CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11291 vulnerabilities reference this CWE, most recent first.
GHSA-M98Q-JG2R-MQMW
Vulnerability from github – Published: 2022-05-17 02:52 – Updated: 2025-04-20 03:34The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel's internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.
{
"affected": [],
"aliases": [
"CVE-2017-7277"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-28T06:59:00Z",
"severity": "HIGH"
},
"details": "The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TIMESTAMPING_OPT_STATS feature, which allows local users to obtain sensitive information from the kernel\u0027s internal socket data structures or cause a denial of service (out-of-bounds read) via crafted system calls, related to net/core/skbuff.c and net/socket.c.",
"id": "GHSA-m98q-jg2r-mqmw",
"modified": "2025-04-20T03:34:58Z",
"published": "2022-05-17T02:52:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7277"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/4ef1b2869447411ad3ef91ad7d4891a83c1a509a"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/8605330aac5a5785630aec8f64378a54891937cc"
},
{
"type": "WEB",
"url": "https://lkml.org/lkml/2017/3/15/485"
},
{
"type": "WEB",
"url": "https://patchwork.ozlabs.org/patch/740636"
},
{
"type": "WEB",
"url": "https://patchwork.ozlabs.org/patch/740639"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4ef1b2869447411ad3ef91ad7d4891a83c1a509a"
},
{
"type": "WEB",
"url": "http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8605330aac5a5785630aec8f64378a54891937cc"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97141"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9CG-4VJQ-HVPF
Vulnerability from github – Published: 2022-05-24 16:48 – Updated: 2024-04-04 01:03Unintended floating-point error accumulation in SwiftShader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2018-16069"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-06-27T17:15:00Z",
"severity": "MODERATE"
},
"details": "Unintended floating-point error accumulation in SwiftShader in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to leak cross-origin data via a crafted HTML page.",
"id": "GHSA-m9cg-4vjq-hvpf",
"modified": "2024-04-04T01:03:36Z",
"published": "2022-05-24T16:48:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16069"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2018/09/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/848238"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M9FP-2R32-Q2MW
Vulnerability from github – Published: 2025-03-11 18:32 – Updated: 2025-03-11 18:32Incorrect conversion between numeric types in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-24059"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T17:16:28Z",
"severity": "HIGH"
},
"details": "Incorrect conversion between numeric types in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-m9fp-2r32-q2mw",
"modified": "2025-03-11T18:32:17Z",
"published": "2025-03-11T18:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24059"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24059"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9G2-VWF5-VRVQ
Vulnerability from github – Published: 2024-08-14 15:31 – Updated: 2024-08-14 15:31Illustrator versions 28.5, 27.9.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2024-34134"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-14T15:15:20Z",
"severity": "MODERATE"
},
"details": "Illustrator versions 28.5, 27.9.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-m9g2-vwf5-vrvq",
"modified": "2024-08-14T15:31:17Z",
"published": "2024-08-14T15:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34134"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/illustrator/apsb24-45.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-M9GH-794Q-VJJJ
Vulnerability from github – Published: 2024-11-05 18:32 – Updated: 2024-11-08 21:33In the Linux kernel, the following vulnerability has been resolved:
bpf: Add the missing BPF_LINK_TYPE invocation for sockmap
There is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap link fd. Fix it by adding the missing BPF_LINK_TYPE invocation for sockmap link
Also add comments for bpf_link_type to prevent missing updates in the future.
{
"affected": [],
"aliases": [
"CVE-2024-50123"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-05T18:15:15Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Add the missing BPF_LINK_TYPE invocation for sockmap\n\nThere is an out-of-bounds read in bpf_link_show_fdinfo() for the sockmap\nlink fd. Fix it by adding the missing BPF_LINK_TYPE invocation for\nsockmap link\n\nAlso add comments for bpf_link_type to prevent missing updates in the\nfuture.",
"id": "GHSA-m9gh-794q-vjjj",
"modified": "2024-11-08T21:33:53Z",
"published": "2024-11-05T18:32:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50123"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6d79f12c0ce2bc8ff5f109093df1734bd6450615"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c2f803052bc7a7feb2e03befccc8e49b6ff1f5f5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9GX-79MM-Q64V
Vulnerability from github – Published: 2022-05-24 19:17 – Updated: 2022-05-24 19:17An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juniper Networks Junos OS and Junos OS Evolved, configured in Network Mode (to use Juniper Agile License Manager) may allow an attacker to cause a partial Denial of Service (DoS), or lead to remote code execution (RCE). The vulnerability exists in the packet parsing logic on the client that processes the response from the server using a custom protocol. An attacker with control of a JAL License Manager, or with access to the local broadcast domain, may be able to spoof a new JAL License Manager and/or craft a response to the Junos OS License Client, leading to exploitation of this vulnerability. This issue only affects Junos systems configured in Network Mode. Systems that are configured in Standalone Mode (the default mode of operation for all systems) are not vulnerable to this issue. This issue affects: Juniper Networks Junos OS: 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. Juniper Networks Junos OS Evolved: version 20.1R1-EVO and later versions, prior to 21.2R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 19.2R1.
