CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-WF5R-2QWX-C42P
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Concurrent execution using shared resource with improper synchronization ('race condition') in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-54991"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:17:06Z",
"severity": "HIGH"
},
"details": "Concurrent execution using shared resource with improper synchronization (\u0027race condition\u0027) in Windows USB Print Driver allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-wf5r-2qwx-c42p",
"modified": "2026-07-14T18:32:08Z",
"published": "2026-07-14T18:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54991"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-54991"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WF5X-Q69X-435X
Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32Tungsten Automation Power PDF OXPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tungsten Automation Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of OXPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24478.
{
"affected": [],
"aliases": [
"CVE-2024-9762"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T21:15:30Z",
"severity": "LOW"
},
"details": "Tungsten Automation Power PDF OXPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Tungsten Automation Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of OXPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-24478.",
"id": "GHSA-wf5x-q69x-435x",
"modified": "2024-11-22T21:32:20Z",
"published": "2024-11-22T21:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9762"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1358"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WF79-2H53-8GVP
Vulnerability from github – Published: 2026-05-28 12:30 – Updated: 2026-05-30 12:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt
hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access.
When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held.
Fix this by terminating the BIG if in case not all BIS could be setup properly.
{
"affected": [],
"aliases": [
"CVE-2026-46138"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-28T10:16:29Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt\n\nhci_le_create_big_complete_evt() iterates over BT_BOUND connections for\na BIG handle using a while loop, accessing ev-\u003ebis_handle[i++] on each\niteration. However, there is no check that i stays within ev-\u003enum_bis\nbefore the array access.\n\nWhen a controller sends a LE_Create_BIG_Complete event with fewer\nbis_handle entries than there are BT_BOUND connections for that BIG,\nor with num_bis=0, the loop reads beyond the valid bis_handle[] flex\narray into adjacent heap memory. Since the out-of-bounds values\ntypically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle()\nrejects them and the connection remains in BT_BOUND state. The same\nconnection is then found again by hci_conn_hash_lookup_big_state(),\ncreating an infinite loop with hci_dev_lock held.\n\nFix this by terminating the BIG if in case not all BIS could be setup\nproperly.",
"id": "GHSA-wf79-2h53-8gvp",
"modified": "2026-05-30T12:30:25Z",
"published": "2026-05-28T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46138"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22559ad7654f61727fc270ee4893da9f4b70cf17"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ddb8014261137cadaf83ab5617a588d80a22586"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/665da0baaf0396f9ed3c86ccb3955dcd0b73e774"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6cb7f67bc28da787499291a562d49a084d9c90cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/77981a507aa0fc001dc37f0dd6631dd2042fed17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFFP-GJXV-7H6V
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2024-04-04 02:48In fpc_ta_hw_auth_unwrap_key of fpc_ta_hw_auth_qsee.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-137649599
{
"affected": [],
"aliases": [
"CVE-2020-0042"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-10T20:15:00Z",
"severity": "MODERATE"
},
"details": "In fpc_ta_hw_auth_unwrap_key of fpc_ta_hw_auth_qsee.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-137649599",
"id": "GHSA-wffp-gjxv-7h6v",
"modified": "2024-04-04T02:48:55Z",
"published": "2022-05-24T17:10:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0042"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFH3-G987-F73H
Vulnerability from github – Published: 2026-03-24 06:31 – Updated: 2026-03-24 06:31Out-of-bounds Read vulnerability in rizonesoft Notepad3 (scintilla/oniguruma/src modules). This vulnerability is associated with program files regcomp.C.
This issue affects Notepad3: before 6.25.714.1.
{
"affected": [],
"aliases": [
"CVE-2026-4744"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-24T04:17:32Z",
"severity": "CRITICAL"
},
"details": "Out-of-bounds Read vulnerability in rizonesoft Notepad3 (\u200escintilla/oniguruma/src modules). This vulnerability is associated with program files regcomp.C\u200e.\n\nThis issue affects Notepad3: before 6.25.714.1.",
"id": "GHSA-wfh3-g987-f73h",
"modified": "2026-03-24T06:31:13Z",
"published": "2026-03-24T06:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4744"
},
{
"type": "WEB",
"url": "https://github.com/rizonesoft/Notepad3/pull/5392"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-WFJ3-HJP7-62GF
Vulnerability from github – Published: 2024-02-06 06:30 – Updated: 2024-02-06 06:30Transient DOS in Core when DDR memory check is called while DDR is not initialized.
{
"affected": [],
"aliases": [
"CVE-2023-33060"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T06:15:59Z",
"severity": "HIGH"
},
"details": "Transient DOS in Core when DDR memory check is called while DDR is not initialized.",
"id": "GHSA-wfj3-hjp7-62gf",
"modified": "2024-02-06T06:30:31Z",
"published": "2024-02-06T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33060"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFPV-3M23-C38R
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2024-08-01 15:31An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1078, CVE-2019-1153.
{
"affected": [],
"aliases": [
"CVE-2019-1148"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T21:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka \u0027Microsoft Graphics Component Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2019-1078, CVE-2019-1153.",
"id": "GHSA-wfpv-3m23-c38r",
"modified": "2024-08-01T15:31:14Z",
"published": "2022-05-24T16:53:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1148"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1148"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154084/Microsoft-Font-Subsetting-DLL-GetGlyphId-Out-Of-Bounds-Read.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WFWM-CHJ7-W59R
Vulnerability from github – Published: 2018-03-05 18:29 – Updated: 2023-08-29 14:59In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the read_from_str function in sax_buf.c when a crafted input is supplied to sax_parse.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "ox"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-16229"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:00:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the `read_from_str` function in `sax_buf.c` when a crafted input is supplied to `sax_parse`.",
"id": "GHSA-wfwm-chj7-w59r",
"modified": "2023-08-29T14:59:54Z",
"published": "2018-03-05T18:29:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16229"
},
{
"type": "WEB",
"url": "https://github.com/ohler55/ox/issues/195"
},
{
"type": "PACKAGE",
"url": "https://github.com/ohler55/ox"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ox/CVE-2017-16229.yml"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/ox/versions/2.8.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ox gem stack overflow in sax_parse"
}
GHSA-WFX7-9XJ8-QG53
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16Lack of boundary checking of a buffer in libSPenBase library of Samsung Notes prior to Samsung Note version 4.3.02.61 allows OOB read.
{
"affected": [],
"aliases": [
"CVE-2021-25492"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-06T18:15:00Z",
"severity": "HIGH"
},
"details": "Lack of boundary checking of a buffer in libSPenBase library of Samsung Notes prior to Samsung Note version 4.3.02.61 allows OOB read.",
"id": "GHSA-wfx7-9xj8-qg53",
"modified": "2022-05-24T19:16:42Z",
"published": "2022-05-24T19:16:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25492"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2021\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WFXQ-P22P-779J
Vulnerability from github – Published: 2022-01-01 00:00 – Updated: 2022-03-17 00:06{
"affected": [],
"aliases": [
"CVE-2021-4193"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-31T16:15:00Z",
"severity": "MODERATE"
},
"details": "vim is vulnerable to Out-of-bounds Read",
"id": "GHSA-wfxq-p22p-779j",
"modified": "2022-03-17T00:06:19Z",
"published": "2022-01-01T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4193"
},
{
"type": "WEB",
"url": "https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/92c1940d-8154-473f-84ce-0de43b0c2eb0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00018.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-32"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213183"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213256"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT213343"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jul/14"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Mar/29"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/May/35"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2022/01/15/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.