Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11291 vulnerabilities reference this CWE, most recent first.

GHSA-QR54-J3CJ-43PG

Vulnerability from github – Published: 2022-03-17 00:00 – Updated: 2022-03-24 00:00
VLAI
Details

In TBD of TBD, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-206472503References: N/A

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39730"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-16T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In TBD of TBD, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-206472503References: N/A",
  "id": "GHSA-qr54-j3cj-43pg",
  "modified": "2022-03-24T00:00:34Z",
  "published": "2022-03-17T00:00:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39730"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2022-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QR6J-94J6-GQ32

Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-03 18:30
VLAI
Details

Memory corruption during management frame processing due to mismatch in T2LM info element.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-126"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-03T17:15:20Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption during management frame processing due to mismatch in T2LM info element.",
  "id": "GHSA-qr6j-94j6-gq32",
  "modified": "2025-02-03T18:30:42Z",
  "published": "2025-02-03T18:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49839"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QR79-P6WG-4P8Q

Vulnerability from github – Published: 2025-09-05 18:31 – Updated: 2025-11-25 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

i2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer

The data->block[0] variable comes from user. Without proper check, the variable may be very large to cause an out-of-bounds bug.

Fix this bug by checking the value of data->block[0] first.

  1. commit 39244cc75482 ("i2c: ismt: Fix an out-of-bounds bug in ismt_access()")
  2. commit 92fbb6d1296f ("i2c: xgene-slimpro: Fix out-of-bounds bug in xgene_slimpro_i2c_xfer()")
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39680"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-05T18:15:44Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: rtl9300: Fix out-of-bounds bug in rtl9300_i2c_smbus_xfer\n\nThe data-\u003eblock[0] variable comes from user. Without proper check,\nthe variable may be very large to cause an out-of-bounds bug.\n\nFix this bug by checking the value of data-\u003eblock[0] first.\n\n1. commit 39244cc75482 (\"i2c: ismt: Fix an out-of-bounds bug in\n   ismt_access()\")\n2. commit 92fbb6d1296f (\"i2c: xgene-slimpro: Fix out-of-bounds bug in\n   xgene_slimpro_i2c_xfer()\")",
  "id": "GHSA-qr79-p6wg-4p8q",
  "modified": "2025-11-25T21:32:03Z",
  "published": "2025-09-05T18:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39680"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/071e43fcba5ddd9a7813e6cc0aa10299eae41b21"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/57f312b955938fc4663f430cb57a71f2414f601b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QR97-X53Q-9M8F

Vulnerability from github – Published: 2024-10-09 21:31 – Updated: 2024-10-17 00:32
VLAI
Details

An Out-of-Bounds Read vulnerability in

the routing protocol daemon (rpd) of

Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue only affects systems with BGP traceoptions enabled. Systems without BGP traceoptions enabled are not affected by this issue.

This issue affects iBGP and eBGP with

any address family

configured.

This issue affects:

Junos OS: 

  • All versions before 21.4R3-S8,
  • 22.2 before 22.2R3-S5, 
  • 22.3 before 22.3R3-S4, 
  • 22.4 before 22.4R3-S3, 
  • 23.2 before 23.2R2-S2, 
  • 23.4 before 23.4R2; 

Junos OS Evolved: 

  • All versions before 21.4R3-S8-EVO, 
  • 22.2-EVO before 22.2R3-S5-EVO, 
  • 22.3-EVO before 22.3R3-S4-EVO, 
  • 22.4-EVO before 22.4R3-S3-EVO, 
  • 23.2-EVO before 23.2R2-S2-EVO, 
  • 23.4-EVO before 23.4R2-EVO.
Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-39516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-09T20:15:08Z",
    "severity": "HIGH"
  },
  "details": "An Out-of-Bounds Read vulnerability in\n\nthe routing protocol daemon (rpd) of \n\n Juniper Networks Junos OS and Junos OS Evolved\u00a0allows an unauthenticated network-based attacker sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.\n\n\n\nThis issue only affects systems with BGP traceoptions enabled.  Systems without BGP traceoptions enabled are not affected by this issue.\n\n\n\n\n\nThis issue affects iBGP and eBGP with \n\nany address family\n\n configured.\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n\n\n  *  All versions before 21.4R3-S8,\n  *  22.2 before 22.2R3-S5,\u00a0\n  *  22.3 before 22.3R3-S4,\u00a0\n  *  22.4 before 22.4R3-S3,\u00a0\n  *  23.2 before 23.2R2-S2,\u00a0\n  *  23.4 before 23.4R2;\u00a0\n\n\n\n\nJunos OS Evolved:\u00a0\n\n\n\n  *  All versions before 21.4R3-S8-EVO,\u00a0\n  *  22.2-EVO before 22.2R3-S5-EVO,\u00a0\n  *  22.3-EVO before 22.3R3-S4-EVO,\u00a0\n  *  22.4-EVO before 22.4R3-S3-EVO,\u00a0\n  *  23.2-EVO before 23.2R2-S2-EVO,\u00a0\n  *  23.4-EVO before 23.4R2-EVO.",
  "id": "GHSA-qr97-x53q-9m8f",
  "modified": "2024-10-17T00:32:35Z",
  "published": "2024-10-09T21:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39516"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA88100"
    },
    {
      "type": "WEB",
      "url": "https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/traceoptions-edit-protocols-bgp.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QRG2-552M-G38P