{
"affected": [],
"aliases": [
"CVE-2021-31354"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-19T19:15:00Z",
"severity": "HIGH"
},
"details": "An Out Of Bounds (OOB) access vulnerability in the handling of responses by a Juniper Agile License (JAL) Client in Juniper Networks Junos OS and Junos OS Evolved, configured in Network Mode (to use Juniper Agile License Manager) may allow an attacker to cause a partial Denial of Service (DoS), or lead to remote code execution (RCE). The vulnerability exists in the packet parsing logic on the client that processes the response from the server using a custom protocol. An attacker with control of a JAL License Manager, or with access to the local broadcast domain, may be able to spoof a new JAL License Manager and/or craft a response to the Junos OS License Client, leading to exploitation of this vulnerability. This issue only affects Junos systems configured in Network Mode. Systems that are configured in Standalone Mode (the default mode of operation for all systems) are not vulnerable to this issue. This issue affects: Juniper Networks Junos OS: 19.2 versions prior to 19.2R3-S3; 19.3 versions prior to 19.3R3-S3; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. Juniper Networks Junos OS Evolved: version 20.1R1-EVO and later versions, prior to 21.2R2-EVO. This issue does not affect Juniper Networks Junos OS versions prior to 19.2R1.",
"id": "GHSA-m9gx-79mm-q64v",
"modified": "2022-05-24T19:17:54Z",
"published": "2022-05-24T19:17:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31354"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA11219"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-M9JJ-WQC5-FM74
Vulnerability from github – Published: 2026-01-02 15:30 – Updated: 2026-01-05 21:30An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data.
We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later
{
"affected": [],
"aliases": [
"CVE-2025-54164"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-02T15:16:02Z",
"severity": "MODERATE"
},
"details": "An out-of-bounds read vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3256 build 20250913 and later\nQuTS hero h5.2.7.3256 build 20250913 and later\nQuTS hero h5.3.1.3250 build 20250912 and later",
"id": "GHSA-m9jj-wqc5-fm74",
"modified": "2026-01-05T21:30:31Z",
"published": "2026-01-02T15:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54164"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-25-50"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M9JQ-HQ6H-2VJH
Vulnerability from github – Published: 2025-05-02 18:31 – Updated: 2025-11-12 21:30In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: HCI: Fix global-out-of-bounds
To loop a variable-length array, hci_init_stage_sync(stage) considers that stage[i] is valid as long as stage[i-1].func is valid. Thus, the last element of stage[].func should be intentionally invalid as hci_init0[], le_init2[], and others did. However, amp_init1[] and amp_init2[] have no invalid element, letting hci_init_stage_sync() keep accessing amp_init1[] over its valid range. This patch fixes this by adding {} in the last of amp_init1[] and amp_init2[].
================================================================== BUG: KASAN: global-out-of-bounds in hci_dev_open_sync ( /v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) Read of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032 CPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04 Workqueue: hci1 hci_power_on Call Trace: dump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1)) print_report (/v6.2-bzimage/mm/kasan/report.c:307 /v6.2-bzimage/mm/kasan/report.c:417) ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) kasan_report (/v6.2-bzimage/mm/kasan/report.c:184 /v6.2-bzimage/mm/kasan/report.c:519) ? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154 /v6.2-bzimage/net/bluetooth/hci_sync.c:3343 /v6.2-bzimage/net/bluetooth/hci_sync.c:4418 /v6.2-bzimage/net/bluetooth/hci_sync.c:4609 /v6.2-bzimage/net/bluetooth/hci_sync.c:4689) ? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635) ? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190 /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443 /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781 /v6.2-bzimage/kernel/locking/mutex.c:171 /v6.2-bzimage/kernel/locking/mutex.c:285) ? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282) hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485 /v6.2-bzimage/net/bluetooth/hci_core.c:984) ? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969) ? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85) ? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62 /v6.2-bzimage/lib/string.c:161) process_one_work (/v6.2-bzimage/kernel/workqueue.c:2294) worker_thread (/v6.2-bzimage/./include/linux/list.h:292 /v6.2-bzimage/kernel/workqueue.c:2437) ? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379) kthread (/v6.2-bzimage/kernel/kthread.c:376) ? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331) ret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314) The buggy address belongs to the variable: amp_init1+0x30/0x60 The buggy address belongs to the physical page: page:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia flags: 0x200000000001000(reserved|node=0|zone=2) raw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00 ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
ffffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
---truncated---
{
"affected": [],
