CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-XHC3-W35M-FP4Q
Vulnerability from github – Published: 2026-07-14 18:31 – Updated: 2026-07-14 18:31A out-of-bounds read vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.2, FortiAuthenticator 6.5 all versions may allow a remote unauthenticated attacker to retrieve sensitive information via a specially crafted request.
{
"affected": [],
"aliases": [
"CVE-2025-53379"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-14T16:16:42Z",
"severity": "HIGH"
},
"details": "A out-of-bounds read vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.2, FortiAuthenticator 6.5 all versions may allow a remote unauthenticated attacker to retrieve sensitive information via a specially crafted request.",
"id": "GHSA-xhc3-w35m-fp4q",
"modified": "2026-07-14T18:31:54Z",
"published": "2026-07-14T18:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53379"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-146"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHC7-32VM-6C85
Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26Information disclosure in modem due to improper check of IP type while processing DNS server query
{
"affected": [],
"aliases": [
"CVE-2022-25730"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T07:15:00Z",
"severity": "HIGH"
},
"details": "Information disclosure in modem due to improper check of IP type while processing DNS server query",
"id": "GHSA-xhc7-32vm-6c85",
"modified": "2024-04-04T03:26:59Z",
"published": "2023-04-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25730"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHCG-FX4C-M8Q6
Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2023-03-28 21:30Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26352"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-xhcg-fx4c-m8q6",
"modified": "2023-03-28T21:30:17Z",
"published": "2023-03-28T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26352"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dimension/apsb23-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHGX-HX6P-CQP4
Vulnerability from github – Published: 2023-03-24 21:30 – Updated: 2023-03-30 03:30In btm_create_conn_cancel_complete of btm_sec.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-260568245
{
"affected": [],
"aliases": [
"CVE-2023-20973"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "In btm_create_conn_cancel_complete of btm_sec.cc, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-260568245",
"id": "GHSA-xhgx-hx6p-cqp4",
"modified": "2023-03-30T03:30:38Z",
"published": "2023-03-24T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20973"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-03-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2023-06-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHHW-J3H4-3X9R
Vulnerability from github – Published: 2025-04-29 15:31 – Updated: 2025-11-03 21:33Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges. This bug only affects Firefox for macOS. Other versions of Firefox are unaffected. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
{
"affected": [],
"aliases": [
"CVE-2025-4082"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T14:15:34Z",
"severity": "MODERATE"
},
"details": "Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.\n*This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox \u003c 138, Firefox ESR \u003c 128.10, Firefox ESR \u003c 115.23, Thunderbird \u003c 138, and Thunderbird ESR \u003c 128.10.",
"id": "GHSA-xhhw-j3h4-3x9r",
"modified": "2025-11-03T21:33:41Z",
"published": "2025-04-29T15:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4082"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1937097"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00022.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-28"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-29"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-31"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-32"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHMF-MMV2-4HHX
Vulnerability from github – Published: 2022-09-16 20:59 – Updated: 2022-09-16 20:59Impact
When a full CVSS v2.0 vector string is parsed using ParseVector, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic.
Patches
The problem is patched in tag v0.4.0, by the commit d9d478ff0c13b8b09ace030db9262f3c2fe031f4.
Workarounds
The only way to avoid it is by parsing CVSS v2.0 vector strings that does not have all attributes defined (e.g. AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M).
References
N/A
CPE v2.3
As stated in SECURITY.md, the CPE v2.3 to refer to this Go module is cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*.
The entry has already been requested to the NVD CPE dictionnary.
Exploit example
package main
import (
"log"
gocvss20 "github.com/pandatix/go-cvss/20"
)
func main() {
_, err := gocvss20.ParseVector("AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M")
if err != nil {
log.Fatal(err)
}
}
When ran, the following trace is returned.
