CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11273 vulnerabilities reference this CWE, most recent first.
GHSA-JJWV-9V54-84JW
Vulnerability from github – Published: 2022-05-14 02:00 – Updated: 2022-05-14 02:00In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch beyond allocation length. This leads to page fault.
{
"affected": [],
"aliases": [
"CVE-2018-11278"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-09-18T18:29:00Z",
"severity": "HIGH"
},
"details": "In all android releases (Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, Venus HW searches for start code when decoding input bit stream buffers. If start code is not found in entire buffer, there is over-fetch beyond allocation length. This leads to page fault.",
"id": "GHSA-jjwv-9v54-84jw",
"modified": "2022-05-14T02:00:09Z",
"published": "2022-05-14T02:00:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11278"
},
{
"type": "WEB",
"url": "https://source.codeaurora.org/quic/la/platform/hardware/qcom/media/commit/?id=6c7dbdb2f067bf844beef2c41d9d67cacc3adfa6"
},
{
"type": "WEB",
"url": "https://www.codeaurora.org/security-bulletin/2018/09/04/september-2018-code-aurora-security-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJX2-6Q4J-CWJX
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18In flv extractor, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05561360; Issue ID: ALPS05561360.
{
"affected": [],
"aliases": [
"CVE-2021-0410"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "In flv extractor, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05561360; Issue ID: ALPS05561360.",
"id": "GHSA-jjx2-6q4j-cwjx",
"modified": "2022-05-24T19:18:48Z",
"published": "2022-05-24T19:18:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0410"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/October-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JM22-GR8W-6J8J
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2024-04-04 01:31An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out of bounds read on iso9660 while parsing System Use Sharing Protocol data in fs/iso9660.c.
{
"affected": [],
"aliases": [
"CVE-2019-14531"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-02T15:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an out of bounds read on iso9660 while parsing System Use Sharing Protocol data in fs/iso9660.c.",
"id": "GHSA-jm22-gr8w-6j8j",
"modified": "2024-04-04T01:31:48Z",
"published": "2022-05-24T16:52:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14531"
},
{
"type": "WEB",
"url": "https://github.com/sleuthkit/sleuthkit/issues/1576"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JM26-2M6V-322R
Vulnerability from github – Published: 2025-11-14 03:30 – Updated: 2025-11-14 18:31Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2024-11920"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-14T03:15:55Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Dawn in Google Chrome on Mac prior to 130.0.6723.92 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-jm26-2m6v-322r",
"modified": "2025-11-14T18:31:37Z",
"published": "2025-11-14T03:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11920"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/371840056"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JM45-HJCW-QV8R
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-05-24 17:44Potential out of bound read exception when UE receives unusually large number of padding octets in the beginning of ROHC header in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2020-11166"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-17T06:15:00Z",
"severity": "CRITICAL"
},
"details": "Potential out of bound read exception when UE receives unusually large number of padding octets in the beginning of ROHC header in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-jm45-hjcw-qv8r",
"modified": "2022-05-24T17:44:39Z",
"published": "2022-05-24T17:44:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11166"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/march-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JM5C-RV3W-W83M
Vulnerability from github – Published: 2021-06-29 21:13 – Updated: 2025-01-30 14:38Impact
Denial-of-service (crash) during block processing
Details
Affected versions suffer from a vulnerability which can be exploited through the MULMOD operation, by specifying a modulo of 0: mulmod(a,b,0), causing a panic in the underlying library.
The crash was in the uint256 library, where a buffer underflowed.
if `d == 0`, `dLen` remains `0`
and https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index [-1].
The uint256 library was first merged in this commit, on 2020-06-08.
Exploiting this vulnerabilty would cause all vulnerable nodes to drop off the network.
The issue was brought to our attention through a bug report, showing a panic occurring on sync from genesis on the Ropsten network.
It was estimated that the least obvious way to fix this would be to merge the fix into uint256, make a new release of that library and then update the geth-dependency.