Vulnerability from github – Published: 2022-05-24 17:20 – Updated: 2025-09-30 15:30
VLAI
Details

The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-11910"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-17T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The Treck TCP/IP stack before 6.0.1.66 has an ICMPv4 Out-of-bounds Read.",
  "id": "GHSA-qrg2-552m-g38p",
  "modified": "2025-09-30T15:30:26Z",
  "published": "2022-05-24T17:20:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11910"
    },
    {
      "type": "WEB",
      "url": "https://jsof-tech.com/vulnerability-disclosure-policy"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200625-0006"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/article/de-de/sln321836/dell-response-to-the-ripple20-vulnerabilities"
    },
    {
      "type": "WEB",
      "url": "https://www.jsof-tech.com/ripple20"
    },
    {
      "type": "WEB",
      "url": "https://www.kb.cert.org/vuls/id/257161"
    },
    {
      "type": "WEB",
      "url": "https://www.treck.com"
    },
    {
      "type": "WEB",
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-006.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRGQ-QH39-4RQ7

Vulnerability from github – Published: 2024-10-25 12:31 – Updated: 2024-10-25 18:30
VLAI
Details

In ProtocolMiscHwConfigChangeAdapter::GetData() of protocolmiscadapter.cpp, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-25T11:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In ProtocolMiscHwConfigChangeAdapter::GetData() of protocolmiscadapter.cpp, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation.",
  "id": "GHSA-qrgq-qh39-4rq7",
  "modified": "2024-10-25T18:30:48Z",
  "published": "2024-10-25T12:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47015"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2024-10-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRQF-2CRR-JVQF

Vulnerability from github – Published: 2023-04-06 06:30 – Updated: 2025-03-05 21:32
VLAI
Details

An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is a bz3_decode_block out-of-bounds read.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-29419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-06T05:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is a bz3_decode_block out-of-bounds read.",
  "id": "GHSA-qrqf-2crr-jvqf",
  "modified": "2025-03-05T21:32:02Z",
  "published": "2023-04-06T06:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kspalaiologos/bzip3/issues/92"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kspalaiologos/bzip3/compare/1.2.2...1.2.3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4JLSE25SV7K2NB6FTFT4UHJOJUHBHYHY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NA7S7HDUAINOTCSWQZ5LIW756DYY22V2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMLFV2FJK3CM7NJLVPZI5RUAFQZICPWW"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4JLSE25SV7K2NB6FTFT4UHJOJUHBHYHY"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NA7S7HDUAINOTCSWQZ5LIW756DYY22V2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMLFV2FJK3CM7NJLVPZI5RUAFQZICPWW"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRQW-F8X7-H287

Vulnerability from github – Published: 2022-05-13 01:44 – Updated: 2022-05-13 01:44
VLAI
Details

Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability. Successful exploitation could lead to information disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2981"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-15T06:59:00Z",
    "severity": "HIGH"
  },
  "details": "Adobe Digital Editions versions 4.5.3 and earlier have an exploitable buffer over-read vulnerability. Successful exploitation could lead to information disclosure.",
  "id": "GHSA-qrqw-f8x7-h287",
  "modified": "2022-05-13T01:44:59Z",
  "published": "2022-05-13T01:44:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2981"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/Digital-Editions/apsb17-05.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96195"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037816"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRVF-HMJQ-6539

Vulnerability from github – Published: 2025-09-22 21:30 – Updated: 2025-09-22 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/gem: add missing boundary check in vm_access

A missing bounds check in vm_access() can lead to an out-of-bounds read or write in the adjacent memory area, since the len attribute is not validated before the memcpy later in the function, potentially hitting:

[ 183.637831] BUG: unable to handle page fault for address: ffffc90000c86000 [ 183.637934] #PF: supervisor read access in kernel mode [ 183.637997] #PF: error_code(0x0000) - not-present page [ 183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0 [ 183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI [ 183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G D 5.17.0-rc6-ci-drm-11296+ #1 [ 183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019 [ 183.638430] RIP: 0010:memcpy_erms+0x6/0x10 [ 183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246 [ 183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc [ 183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004 [ 183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000 [ 183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000 [ 183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000 [ 183.645653] FS: 00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000 [ 183.646570] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0 [ 183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 183.650142] Call Trace: [ 183.650988] [ 183.651793] vm_access+0x1f0/0x2a0 [i915] [ 183.652726] __access_remote_vm+0x224/0x380 [ 183.653561] mem_rw.isra.0+0xf9/0x190 [ 183.654402] vfs_read+0x9d/0x1b0 [ 183.655238] ksys_read+0x63/0xe0 [ 183.656065] do_syscall_64+0x38/0xc0 [ 183.656882] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 183.657663] RIP: 0033:0x7fe5ef725142 [ 183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142 [ 183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005 [ 183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046 [ 183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0 [ 183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000

