CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-JHP8-F6XC-JFFQ
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03An issue, also known as DW201703-001, was discovered in libdwarf 2017-03-21. In dwarf_formsdata() a few data types were not checked for being in bounds, leading to a heap-based buffer over-read.
{
"affected": [],
"aliases": [
"CVE-2017-9055"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-05-18T06:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue, also known as DW201703-001, was discovered in libdwarf 2017-03-21. In dwarf_formsdata() a few data types were not checked for being in bounds, leading to a heap-based buffer over-read.",
"id": "GHSA-jhp8-f6xc-jffq",
"modified": "2022-05-13T01:03:22Z",
"published": "2022-05-13T01:03:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9055"
},
{
"type": "WEB",
"url": "https://www.prevanders.net/dwarfbug.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHPP-6C5P-C4VJ
Vulnerability from github – Published: 2022-05-24 17:36 – Updated: 2022-05-24 17:36An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvfrom whose return size was not validated against the requested size. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading past commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f
{
"affected": [],
"aliases": [
"CVE-2020-8943"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-12-15T15:15:00Z",
"severity": "MODERATE"
},
"details": "An arbitrary memory read vulnerability in Asylo versions up to 0.6.0 allows an untrusted attacker to make a call to enc_untrusted_recvfrom whose return size was not validated against the requested size. The parameter size is unchecked allowing the attacker to read memory locations outside of the intended buffer size including memory addresses within the secure enclave. We recommend upgrading past commit 6e158d558abd3c29a0208e30c97c9a8c5bd4230f",
"id": "GHSA-jhpp-6c5p-c4vj",
"modified": "2022-05-24T17:36:37Z",
"published": "2022-05-24T17:36:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8943"
},
{
"type": "WEB",
"url": "https://github.com/google/asylo/commit/6e158d558abd3c29a0208e30c97c9a8c5bd4230f"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JHQQ-VCX8-RP7Q
Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2025-04-08 21:31Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-30302"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T19:15:50Z",
"severity": "MODERATE"
},
"details": "Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jhqq-vcx8-rp7q",
"modified": "2025-04-08T21:31:40Z",
"published": "2025-04-08T21:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30302"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb25-33.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JHXM-H53P-JM7W
Vulnerability from github – Published: 2026-04-09 20:23 – Updated: 2026-04-15 20:55Impact
Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAssembly when accesssing host memory. This is a sandbox escape as guests are able to read/write arbitrary host memory.
This vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions:
- This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when
Config::wasm_memory64is enabled. 32-bit WebAssembly is not affected. - Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled.
The specific bug in Cranelift is a miscompile of a load of the shape load(iadd(base, ishl(index, amt))) where amt is a constant. The amt value is masked incorrectly to test if it's a certain value, and this incorrect mask means that Cranelift can pattern-match this lowering rule during instruction selection erroneously, diverging from WebAssembly's and Cranelift's semantics. This incorrect lowering would, for example, load an address much further away than intended as the correct address's computation would have wrapped around to a smaller value insetad.
Patches
Wasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.
Workarounds
This bug only affects users of Cranelift on aarch64. Cranelift on other platforms is not affected. Additionally this only affects 64-bit WebAssembly linear memories, so if Config::wasm_memory64 is disabled then hosts are not affected. Note that Config::wasm_memory64 is enabled by default. If spectre mitigations are enabled, which are enabled by default, then hosts are not affected by this issue.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "32.0.0"
},
{
"fixed": "36.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "37.0.0"
},
{
"fixed": "42.0.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "43.0.0"
},
{
"fixed": "43.0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"43.0.0"
]
}
],
"aliases": [
"CVE-2026-34971"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-09T20:23:26Z",
"nvd_published_at": "2026-04-09T19:16:24Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nWasmtime\u0027s Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two diverging computations for the same address: one for the address to bounds-check and one for the address to load. This difference in address being operated on means that a guest module can pass a bounds check but then load a different address. Combined together this enables an arbitrary read/write primitive for guest WebAssembly when accesssing host memory. This is a sandbox escape as guests are able to read/write arbitrary host memory.\n\nThis vulnerability has a few ingredients, all of which must be met, for this situation to occur and bypass the sandbox restrictions:\n\n* This miscompiled shape of load only occurs on 64-bit WebAssembly linear memories, or when `Config::wasm_memory64` is enabled. 32-bit WebAssembly is not affected.\n* Spectre mitigations or signals-based-traps must be disabled. When spectre mitigations are enabled then the offending shape of load is not generated. When signals-based-traps are disabled then spectre mitigations are also automatically disabled.\n\nThe specific bug in Cranelift is a miscompile of a load of the shape `load(iadd(base, ishl(index, amt)))` where `amt` is a constant. The `amt` value is masked incorrectly to test if it\u0027s a certain value, and this incorrect mask means that Cranelift can pattern-match this lowering rule during instruction selection erroneously, diverging from WebAssembly\u0027s and Cranelift\u0027s semantics. This incorrect lowering would, for example, load an address much further away than intended as the correct address\u0027s computation would have wrapped around to a smaller value insetad.\n\n\n\n### Patches\n\nWasmtime 36.0.7, 42.0.2, and 43.0.1 have been issued to fix this bug. Users are recommended to update to these patched versions of Wasmtime.\n\n### Workarounds\n\nThis bug only affects users of Cranelift on aarch64. Cranelift on other platforms is not affected. Additionally this only affects 64-bit WebAssembly linear memories, so if `Config::wasm_memory64` is disabled then hosts are not affected. Note that `Config::wasm_memory64` is enabled by default. If spectre mitigations are enabled, which are enabled by default, then hosts are not affected by this issue.",
"id": "GHSA-jhxm-h53p-jm7w",
"modified": "2026-04-15T20:55:38Z",
"published": "2026-04-09T20:23:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jhxm-h53p-jm7w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34971"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0096.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift"
}
GHSA-JJ24-RMRJ-3HR4
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.
The specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853.
{
"affected": [],
"aliases": [
"CVE-2023-51589"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:19Z",
"severity": "MODERATE"
},
"details": "BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information via Bluetooth on affected installations of BlueZ. User interaction is required to exploit this vulnerability in that the target must connect to a malicious device.\n\nThe specific flaw exists within the handling of the AVRCP protocol. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-20853.",
"id": "GHSA-jj24-rmrj-3hr4",
"modified": "2024-05-03T03:31:07Z",
"published": "2024-05-03T03:31:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-51589"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1904"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JJ2R-PR6V-J9G5
Vulnerability from github – Published: 2022-07-16 00:00 – Updated: 2022-07-16 00:00Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2022-34239"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-15T16:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Acrobat Reader versions 22.001.20142 (and earlier), 20.005.30334 (and earlier) and 17.012.30229 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jj2r-pr6v-j9g5",
"modified": "2022-07-16T00:00:29Z",
"published": "2022-07-16T00:00:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34239"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb22-32.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ37-X4FV-5H8M
Vulnerability from github – Published: 2026-05-26 18:31 – Updated: 2026-05-26 18:31NVIDIA Display Driver for Linux contains a vulnerability where a user could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to denial of service and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2026-24196"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T18:16:38Z",
"severity": "HIGH"
},
"details": "NVIDIA Display Driver for Linux contains a vulnerability where a user could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to denial of service and information disclosure.",
"id": "GHSA-jj37-x4fv-5h8m",
"modified": "2026-05-26T18:31:49Z",
"published": "2026-05-26T18:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24196"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5821"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24196"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ6R-5JXQ-C8CW
Vulnerability from github – Published: 2023-04-06 18:30 – Updated: 2023-04-12 21:30In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.
{
"affected": [],
"aliases": [
"CVE-2023-20677"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-06T18:15:00Z",
"severity": "MODERATE"
},
"details": "In wlan, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07588413; Issue ID: ALPS07588436.",
"id": "GHSA-jj6r-5jxq-c8cw",
"modified": "2023-04-12T21:30:20Z",
"published": "2023-04-06T18:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20677"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2023"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJ76-44FX-5G9W
Vulnerability from github – Published: 2025-01-06 12:30 – Updated: 2025-01-06 12:30Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE length.
{
"affected": [],
"aliases": [
"CVE-2024-45558"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-06T11:15:10Z",
"severity": "HIGH"
},
"details": "Transient DOS can occur when the driver parses the per STA profile IE and tries to access the EXTN element ID without checking the IE length.",
"id": "GHSA-jj76-44fx-5g9w",
"modified": "2025-01-06T12:30:33Z",
"published": "2025-01-06T12:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45558"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ7M-54FR-VGHG
Vulnerability from github – Published: 2022-05-17 00:19 – Updated: 2022-05-17 00:19In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a specially crafted cfg80211 vendor command, a buffer over-read can occur.
{
"affected": [],
"aliases": [
"CVE-2017-11058"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-16T22:29:00Z",
"severity": "HIGH"
},
"details": "In android for MSM, Firefox OS for MSM, QRD Android, with all Android releases from CAF using the Linux kernel, while processing a specially crafted cfg80211 vendor command, a buffer over-read can occur.",
"id": "GHSA-jj7m-54fr-vghg",
"modified": "2022-05-17T00:19:34Z",
"published": "2022-05-17T00:19:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11058"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2017-11-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.