CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11291 vulnerabilities reference this CWE, most recent first.
GHSA-HR47-GGX3-938X
Vulnerability from github – Published: 2022-05-13 01:54 – Updated: 2022-05-13 01:54rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in the function process_demand_active() that results in a Denial of Service (segfault).
{
"affected": [],
"aliases": [
"CVE-2018-20178"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-15T18:29:00Z",
"severity": "HIGH"
},
"details": "rdesktop versions up to and including v1.8.3 contain an Out-Of-Bounds Read in the function process_demand_active() that results in a Denial of Service (segfault).",
"id": "GHSA-hr47-ggx3-938x",
"modified": "2022-05-13T01:54:13Z",
"published": "2022-05-13T01:54:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20178"
},
{
"type": "WEB",
"url": "https://github.com/rdesktop/rdesktop/commit/4dca546d04321a610c1835010b5dad85163b65e1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00030.html"
},
{
"type": "WEB",
"url": "https://research.checkpoint.com/reverse-rdp-attack-code-execution-on-rdp-clients"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201903-06"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4394"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00040.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106938"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR55-H2PW-295R
Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-01 21:30Out-of-bounds read in the Intel(R) Trace Analyzer and Collector software before version 2021.5 may allow an authenticated user to potentially enable escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2022-34864"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-16T21:15:00Z",
"severity": "HIGH"
},
"details": "Out-of-bounds read in the Intel(R) Trace Analyzer and Collector software before version 2021.5 may allow an authenticated user to potentially enable escalation of privilege via local access.",
"id": "GHSA-hr55-h2pw-295r",
"modified": "2023-03-01T21:30:19Z",
"published": "2023-02-16T21:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34864"
},
{
"type": "WEB",
"url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00733.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR57-5GV4-MVPW
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31PDF-XChange Editor PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. his vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20889.
{
"affected": [],
"aliases": [
"CVE-2023-42044"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:15:37Z",
"severity": "HIGH"
},
"details": "PDF-XChange Editor PDF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. his vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-20889.",
"id": "GHSA-hr57-5gv4-mvpw",
"modified": "2024-05-03T03:31:00Z",
"published": "2024-05-03T03:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42044"
},
{
"type": "WEB",
"url": "https://www.tracker-software.com/support/security-bulletins.html"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1360"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR7M-H86M-PPMR
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2018-20098"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-12-12T10:29:00Z",
"severity": "MODERATE"
},
"details": "There is a heap-based buffer over-read in Exiv2::Jp2Image::encodeJp2Header of jp2image.cpp in Exiv2 0.27-RC3. A crafted input will lead to a remote denial of service attack.",
"id": "GHSA-hr7m-h86m-ppmr",
"modified": "2022-05-13T01:50:57Z",
"published": "2022-05-13T01:50:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20098"
},
{
"type": "WEB",
"url": "https://github.com/Exiv2/exiv2/issues/590"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2101"
},
{
"type": "WEB",
"url": "https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXCEKTYF7HLM6VH2WCWO2HXTJH37MBLA"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR7Q-X7XM-Q959
Vulnerability from github – Published: 2022-05-13 01:09 – Updated: 2025-04-12 13:03The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.
{
"affected": [],
"aliases": [
"CVE-2016-6261"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-07T20:59:00Z",
"severity": "HIGH"
},
"details": "The idna_to_ascii_4i function in lib/idna.c in libidn before 1.33 allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via 64 bytes of input.",
"id": "GHSA-hr7q-x7xm-q959",
"modified": "2025-04-12T13:03:54Z",
"published": "2022-05-13T01:09:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6261"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/help-libidn/2016-07/msg00009.html"
},
{
"type": "WEB",
"url": "http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=f20ce1128fb7f4d33297eee307dddaf0f92ac72d"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-08/msg00098.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2016/dsa-3658"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/07/20/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/07/21/4"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92070"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3068-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR85-Q7C6-3J62
Vulnerability from github – Published: 2025-07-03 09:30 – Updated: 2025-12-18 21:31In the Linux kernel, the following vulnerability has been resolved:
net: usb: aqc111: fix error handling of usbnet read calls
Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: asix: add proper error handling of usb read errors").
For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings.
Fix the issue by verifying that the number of bytes read is as expected and not less.
[1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 is_valid_ether_addr include/linux/etherdevice.h:208 [inline] usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x4d1/0xd90 drivers/base/dd.c:658 __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ...
Uninit was stored to memory at: dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 __dev_addr_set include/linux/netdevice.h:4874 [inline] eth_hw_addr_set include/linux/etherdevice.h:325 [inline] aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ...
Uninit was stored to memory at: ether_addr_copy include/linux/etherdevice.h:305 [inline] aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] ...
