CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-XHPJ-RHQ5-VR2H
Vulnerability from github – Published: 2022-08-12 00:01 – Updated: 2022-08-12 00:01Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-35671"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-11T15:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat Reader versions 22.001.20169 (and earlier), 20.005.30362 (and earlier) and 17.012.30249 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-xhpj-rhq5-vr2h",
"modified": "2022-08-12T00:01:23Z",
"published": "2022-08-12T00:01:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35671"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-39.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHPR-RJF3-GG6P
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2026-04-14 15:30There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c
{
"affected": [],
"aliases": [
"CVE-2022-2785"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-23T11:15:00Z",
"severity": "MODERATE"
},
"details": "There exists an arbitrary memory read within the Linux Kernel BPF - Constants provided to fill pointers in structs passed in to bpf_sys_bpf are not verified and can point anywhere, including memory not owned by BPF. An attacker with CAP_BPF can arbitrarily read memory from anywhere on the system. We recommend upgrading past commit 86f44fcec22c",
"id": "GHSA-xhpr-rjf3-gg6p",
"modified": "2026-04-14T15:30:28Z",
"published": "2022-09-25T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2785"
},
{
"type": "WEB",
"url": "https://git.kernel.org/bpf/bpf/c/86f44fcec22c"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei%40google.com/T/#t"
},
{
"type": "WEB",
"url": "https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com/T/#t"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XHQ7-864Q-XXJ8
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in osdmap_decode()
When decoding osd_state and osd_weight from an incoming osdmap in osdmap_decode(), both are decoded for each osd, i.e., map->max_osd times. The ceph_decode_need() check only accounts for sizeof(*map->osd_weight) once. This can potentially result in an out-of-bounds memory access if the incoming message is corrupted such that the max_osd value exceeds the actual content of the osdmap message.
This patch fixes the issue by changing the corresponding part in the ceph_decode_need() check to account for map->max_osdsizeof(map->osd_weight).
{
"affected": [],
"aliases": [
"CVE-2026-52958"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:06Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in osdmap_decode()\n\nWhen decoding osd_state and osd_weight from an incoming osdmap in\nosdmap_decode(), both are decoded for each osd, i.e., map-\u003emax_osd\ntimes. The ceph_decode_need() check only accounts for\nsizeof(*map-\u003eosd_weight) once. This can potentially result in an\nout-of-bounds memory access if the incoming message is corrupted such\nthat the max_osd value exceeds the actual content of the osdmap message.\n\nThis patch fixes the issue by changing the corresponding part in the\nceph_decode_need() check to account for\nmap-\u003emax_osd*sizeof(*map-\u003eosd_weight).",
"id": "GHSA-xhq7-864q-xxj8",
"modified": "2026-06-28T09:31:37Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52958"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d2dd7e6bb74fd7712aa73457a4a821906c6863a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35d0ed82d03e5ee77ea4f31f20e29562a7721649"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/36a79759a288961b1ff28a68ec2d1f56f6848098"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f2575bb7f955d42569d96c3e04fa958a0dcf4b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48df98d12b15360cd56af5c1f460307b340c1197"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8713bbc4b2b9ad78f803978e54b7e49dd21bd9be"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7187f33c02488697ec0d01d82bf7a3f8deaba8f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee933694645dac062d65fc2743f92bc06fa0db6b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHRH-VVGH-PGXR
Vulnerability from github – Published: 2026-06-13 00:34 – Updated: 2026-06-13 00:34Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process.
This issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.68.
{
"affected": [],
"aliases": [
"CVE-2025-7002"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T22:16:48Z",
"severity": "HIGH"
},
"details": "Heap buffer out-of-bounds read vulnerability in Avira Antivirus engine when scanning a malformed PDF file may allow Local Execution of Code or Denial-of-Service of the antivirus engine process.\n\nThis issue affects Avira Antivirus on Windows, macOS, and Linux for engine builds before 8.3.70.68.",
"id": "GHSA-xhrh-vvgh-pgxr",
"modified": "2026-06-13T00:34:30Z",
"published": "2026-06-13T00:34:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7002"
},
{
"type": "WEB",
"url": "https://www.gendigital.com/us/en/contact-us/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHRX-96P4-R9WW
Vulnerability from github – Published: 2022-05-17 02:15 – Updated: 2025-04-20 03:42A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse that can cause an out of bounds read operation to occur due to a field within the IOCTL data being used as a length.
