CWE-126
AllowedBuffer Over-read
Abstraction: Variant · Status: Draft
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
855 vulnerabilities reference this CWE, most recent first.
GHSA-VVMG-8MJR-G6Q3
Vulnerability from github – Published: 2026-05-18 20:17 – Updated: 2026-06-09 10:58Summary
OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.
Details
In bpf/logenricher/logenricher.c#L50, __fill_iov resolves only one struct iovec, specifically iov_ctx.iov[0] for ITER_IOVEC. The returned iov therefore describes only the first write segment.
However, __write later uses const size_t count = BPF_CORE_READ(from, count);, which is the total byte count across all segments in the iterator. That total is stored in e->len and used in bpf_probe_read_user(e->log, e->len, iov.iov_base) and bpf_probe_write_user(iov.iov_base, zero, to_write).
If count exceeds iov.iov_len, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.
PoC
Local testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable writev path.
Use a vulnerable build with the log enricher enabled.
git checkout v0.7.0
make build
Create a program that performs a two-element writev, where the first buffer is short and the second is large:
// save as /tmp/writev-poc.c
#define _GNU_SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>
int main(void) {
char a[8] = "HELLO\n";
char b[256];
memset(b, 'B', sizeof(b));
struct iovec iov[2];
iov[0].iov_base = a;
iov[0].iov_len = sizeof(a);
iov[1].iov_base = b;
iov[1].iov_len = sizeof(b);
for (;;) {
writev(1, iov, 2);
usleep(10000);
}
}
Compile and run it:
cc -O2 -o /tmp/writev-poc /tmp/writev-poc.c
/tmp/writev-poc >/dev/null
Attach OBI with log enrichment enabled to the running process:
PID=$(pgrep -f /tmp/writev-poc)
sudo ./bin/obi --pid "$PID"
On a vulnerable build, OBI copies iov_iter.count bytes starting from iov[0].iov_base, even though iov[0] is only 8 bytes long. Depending on allocator layout, you will see one of the following:
- log events that include bytes beyond
HELLO\n - corrupted stdout content because OBI zeroed memory beyond the first iovec
- process instability or a crash
The issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.
Impact
This is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through writev. An attacker who can trigger the vulnerable local writev pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45684"
],
"database_specific": {
"cwe_ids": [
"CWE-126",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:17:57Z",
"nvd_published_at": "2026-06-02T16:16:43Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nOBI\u0027s log enricher mishandles `writev` buffers by reading only the first `iovec` entry but using the total `iov_iter.count` as the copy length. When log injection is enabled, a crafted multi-segment `writev` call can make OBI read and overwrite memory beyond the first segment.\n\n### Details\n\nIn [bpf/logenricher/logenricher.c#L50](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/360521f411213566a3b557a1f0c093e6cd68a4de/bpf/logenricher/logenricher.c#L50), `__fill_iov` resolves only one `struct iovec`, specifically `iov_ctx.iov[0]` for `ITER_IOVEC`. The returned `iov` therefore describes only the first write segment.\n\nHowever, `__write` later uses `const size_t count = BPF_CORE_READ(from, count);`, which is the total byte count across all segments in the iterator. That total is stored in `e-\u003elen` and used in `bpf_probe_read_user(e-\u003elog, e-\u003elen, iov.iov_base)` and `bpf_probe_write_user(iov.iov_base, zero, to_write)`.\n\nIf `count` exceeds `iov.iov_len`, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.\n\n### PoC\n\nLocal testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable `writev` path.\n\nUse a vulnerable build with the log enricher enabled.\n\n```bash\ngit checkout v0.7.0\nmake build\n```\n\nCreate a program that performs a two-element `writev`, where the first buffer is short and the second is large:\n\n```c\n// save as /tmp/writev-poc.c\n#define _GNU_SOURCE\n#include \u003csys/uio.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstring.h\u003e\n\nint main(void) {\n char a[8] = \"HELLO\\n\";\n char b[256];\n memset(b, \u0027B\u0027, sizeof(b));\n\n struct iovec iov[2];\n iov[0].iov_base = a;\n iov[0].iov_len = sizeof(a);\n iov[1].iov_base = b;\n iov[1].iov_len = sizeof(b);\n\n for (;;) {\n writev(1, iov, 2);\n usleep(10000);\n }\n}\n```\n\nCompile and run it:\n\n```bash\ncc -O2 -o /tmp/writev-poc /tmp/writev-poc.c\n/tmp/writev-poc \u003e/dev/null\n```\n\nAttach OBI with log enrichment enabled to the running process:\n\n```bash\nPID=$(pgrep -f /tmp/writev-poc)\nsudo ./bin/obi --pid \"$PID\"\n```\n\nOn a vulnerable build, OBI copies `iov_iter.count` bytes starting from `iov[0].iov_base`, even though `iov[0]` is only 8 bytes long. Depending on allocator layout, you will see one of the following:\n\n1. log events that include bytes beyond `HELLO\\n`\n2. corrupted stdout content because OBI zeroed memory beyond the first iovec\n3. process instability or a crash\n\nThe issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.\n\n### Impact\n\nThis is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through `writev`. An attacker who can trigger the vulnerable local `writev` pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.",
"id": "GHSA-vvmg-8mjr-g6q3",
"modified": "2026-06-09T10:58:49Z",
"published": "2026-05-18T20:17:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-vvmg-8mjr-g6q3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45684"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers"
}
GHSA-VWG8-37H9-G38G
Vulnerability from github – Published: 2026-06-30 15:30 – Updated: 2026-06-30 15:30A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the G_REGEX_RAW compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
{
"affected": [],
"aliases": [
"CVE-2026-58012"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T13:19:17Z",
"severity": "MODERATE"
},
"details": "A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.",
"id": "GHSA-vwg8-37h9-g38g",
"modified": "2026-06-30T15:30:45Z",
"published": "2026-06-30T15:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58012"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-58012"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492247"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/glib/-/issues/3918"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VWHP-2664-H54X
Vulnerability from github – Published: 2022-12-06 09:30 – Updated: 2022-12-07 18:30In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.
