunately, the bug is present in inlined code, therefore the fix will require rebuilding dependent applications.\n\nC++ fix:\n\n- git commit [25d34c67863fd960af34fc4f82a7ca3362ee74b9][0]\n- release 0.11 (future)\n- release 0.10.3:\n - Unix: https://capnproto.org/capnproto-c++-0.10.3.tar.gz\n - Windows: https://capnproto.org/capnproto-c++-win32-0.10.3.zip\n- release 0.9.2:\n - Unix: https://capnproto.org/capnproto-c++-0.9.2.tar.gz\n - Windows: https://capnproto.org/capnproto-c++-win32-0.9.2.zip\n- release 0.8.1:\n - Unix: https://capnproto.org/capnproto-c++-0.8.1.tar.gz\n - Windows: https://capnproto.org/capnproto-c++-win32-0.8.1.zip\n- release 0.7.1:\n - Unix: https://capnproto.org/capnproto-c++-0.7.1.tar.gz\n - Windows: https://capnproto.org/capnproto-c++-win32-0.7.1.zip\n- release 0.5.4:\n - Unix: https://capnproto.org/capnproto-c++-0.5.4.tar.gz\n - Windows: https://capnproto.org/capnproto-c++-win32-0.5.4.zip\n\nRust fix:\n\n- `capnp` crate version `0.15.2`, `0.14.11`, or `0.13.7`\n\n[0]: https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9\n\nDetails\n=======\n\nA specially-crafted pointer could escape bounds checking by exploiting inconsistent handling of pointers when a list-of-structs is downgraded to a list-of-pointers.\n\nFor an in-depth explanation of how this bug works, see [David Renshaw\u0027s blog post](https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html). This details below focus only on determining whether an application is vulnerable.\n\nIn order to be vulnerable, an application must have certain properties.\n\nFirst, the application must accept messages with a schema in which a field has list-of-pointer type. This includes `List(Text)`, `List(Data)`, `List(List(T))`, or `List(C)` where `C` is an interface type. In the following discussion, we will assume this field is named `foo`.\n\nSecond, the application must accept a message of this schema from a malicious source, where the attacker can maliciously encode the pointer representing the field `foo`.\n\nThird, the application must call `getFoo()` to obtain a `List\u003cT\u003e::Reader` for the field, and then use it in one of the following two ways:\n\n1. Pass it as the parameter to another message\u0027s `setFoo()`, thus copying the field into a new message. Note that copying the parent struct as a whole will *not* trigger the bug; the bug only occurs if the specific field `foo` is get/set on its own.\n\n2. Convert it into `AnyList::Reader`, and then attempt to access it through that. This is much less likely; very few apps use the `AnyList` API.\n\nThe dynamic API equivalents of these actions (`capnp/dynamic.h`) are also affected.\n\nIf the application does these steps, the attacker may be able to cause the Cap\u0027n Proto implementation to read beyond the end of the message. This could induce a segmentation fault. Or, worse, data that happened to be in memory immediately after the message might be returned as if it were part of the message. In the latter case, if the application then forwards that data back to the attacker or sends it to another third party, this could result in exfiltration of secrets.\n\nAny exfiltration of data would have the following limitations:\n\n* The attacker could exfiltrate no more than 512 KiB of memory immediately following the message buffer.\n * The attacker chooses in advance how far past the end of the message to read.\n * The attacker\u0027s message itself must be larger than the exfiltrated data. Note that a sufficiently large message buffer will likely be allocated using mmap() in which case the attack will likely segfault.\n* The attack can only work if the 8 bytes immediately following the exfiltrated data contains a valid in-bounds Cap\u0027n Proto pointer. The easiest way to achieve this is if the pointer is null, i.e. 8 bytes of zero.\n * The attacker must specify exactly how much data to exfiltrate, so must guess exactly where such a valid pointer will exist.\n * If the exfiltrated data is not followed by a valid pointer, the attack will throw an exception. If an application has chosen to ignore exceptions (e.g. by compiling with `-fno-exceptions` and not registering an alternative exception callback) then the attack may be able to proceed anyway.",
