CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11291 vulnerabilities reference this CWE, most recent first.
GHSA-WX9M-V548-JQ76
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to execute code locally.
{
"affected": [],
"aliases": [
"CVE-2026-58609"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T17:17:13Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read in Microsoft Graphics Component allows an unauthorized attacker to execute code locally.",
"id": "GHSA-wx9m-v548-jq76",
"modified": "2026-07-14T18:32:12Z",
"published": "2026-07-14T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58609"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-58609"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXC3-3JV6-VX77
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-29 18:30In multiple locations of p2p_iface.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-257029915
{
"affected": [],
"aliases": [
"CVE-2023-21010"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "In multiple locations of p2p_iface.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-257029915",
"id": "GHSA-wxc3-3jv6-vx77",
"modified": "2023-03-29T18:30:29Z",
"published": "2023-03-24T21:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21010"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXH8-W4CG-HQJ6
Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2024-11-27 21:32This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18652.
{
"affected": [],
"aliases": [
"CVE-2022-42383"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-26T18:59:00Z",
"severity": "MODERATE"
},
"details": "This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. Crafted data in a U3D file can trigger a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-18652.",
"id": "GHSA-wxh8-w4cg-hqj6",
"modified": "2024-11-27T21:32:37Z",
"published": "2023-01-26T21:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42383"
},
{
"type": "WEB",
"url": "https://www.tracker-software.com/product/pdf-xchange-editor/history"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1374"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXHC-3989-9JQ8
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-23 18:30In the Linux kernel, the following vulnerability has been resolved:
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
Fix an 11-year old bug in ngene_command_config_free_buf() while addressing the following warnings caught with -Warray-bounds:
arch/alpha/include/asm/string.h:22:16: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds] arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [12, 16] from the object at 'com' is out of the bounds of referenced subobject 'config' with type 'unsigned char' at offset 10 [-Warray-bounds]
The problem is that the original code is trying to copy 6 bytes of data into a one-byte size member config of the wrong structue FW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a legitimate compiler warning because memcpy() overruns the length of &com.cmd.ConfigureBuffers.config. It seems that the right structure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains 6 more members apart from the header hdr. Also, the name of the function ngene_command_config_free_buf() suggests that the actual intention is to ConfigureFreeBuffers, instead of ConfigureBuffers (which takes place in the function ngene_command_config_buf(), above).
Fix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS into new struct config, and use &com.cmd.ConfigureFreeBuffers.config as the destination address, instead of &com.cmd.ConfigureBuffers.config, when calling memcpy().
This also helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy().
{
"affected": [],
"aliases": [
"CVE-2021-47288"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:16Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()\n\nFix an 11-year old bug in ngene_command_config_free_buf() while\naddressing the following warnings caught with -Warray-bounds:\n\narch/alpha/include/asm/string.h:22:16: warning: \u0027__builtin_memcpy\u0027 offset [12, 16] from the object at \u0027com\u0027 is out of the bounds of referenced subobject \u0027config\u0027 with type \u0027unsigned char\u0027 at offset 10 [-Warray-bounds]\narch/x86/include/asm/string_32.h:182:25: warning: \u0027__builtin_memcpy\u0027 offset [12, 16] from the object at \u0027com\u0027 is out of the bounds of referenced subobject \u0027config\u0027 with type \u0027unsigned char\u0027 at offset 10 [-Warray-bounds]\n\nThe problem is that the original code is trying to copy 6 bytes of\ndata into a one-byte size member _config_ of the wrong structue\nFW_CONFIGURE_BUFFERS, in a single call to memcpy(). This causes a\nlegitimate compiler warning because memcpy() overruns the length\nof \u0026com.cmd.ConfigureBuffers.config. It seems that the right\nstructure is FW_CONFIGURE_FREE_BUFFERS, instead, because it contains\n6 more members apart from the header _hdr_. Also, the name of\nthe function ngene_command_config_free_buf() suggests that the actual\nintention is to ConfigureFreeBuffers, instead of ConfigureBuffers\n(which takes place in the function ngene_command_config_buf(), above).\n\nFix this by enclosing those 6 members of struct FW_CONFIGURE_FREE_BUFFERS\ninto new struct config, and use \u0026com.cmd.ConfigureFreeBuffers.config as\nthe destination address, instead of \u0026com.cmd.ConfigureBuffers.config,\nwhen calling memcpy().\n\nThis also helps with the ongoing efforts to globally enable\n-Warray-bounds and get us closer to being able to tighten the\nFORTIFY_SOURCE routines on memcpy().",
