CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-JJ8F-5M9H-CM73
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154076193
{
"affected": [],
"aliases": [
"CVE-2021-0378"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-10T16:15:00Z",
"severity": "MODERATE"
},
"details": "In getNbits of pvmp3_getbits.cpp, there is a possible out of bounds read due to a heap buffer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-154076193",
"id": "GHSA-jj8f-5m9h-cm73",
"modified": "2022-05-24T17:44:07Z",
"published": "2022-05-24T17:44:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0378"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2021-03-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JJ94-VRCQ-56WM
Vulnerability from github – Published: 2022-11-08 12:00 – Updated: 2022-11-08 19:00A vulnerability has been identified in JT2Go (All versions < V14.1.0.4), Teamcenter Visualization V13.3 (All versions < V13.3.0.7), Teamcenter Visualization V14.0 (All versions < V14.0.0.3), Teamcenter Visualization V14.1 (All versions < V14.1.0.4). The affected products contain an out of bounds read vulnerability when parsing a CGM file. An attacker can leverage this vulnerability to execute code in the context of the current process.
{
"affected": [],
"aliases": [
"CVE-2022-41661"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-08T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V14.1.0.4), Teamcenter Visualization V13.3 (All versions \u003c V13.3.0.7), Teamcenter Visualization V14.0 (All versions \u003c V14.0.0.3), Teamcenter Visualization V14.1 (All versions \u003c V14.1.0.4). The affected products contain an out of bounds read vulnerability when parsing a CGM file. An attacker can leverage this vulnerability to execute code in the context of the current process.",
"id": "GHSA-jj94-vrcq-56wm",
"modified": "2022-11-08T19:00:22Z",
"published": "2022-11-08T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41661"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-120378.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJF8-5XJQ-FQ8J
Vulnerability from github – Published: 2022-12-14 21:30 – Updated: 2022-12-19 21:30A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.
{
"affected": [],
"aliases": [
"CVE-2022-46344"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-14T21:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability was found in X.Org. This security flaw occurs because the handler for the XIChangeProperty request has a length-validation issues, resulting in out-of-bounds memory reads and potential information disclosure. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions.",
"id": "GHSA-jjf8-5xjq-fq8j",
"modified": "2022-12-19T21:30:27Z",
"published": "2022-12-14T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46344"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:0045"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2023:0046"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2022-46344"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2151760"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5NELB7YDWRABYYBG4UPTHRBDTKJRV5M2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DXDF2O5PPLE3SVAJJYUOSAD5QZ4TWQ2G"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z67QC4C3I2FI2WRFIUPEHKC36J362MLA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5NELB7YDWRABYYBG4UPTHRBDTKJRV5M2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DXDF2O5PPLE3SVAJJYUOSAD5QZ4TWQ2G"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z67QC4C3I2FI2WRFIUPEHKC36J362MLA"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-30"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5304"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2023/12/13/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJG3-34X3-J6GW
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2025-53806"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:15:51Z",
"severity": "MODERATE"
},
"details": "Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-jjg3-34x3-j6gw",
"modified": "2025-09-09T18:31:20Z",
"published": "2025-09-09T18:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53806"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53806"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JJG4-P57C-87J3
Vulnerability from github – Published: 2025-05-01 15:31 – Updated: 2025-05-07 15:31In the Linux kernel, the following vulnerability has been resolved:
can: dev: fix skb drop check
In commit a6d190f8c767 ("can: skb: drop tx skb if in listen only mode") the priv->ctrlmode element is read even on virtual CAN interfaces that do not create the struct can_priv at startup. This out-of-bounds read may lead to CAN frame drops for virtual CAN interfaces like vcan and vxcan.
This patch mainly reverts the original commit and adds a new helper for CAN interface drivers that provide the required information in struct can_priv.