Local variable buf.i created at: aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772
{
"affected": [],
"aliases": [
"CVE-2025-38153"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-03T09:15:30Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: aqc111: fix error handling of usbnet read calls\n\nSyzkaller, courtesy of syzbot, identified an error (see report [1]) in\naqc111 driver, caused by incomplete sanitation of usb read calls\u0027\nresults. This problem is quite similar to the one fixed in commit\n920a9fa27e78 (\"net: asix: add proper error handling of usb read errors\").\n\nFor instance, usbnet_read_cmd() may read fewer than \u0027size\u0027 bytes,\neven if the caller expected the full amount, and aqc111_read_cmd()\nwill not check its result properly. As [1] shows, this may lead\nto MAC address in aqc111_bind() being only partly initialized,\ntriggering KMSAN warnings.\n\nFix the issue by verifying that the number of bytes read is\nas expected and not less.\n\n[1] Partial syzbot report:\nBUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\nBUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n is_valid_ether_addr include/linux/etherdevice.h:208 [inline]\n usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n really_probe+0x4d1/0xd90 drivers/base/dd.c:658\n __driver_probe_device+0x268/0x380 drivers/base/dd.c:800\n...\n\nUninit was stored to memory at:\n dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582\n __dev_addr_set include/linux/netdevice.h:4874 [inline]\n eth_hw_addr_set include/linux/etherdevice.h:325 [inline]\n aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n...\n\nUninit was stored to memory at:\n ether_addr_copy include/linux/etherdevice.h:305 [inline]\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline]\n aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772\n usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396\n call_driver_probe drivers/base/dd.c:-1 [inline]\n...\n\nLocal variable buf.i created at:\n aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline]\n aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713\n usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772",
"id": "GHSA-hr85-q7c6-3j62",
"modified": "2025-12-18T21:31:33Z",
"published": "2025-07-03T09:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38153"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/11273279012c922f37cfb4dd95d142803fc07b98"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/30a9e834c74e260533b8d0885e3c89f6f32f7993"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/405b0d610745fb5e84fc2961d9b960abb9f3d107"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/60790d287c1a1ced3554d4a87c2f27bf299a932a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7c01863b1c47f040d9674171e77789a423b9b128"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c97655275482ef5384ce0501640630a0fc0f6f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/acb47a40b5e38be03ef659b7bacdddc592ed73b7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f398d2dfe450ce2c031d10b585448862d74a0501"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR9X-39F7-WRGX
Vulnerability from github – Published: 2023-03-14 12:30 – Updated: 2023-03-14 12:30A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20334)
{
"affected": [],
"aliases": [
"CVE-2023-27402"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-14T10:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Tecnomatix Plant Simulation (All versions \u003c V2201.0006). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted SPP files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-20334)",
"id": "GHSA-hr9x-39f7-wrgx",
"modified": "2023-03-14T12:30:45Z",
"published": "2023-03-14T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27402"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRG4-RPR8-864C
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2025-04-20 03:50In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region.
{
"affected": [],
"aliases": [
"CVE-2017-17912"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-12-27T17:08:00Z",
"severity": "HIGH"
},
"details": "In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buffer over-read in ReadNewsProfile in coders/tiff.c, in which LocaleNCompare reads heap data beyond the allocated region.",
"id": "GHSA-hrg4-rpr8-864c",
"modified": "2025-04-20T03:50:34Z",
"published": "2022-05-13T01:28:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17912"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/01/msg00005.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00009.html"
},
{
"type": "WEB",
"url": "https://sourceforge.net/p/graphicsmagick/bugs/533"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4266-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4321"
},
{
"type": "WEB",
"url": "http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/0d871e813a4f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HRG5-27WV-98C8
Vulnerability from github – Published: 2025-03-06 06:30 – Updated: 2025-03-06 06:30Out-of-bounds read in applying binary of text content in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory.
{
"affected": [],
"aliases": [
"CVE-2025-20921"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-06T05:15:19Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in applying binary of text content in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory.",
"id": "GHSA-hrg5-27wv-98c8",
"modified": "2025-03-06T06:30:53Z",
"published": "2025-03-06T06:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20921"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2025\u0026month=03"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HRH3-H5HP-C3MG
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.
{
"affected": [],
"aliases": [
"CVE-2018-19664"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-11-29T08:29:00Z",
"severity": "MODERATE"
},
"details": "libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel_rows function in wrbmp.c, as demonstrated by djpeg.",
"id": "GHSA-hrh3-h5hp-c3mg",
"modified": "2022-05-13T01:30:34Z",
"published": "2022-05-13T01:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-19664"
},
{
"type": "WEB",
"url": "https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4190-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.