{
"affected": [],
"aliases": [
"CVE-2017-9770"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-08-02T19:29:00Z",
"severity": "MODERATE"
},
"details": "A specially crafted IOCTL can be issued to the rzpnk.sys driver in Razer Synapse that can cause an out of bounds read operation to occur due to a field within the IOCTL data being used as a length.",
"id": "GHSA-xhrx-96p4-r9ww",
"modified": "2025-04-20T03:42:02Z",
"published": "2022-05-17T02:15:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9770"
},
{
"type": "WEB",
"url": "https://warroom.securestate.com/cve-2017-9770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHVC-GC4M-9GFW
Vulnerability from github – Published: 2022-05-17 02:46 – Updated: 2022-05-17 02:46coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted SUN file.
{
"affected": [],
"aliases": [
"CVE-2015-8958"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-20T18:59:00Z",
"severity": "MODERATE"
},
"details": "coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted SUN file.",
"id": "GHSA-xhvc-gc4m-9gfw",
"modified": "2022-05-17T02:46:49Z",
"published": "2022-05-17T02:46:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8958"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/1aa0c6dab6dcef4d9bc3571866ae1c1ddbec7d8f"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/6b4aff0f117b978502ee5bcd6e753c17aec5a961"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/8ea44b48a182dd46d018f4b4f09a5e2ee9638105"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/b8f17d08b7418204bf8a05a5c24e87b2fc395b75"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1378736"
},
{
"type": "WEB",
"url": "http://www.imagemagick.org/discourse-server/viewtopic.php?f=3\u0026t=26857"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/09/22/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/93124"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHVX-FPRP-87JR
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service (application crash in SetGrayscaleImage in MagickCore/quantize.c) via a crafted SUN image file.
{
"affected": [],
"aliases": [
"CVE-2018-11251"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-18T19:29:00Z",
"severity": "MODERATE"
},
"details": "In ImageMagick 7.0.7-23 Q16 x86_64 2018-01-24, there is a heap-based buffer over-read in ReadSUNImage in coders/sun.c, which allows attackers to cause a denial of service (application crash in SetGrayscaleImage in MagickCore/quantize.c) via a crafted SUN image file.",
"id": "GHSA-xhvx-fprp-87jr",
"modified": "2022-05-13T01:49:10Z",
"published": "2022-05-13T01:49:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11251"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/956"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00004.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4245"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XHW8-7RFW-2FG2
Vulnerability from github – Published: 2023-04-01 06:31 – Updated: 2023-04-07 15:30NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause improper restriction of operations within the bounds of a memory buffer cause an out-of-bounds read, which may lead to denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-0188"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-01T05:15:00Z",
"severity": "MODERATE"
},
"details": "NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged user can cause improper restriction of operations within the bounds of a memory buffer cause an out-of-bounds read, which may lead to denial of service.",
"id": "GHSA-xhw8-7rfw-2fg2",
"modified": "2023-04-07T15:30:37Z",
"published": "2023-04-01T06:31:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0188"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5452"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202310-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XJ22-JFVR-G3P6
Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file. This is different from CVE-2021-38102.
{
"affected": [],
"aliases": [
"CVE-2021-38105"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-01T23:15:00Z",
"severity": "MODERATE"
},
"details": "IPPP82.FLT in Corel Presentations 2020 20.0.0.200 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PPT file. This is different from CVE-2021-38102.",
"id": "GHSA-xj22-jfvr-g3p6",
"modified": "2022-05-24T19:16:23Z",
"published": "2022-05-24T19:16:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38105"
},
{
"type": "WEB",
"url": "https://www.fortiguard.com/zeroday/FG-VD-21-033"
},
{
"type": "WEB",
"url": "https://www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-vulnerabilities-across-multiple-corel-products"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-XJ35-X9J5-V64P
Vulnerability from github – Published: 2022-05-14 00:52 – Updated: 2022-05-14 00:52Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-16020"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-18T17:29:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat and Reader versions 2019.008.20081 and earlier, 2019.008.20080 and earlier, 2019.008.20081 and earlier, 2017.011.30106 and earlier version, 2017.011.30105 and earlier version, 2015.006.30457 and earlier, and 2015.006.30456 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-xj35-x9j5-v64p",
"modified": "2022-05-14T00:52:22Z",
"published": "2022-05-14T00:52:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16020"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb18-41.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106162"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.