Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11292 vulnerabilities reference this CWE, most recent first.

GHSA-RC62-RWRP-9VMJ

Vulnerability from github – Published: 2024-05-03 09:30 – Updated: 2024-05-03 09:30
VLAI
Details

Out-of-bounds Read vulnerability in Merge DICOM Toolkit C/C++ on Windows.

When MC_Open_File() function is used to read a malformed DICOM data, it might result in over-reading memory buffer and could cause memory access violation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T09:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Out-of-bounds Read vulnerability in Merge DICOM Toolkit C/C++ on Windows.\n\nWhen MC_Open_File() function is used to read a malformed DICOM data, it might result in over-reading memory buffer and could cause memory access violation.",
  "id": "GHSA-rc62-rwrp-9vmj",
  "modified": "2024-05-03T09:30:52Z",
  "published": "2024-05-03T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23912"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-23912"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC7H-3Q8G-VXJC

Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-13 00:01
VLAI
Details

Buffer Over-read in GitHub repository hpjansson/chafa prior to 1.10.3.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-04T11:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Buffer Over-read in GitHub repository hpjansson/chafa prior to 1.10.3.",
  "id": "GHSA-rc7h-3q8g-vxjc",
  "modified": "2022-07-13T00:01:52Z",
  "published": "2022-07-05T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2301"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hpjansson/chafa/commit/56fabfa18a6880b4cb66047fa6557920078048d9"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f6b9114b-671d-4948-b946-ffe5c9aeb816"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC94-438G-7V38

Vulnerability from github – Published: 2023-04-09 21:30 – Updated: 2024-04-04 03:22
VLAI
Details

Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27728"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-09T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_vmcode.c.",
  "id": "GHSA-rc94-438g-7v38",
  "modified": "2024-04-04T03:22:52Z",
  "published": "2023-04-09T21:30:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27728"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nginx/njs/issues/618"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RC9C-W737-83CM

Vulnerability from github – Published: 2024-08-07 03:31 – Updated: 2024-08-07 03:31
VLAI
Details

Out-of-bounds read in applying own binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-34626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-07T02:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Out-of-bounds read in applying own binary in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.",
  "id": "GHSA-rc9c-w737-83cm",
  "modified": "2024-08-07T03:31:28Z",
  "published": "2024-08-07T03:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34626"
    },
    {
      "type": "WEB",
      "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=08"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCGH-H6MP-4G9Q

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:21
VLAI
Details

GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1010180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-24T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "GNU gdb All versions is affected by: Buffer Overflow - Out of bound memory access. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution. The component is: The main gdb module. The attack vector is: Open an ELF for debugging. The fixed version is: Not fixed yet.",
  "id": "GHSA-rcgh-h6mp-4g9q",
  "modified": "2024-04-04T01:21:45Z",
  "published": "2022-05-24T16:51:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010180"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202003-31"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=23657"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00072.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00029.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109367"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCHX-Q8J2-P9FP

Vulnerability from github – Published: 2022-05-02 03:36 – Updated: 2022-05-02 03:36
VLAI
Details

The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka "License Logging Server Heap Overflow Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2523"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-11-11T19:30:00Z",
    "severity": "HIGH"
  },
  "details": "The License Logging Server (llssrv.exe) in Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via an RPC message containing a string without a null terminator, which triggers a heap-based buffer overflow in the LlsrLicenseRequestW method, aka \"License Logging Server Heap Overflow Vulnerability.\"",
  "id": "GHSA-rchx-q8j2-p9fp",
  "modified": "2022-05-02T03:36:05Z",
  "published": "2022-05-02T03:36:05Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2523"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-064"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6300"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-314A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RCJJ-4P3M-X9X8

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13024"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-14T06:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-read in print-mobility.c:mobility_opt_print().",
  "id": "GHSA-rcjj-4p3m-x9x8",
  "modified": "2022-05-13T01:14:02Z",
  "published": "2022-05-13T01:14:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13024"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/commit/2e1f6d9320afa83abc1ff716c7981fa504edadf2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/the-tcpdump-group/tcpdump/commit/7d3aba9f06899d0128ef46e8a2fa143c6fad8f62"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHEA-2018:0705"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201709-23"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/HT208221"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3971"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1039307"
    },
    {
      "type": "WEB",
      "url": "http://www.tcpdump.org/tcpdump-changes.txt"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCQ2-MGHH-WCF4

Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-16 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ibmasm: fix OOB reads in command_file_write due to missing size checks

The command_file_write() handler allocates a kernel buffer of exactly count bytes and copies user data into it, but does not validate the buffer against the dot command protocol before passing it to get_dot_command_size() and get_dot_command_timeout().

