Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11277 vulnerabilities reference this CWE, most recent first.

GHSA-JCW4-9CCQ-G3RH

Vulnerability from github – Published: 2022-12-23 18:30 – Updated: 2025-04-15 06:30
VLAI
Details

An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNNECT.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-23T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in ksmbd in the Linux kernel before 5.19.2. fs/ksmbd/smb2misc.c has an out-of-bounds read and OOPS for SMB2_TREE_CONNNECT.",
  "id": "GHSA-jcw4-9ccq-g3rh",
  "modified": "2025-04-15T06:30:33Z",
  "published": "2022-12-23T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47938"
    },
    {
      "type": "WEB",
      "url": "https://github.com/torvalds/linux/commit/824d4f64c20093275f72fc8101394d75ff6a249e"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.19.2"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=824d4f64c20093275f72fc8101394d75ff6a249e"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-1689"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2022/12/23/10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JCXP-GMVC-4GGH

Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26
VLAI
Details

The PDF parser in Google Chrome before 16.0.912.63 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-3906"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-12-13T21:55:00Z",
    "severity": "MODERATE"
  },
  "details": "The PDF parser in Google Chrome before 16.0.912.63 allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
  "id": "GHSA-jcxp-gmvc-4ggh",
  "modified": "2022-05-13T01:26:56Z",
  "published": "2022-05-13T01:26:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3906"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14548"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=98809"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2011/12/stable-channel-update.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-JCXW-4397-C5HH

Vulnerability from github – Published: 2024-11-22 21:32 – Updated: 2024-11-22 21:32
VLAI
Details

PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24409.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-8838"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-22T21:15:22Z",
    "severity": "HIGH"
  },
  "details": "PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24409.",
  "id": "GHSA-jcxw-4397-c5hh",
  "modified": "2024-11-22T21:32:19Z",
  "published": "2024-11-22T21:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8838"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1261"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF2Q-CW9F-8H9X

Vulnerability from github – Published: 2024-05-16 09:33 – Updated: 2024-05-16 09:33
VLAI
Details

Substance3D - Designer versions 13.1.1 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-30281"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-16T09:15:11Z",
    "severity": "MODERATE"
  },
  "details": "Substance3D - Designer versions 13.1.1 and earlier Answer: are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-jf2q-cw9f-8h9x",
  "modified": "2024-05-16T09:33:07Z",
  "published": "2024-05-16T09:33:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30281"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/substance3d_designer/apsb24-35.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF35-V6MP-XVP9

Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30
VLAI
Details

Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33018"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-126"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T15:15:50Z",
    "severity": "HIGH"
  },
  "details": "Transient DOS while parsing the received TID-to-link mapping element of the TID-to-link mapping action frame.",
  "id": "GHSA-jf35-v6mp-xvp9",
  "modified": "2024-08-05T15:30:53Z",
  "published": "2024-08-05T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33018"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF3J-GF83-HHG3

Vulnerability from github – Published: 2025-07-08 18:31 – Updated: 2025-07-08 18:31
VLAI
Details

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49696"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-08T17:15:55Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.",
  "id": "GHSA-jf3j-gf83-hhg3",
  "modified": "2025-07-08T18:31:48Z",
  "published": "2025-07-08T18:31:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49696"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49696"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF42-2PW2-333X

Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30
VLAI
Details

A flaw was found within the parsing of SMB2 requests that have a transform header in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39176"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T10:15:04Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found within the parsing of SMB2 requests that have a transform header in the kernel ksmbd module. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this to disclose sensitive information on affected installations of Linux. Only systems with ksmbd enabled are vulnerable to this CVE.",
  "id": "GHSA-jf42-2pw2-333x",
  "modified": "2024-11-18T12:30:41Z",
  "published": "2024-11-18T12:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39176"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-39176"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326503"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-586"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF4F-5P54-W3HX

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-23 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes memory space will trigger slab-out-of-bounds bug as following:

================================================================== BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] Read of size 16 at addr ffff888114e84e60 by task tls/10911

Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db ? decrypt_internal+0x385/0xc40 [tls] kasan_report+0xab/0x120 ? decrypt_internal+0x385/0xc40 [tls] kasan_check_range+0xf9/0x1e0 memcpy+0x20/0x60 decrypt_internal+0x385/0xc40 [tls] ? tls_get_rec+0x2e0/0x2e0 [tls] ? process_rx_list+0x1a5/0x420 [tls] ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] decrypt_skb_update+0x9d/0x400 [tls] tls_sw_recvmsg+0x3c8/0xb50 [tls]

Allocated by task 10911: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 tls_set_sw_offload+0x2eb/0xa20 [tls] tls_setsockopt+0x68c/0x700 [tls] __sys_setsockopt+0xfe/0x1b0

Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy() iv value in TLS_1_3_VERSION scenario.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:46Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix slab-out-of-bounds bug in decrypt_internal\n\nThe memory size of tls_ctx-\u003erx.iv for AES128-CCM is 12 setting in\ntls_set_sw_offload(). The return value of crypto_aead_ivsize()\nfor \"ccm(aes)\" is 16. So memcpy() require 16 bytes from 12 bytes\nmemory space will trigger slab-out-of-bounds bug as following:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]\nRead of size 16 at addr ffff888114e84e60 by task tls/10911\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_report+0xab/0x120\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_check_range+0xf9/0x1e0\n memcpy+0x20/0x60\n decrypt_internal+0x385/0xc40 [tls]\n ? tls_get_rec+0x2e0/0x2e0 [tls]\n ? process_rx_list+0x1a5/0x420 [tls]\n ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]\n decrypt_skb_update+0x9d/0x400 [tls]\n tls_sw_recvmsg+0x3c8/0xb50 [tls]\n\nAllocated by task 10911:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n tls_set_sw_offload+0x2eb/0xa20 [tls]\n tls_setsockopt+0x68c/0x700 [tls]\n __sys_setsockopt+0xfe/0x1b0\n\nReplace the crypto_aead_ivsize() with prot-\u003eiv_size + prot-\u003esalt_size\nwhen memcpy() iv value in TLS_1_3_VERSION scenario.",
  "id": "GHSA-jf4f-5p54-w3hx",
  "modified": "2025-09-23T18:30:20Z",
  "published": "2025-09-23T18:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49094"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF4V-FH7C-QHF7

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2024-04-04 02:05
VLAI
Details

In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-78286500

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-9332"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-09-27T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "In Bluetooth, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-78286500",
  "id": "GHSA-jf4v-fh7c-qhf7",
  "modified": "2024-04-04T02:05:45Z",
  "published": "2022-05-24T16:57:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9332"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/android-10"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JF54-XGPW-JRRQ

Vulnerability from github – Published: 2026-02-10 12:30 – Updated: 2026-02-10 12:30
VLAI
Details

A vulnerability has been identified in Simcenter Femap (All versions < V2512), Simcenter Nastran (All versions < V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted NDB files. This could allow an attacker to execute code in the context of the current process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-23720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-10T10:15:59Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Simcenter Femap (All versions \u003c V2512), Simcenter Nastran (All versions \u003c V2512). The affected applications contains an out of bounds read vulnerability while parsing specially crafted NDB files. This could allow an attacker to execute code in the context of the current process.",
  "id": "GHSA-jf54-xgpw-jrrq",
  "modified": "2026-02-10T12:30:28Z",
  "published": "2026-02-10T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23720"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-965753.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.