CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-WVQ2-RQP6-PWMJ
Vulnerability from github – Published: 2024-05-20 12:30 – Updated: 2026-05-12 12:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: RFCOMM: Fix not validating setsockopt user input
syzbot reported rfcomm_sock_setsockopt_old() is copying data without checking user input length.
BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old net/bluetooth/rfcomm/sock.c:632 [inline] BUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70 net/bluetooth/rfcomm/sock.c:673 Read of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064
{
"affected": [],
"aliases": [
"CVE-2024-35966"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-20T10:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: RFCOMM: Fix not validating setsockopt user input\n\nsyzbot reported rfcomm_sock_setsockopt_old() is copying data without\nchecking user input length.\n\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset\ninclude/linux/sockptr.h:49 [inline]\nBUG: KASAN: slab-out-of-bounds in copy_from_sockptr\ninclude/linux/sockptr.h:55 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt_old\nnet/bluetooth/rfcomm/sock.c:632 [inline]\nBUG: KASAN: slab-out-of-bounds in rfcomm_sock_setsockopt+0x893/0xa70\nnet/bluetooth/rfcomm/sock.c:673\nRead of size 4 at addr ffff8880209a8bc3 by task syz-executor632/5064",
"id": "GHSA-wvq2-rqp6-pwmj",
"modified": "2026-05-12T12:31:51Z",
"published": "2024-05-20T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35966"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/00767fbd67af70d7a550caa5b12d9515fa978bab"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ea65e2095e9bd151d0469328dd7fc2858feb546"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a97de7bff13b1cc825c1b1344eaed8d6c2d3e695"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c3f787a3eafe519c93df9abbb0ca5145861c8d0f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d072ea24748189cd8f4a9c3f585ca9af073a0838"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eea40d33bf936a5c7fb03c190e61e0cfee00e872"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVRW-3Q4M-69CH
Vulnerability from github – Published: 2022-05-14 00:54 – Updated: 2022-05-14 00:54An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.
{
"affected": [],
"aliases": [
"CVE-2018-13098"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T10:29:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in fs/f2fs/inode.c in the Linux kernel through 4.17.3. A denial of service (slab out-of-bounds read and BUG) can occur for a modified f2fs filesystem image in which FI_EXTRA_ATTR is set in an inode.",
"id": "GHSA-wvrw-3q4m-69ch",
"modified": "2022-05-14T00:54:14Z",
"published": "2022-05-14T00:54:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13098"
},
{
"type": "WEB",
"url": "https://bugzilla.kernel.org/show_bug.cgi?id=200173"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76d56d4ab4f2a9e4f085c7d77172194ddaccf7d2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4094-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4118-1"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00033.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVV6-MRFF-RP8J
Vulnerability from github – Published: 2022-05-14 00:58 – Updated: 2022-05-14 00:58An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.
{
"affected": [],
"aliases": [
"CVE-2019-9022"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-22T23:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.",
"id": "GHSA-wvv6-mrff-rp8j",
"modified": "2022-05-14T00:58:05Z",
"published": "2022-05-14T00:58:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9022"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2519"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:3299"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=77369"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00043.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190321-0001"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3902-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3922-2"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3922-3"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4398"
},
{
"type": "WEB",
"url": "https://www.tenable.com/security/tns-2019-07"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WVW6-X7X2-94G8
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2023-10-12 21:30An issue was discovered in FNET through 4.6.4. The code for processing the hostname from an LLMNR request doesn't check for '\0' termination. Therefore, the deduced length of the hostname doesn't reflect the correct length of the actual data. This may lead to Information Disclosure in _fnet_llmnr_poll in fnet_llmnr.c during a response to a malicious request of the DNS class IN.
{
"affected": [],
"aliases": [
"CVE-2020-17467"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-11T23:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in FNET through 4.6.4. The code for processing the hostname from an LLMNR request doesn\u0027t check for \u0027\\0\u0027 termination. Therefore, the deduced length of the hostname doesn\u0027t reflect the correct length of the actual data. This may lead to Information Disclosure in _fnet_llmnr_poll in fnet_llmnr.c during a response to a malicious request of the DNS class IN.",
"id": "GHSA-wvw6-x7x2-94g8",
"modified": "2023-10-12T21:30:55Z",
"published": "2022-05-24T17:36:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17467"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-343-01"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/815128"
},
{
"type": "WEB",
"url": "http://fnet.sourceforge.net/manual/fnet_history.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVWJ-8WJW-25QF
Vulnerability from github – Published: 2024-06-14 09:31 – Updated: 2024-06-14 09:31Out-of-bounds read vulnerability in the audio module Impact: Successful exploitation of this vulnerability will affect availability.
