CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11289 vulnerabilities reference this CWE, most recent first.
GHSA-HXQP-3C5H-J6J8
Vulnerability from github – Published: 2024-08-23 00:31 – Updated: 2024-08-23 00:31Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-38210"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-22T23:15:07Z",
"severity": "HIGH"
},
"details": "Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability",
"id": "GHSA-hxqp-3c5h-j6j8",
"modified": "2024-08-23T00:31:39Z",
"published": "2024-08-23T00:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38210"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXRX-XF7Q-22CR
Vulnerability from github – Published: 2024-11-23 03:31 – Updated: 2024-11-23 03:31IrfanView SID File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of SID files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23277.
{
"affected": [],
"aliases": [
"CVE-2024-9767"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-22T22:15:22Z",
"severity": "HIGH"
},
"details": "IrfanView SID File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of SID files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-23277.",
"id": "GHSA-hxrx-xf7q-22cr",
"modified": "2024-11-23T03:31:59Z",
"published": "2024-11-23T03:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9767"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1371"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXVF-2523-2JW9
Vulnerability from github – Published: 2023-05-04 21:30 – Updated: 2024-04-04 03:48Out-of-bounds Read vulnerability while processing BC_TUI_CMD_SEND_RESOURCE_DATA_ARRAY command in bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.
{
"affected": [],
"aliases": [
"CVE-2023-21507"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-04T21:15:11Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds Read vulnerability while processing BC_TUI_CMD_SEND_RESOURCE_DATA_ARRAY command in bc_tui trustlet from Samsung Blockchain Keystore prior to version 1.3.12.1 allows local attacker to read arbitrary memory.",
"id": "GHSA-hxvf-2523-2jw9",
"modified": "2024-04-04T03:48:53Z",
"published": "2023-05-04T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-21507"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2023\u0026month=05"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HXXH-4JR7-W99W
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-08 18:31In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: MGMT: validate advertising TLV before type checks
tlv_data_is_valid() reads each advertising data field length from data[i], then inspects data[i + 1] for managed EIR types before checking that the current field still fits inside the supplied buffer.
A malformed field whose length byte is the last byte of the buffer can therefore make the parser read one byte past the advertising data.
KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING request reached that path:
BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid() Read of size 1 Call trace: tlv_data_is_valid() add_advertising() hci_mgmt_cmd() hci_sock_sendmsg()
Move the existing element-length check before any type-octet inspection so each non-empty element is proven to contain its type byte before the parser looks at data[i + 1].
{
"affected": [],
"aliases": [
"CVE-2026-53255"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:43Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: validate advertising TLV before type checks\n\ntlv_data_is_valid() reads each advertising data field length from\ndata[i], then inspects data[i + 1] for managed EIR types before\nchecking that the current field still fits inside the supplied buffer.\n\nA malformed field whose length byte is the last byte of the buffer can\ntherefore make the parser read one byte past the advertising data.\n\nKASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING\nrequest reached that path:\n\n BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()\n Read of size 1\n Call trace:\n tlv_data_is_valid()\n add_advertising()\n hci_mgmt_cmd()\n hci_sock_sendmsg()\n\nMove the existing element-length check before any type-octet inspection\nso each non-empty element is proven to contain its type byte before the\nparser looks at data[i + 1].",
"id": "GHSA-hxxh-4jr7-w99w",
"modified": "2026-07-08T18:31:32Z",
"published": "2026-06-25T09:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53255"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/06fcbd79c3c360a50f9be9d370769bbd738d0976"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/13ad995071a06570668dd8daab3616c247c72080"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18fea1cb0c2599752e908c8217490f73ddd33e00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a3c8ffbb469859b076445af44bdfa6a711d483e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a3f3ed9e198ae23c15859ace2f9ca6cfdc35b57"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74c08e4db35a476c3462aeb65846f955be732626"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/de23fb62259aa01d294f77238ae3b835eb674413"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7093ac233c1e7f51d125534f46067772a113175"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J22Q-GXCF-M9CQ
Vulnerability from github – Published: 2026-06-09 21:32 – Updated: 2026-06-09 21:32Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2026-47961"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T21:17:24Z",
"severity": "MODERATE"
},
"details": "Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-j22q-gxcf-m9cq",
"modified": "2026-06-09T21:32:39Z",
"published": "2026-06-09T21:32:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47961"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb26-63.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J274-P7F4-XHV4
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:02abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.
{
"affected": [],
"aliases": [
"CVE-2021-32434"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:42:00Z",
"severity": "MODERATE"
},
"details": "abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.",
"id": "GHSA-j274-p7f4-xhv4",
"modified": "2022-03-17T00:02:02Z",
"published": "2022-03-11T00:02:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32434"
},
{
"type": "WEB",
"url": "https://github.com/leesavide/abcm2ps/issues/83"
},
{
"type": "WEB",
"url": "https://github.com/leesavide/abcm2ps/commit/2f56e1179cab6affeb8afa9d6c324008fe40d8e3"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00015.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6333SXWMES3K22DBAOAW34G6EU6WIJEY"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EVGJH4HMXI3TWMHQJQCG3M7KSXJWJM7R"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YTF4FXCW22FFB5HNQO3GK3F4FFBLTZKE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J289-GW35-4875
Vulnerability from github – Published: 2025-07-21 21:31 – Updated: 2025-07-21 21:31IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26171.
{
"affected": [],
"aliases": [
"CVE-2025-7264"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-21T20:15:47Z",
"severity": "HIGH"
},
"details": "IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26171.",
"id": "GHSA-j289-gw35-4875",
"modified": "2025-07-21T21:31:39Z",
"published": "2025-07-21T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7264"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-512"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J29F-PF42-VF2C
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26Google Chrome before 16.0.912.63 does not properly handle PDF documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2011-3911"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-12-13T21:55:00Z",
"severity": "MODERATE"
},
"details": "Google Chrome before 16.0.912.63 does not properly handle PDF documents, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
"id": "GHSA-j29f-pf42-vf2c",
"modified": "2022-05-13T01:26:53Z",
"published": "2022-05-13T01:26:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3911"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14683"
},
{
"type": "WEB",
"url": "http://code.google.com/p/chromium/issues/detail?id=101779"
},
{
"type": "WEB",
"url": "http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-J29H-5X3H-GVV8
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
{
"affected": [],
"aliases": [
"CVE-2017-11434"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-25T18:29:00Z",
"severity": "MODERATE"
},
"details": "The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.",
"id": "GHSA-j29h-5x3h-gvv8",
"modified": "2022-05-13T01:13:43Z",
"published": "2022-05-13T01:13:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11434"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1472611"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3925"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/07/19/2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99923"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J29R-H8WR-V5V8
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.
{
"affected": [],
"aliases": [
"CVE-2020-15889"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-21T22:15:00Z",
"severity": "HIGH"
},
"details": "Lua through 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient number of list members.",
"id": "GHSA-j29r-h8wr-v5v8",
"modified": "2022-05-24T17:24:02Z",
"published": "2022-05-24T17:24:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15889"
},
{
"type": "WEB",
"url": "https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312"
},
{
"type": "WEB",
"url": "http://lua-users.org/lists/lua-l/2020-07/msg00078.html"
},
{
"type": "WEB",
"url": "http://lua-users.org/lists/lua-l/2020-12/msg00157.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.