"aliases": [
"CVE-2023-53057"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-02T16:15:24Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Fix global-out-of-bounds\n\nTo loop a variable-length array, hci_init_stage_sync(stage) considers\nthat stage[i] is valid as long as stage[i-1].func is valid.\nThus, the last element of stage[].func should be intentionally invalid\nas hci_init0[], le_init2[], and others did.\nHowever, amp_init1[] and amp_init2[] have no invalid element, letting\nhci_init_stage_sync() keep accessing amp_init1[] over its valid range.\nThis patch fixes this by adding {} in the last of amp_init1[] and\namp_init2[].\n\n==================================================================\nBUG: KASAN: global-out-of-bounds in hci_dev_open_sync (\n/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n/v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n/v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nRead of size 8 at addr ffffffffaed1ab70 by task kworker/u5:0/1032\nCPU: 0 PID: 1032 Comm: kworker/u5:0 Not tainted 6.2.0 #3\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04\nWorkqueue: hci1 hci_power_on\nCall Trace:\n \u003cTASK\u003e\ndump_stack_lvl (/v6.2-bzimage/lib/dump_stack.c:107 (discriminator 1))\nprint_report (/v6.2-bzimage/mm/kasan/report.c:307\n /v6.2-bzimage/mm/kasan/report.c:417)\n? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nkasan_report (/v6.2-bzimage/mm/kasan/report.c:184\n /v6.2-bzimage/mm/kasan/report.c:519)\n? hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\nhci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:3154\n /v6.2-bzimage/net/bluetooth/hci_sync.c:3343\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4418\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4609\n /v6.2-bzimage/net/bluetooth/hci_sync.c:4689)\n? __pfx_hci_dev_open_sync (/v6.2-bzimage/net/bluetooth/hci_sync.c:4635)\n? mutex_lock (/v6.2-bzimage/./arch/x86/include/asm/atomic64_64.h:190\n /v6.2-bzimage/./include/linux/atomic/atomic-long.h:443\n /v6.2-bzimage/./include/linux/atomic/atomic-instrumented.h:1781\n /v6.2-bzimage/kernel/locking/mutex.c:171\n /v6.2-bzimage/kernel/locking/mutex.c:285)\n? __pfx_mutex_lock (/v6.2-bzimage/kernel/locking/mutex.c:282)\nhci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:485\n /v6.2-bzimage/net/bluetooth/hci_core.c:984)\n? __pfx_hci_power_on (/v6.2-bzimage/net/bluetooth/hci_core.c:969)\n? read_word_at_a_time (/v6.2-bzimage/./include/asm-generic/rwonce.h:85)\n? strscpy (/v6.2-bzimage/./arch/x86/include/asm/word-at-a-time.h:62\n /v6.2-bzimage/lib/string.c:161)\nprocess_one_work (/v6.2-bzimage/kernel/workqueue.c:2294)\nworker_thread (/v6.2-bzimage/./include/linux/list.h:292\n /v6.2-bzimage/kernel/workqueue.c:2437)\n? __pfx_worker_thread (/v6.2-bzimage/kernel/workqueue.c:2379)\nkthread (/v6.2-bzimage/kernel/kthread.c:376)\n? __pfx_kthread (/v6.2-bzimage/kernel/kthread.c:331)\nret_from_fork (/v6.2-bzimage/arch/x86/entry/entry_64.S:314)\n \u003c/TASK\u003e\nThe buggy address belongs to the variable:\namp_init1+0x30/0x60\nThe buggy address belongs to the physical page:\npage:000000003a157ec6 refcount:1 mapcount:0 mapping:0000000000000000 ia\nflags: 0x200000000001000(reserved|node=0|zone=2)\nraw: 0200000000001000 ffffea0005054688 ffffea0005054688 000000000000000\nraw: 0000000000000000 0000000000000000 00000001ffffffff 000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\n ffffffffaed1aa00: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00\n ffffffffaed1aa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00\n\u003effffffffaed1ab00: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9\n \n---truncated---",
"id": "GHSA-m9jq-hq6h-2vjh",
"modified": "2025-11-12T21:30:59Z",
"published": "2025-05-02T18:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53057"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8497222b22b591c6b2d106e0e3c1672ffe4e10e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b3168abd24245aa0775c5a387dcf94d36ca7e738"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bce56405201111807cc8e4f47c6de3e10b17c1ac"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9JX-FC37-PPQ8
Vulnerability from github – Published: 2023-05-12 00:30 – Updated: 2024-04-04 04:03Adobe Substance 3D Painter versions 8.3.0 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-29281"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-11T22:15:10Z",
"severity": "HIGH"
},
"details": "Adobe Substance 3D Painter versions 8.3.0 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-m9jx-fc37-ppq8",
"modified": "2024-04-04T04:03:18Z",
"published": "2023-05-12T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29281"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/substance3d_painter/apsb23-29.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M9PG-V9J9-9QR5
Vulnerability from github – Published: 2025-06-10 18:32 – Updated: 2025-06-10 18:32Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.
{
"affected": [],
"aliases": [
"CVE-2025-33063"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-10T17:22:39Z",
"severity": "MODERATE"
},
"details": "Out-of-bounds read in Windows Storage Management Provider allows an authorized attacker to disclose information locally.",
"id": "GHSA-m9pg-v9j9-9qr5",
"modified": "2025-06-10T18:32:29Z",
"published": "2025-06-10T18:32:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33063"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-33063"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.