CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-R995-X46F-32PV
Vulnerability from github – Published: 2023-06-28 18:30 – Updated: 2024-04-04 05:15In addGroupWithConfigInternal of p2p_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-262235736
{
"affected": [],
"aliases": [
"CVE-2023-21214"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-28T18:15:16Z",
"severity": "MODERATE"
},
"details": "In addGroupWithConfigInternal of p2p_iface.cpp, there is a possible out of bounds read due to unsafe deserialization. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-262235736",
"id": "GHSA-r995-x46f-32pv",
"modified": "2024-04-04T05:15:50Z",
"published": "2023-06-28T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21214"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9C6-JQPC-J4F9
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-05-24 16:54Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. Successful exploitation could lead to memory leak.
{
"affected": [],
"aliases": [
"CVE-2019-7991"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-26T19:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop CC versions 19.1.8 and earlier and 20.0.5 and earlier have an out of bound read vulnerability. Successful exploitation could lead to memory leak.",
"id": "GHSA-r9c6-jqpc-j4f9",
"modified": "2022-05-24T16:54:51Z",
"published": "2022-05-24T16:54:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7991"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb19-44.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R9CH-HJJ5-V6PR
Vulnerability from github – Published: 2022-05-24 17:41 – Updated: 2022-05-24 17:41This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CR2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11335.
{
"affected": [],
"aliases": [
"CVE-2020-17432"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-09T18:15:00Z",
"severity": "HIGH"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit Studio Photo 3.6.6.922. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CR2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated structure. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process. Was ZDI-CAN-11335.",
"id": "GHSA-r9ch-hjj5-v6pr",
"modified": "2022-05-24T17:41:25Z",
"published": "2022-05-24T17:41:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17432"
},
{
"type": "WEB",
"url": "https://www.foxitsoftware.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1343"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R9GC-V2RF-CCGC
Vulnerability from github – Published: 2025-03-13 18:32 – Updated: 2025-08-19 15:31A maliciously crafted SLDPRT file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2025-1431"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-13T17:15:35Z",
"severity": "HIGH"
},
"details": "A maliciously crafted SLDPRT file, when parsed through Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.",
"id": "GHSA-r9gc-v2rf-ccgc",
"modified": "2025-08-19T15:31:19Z",
"published": "2025-03-13T18:32:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1431"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/products/autodesk-access/overview"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/support/technical/article/caas/sfdcarticles/sfdcarticles/Where-can-I-download-the-latest-update-of-AutoCAD-AutoCAD-LT-2022.html"
},
{
"type": "WEB",
"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9HC-HFRH-P2P9
Vulnerability from github – Published: 2023-10-09 18:30 – Updated: 2024-05-22 18:30A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.
{
"affected": [],
"aliases": [
"CVE-2023-39192"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-09T18:15:10Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32 module did not validate the fields in the xt_u32 structure. This flaw allows a local privileged attacker to trigger an out-of-bounds read by setting the size fields with a value beyond the array boundaries, leading to a crash or information disclosure.",
"id": "GHSA-r9hc-hfrh-p2p9",
"modified": "2024-05-22T18:30:37Z",
"published": "2023-10-09T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39192"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2950"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:3138"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-39192"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2226784"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-18408"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-R9HF-5VJQ-XMHX
Vulnerability from github – Published: 2026-03-10 18:31 – Updated: 2026-03-10 18:31Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-25175"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-10T18:18:32Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read in Windows NTFS allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-r9hf-5vjq-xmhx",
"modified": "2026-03-10T18:31:20Z",
"published": "2026-03-10T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25175"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9HW-H5M4-GFHM
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.
{
"affected": [],
"aliases": [
"CVE-2018-8103"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-14T03:29:00Z",
"severity": "MODERATE"
},
"details": "The JBIG2Stream::readGenericBitmap function in JBIG2Stream.cc in xpdf 4.00 allows attackers to launch denial of service (heap-based buffer over-read and application crash) via a specific pdf file, as demonstrated by pdftohtml.",
"id": "GHSA-r9hw-h5m4-gfhm",
"modified": "2022-05-13T01:53:30Z",
"published": "2022-05-13T01:53:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8103"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=652"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-R9J6-75C4-VMQG
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2026-57085"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:18:32Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in Windows Print Spooler Components allows an authorized attacker to disclose information locally.",
"id": "GHSA-r9j6-75c4-vmqg",
"modified": "2026-07-14T18:32:39Z",
"published": "2026-07-14T18:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57085"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-57085"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9JM-JR7P-H85C
Vulnerability from github – Published: 2024-10-07 03:30 – Updated: 2024-10-10 18:31In vdec, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09028313; Issue ID: MSV-1699.
{
"affected": [],
"aliases": [
"CVE-2024-20093"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-07T03:15:02Z",
"severity": "MODERATE"
},
"details": "In vdec, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09028313; Issue ID: MSV-1699.",
"id": "GHSA-r9jm-jr7p-h85c",
"modified": "2024-10-10T18:31:08Z",
"published": "2024-10-07T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20093"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/October-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9JV-8H68-MR7C
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-25 21:31In the Linux kernel, the following vulnerability has been resolved:
efi: Fix reservation of unaccepted memory table
The reserve_unaccepted() function incorrectly calculates the size of the memblock reservation for the unaccepted memory table. It aligns the size of the table, but fails to account for cases where the table's starting physical address (efi.unaccepted) is not page-aligned.
If the table starts at an offset within a page and its end crosses into a subsequent page that the aligned size does not cover, the end of the table will not be reserved. This can lead to the table being overwritten or inaccessible, causing a kernel panic in accept_memory().
This issue was observed when starting Intel TDX VMs with specific memory sizes (e.g., > 64GB).
Fix this by calculating the end address first (including the unaligned start) and then aligning it up, ensuring the entire range is covered by the reservation.
{
"affected": [],
"aliases": [
"CVE-2026-45851"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:16:57Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nefi: Fix reservation of unaccepted memory table\n\nThe reserve_unaccepted() function incorrectly calculates the size of the\nmemblock reservation for the unaccepted memory table. It aligns the\nsize of the table, but fails to account for cases where the table\u0027s\nstarting physical address (efi.unaccepted) is not page-aligned.\n\nIf the table starts at an offset within a page and its end crosses into\na subsequent page that the aligned size does not cover, the end of the\ntable will not be reserved. This can lead to the table being overwritten\nor inaccessible, causing a kernel panic in accept_memory().\n\nThis issue was observed when starting Intel TDX VMs with specific memory\nsizes (e.g., \u003e 64GB).\n\nFix this by calculating the end address first (including the unaligned\nstart) and then aligning it up, ensuring the entire range is covered\nby the reservation.",
"id": "GHSA-r9jv-8h68-mr7c",
"modified": "2026-06-25T21:31:18Z",
"published": "2026-05-27T15:33:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45851"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0862438c90487e79822d5647f854977d50381505"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9b18bf59977f5c5bc3b11b210520f62500a7adf3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b7bc182ec1846be437351e44164089d988f9d0dd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba6b6f1502fa55621d1db23f253d54322bdbe4e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e649b5916725c68f44ebf45fb396df563c5dbaf2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.