{
"affected": [],
"aliases": [
"CVE-2022-42768"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-06T07:15:00Z",
"severity": "MODERATE"
},
"details": "In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.",
"id": "GHSA-vwhp-2664-h54x",
"modified": "2022-12-07T18:30:27Z",
"published": "2022-12-06T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42768"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1599588060988411006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W36J-HQCC-JVPP
Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-04 12:32Transient DOS while processing the CU information from RNR IE.
{
"affected": [],
"aliases": [
"CVE-2024-38405"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T10:15:06Z",
"severity": "HIGH"
},
"details": "Transient DOS while processing the CU information from RNR IE.",
"id": "GHSA-w36j-hqcc-jvpp",
"modified": "2024-11-04T12:32:56Z",
"published": "2024-11-04T12:32:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38405"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W3RX-344F-QXWH
Vulnerability from github – Published: 2025-05-06 09:31 – Updated: 2025-05-06 09:31Memory corruption while processing escape code, when DisplayId is passed with large unsigned value.
{
"affected": [],
"aliases": [
"CVE-2025-21475"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T09:15:24Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing escape code, when DisplayId is passed with large unsigned value.",
"id": "GHSA-w3rx-344f-qxwh",
"modified": "2025-05-06T09:31:34Z",
"published": "2025-05-06T09:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21475"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W4Q4-RW8X-3296
Vulnerability from github – Published: 2025-06-03 06:31 – Updated: 2025-06-03 06:31Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call.
{
"affected": [],
"aliases": [
"CVE-2024-53026"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T06:15:25Z",
"severity": "HIGH"
},
"details": "Information disclosure when an invalid RTCP packet is received during a VoLTE/VoWiFi IMS call.",
"id": "GHSA-w4q4-rw8x-3296",
"modified": "2025-06-03T06:31:14Z",
"published": "2025-06-03T06:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53026"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-W576-X7C8-W498
Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31Windows Kernel Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26176"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T17:15:56Z",
"severity": "HIGH"
},
"details": "Windows Kernel Elevation of Privilege Vulnerability",
"id": "GHSA-w576-x7c8-w498",
"modified": "2024-03-12T18:31:14Z",
"published": "2024-03-12T18:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26176"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26176"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W5F5-53HC-VVMX
Vulnerability from github – Published: 2022-05-30 00:00 – Updated: 2022-06-09 00:00Buffer Over-read in GitHub repository vim/vim prior to 8.2.
{
"affected": [],
"aliases": [
"CVE-2022-1927"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-29T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Buffer Over-read in GitHub repository vim/vim prior to 8.2.",
"id": "GHSA-w5f5-53hc-vvmx",
"modified": "2022-06-09T00:00:22Z",
"published": "2022-05-30T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1927"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/4d97a565ae8be0d4debba04ebd2ac3e75a0c8010"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/945107ef-0b27-41c7-a03c-db99def0e777"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMFHBC5OQXDPV2SDYA2JUQGVCPYASTJB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TYNK6SDCMOLQJOI3B4AOE66P2G2IH4ZM"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-16"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213488"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/28"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/41"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W66Q-CHX8-5439
Vulnerability from github – Published: 2024-12-02 12:38 – Updated: 2024-12-02 12:38Memory corruption when allocating and accessing an entry in an SMEM partition continuously.
{
"affected": [],
"aliases": [
"CVE-2024-33056"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-02T11:15:08Z",
"severity": "HIGH"
},
"details": "Memory corruption when allocating and accessing an entry in an SMEM partition continuously.",
"id": "GHSA-w66q-chx8-5439",
"modified": "2024-12-02T12:38:27Z",
"published": "2024-12-02T12:38:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33056"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/december-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-W6XJ-4JX7-P88W
Vulnerability from github – Published: 2025-03-07 18:31 – Updated: 2025-03-07 18:31A buffer overread can occur in the CPC application when operating in full duplex SPI upon receiving an invalid packet over the SPI interface.
{
"affected": [],
"aliases": [
"CVE-2024-12975"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-07T17:15:18Z",
"severity": "LOW"
},
"details": "A buffer overread can occur in the CPC application when operating in full duplex SPI upon receiving an invalid packet over the SPI interface.",
"id": "GHSA-w6xj-4jx7-p88w",
"modified": "2025-03-07T18:31:05Z",
"published": "2025-03-07T18:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12975"
},
{
"type": "WEB",
"url": "https://community.silabs.com/069Vm00000LWXMeIAP"
},
{
"type": "WEB",
"url": "https://github.com/SiliconLabs/simplicity_sdk/releases"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:P/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.