panic: runtime error: index out of range [3] with length 3
goroutine 1 [running]:
github.com/pandatix/go-cvss/20.ParseVector({0x4aed6c?, 0x0?})
/home/lucas/go/pkg/mod/github.com/pandatix/go-cvss@v0.2.0/20/cvss20.go:54 +0x578
main.main()
/media/lucas/HDD-K/Documents/cve-2022-xxxxx/main.go:10 +0x25
exit status 2
For more information
If you have any questions or comments about this advisory: * Open an issue in pandatix/go-cvss * Email me at lucastesson@protonmail.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pandatix/go-cvss"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39213"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-16T20:59:43Z",
"nvd_published_at": "2022-09-15T22:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nWhen a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic.\n\n### Patches\nThe problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`.\n\n### Workarounds\nThe only way to avoid it is by parsing CVSS v2.0 vector strings that does not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`).\n\n### References\nN/A\n\n### CPE v2.3\nAs stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`.\nThe entry has already been requested to the NVD CPE dictionnary.\n\n### Exploit example\n```go\npackage main\n\nimport (\n\t\"log\"\n\n\tgocvss20 \"github.com/pandatix/go-cvss/20\"\n)\n\nfunc main() {\n\t_, err := gocvss20.ParseVector(\"AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n}\n```\n\nWhen ran, the following trace is returned.\n```\npanic: runtime error: index out of range [3] with length 3\n\ngoroutine 1 [running]:\ngithub.com/pandatix/go-cvss/20.ParseVector({0x4aed6c?, 0x0?})\n /home/lucas/go/pkg/mod/github.com/pandatix/go-cvss@v0.2.0/20/cvss20.go:54 +0x578\nmain.main()\n /media/lucas/HDD-K/Documents/cve-2022-xxxxx/main.go:10 +0x25\nexit status 2\n```\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [pandatix/go-cvss](https://github.com/pandatix/go-cvss/issues)\n* Email me at [lucastesson@protonmail.com](mailto:lucastesson@protonmail.com)\n",
"id": "GHSA-xhmf-mmv2-4hhx",
"modified": "2022-09-16T20:59:43Z",
"published": "2022-09-16T20:59:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pandatix/go-cvss/security/advisories/GHSA-xhmf-mmv2-4hhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39213"
},
{
"type": "WEB",
"url": "https://github.com/pandatix/go-cvss/commit/d9d478ff0c13b8b09ace030db9262f3c2fe031f4"
},
{
"type": "PACKAGE",
"url": "https://github.com/pandatix/go-cvss"
},
{
"type": "WEB",
"url": "https://github.com/pandatix/go-cvss/blob/master/SECURITY.md"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2022-1002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Go-CVSS has Out-of-bounds Read vulnerability in ParseVector function"
}
GHSA-XHMX-2VHP-F3PQ
Vulnerability from github – Published: 2022-07-14 00:00 – Updated: 2022-07-27 00:00In USB driver, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216825460References: Upstream kernel
{
"affected": [],
"aliases": [
"CVE-2022-20227"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-13T19:15:00Z",
"severity": "MODERATE"
},
"details": "In USB driver, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-216825460References: Upstream kernel",
"id": "GHSA-xhmx-2vhp-f3pq",
"modified": "2022-07-27T00:00:47Z",
"published": "2022-07-14T00:00:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20227"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2022-07-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHMX-JV3J-5WF8
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.
{
"affected": [],
"aliases": [
"CVE-2024-33011"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T15:15:48Z",
"severity": "HIGH"
},
"details": "Transient DOS while parsing the MBSSID IE from the beacons, when the MBSSID IE length is zero.",
"id": "GHSA-xhmx-jv3j-5wf8",
"modified": "2024-08-05T15:30:53Z",
"published": "2024-08-05T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33011"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHPJ-269V-VQ2Q
Vulnerability from github – Published: 2026-05-31 21:30 – Updated: 2026-06-01 21:30Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.
In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
{
"affected": [],
"aliases": [
"CVE-2026-8796"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-31T20:16:30Z",
"severity": "HIGH"
},
"details": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.\n\nIn Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag\u0027s own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).",
"id": "GHSA-xhpj-269v-vq2q",
"modified": "2026-06-01T21:30:41Z",
"published": "2026-05-31T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8796"
},
{
"type": "WEB",
"url": "https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch"
},
{
"type": "WEB",
"url": "https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHPJ-R5XJ-F4J3
Vulnerability from github – Published: 2022-05-24 16:53 – Updated: 2026-02-20 21:31An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1078, CVE-2019-1148.
{
"affected": [],
"aliases": [
"CVE-2019-1153"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-14T21:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka \u0027Microsoft Graphics Component Information Disclosure Vulnerability\u0027. This CVE ID is unique from CVE-2019-1078, CVE-2019-1148.",
"id": "GHSA-xhpj-r5xj-f4j3",
"modified": "2026-02-20T21:31:09Z",
"published": "2022-05-24T16:53:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1153"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1153"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/154098/Microsoft-Font-Subsetting-DLL-FixSbitSubTableFormat1-Out-Of-Bounds-Read.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.