Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11292 vulnerabilities reference this CWE, most recent first.

GHSA-R29R-G6G3-64QX

Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31
VLAI
Details

Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4750"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-24T06:16:23Z",
    "severity": "CRITICAL"
  },
  "details": "Out-of-bounds Read vulnerability in fabiangreffrath woof.This issue affects woof: before woof_15.3.0.",
  "id": "GHSA-r29r-g6g3-64qx",
  "modified": "2026-03-24T06:31:14Z",
  "published": "2026-03-24T06:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4750"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fabiangreffrath/woof/pull/2521"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2CG-CW4R-GCX4

Vulnerability from github – Published: 2022-11-15 12:00 – Updated: 2022-11-15 12:00
VLAI
Details

In PHOENIX CONTACT Automationworx Software Suite up to version 1.89 memory can be read beyond the intended scope due to insufficient validation of input data. Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-15T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "In PHOENIX CONTACT Automationworx Software Suite up to version 1.89 memory can be read beyond the intended scope due to insufficient validation of input data. Availability, integrity, or confidentiality of an application programming workstation might be compromised by attacks using these vulnerabilities.",
  "id": "GHSA-r2cg-cw4r-gcx4",
  "modified": "2022-11-15T12:00:14Z",
  "published": "2022-11-15T12:00:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3737"
    },
    {
      "type": "WEB",
      "url": "https://cert.vde.com/en/advisories/VDE-2022-048"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2CJ-JQQC-J833

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-35448"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-27T04:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.35.1. A heap-based buffer over-read can occur in bfd_getl_signed_32 in libbfd.c because sh_entsize is not validated in _bfd_elf_slurp_secondary_reloc_section in elf.c.",
  "id": "GHSA-r2cj-jqqc-j833",
  "modified": "2022-05-24T17:37:27Z",
  "published": "2022-05-24T17:37:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35448"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202107-24"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210129-0008"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=26574"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8642dafaef21aa6747cec01df1977e9c52eb4679"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2F9-GJRV-W2M3

Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41
VLAI
Details

A vulnerability has been identified in JT2Go (All versions < V13.1.0.1), Teamcenter Visualization (All versions < V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing of PAR files. This could result in a memory access past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information. (ZDI-CAN-12040)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-26998"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-02-09T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.1.0.1), Teamcenter Visualization (All versions \u003c V13.1.0.1). Affected applications lack proper validation of user-supplied data when parsing of PAR files. This could result in a memory access past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information. (ZDI-CAN-12040)",
  "id": "GHSA-r2f9-gjrv-w2m3",
  "modified": "2022-05-24T17:41:28Z",
  "published": "2022-05-24T17:41:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26998"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-663999.pdf"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-695540.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-238"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-857"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2J5-33X7-643H

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31
VLAI
Details

PDF-XChange Editor EMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22133.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:48Z",
    "severity": "LOW"
  },
  "details": "PDF-XChange Editor EMF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of EMF files.\nThe issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22133.",
  "id": "GHSA-r2j5-33x7-643h",
  "modified": "2024-05-03T03:31:02Z",
  "published": "2024-05-03T03:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42106"
    },
    {
      "type": "WEB",
      "url": "https://www.tracker-software.com/support/security-bulletins.html"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1486"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2JX-GM46-MXG6

Vulnerability from github – Published: 2022-01-14 00:01 – Updated: 2022-01-15 00:02
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. Crafted data in a JT file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15041.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-34942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-13T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View 10.15.0.75. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JT files. Crafted data in a JT file can trigger a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-15041.",
  "id": "GHSA-r2jx-gm46-mxg6",
  "modified": "2022-01-15T00:02:08Z",
  "published": "2022-01-14T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34942"
    },
    {
      "type": "WEB",
      "url": "https://www.bentley.com/en/common-vulnerability-exposure/BE-2021-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-21-1530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-R2M9-J67M-7GRM

Vulnerability from github – Published: 2025-09-16 18:31 – Updated: 2025-12-10 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Eric Dumazet says: nf_conntrack_dccp_packet() has an unique:

dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh);

And nothing more is 'pulled' from the packet, depending on the content. dh->dccph_doff, and/or dh->dccph_x ...) So dccp_ack_seq() is happily reading stuff past the _dh buffer.

BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0 Read of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371 [..]

Fix this by increasing the stack buffer to also include room for the extra sequence numbers and all the known dccp packet type headers, then pull again after the initial validation of the basic header.

While at it, mark packets invalid that lack 48bit sequence bit but where RFC says the type MUST use them.