"id": "GHSA-qqff-4vw4-f6hx",
"modified": "2022-12-05T17:58:16Z",
"published": "2022-12-05T17:58:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto/security/advisories/GHSA-qqff-4vw4-f6hx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46149"
},
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto/commit/25d34c67863fd960af34fc4f82a7ca3362ee74b9"
},
{
"type": "WEB",
"url": "https://dwrensha.github.io/capnproto-rust/2022/11/30/out_of_bounds_memory_access_bug.html"
},
{
"type": "PACKAGE",
"url": "https://github.com/capnproto/capnproto"
},
{
"type": "WEB",
"url": "https://github.com/capnproto/capnproto/tree/master/security-advisories/2022-11-30-0-pointer-list-bounds.md"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EAHKLUMJAXJEV5BPBS5XXWBQ3ZTHGOLY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTS6TWD6K2NKXLEEFBPROQXMOFUTEYWY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WKXM4JAFXLTXU5IQB3OUBQVCIICZWGYX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZOCQQOPMVQOFUWBWAGVGN76OYAV3WXY4"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0068.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Cap\u0027n Proto and its Rust implementation vulnerable to out-of-bounds read due to logic error handling list-of-list"
}
GHSA-QQG5-MC63-W7CH
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2021-32990"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-29T15:15:00Z",
"severity": "CRITICAL"
},
"details": "FATEK Automation WinProladder Versions 3.30 and prior are vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.",
"id": "GHSA-qqg5-mc63-w7ch",
"modified": "2022-05-24T19:06:31Z",
"published": "2022-05-24T19:06:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32990"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-175-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-QQGG-499C-J47V
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Validate buffer length while parsing index
indx_read is called when we have some NTFS directory operations that need more information from the index buffers. This adds a sanity check to make sure the returned index buffer length is legit, or we may have some out-of-bound memory accesses.
[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320 [ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245 [ 560.898760] [ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37 [ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 560.900170] Call Trace: [ 560.900407] [ 560.900732] dump_stack_lvl+0x49/0x63 [ 560.901108] print_report.cold+0xf5/0x689 [ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.901716] kasan_report+0xa7/0x130 [ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320 [ 560.902208] __asan_load2+0x68/0x90 [ 560.902427] hdr_find_e.isra.0+0x10c/0x320 [ 560.902846] ? cmp_uints+0xe0/0xe0 [ 560.903363] ? cmp_sdh+0x90/0x90 [ 560.903883] ? ntfs_bread_run+0x190/0x190 [ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750 [ 560.904969] ? ntfs_fix_post_read+0xe0/0x130 [ 560.905259] ? __kasan_check_write+0x14/0x20 [ 560.905599] ? up_read+0x1a/0x90 [ 560.905853] ? indx_read+0x22c/0x380 [ 560.906096] indx_find+0x2ef/0x470 [ 560.906352] ? indx_find_buffer+0x2d0/0x2d0 [ 560.906692] ? __kasan_kmalloc+0x88/0xb0 [ 560.906977] dir_search_u+0x196/0x2f0 [ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450 [ 560.907464] ? __kasan_check_write+0x14/0x20 [ 560.907747] ? mutex_lock+0x8f/0xe0 [ 560.907970] ? __mutex_lock_slowpath+0x20/0x20 [ 560.908214] ? kmem_cache_alloc+0x143/0x4b0 [ 560.908459] ntfs_lookup+0xe0/0x100 [ 560.908788] __lookup_slow+0x116/0x220 [ 560.909050] ? lookup_fast+0x1b0/0x1b0 [ 560.909309] ? lookup_fast+0x13f/0x1b0 [ 560.909601] walk_component+0x187/0x230 [ 560.909944] link_path_walk.part.0+0x3f0/0x660 [ 560.910285] ? handle_lookup_down+0x90/0x90 [ 560.910618] ? path_init+0x642/0x6e0 [ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0 [ 560.912559] ? __alloc_file+0x114/0x170 [ 560.913008] path_openat+0x19c/0x1d10 [ 560.913419] ? getname_flags+0x73/0x2b0 [ 560.913815] ? kasan_save_stack+0x3a/0x50 [ 560.914125] ? kasan_save_stack+0x26/0x50 [ 560.914542] ? __kasan_slab_alloc+0x6d/0x90 [ 560.914924] ? kmem_cache_alloc+0x143/0x4b0 [ 560.915339] ? getname_flags+0x73/0x2b0 [ 560.915647] ? getname+0x12/0x20 [ 560.916114] ? __x64_sys_open+0x4c/0x60 [ 560.916460] ? path_lookupat.isra.0+0x230/0x230 [ 560.916867] ? __isolate_free_page+0x2e0/0x2e0 [ 560.917194] do_filp_open+0x15c/0x1f0 [ 560.917448] ? may_open_dev+0x60/0x60 [ 560.917696] ? expand_files+0xa4/0x3a0 [ 560.917923] ? __kasan_check_write+0x14/0x20 [ 560.918185] ? _raw_spin_lock+0x88/0xdb [ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100 [ 560.918783] ? _find_next_bit+0x4a/0x130 [ 560.919026] ? _raw_spin_unlock+0x19/0x40 [ 560.919276] ? alloc_fd+0x14b/0x2d0 [ 560.919635] do_sys_openat2+0x32a/0x4b0 [ 560.920035] ? file_open_root+0x230/0x230 [ 560.920336] ? __rcu_read_unlock+0x5b/0x280 [ 560.920813] do_sys_open+0x99/0xf0 [ 560.921208] ? filp_open+0x60/0x60 [ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180 [ 560.921867] __x64_sys_open+0x4c/0x60 [ 560.922128] do_syscall_64+0x3b/0x90 [ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 560.923030] RIP: 0033:0x7f7dff2e4469 [ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088 [ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002 [ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469 [ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ---truncated---
{
"affected": [],
"aliases": [
"CVE-2022-50442"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:36Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate buffer length while parsing index\n\nindx_read is called when we have some NTFS directory operations that\nneed more information from the index buffers. This adds a sanity check\nto make sure the returned index buffer length is legit, or we may have\nsome out-of-bound memory accesses.\n\n[ 560.897595] BUG: KASAN: slab-out-of-bounds in hdr_find_e.isra.0+0x10c/0x320\n[ 560.898321] Read of size 2 at addr ffff888009497238 by task exp/245\n[ 560.898760]\n[ 560.899129] CPU: 0 PID: 245 Comm: exp Not tainted 6.0.0-rc6 #37\n[ 560.899505] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014\n[ 560.900170] Call Trace:\n[ 560.900407] \u003cTASK\u003e\n[ 560.900732] dump_stack_lvl+0x49/0x63\n[ 560.901108] print_report.cold+0xf5/0x689\n[ 560.901395] ? hdr_find_e.isra.0+0x10c/0x320\n[ 560.901716] kasan_report+0xa7/0x130\n[ 560.901950] ? hdr_find_e.isra.0+0x10c/0x320\n[ 560.902208] __asan_load2+0x68/0x90\n[ 560.902427] hdr_find_e.isra.0+0x10c/0x320\n[ 560.902846] ? cmp_uints+0xe0/0xe0\n[ 560.903363] ? cmp_sdh+0x90/0x90\n[ 560.903883] ? ntfs_bread_run+0x190/0x190\n[ 560.904196] ? rwsem_down_read_slowpath+0x750/0x750\n[ 560.904969] ? ntfs_fix_post_read+0xe0/0x130\n[ 560.905259] ? __kasan_check_write+0x14/0x20\n[ 560.905599] ? up_read+0x1a/0x90\n[ 560.905853] ? indx_read+0x22c/0x380\n[ 560.906096] indx_find+0x2ef/0x470\n[ 560.906352] ? indx_find_buffer+0x2d0/0x2d0\n[ 560.906692] ? __kasan_kmalloc+0x88/0xb0\n[ 560.906977] dir_search_u+0x196/0x2f0\n[ 560.907220] ? ntfs_nls_to_utf16+0x450/0x450\n[ 560.907464] ? __kasan_check_write+0x14/0x20\n[ 560.907747] ? mutex_lock+0x8f/0xe0\n[ 560.907970] ? __mutex_lock_slowpath+0x20/0x20\n[ 560.908214] ? kmem_cache_alloc+0x143/0x4b0\n[ 560.908459] ntfs_lookup+0xe0/0x100\n[ 560.908788] __lookup_slow+0x116/0x220\n[ 560.909050] ? lookup_fast+0x1b0/0x1b0\n[ 560.909309] ? lookup_fast+0x13f/0x1b0\n[ 560.909601] walk_component+0x187/0x230\n[ 560.909944] link_path_walk.part.0+0x3f0/0x660\n[ 560.910285] ? handle_lookup_down+0x90/0x90\n[ 560.910618] ? path_init+0x642/0x6e0\n[ 560.911084] ? percpu_counter_add_batch+0x6e/0xf0\n[ 560.912559] ? __alloc_file+0x114/0x170\n[ 560.913008] path_openat+0x19c/0x1d10\n[ 560.913419] ? getname_flags+0x73/0x2b0\n[ 560.913815] ? kasan_save_stack+0x3a/0x50\n[ 560.914125] ? kasan_save_stack+0x26/0x50\n[ 560.914542] ? __kasan_slab_alloc+0x6d/0x90\n[ 560.914924] ? kmem_cache_alloc+0x143/0x4b0\n[ 560.915339] ? getname_flags+0x73/0x2b0\n[ 560.915647] ? getname+0x12/0x20\n[ 560.916114] ? __x64_sys_open+0x4c/0x60\n[ 560.916460] ? path_lookupat.isra.0+0x230/0x230\n[ 560.916867] ? __isolate_free_page+0x2e0/0x2e0\n[ 560.917194] do_filp_open+0x15c/0x1f0\n[ 