CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-H5JQ-FPPJ-8WRR
Vulnerability from github – Published: 2022-05-24 16:54 – Updated: 2022-06-14 00:00An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-5032"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-21T18:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable out-of-bounds read vulnerability exists in the LabelSst record parser of Aspose Aspose.Cells 19.1.0 library. A specially crafted XLS file can cause an out-of-bounds read, resulting in remote code execution. An attacker needs to provide a malformed file to the victim to trigger the vulnerability.",
"id": "GHSA-h5jq-fppj-8wrr",
"modified": "2022-06-14T00:00:28Z",
"published": "2022-05-24T16:54:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5032"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0794"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5M8-7H93-8WFV
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2025-04-20 03:44Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-14314"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-12T00:29:00Z",
"severity": "MODERATE"
},
"details": "Off-by-one error in the DrawImage function in magick/render.c in GraphicsMagick 1.3.26 allows remote attackers to cause a denial of service (DrawDashPolygon heap-based buffer over-read and application crash) via a crafted file.",
"id": "GHSA-h5m8-7h93-8wfv",
"modified": "2025-04-20T03:44:43Z",
"published": "2022-05-13T01:28:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14314"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/graphicsmagick/bugs/448"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4232-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4321"
},
{
"type": "WEB",
"url": "http://hg.code.sf.net/p/graphicsmagick/code/rev/2835184bfb78"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5PC-CX6W-RPGV
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:esis_print().
{
"affected": [],
"aliases": [
"CVE-2017-13016"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-14T06:29:00Z",
"severity": "CRITICAL"
},
"details": "The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in print-isoclns.c:esis_print().",
"id": "GHSA-h5pc-cx6w-rpgv",
"modified": "2022-05-13T01:42:54Z",
"published": "2022-05-13T01:42:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13016"
},
{
"type": "WEB",
"url": "https://github.com/the-tcpdump-group/tcpdump/commit/c177cb3800a9a68d79b2812f0ffcb9479abd6eb8"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHEA-2018:0705"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201709-23"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT208221"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3971"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039307"
},
{
"type": "WEB",
"url": "http://www.tcpdump.org/tcpdump-changes.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H5R8-FVH2-9QXG
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-11-05 00:31In the AAC parser, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-131430997
{
"affected": [],
"aliases": [
"CVE-2020-0279"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-17T21:15:00Z",
"severity": "MODERATE"
},
"details": "In the AAC parser, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-131430997",
"id": "GHSA-h5r8-fvh2-9qxg",
"modified": "2025-11-05T00:31:12Z",
"published": "2022-05-24T17:28:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0279"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/android-11"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/08/13/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H62R-VGRV-M9XV
Vulnerability from github – Published: 2025-10-10 09:30 – Updated: 2025-10-10 09:30Out-of-bounds read in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to potentially access out-of-bounds memory.
{
"affected": [],
"aliases": [
"CVE-2025-21054"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-10T07:15:41Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in the parsing header for JPEG decoding in libpadm.so prior to SMR Oct-2025 Release 1 allows local attackers to potentially access out-of-bounds memory.",
"id": "GHSA-h62r-vgrv-m9xv",
"modified": "2025-10-10T09:30:48Z",
"published": "2025-10-10T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21054"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb?year=2025\u0026month=10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H634-6F45-J5WJ
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
sctp: validate embedded INIT chunk and address list lengths in cookie
sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header.
A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.
In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.
Fix this by:
- requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk);
- validating that the INIT chunk and raw address list together fit within the cookie payload;
- verifying sufficient data exists for each address parameter header and payload before parsing it.
Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
{
"affected": [],
"aliases": [
"CVE-2026-53224"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:40Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: validate embedded INIT chunk and address list lengths in cookie\n\nsctp_unpack_cookie() only checked that the embedded INIT chunk length\ndid not exceed the remaining cookie payload, but did not ensure that the\nINIT chunk is large enough to contain a complete INIT header.\n\nA malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose\nlength field is smaller than sizeof(struct sctp_init_chunk). Later,\nsctp_process_init() accesses INIT parameters unconditionally, which may\nlead to out-of-bounds reads.\n\nIn addition, raw_addr_list_len is not fully validated against the\nremaining cookie payload. When cookie authentication is disabled, an\nattacker can supply an oversized raw_addr_list_len and cause\nsctp_raw_to_bind_addrs() to read beyond the end of the cookie. The\naddress parser also lacks sufficient bounds checks for parameter headers\nand lengths, allowing malformed address parameters to trigger\nout-of-bounds reads.\n\nFix this by:\n\n- requiring the embedded INIT chunk length to be at least sizeof(struct\n sctp_init_chunk);\n- validating that the INIT chunk and raw address list together fit\n within the cookie payload;\n- verifying sufficient data exists for each address parameter header and\n payload before parsing it.\n\nNote that sctp_verify_init() must be called after sctp_unpack_cookie()\nand before sctp_process_init() when cookie authentication is disabled.\nThis will be addressed in a separate patch.",
"id": "GHSA-h634-6f45-j5wj",
"modified": "2026-06-28T09:31:45Z",
"published": "2026-06-25T09:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53224"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/512a9bb77c04ac9927648ea58af617e472be96e6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6f4c80a2a7e6d06753b89a578b710a2499a5e62b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7560afb8cddafd829e709d7ea09230e45a825557"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H63V-R4P9-395H
Vulnerability from github – Published: 2022-05-14 03:20 – Updated: 2022-05-14 03:20An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds read affecting the X3F property table list implementation in libraw_x3f.cpp and libraw_cxx.cpp.
{
"affected": [],
"aliases": [
"CVE-2018-10529"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-29T03:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds read affecting the X3F property table list implementation in libraw_x3f.cpp and libraw_cxx.cpp.",
"id": "GHSA-h63v-r4p9-395h",
"modified": "2022-05-14T03:20:39Z",
"published": "2022-05-14T03:20:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10529"
},
{
"type": "WEB",
"url": "https://github.com/LibRaw/LibRaw/issues/144"
},
{
"type": "WEB",
"url": "https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3639-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H64C-HXWF-RM6Q
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2024-04-04 01:23An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 3.
{
"affected": [],
"aliases": [
"CVE-2019-14291"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-27T19:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Xpdf 4.01.01. There is an out of bounds read in the function GfxPatchMeshShading::parse at GfxState.cc for typeA==6 case 3.",
"id": "GHSA-h64c-hxwf-rm6q",
"modified": "2024-04-04T01:23:40Z",
"published": "2022-05-24T16:51:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14291"
},
{
"type": "WEB",
"url": "https://forum.xpdfreader.com/viewtopic.php?f=3\u0026t=41851"
},
{
"type": "WEB",
"url": "https://github.com/TeamSeri0us/pocs/tree/master/xpdf/4.01.01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H65R-H5CF-X7V3
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
jfs: fix shift-out-of-bounds in dbSplit
When dmt_budmin is less than zero, it causes errors in the later stages. Added a check to return an error beforehand in dbAllocCtl itself.
{
"affected": [],
"aliases": [
"CVE-2024-56597"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix shift-out-of-bounds in dbSplit\n\nWhen dmt_budmin is less than zero, it causes errors\nin the later stages. Added a check to return an error beforehand\nin dbAllocCtl itself.",
"id": "GHSA-h65r-h5cf-x7v3",
"modified": "2025-11-03T21:31:53Z",
"published": "2024-12-27T15:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56597"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51a203470f502a64a3da8dcea51c4748e8267a6c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/52756a57e978e2706543a254f88f266cc6702f36"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6676034aa753aa448beb30dbd75630927ba7cd96"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a5f5e4698f8abbb25fe4959814093fb5bfa1aa9d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bbb24ce7f06ef9b7c05beb9340787cbe9fd3d08e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c56245baf3fd1f79145dd7408e3ead034b74255c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df7c76636952670b31bd6c12b3aed3c502122273"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H686-QFR7-3Q37
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31Foxit PDF Reader AcroForm Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22500.
{
"affected": [],
"aliases": [
"CVE-2023-51562"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:15Z",
"severity": "LOW"
},
"details": "Foxit PDF Reader AcroForm Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of AcroForms. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22500.",
"id": "GHSA-h686-qfr7-3q37",
"modified": "2024-05-03T03:31:07Z",
"published": "2024-05-03T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51562"
},
{
"type": "WEB",
"url": "https://www.foxit.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1875"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.