[mkl: patch pch_can, too]
{
"affected": [],
"aliases": [
"CVE-2022-49844"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-01T15:16:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: dev: fix skb drop check\n\nIn commit a6d190f8c767 (\"can: skb: drop tx skb if in listen only\nmode\") the priv-\u003ectrlmode element is read even on virtual CAN\ninterfaces that do not create the struct can_priv at startup. This\nout-of-bounds read may lead to CAN frame drops for virtual CAN\ninterfaces like vcan and vxcan.\n\nThis patch mainly reverts the original commit and adds a new helper\nfor CAN interface drivers that provide the required information in\nstruct can_priv.\n\n[mkl: patch pch_can, too]",
"id": "GHSA-jjg4-p57c-87j3",
"modified": "2025-05-07T15:31:24Z",
"published": "2025-05-01T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49844"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/386c49fe31ee748e053860b3bac7794a933ac9ac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ae64438be1923e3c1102d90fd41db7afcfaf54cc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJGW-PHQ5-5F8W
Vulnerability from github – Published: 2022-05-14 03:35 – Updated: 2022-05-14 03:35GPU driver in Huawei Mate 10 smart phones with the versions before ALP-L09 8.0.0.120(C212); The versions before ALP-L09 8.0.0.127(C900); The versions before ALP-L09 8.0.0.128(402/C02/C109/C346/C432/C652) has a out-of-bounds memory access vulnerability due to the input parameters validation. An attacker tricks a user into installing a malicious application on the smart phone, and the application can call the driver with special parameter and cause accessing out-of-bounds memory. Successful exploit may result in phone crash or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2017-17227"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-09T17:29:00Z",
"severity": "HIGH"
},
"details": "GPU driver in Huawei Mate 10 smart phones with the versions before ALP-L09 8.0.0.120(C212); The versions before ALP-L09 8.0.0.127(C900); The versions before ALP-L09 8.0.0.128(402/C02/C109/C346/C432/C652) has a out-of-bounds memory access vulnerability due to the input parameters validation. An attacker tricks a user into installing a malicious application on the smart phone, and the application can call the driver with special parameter and cause accessing out-of-bounds memory. Successful exploit may result in phone crash or arbitrary code execution.",
"id": "GHSA-jjgw-phq5-5f8w",
"modified": "2022-05-14T03:35:31Z",
"published": "2022-05-14T03:35:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17227"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180207-01-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJGX-WVCC-8XV3
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2025-04-20 03:39The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc.
{
"affected": [],
"aliases": [
"CVE-2017-9865"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-25T13:29:00Z",
"severity": "MODERATE"
},
"details": "The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted PDF document, related to missing color-map validation in ImageOutputDev.cc.",
"id": "GHSA-jjgx-wvcc-8xv3",
"modified": "2025-04-20T03:39:28Z",
"published": "2022-05-13T01:48:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9865"
},
{
"type": "WEB",
"url": "https://bugs.freedesktop.org/show_bug.cgi?id=100774"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201801-17"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4042-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4079"
},
{
"type": "WEB",
"url": "http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJH3-3P32-PWCX
Vulnerability from github – Published: 2022-05-17 02:53 – Updated: 2025-04-20 03:34The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8698.
{
"affected": [],
"aliases": [
"CVE-2017-7263"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-26T05:59:00Z",
"severity": "HIGH"
},
"details": "The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted BMP image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-8698.",
"id": "GHSA-jjh3-3p32-pwcx",
"modified": "2025-04-20T03:34:50Z",
"published": "2022-05-17T02:53:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7263"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/03/03/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJJR-WHRW-JX52
Vulnerability from github – Published: 2022-05-14 01:05 – Updated: 2022-05-14 01:05The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over-read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to launch a denial of service attack.
{
"affected": [],
"aliases": [
"CVE-2017-14976"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-02T01:29:00Z",
"severity": "HIGH"
},
"details": "The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0.59.0 has a heap-based buffer over-read vulnerability if an out-of-bounds font dictionary index is encountered, which allows an attacker to launch a denial of service attack.",
"id": "GHSA-jjjr-whrw-jx52",
"modified": "2022-05-14T01:05:47Z",
"published": "2022-05-14T01:05:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14976"
},
{
"type": "WEB",
"url": "https://bugzilla.freedesktop.org/show_bug.cgi?id=102724"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00023.html"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJM7-P4MP-W379
Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2023-03-28 21:30Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26353"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-28T20:15:00Z",
"severity": "MODERATE"
},
"details": "Adobe Dimension versions 3.4.7 (and earlier) is affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jjm7-p4mp-w379",
"modified": "2023-03-28T21:30:17Z",
"published": "2023-03-28T21:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26353"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/dimension/apsb23-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.