Compile tested only.

v2: first skb_header_pointer() now needs to adjust the size to only pull the generic header. (Eric)

Heads-up: I intend to remove dccp conntrack support later this year.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-16T17:15:39Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one\n\nEric Dumazet says:\n  nf_conntrack_dccp_packet() has an unique:\n\n  dh = skb_header_pointer(skb, dataoff, sizeof(_dh), \u0026_dh);\n\n  And nothing more is \u0027pulled\u0027 from the packet, depending on the content.\n  dh-\u003edccph_doff, and/or dh-\u003edccph_x ...)\n  So dccp_ack_seq() is happily reading stuff past the _dh buffer.\n\nBUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134/0x11c0\nRead of size 4 at addr ffff000128f66e0c by task syz-executor.2/29371\n[..]\n\nFix this by increasing the stack buffer to also include room for\nthe extra sequence numbers and all the known dccp packet type headers,\nthen pull again after the initial validation of the basic header.\n\nWhile at it, mark packets invalid that lack 48bit sequence bit but\nwhere RFC says the type MUST use them.\n\nCompile tested only.\n\nv2: first skb_header_pointer() now needs to adjust the size to\n    only pull the generic header. (Eric)\n\nHeads-up: I intend to remove dccp conntrack support later this year.",
  "id": "GHSA-r2m9-j67m-7grm",
  "modified": "2025-12-10T18:30:21Z",
  "published": "2025-09-16T18:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53333"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/26bd1f210d3783a691052c51d76bb8a8bbd24c67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/337fdce450637ea663bc816edc2ba81e5cdad02e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5c618daa5038712c4a4ef8923905a2ea1b8836a1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8c0980493beed3a80d6329c44ab293dc8c032927"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9bdcda7abaf22f6453e5b5efb7eb4e524095d5d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c052797ac36813419ad3bfa54cb8615db4b41f15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ff0a3a7d52ff7282dbd183e7fc29a1fe386b0c30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2P2-3CX2-XC3R

Vulnerability from github – Published: 2023-06-16 21:30 – Updated: 2024-04-04 04:55
VLAI
Details

An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-16T19:15:14Z",
    "severity": "HIGH"
  },
  "details": "An out of bounds (OOB) memory access flaw was found in the Linux kernel in relay_file_read_start_pos in kernel/relay.c in the relayfs. This flaw could allow a local attacker to crash the system or leak kernel internal information.",
  "id": "GHSA-r2p2-3cx2-xc3r",
  "modified": "2024-04-04T04:55:18Z",
  "published": "2023-06-16T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3268"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=43ec16f1450f4936025a9bdf1a273affdb9732c1"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/1682238502-1892-1-git-send-email-yangpc%40wangsu.com/T"
    },
    {
      "type": "WEB",
      "url": "https://lore.kernel.org/lkml/1682238502-1892-1-git-send-email-yangpc@wangsu.com/T"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230824-0006"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5448"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5480"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2PC-66Q7-8M6R

Vulnerability from github – Published: 2023-06-19 06:30 – Updated: 2024-04-04 04:56
VLAI
Details

Out-of-bounds read vulnerability exists in TELLUS v4.0.15.0 and TELLUS Lite v4.0.15.0. Opening a specially crafted V8 file may lead to information disclosure and/or arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32542"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-19T05:15:09Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds read vulnerability exists in TELLUS v4.0.15.0 and TELLUS Lite v4.0.15.0. Opening a specially crafted V8 file may lead to information disclosure and/or arbitrary code execution.",
  "id": "GHSA-r2pc-66q7-8m6r",
  "modified": "2024-04-04T04:56:16Z",
  "published": "2023-06-19T06:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32542"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/vu/JVNVU98818508"
    },
    {
      "type": "WEB",
      "url": "https://monitouch.fujielectric.com/site/download-e/03tellus_inf/index.php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-R2PG-5XW6-P694

Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36
VLAI
Details

In smp_br_state_machine_event of smp_br_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure triggered by a malformed Bluetooth packet, with no additional execution privileges needed. User interaction is not needed for exploitation. Bounds Sanitizer mitigates this in the default configuration.Product: AndroidVersions: Android-11Android ID: A-162327732

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-15T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "In smp_br_state_machine_event of smp_br_main.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure triggered by a malformed Bluetooth packet, with no additional execution privileges needed. User interaction is not needed for exploitation. Bounds Sanitizer mitigates this in the default configuration.Product: AndroidVersions: Android-11Android ID: A-162327732",
  "id": "GHSA-r2pg-5xw6-p694",
  "modified": "2022-05-24T17:36:28Z",
  "published": "2022-05-24T17:36:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27024"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2020-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.