- https://github.com/holiman/uint256/releases/tag/v1.1.1 was made the same day,
- PR to address the issue: https://github.com/holiman/uint256/pull/80
- PR to update geth deps: https://github.com/ethereum/go-ethereum/pull/21368
Patches
Upgrade to v1.9.18 or higher
Workarounds
Not at this time
References
https://blog.ethereum.org/2020/11/12/geth_security_release/
For more information
If you have any questions or comments about this advisory: * Open an issue in go-ethereum * Email us at security@ethereum.org
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ethereum/go-ethereum"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.16"
},
{
"fixed": "1.9.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/holiman/uint256"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26242"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-191",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T21:50:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nDenial-of-service (crash) during block processing\n\n### Details\n\nAffected versions suffer from a vulnerability which can be exploited through the `MULMOD` operation, by specifying a modulo of `0`: `mulmod(a,b,0)`, causing a `panic` in the underlying library. \nThe crash was in the `uint256` library, where a buffer [underflowed](https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L442).\n\n\tif `d == 0`, `dLen` remains `0`\n\nand https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index `[-1]`.\n\nThe `uint256` library was first merged in this [commit](https://github.com/ethereum/go-ethereum/commit/cf6674539c589f80031f3371a71c6a80addbe454), on 2020-06-08. \nExploiting this vulnerabilty would cause all vulnerable nodes to drop off the network. \n\nThe issue was brought to our attention through a [bug report](https://github.com/ethereum/go-ethereum/issues/21367), showing a `panic` occurring on sync from genesis on the Ropsten network.\n \nIt was estimated that the least obvious way to fix this would be to merge the fix into `uint256`, make a new release of that library and then update the geth-dependency.\n\n- https://github.com/holiman/uint256/releases/tag/v1.1.1 was made the same day, \n- PR to address the issue: https://github.com/holiman/uint256/pull/80 \n- PR to update geth deps: https://github.com/ethereum/go-ethereum/pull/21368 \n\n\n\n### Patches\n\nUpgrade to v1.9.18 or higher\n\n### Workarounds\n\nNot at this time\n\n### References\n\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n",
"id": "GHSA-jm5c-rv3w-w83m",
"modified": "2025-01-30T14:38:53Z",
"published": "2021-06-29T21:13:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26242"
},
{
"type": "WEB",
"url": "https://github.com/holiman/uint256/pull/80"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/commit/7163a6664ee664df81b9028ab3ba13b9d65a7196"
},
{
"type": "WEB",
"url": "https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d"
},
{
"type": "WEB",
"url": "https://blog.ethereum.org/2020/11/12/geth_security_release"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethereum/go-ethereum"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in geth"
}
GHSA-JM6F-224Q-78RJ
Vulnerability from github – Published: 2023-12-13 15:30 – Updated: 2023-12-13 15:30Adobe After Effects versions 24.0.3 (and earlier) and 23.6.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-48635"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-13T14:15:46Z",
"severity": "MODERATE"
},
"details": "Adobe After Effects versions 24.0.3 (and earlier) and 23.6.0 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-jm6f-224q-78rj",
"modified": "2023-12-13T15:30:58Z",
"published": "2023-12-13T15:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48635"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/after_effects/apsb23-75.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JM8P-J9VP-R5HW
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2025-04-20 03:41When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WritePSImage() function in coders/ps.c.
{
"affected": [],
"aliases": [
"CVE-2017-11535"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-07-23T03:29:00Z",
"severity": "MODERATE"
},
"details": "When ImageMagick 7.0.6-1 processes a crafted file in convert, it can lead to a heap-based buffer over-read in the WritePSImage() function in coders/ps.c.",
"id": "GHSA-jm8p-j9vp-r5hw",
"modified": "2025-04-20T03:41:16Z",
"published": "2022-05-13T01:42:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11535"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/issues/561"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3681-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2017/dsa-4019"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4204"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JM96-WX5C-HR7M
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31Out of bounds read in OpenBMC Firmware for some Intel(R) Server Platforms before versions egs-1.15-0, bhs-0.27 may allow a privileged user to potentially enable information disclosure via local access.
{
"affected": [],
"aliases": [
"CVE-2023-49144"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T14:15:15Z",
"severity": "HIGH"
},
"details": "Out of bounds read in OpenBMC Firmware for some Intel(R) Server Platforms before versions egs-1.15-0, bhs-0.27 may allow a privileged user to potentially enable information disclosure via local access.",
"id": "GHSA-jm96-wx5c-hr7m",
"modified": "2024-08-14T15:31:13Z",
"published": "2024-08-14T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49144"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01078.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JMF6-74R8-6C28
Vulnerability from github – Published: 2026-05-20 03:31 – Updated: 2026-05-21 21:30Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.
{
"affected": [],
"aliases": [
"CVE-2026-43620"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-20T02:16:36Z",
"severity": "MODERATE"
},
"details": "Rsync version\u00a03.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client.",
"id": "GHSA-jmf6-74r8-6c28",
"modified": "2026-05-21T21:30:31Z",
"published": "2026-05-20T03:31:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43620"
},
{
"type": "WEB",
"url": "https://github.com/RsyncProject/rsync/releases/tag/v3.4.3"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.