Since both the allocation size (count) and the header fields (command_size, data_size) are independently user-controlled, an attacker can cause get_dot_command_size() to return a value exceeding the allocation, triggering OOB reads in get_dot_command_timeout() and an out-of-bounds memcpy_toio() that leaks kernel heap memory to the service processor.

Fix with two guards: reject writes smaller than sizeof(struct dot_command_header) before allocation, then after copying user data reject commands where the buffer is smaller than the total size declared by the header (sizeof(header) + command_size + data_size). This ensures all subsequent header and payload field accesses stay within the buffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-45994"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-27T14:17:16Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmasm: fix OOB reads in command_file_write due to missing size checks\n\nThe command_file_write() handler allocates a kernel buffer of exactly\ncount bytes and copies user data into it, but does not validate the\nbuffer against the dot command protocol before passing it to\nget_dot_command_size() and get_dot_command_timeout().\n\nSince both the allocation size (count) and the header fields (command_size,\ndata_size) are independently user-controlled, an attacker can cause\nget_dot_command_size() to return a value exceeding the allocation,\ntriggering OOB reads in get_dot_command_timeout() and an out-of-bounds\nmemcpy_toio() that leaks kernel heap memory to the service processor.\n\nFix with two guards: reject writes smaller than sizeof(struct\ndot_command_header) before allocation, then after copying user data\nreject commands where the buffer is smaller than the total size declared\nby the header (sizeof(header) + command_size + data_size). This ensures\nall subsequent header and payload field accesses stay within the buffer.",
  "id": "GHSA-rcq2-mghh-wcf4",
  "modified": "2026-06-16T15:33:40Z",
  "published": "2026-05-27T15:33:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45994"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0eb09f737428e482a32a2e31e5e223f2b35a71d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/44ee19422aa82a6847594866de7e5a31e4ef98b3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7b8a574da5d7ea99b943f7a3458a17a1d95e8838"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a672682d39dd34e2b5ba4feb436723bed65125ff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aefc1a97da17d8309974690c8a03e439a91ebb1c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0fb4d1dc43f8d5179917a2daaa82680993d4cdf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d50e2019c9d7c433f56d9dff65703eb904aa1fb1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee5737891464030a189837467df3b81a273718ad"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCQH-96HR-HV69

Vulnerability from github – Published: 2024-11-19 03:31 – Updated: 2025-11-04 00:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array is UCSI_MAX_ALTMODES (30).

The call tree is: ucsi_cmd() // val comes from simple_attr_write_xsigned() -> ucsi_send_command() -> ucsi_send_command_common() -> ucsi_run_command() // calls ucsi->ops->sync_control() -> ucsi_ccg_sync_control()

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-50268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-19T02:16:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()\n\nThe \"*cmd\" variable can be controlled by the user via debugfs.  That means\n\"new_cam\" can be as high as 255 while the size of the uc-\u003eupdated[] array\nis UCSI_MAX_ALTMODES (30).\n\nThe call tree is:\nucsi_cmd() // val comes from simple_attr_write_xsigned()\n-\u003e ucsi_send_command()\n   -\u003e ucsi_send_command_common()\n      -\u003e ucsi_run_command() // calls ucsi-\u003eops-\u003esync_control()\n         -\u003e ucsi_ccg_sync_control()",
  "id": "GHSA-rcqh-96hr-hv69",
  "modified": "2025-11-04T00:32:03Z",
  "published": "2024-11-19T03:31:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50268"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a2ba841659a0f15102585120dea75d8d5209616"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/604314ecd682913925980dc955caea2d036eab5f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/69e19774f15e12dda6c6c58001d059e30895009b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7dd08a0b4193087976db6b3ee7807de7e8316f96"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f47984b35f3be0cfc652c2ca358d5768ea3456b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d76923164705821aa1b01b8d9d1741f20c654ab4"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RCRG-GRJR-GMC3

Vulnerability from github – Published: 2021-12-15 00:01 – Updated: 2021-12-16 00:02
VLAI
Details

A vulnerability has been identified in JT2Go (All versions < V13.2.0.5), Teamcenter Visualization (All versions < V13.2.0.5). The Tiff_Loader.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing TIFF files. An attacker could leverage this vulnerability to leak information in the context of the current process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-44009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-14T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.2.0.5), Teamcenter Visualization (All versions \u003c V13.2.0.5). The Tiff_Loader.dll is vulnerable to an out of bounds read past the end of an allocated buffer when parsing TIFF files. An attacker could leverage this vulnerability to leak information in the context of the current process.",
  "id": "GHSA-rcrg-grjr-gmc3",
  "modified": "2021-12-16T00:02:32Z",
  "published": "2021-12-15T00:01:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44009"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-595101.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.