Changes since v1: - Updated if condition with range_overflows_t [Chris Wilson]

[mauld: tidy up the commit message and add Cc: stable] (cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49261"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:03Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gem: add missing boundary check in vm_access\n\nA missing bounds check in vm_access() can lead to an out-of-bounds read\nor write in the adjacent memory area, since the len attribute is not\nvalidated before the memcpy later in the function, potentially hitting:\n\n[  183.637831] BUG: unable to handle page fault for address: ffffc90000c86000\n[  183.637934] #PF: supervisor read access in kernel mode\n[  183.637997] #PF: error_code(0x0000) - not-present page\n[  183.638059] PGD 100000067 P4D 100000067 PUD 100258067 PMD 106341067 PTE 0\n[  183.638144] Oops: 0000 [#2] PREEMPT SMP NOPTI\n[  183.638201] CPU: 3 PID: 1790 Comm: poc Tainted: G      D           5.17.0-rc6-ci-drm-11296+ #1\n[  183.638298] Hardware name: Intel Corporation CoffeeLake Client Platform/CoffeeLake H DDR4 RVP, BIOS CNLSFWR1.R00.X208.B00.1905301319 05/30/2019\n[  183.638430] RIP: 0010:memcpy_erms+0x6/0x10\n[  183.640213] RSP: 0018:ffffc90001763d48 EFLAGS: 00010246\n[  183.641117] RAX: ffff888109c14000 RBX: ffff888111bece40 RCX: 0000000000000ffc\n[  183.642029] RDX: 0000000000001000 RSI: ffffc90000c86000 RDI: ffff888109c14004\n[  183.642946] RBP: 0000000000000ffc R08: 800000000000016b R09: 0000000000000000\n[  183.643848] R10: ffffc90000c85000 R11: 0000000000000048 R12: 0000000000001000\n[  183.644742] R13: ffff888111bed190 R14: ffff888109c14000 R15: 0000000000001000\n[  183.645653] FS:  00007fe5ef807540(0000) GS:ffff88845b380000(0000) knlGS:0000000000000000\n[  183.646570] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[  183.647481] CR2: ffffc90000c86000 CR3: 000000010ff02006 CR4: 00000000003706e0\n[  183.648384] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[  183.649271] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[  183.650142] Call Trace:\n[  183.650988]  \u003cTASK\u003e\n[  183.651793]  vm_access+0x1f0/0x2a0 [i915]\n[  183.652726]  __access_remote_vm+0x224/0x380\n[  183.653561]  mem_rw.isra.0+0xf9/0x190\n[  183.654402]  vfs_read+0x9d/0x1b0\n[  183.655238]  ksys_read+0x63/0xe0\n[  183.656065]  do_syscall_64+0x38/0xc0\n[  183.656882]  entry_SYSCALL_64_after_hwframe+0x44/0xae\n[  183.657663] RIP: 0033:0x7fe5ef725142\n[  183.659351] RSP: 002b:00007ffe1e81c7e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000\n[  183.660227] RAX: ffffffffffffffda RBX: 0000557055dfb780 RCX: 00007fe5ef725142\n[  183.661104] RDX: 0000000000001000 RSI: 00007ffe1e81d880 RDI: 0000000000000005\n[  183.661972] RBP: 00007ffe1e81e890 R08: 0000000000000030 R09: 0000000000000046\n[  183.662832] R10: 0000557055dfc2e0 R11: 0000000000000246 R12: 0000557055dfb1c0\n[  183.663691] R13: 00007ffe1e81e980 R14: 0000000000000000 R15: 0000000000000000\n\nChanges since v1:\n     - Updated if condition with range_overflows_t [Chris Wilson]\n\n[mauld: tidy up the commit message and add Cc: stable]\n(cherry picked from commit 661412e301e2ca86799aa4f400d1cf0bd38c57c6)",
  "id": "GHSA-qrvf-hmjq-6539",
  "modified": "2025-09-22T21:30:16Z",
  "published": "2025-09-22T21:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49261"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/312d3d4f49e12f97260bcf972c848c3562126a18"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3886a86e7e6cc6ce2ce93c440fecd8f42aed0ce7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f6e560e3e86ac053447524224e411034f41f5c7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/89ddcc81914ab58cc203acc844f27d55ada8ec0e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f0ebea8f6e8c474264ed97d7a64c9c09ed4f5aa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-QRWC-JXF5-G8X6

Vulnerability from github – Published: 2021-08-25 20:48 – Updated: 2023-06-13 20:13
VLAI
Summary
Out of bounds read in ordnung
Details

An issue was discovered in the ordnung crate through version 0.0.1 for Rust. compact::Vec violates memory safety via out-of-bounds access for large capacity.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ordnung"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-35890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T21:06:35Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the ordnung crate through version 0.0.1 for Rust. compact::Vec violates memory safety via out-of-bounds access for large capacity.",
  "id": "GHSA-qrwc-jxf5-g8x6",
  "modified": "2023-06-13T20:13:46Z",
  "published": "2021-08-25T20:48:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/maciejhirsz/ordnung/issues/8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/maciejhirsz/ordnung"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0038.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Out of bounds read in ordnung"
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.