"id": "GHSA-wxhc-3989-9jq8",
"modified": "2024-12-23T18:30:47Z",
"published": "2024-05-21T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47288"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4487b968e5eacd02c493303dc2b61150bb7fe4b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8d4abca95ecc82fc8c41912fa0085281f19cc29f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9a178f189bb6d75293573e181928735f5e3e070"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6ddeb63dd543b5474b0217c4e47538b7ffd7686"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e617fa62f6cf859a7b042cdd6c73af905ff8fca3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e818f2ff648581a6c553ae2bebc5dcef9a8bb90c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e991457afdcb5f4dbc5bc9d79eaf775be33e7092"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec731c6ef564ee6fc101fc5d73e3a3a953d09a00"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXJ8-FWP7-7C8V
Vulnerability from github – Published: 2026-07-14 18:32 – Updated: 2026-07-14 18:32Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2026-49177"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T18:17:23Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in Windows TCP/IP allows an authorized attacker to disclose information locally.",
"id": "GHSA-wxj8-fwp7-7c8v",
"modified": "2026-07-14T18:32:14Z",
"published": "2026-07-14T18:32:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49177"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-49177"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXM4-C643-9554
Vulnerability from github – Published: 2022-05-17 02:20 – Updated: 2022-05-17 02:20The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7.0.6-4 might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted Flexible Image Transport System (FITS) file.
{
"affected": [],
"aliases": [
"CVE-2017-11753"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-30T18:29:00Z",
"severity": "MODERATE"
},
"details": "The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7.0.6-4 might allow remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted Flexible Image Transport System (FITS) file.",
"id": "GHSA-wxm4-c643-9554",
"modified": "2022-05-17T02:20:37Z",
"published": "2022-05-17T02:20:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11753"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/629"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXM5-8HJP-CM79
Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-15 15:30Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-8578"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T20:17:20Z",
"severity": "LOW"
},
"details": "Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-wxm5-8hjp-cm79",
"modified": "2026-05-15T15:30:40Z",
"published": "2026-05-14T21:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8578"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_12.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/496395450"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXVV-7X57-MJGJ
Vulnerability from github – Published: 2024-04-09 00:30 – Updated: 2024-08-26 21:30JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation.
{
"affected": [],
"aliases": [
"CVE-2024-22949"
],
"database_specific": {
"cwe_ids": [
"CWE-121",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-08T23:15:07Z",
"severity": "CRITICAL"
},
"details": "JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation.",
"id": "GHSA-wxvv-7x57-mjgj",
"modified": "2024-08-26T21:30:32Z",
"published": "2024-04-09T00:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22949"
},
{
"type": "WEB",
"url": "https://gist.github.com/LLM4IG/35c46e009b205ef6acd0e290e80fb876"
},
{
"type": "WEB",
"url": "https://github.com/jfree/jfreechart"
},
{
"type": "WEB",
"url": "http://jfreechart.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WXW2-J5J7-7387
Vulnerability from github – Published: 2024-10-07 03:30 – Updated: 2024-10-10 18:31In m4u, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08996900; Issue ID: MSV-1635.
{
"affected": [],
"aliases": [
"CVE-2024-20096"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-07T03:15:02Z",
"severity": "MODERATE"
},
"details": "In m4u, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08996900; Issue ID: MSV-1635.",
"id": "GHSA-wxw2-j5j7-7387",
"modified": "2024-10-10T18:31:08Z",
"published": "2024-10-07T03:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20096"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/October-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXX9-PQ23-VG6J
Vulnerability from github – Published: 2024-12-09 21:31 – Updated: 2024-12-11 18:30A Directory Listing issue was found in Kashipara E-Learning Management System v1.0, which allows remote attackers to access sensitive files and directories via /admin/uploads.
{
"affected": [],
"aliases": [
"CVE-2024-54938"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T19:15:17Z",
"severity": "HIGH"
},
"details": "A Directory Listing issue was found in Kashipara E-Learning Management System v1.0, which allows remote attackers to access sensitive files and directories via /admin/uploads.",
"id": "GHSA-wxx9-pq23-vg6j",
"modified": "2024-12-11T18:30:41Z",
"published": "2024-12-09T21:31:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54938"
},
{
"type": "WEB",
"url": "https://github.com/m14r41/Writeups/blob/main/CVE/Kashipara/E-learning%20Management%20System%20project/Directory%20listing%20-%20admin-uploads.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.