560.917448] ? may_open_dev+0x60/0x60\n[ 560.917696] ? expand_files+0xa4/0x3a0\n[ 560.917923] ? __kasan_check_write+0x14/0x20\n[ 560.918185] ? _raw_spin_lock+0x88/0xdb\n[ 560.918409] ? _raw_spin_lock_irqsave+0x100/0x100\n[ 560.918783] ? _find_next_bit+0x4a/0x130\n[ 560.919026] ? _raw_spin_unlock+0x19/0x40\n[ 560.919276] ? alloc_fd+0x14b/0x2d0\n[ 560.919635] do_sys_openat2+0x32a/0x4b0\n[ 560.920035] ? file_open_root+0x230/0x230\n[ 560.920336] ? __rcu_read_unlock+0x5b/0x280\n[ 560.920813] do_sys_open+0x99/0xf0\n[ 560.921208] ? filp_open+0x60/0x60\n[ 560.921482] ? exit_to_user_mode_prepare+0x49/0x180\n[ 560.921867] __x64_sys_open+0x4c/0x60\n[ 560.922128] do_syscall_64+0x3b/0x90\n[ 560.922369] entry_SYSCALL_64_after_hwframe+0x63/0xcd\n[ 560.923030] RIP: 0033:0x7f7dff2e4469\n[ 560.923681] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 088\n[ 560.924451] RSP: 002b:00007ffd41a210b8 EFLAGS: 00000206 ORIG_RAX: 0000000000000002\n[ 560.925168] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7dff2e4469\n[ 560.925655] RDX: 0000000000000000 RSI: 0000000000000002 RDI:\n---truncated---",
"id": "GHSA-qqgg-499c-j47v",
"modified": "2026-01-20T18:31:51Z",
"published": "2025-10-01T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50442"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3cd9e5b41b83bb57ac3cf9888f9fef2a6ef8ed96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f6f75e8863f41c8b3dbfd9d99e3963aaca42601"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d42ecda239cc13738d6fd84d098a32e67b368b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b15374365c9d10445ea7d66cdf885457a0223fc2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQGJ-G5F7-JQHM
Vulnerability from github – Published: 2026-06-29 09:30 – Updated: 2026-06-29 09:30Eclipse tinydtls before commit b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function that allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0 on both client and server paths to cause denial of service on memory-constrained devices.
{
"affected": [],
"aliases": [
"CVE-2026-9267"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-29T09:16:31Z",
"severity": "MODERATE"
},
"details": "Eclipse tinydtls before commit\u00a0b3efd41ad111a4920f599f51ffa4f5e9f1e72221 contains an out-of-bounds read vulnerability in the check_server_certificate() function that allows unauthenticated attackers to trigger reads beyond valid buffer boundaries by crafting a Certificate handshake message with a specific fragment_length value. Attackers can exploit missing buffer length validation before uint24 reads, memcmp, and memcpy operations during DTLS epoch 0 on both client and server paths to cause denial of service on memory-constrained devices.",
"id": "GHSA-qqgj-g5f7-jqhm",
"modified": "2026-06-29T09:30:29Z",
"published": "2026-06-29T09:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9267"
},
{
"type": "WEB",
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/work_items/112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QQGR-RFQ7-5R38
Vulnerability from github – Published: 2023-04-13 00:30 – Updated: 2023-04-13 00:30Adobe Substance 3D Stager version 2.0.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26393"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T22:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Substance 3D Stager version 2.0.1 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-qqgr-rfq7-5r38",
"modified": "2023-04-13T00:30:49Z",
"published": "2023-04-13T00:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26393"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb23-26.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QQM5-96X8-Q49R
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-05-24 16:46Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2019-7065"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-24T19:29:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-qqm5-96x8-q49r",
"modified": "2022-05-24T16:46:42Z",
"published": "2022-05-24T16:46:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7065"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-07.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.