{
"affected": [],
"aliases": [
"CVE-2024-36502"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-14T08:15:41Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read vulnerability in the audio module\nImpact: Successful exploitation of this vulnerability will affect availability.",
"id": "GHSA-wvwj-8wjw-25qf",
"modified": "2024-06-14T09:31:17Z",
"published": "2024-06-14T09:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36502"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2024/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WVX4-CW49-456M
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03Accessing data buffer beyond the available data while parsing ogg clip can lead to null-pointer dereference and then memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8939, MSM8953, MSM8996, MSM8996AU, Nicobar, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130
{
"affected": [],
"aliases": [
"CVE-2019-10559"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T09:15:00Z",
"severity": "HIGH"
},
"details": "Accessing data buffer beyond the available data while parsing ogg clip can lead to null-pointer dereference and then memory corruption in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables in APQ8009, APQ8017, APQ8053, APQ8064, APQ8096AU, APQ8098, MDM9206, MDM9207C, MDM9607, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8939, MSM8953, MSM8996, MSM8996AU, Nicobar, QCS405, QCS605, QM215, SDA660, SDA845, SDM429, SDM439, SDM450, SDM630, SDM632, SDM636, SDM660, SDX20, SM6150, SM7150, SM8150, SM8250, SXR1130, SXR2130",
"id": "GHSA-wvx4-cw49-456m",
"modified": "2022-05-24T17:03:19Z",
"published": "2022-05-24T17:03:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10559"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/november-2019-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WVXF-4P9H-5VG9
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in __ceph_x_decrypt()
In __ceph_x_decrypt(), a part of the buffer p is interpreted as a ceph_x_encrypt_header, and the magic field of this struct is accessed. This happens without any guarantee that the buffer is large enough to hold this struct. The function parameter ciphertext_len represents the length of the ciphertext to decrypt and is guaranteed to be at most the remaining size of the allocated buffer p. However, this value is not necessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message frame of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold the ciphertext at its end with a ciphertext_len of 8 or less, can trigger an out-of-bounds memory access when accessing hdr->magic.
This patch fixes the issue by adding a check to ensure that the decrypted plaintext in the buffer is large enough to represent at least the ceph_x_encrypt_header.
{
"affected": [],
"aliases": [
"CVE-2026-52956"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in __ceph_x_decrypt()\n\nIn __ceph_x_decrypt(), a part of the buffer p is interpreted as a\nceph_x_encrypt_header, and the magic field of this struct is accessed.\nThis happens without any guarantee that the buffer is large enough to\nhold this struct. The function parameter ciphertext_len represents the\nlength of the ciphertext to decrypt and is guaranteed to be at most the\nremaining size of the allocated buffer p. However, this value is not\nnecessarily greater than sizeof(ceph_x_encrypt_header). E.g., a message\nframe of type FRAME_TAG_AUTH_REPLY_MORE, that is just as long to hold\nthe ciphertext at its end with a ciphertext_len of 8 or less, can\ntrigger an out-of-bounds memory access when accessing hdr-\u003emagic.\n\nThis patch fixes the issue by adding a check to ensure that the\ndecrypted plaintext in the buffer is large enough to represent at least\nthe ceph_x_encrypt_header.",
"id": "GHSA-wvxf-4p9h-5vg9",
"modified": "2026-06-28T09:31:37Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52956"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/821365487aa58d06bda65c676ba215d506ba9768"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7e9b53aebe401970f1b5f5a01b4e021b18e8bb2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WW36-QXJ8-93P2
Vulnerability from github – Published: 2022-08-18 00:00 – Updated: 2023-01-21 03:30libtiff's tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.
{
"affected": [],
"aliases": [
"CVE-2022-2867"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-17T22:15:00Z",
"severity": "HIGH"
},
"details": "libtiff\u0027s tiffcrop utility has a uint32_t underflow that can lead to out of bounds read and write. An attacker who supplies a crafted file to tiffcrop (likely via tricking a user to run tiffcrop on it with certain parameters) could cause a crash or in some cases, further exploitation.",
"id": "GHSA-ww36-qxj8-93p2",
"modified": "2023-01-21T03:30:28Z",
"published": "2022-08-18T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2867"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2118847"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00018.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5333"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WW3M-J46V-9WF2
Vulnerability from github – Published: 2024-08-07 03:31 – Updated: 2024-08-07 03:31Out-of-bounds read in applying binary with data in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.
{
"affected": [],
"aliases": [
"CVE-2024-34621"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-07T02:15:38Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in applying binary with data in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially read memory.",
"id": "GHSA-ww3m-j46v-9wf2",
"modified": "2024-08-07T03:31:28Z",
"published": "2024-08-07T03:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34621"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2024\u0026month=08"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WW3Q-XFC6-7G7H
Vulnerability from github – Published: 2022-08-19 00:00 – Updated: 2022-08-20 00:00Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2021-26254"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "Out of bounds read for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi products may allow a privileged user to potentially enable denial of service via local access.",
"id": "GHSA-ww3q-xfc6-7g7h",
"modified": "2022-08-20T00:00:39Z",
"published": "2022-08-19T00:00:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26254"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00621.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.