Common Weakness Enumeration

CWE-125

Allowed

Out-of-bounds Read

Abstraction: Base · Status: Draft

The product reads data past the end, or before the beginning, of the intended buffer.

11292 vulnerabilities reference this CWE, most recent first.

GHSA-MHM9-743P-JFXQ

Vulnerability from github – Published: 2024-07-30 00:34 – Updated: 2026-04-02 21:31
VLAI
Details

An out-of-bounds read issue was addressed with improved input validation. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing a maliciously crafted file may lead to unexpected app termination.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-40799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-29T23:15:12Z",
    "severity": "HIGH"
  },
  "details": "An out-of-bounds read issue was addressed with improved input validation. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing a maliciously crafted file may lead to unexpected app termination.",
  "id": "GHSA-mhm9-743p-jfxq",
  "modified": "2026-04-02T21:31:50Z",
  "published": "2024-07-30T00:34:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40799"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120908"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120909"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120910"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120911"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120912"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120914"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120915"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/120916"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214116"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214117"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214118"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214119"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214120"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214122"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214123"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT214124"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214116"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214117"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214118"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214119"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214120"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214122"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/kb/HT214124"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/16"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/17"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/18"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/19"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/20"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/21"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/22"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Jul/23"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHMH-RGMH-RF63

Vulnerability from github – Published: 2025-07-10 09:32 – Updated: 2025-11-19 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix invalid access to memory

In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error.

Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used.

Compile tested only.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-38292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:27Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix invalid access to memory\n\nIn ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean\nis_continuation is part of rxcb.\nCurrently, after freeing the skb, the rxcb-\u003eis_continuation accessed\nagain which is wrong since the memory is already freed.\nThis might lead use-after-free error.\n\nHence, fix by locally defining bool is_continuation from rxcb,\nso that after freeing skb, is_continuation can be used.\n\nCompile tested only.",
  "id": "GHSA-mhmh-rgmh-rf63",
  "modified": "2025-11-19T21:31:15Z",
  "published": "2025-07-10T09:32:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38292"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/371b340affa52f280f6eadfd25fbd43f09f0d5c0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5f09d16cd57764c95c8548fe5b70672c9ac01127"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f17747fbda6fca934854463873c4abf8061491d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHRH-92MR-7RW4

Vulnerability from github – Published: 2022-05-24 16:58 – Updated: 2022-05-24 16:58
VLAI
Details

There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-17595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-10-14T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.",
  "id": "GHSA-mhrh-92mr-7rw4",
  "modified": "2022-05-24T16:58:47Z",
  "published": "2022-05-24T16:58:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17595"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202101-28"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00059.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00061.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MHV6-G5V2-7RQ9

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

Google Chrome before 9.0.597.94 does not properly handle plug-ins, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-0984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-02-10T19:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Google Chrome before 9.0.597.94 does not properly handle plug-ins, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.",
  "id": "GHSA-mhv6-g5v2-7rq9",
  "modified": "2022-05-13T01:25:55Z",
  "published": "2022-05-13T01:25:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0984"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14719"
    },
    {
      "type": "WEB",
      "url": "http://code.google.com/p/chromium/issues/detail?id=69970"
    },
    {
      "type": "WEB",
      "url": "http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_08.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43342"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43368"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2166"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/46262"
    },
    {
      "type": "WEB",
      "url": "http://www.srware.net/forum/viewtopic.php?f=18\u0026t=2190"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0408"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MHW6-P52X-6VXV

Vulnerability from github – Published: 2026-05-21 15:34 – Updated: 2026-06-19 15:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler

t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes.

Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages.

Add a struct_size() check after extracting port_count and before the loop.

In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset.

Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T13:16:18Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler\n\nt7xx_port_enum_msg_handler() uses the modem-supplied port_count field as\na loop bound over port_msg-\u003edata[] without checking that the message buffer\ncontains sufficient data. A modem sending port_count=65535 in a 12-byte\nbuffer triggers a slab-out-of-bounds read of up to 262140 bytes.\n\nAdd a sizeof(*port_msg) check before accessing the port message header\nfields to guard against undersized messages.\n\nAdd a struct_size() check after extracting port_count and before the loop.\n\nIn t7xx_parse_host_rt_data(), guard the rt_feature header read with a\nremaining-buffer check before accessing data_len, validate feat_data_len\nagainst the actual remaining buffer to prevent OOB reads and signed\ninteger overflow on offset.\n\nPass msg_len from both call sites: skb-\u003elen at the DPMAIF path after\nskb_pull(), and the validated feat_data_len at the handshake path.",
  "id": "GHSA-mhw6-p52x-6vxv",
  "modified": "2026-06-19T15:33:10Z",
  "published": "2026-05-21T15:34:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43495"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/307c5d0f36a5c74042217136da5bfbd9f7504650"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/06/18/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHWG-RMWG-CHMJ

Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2022-05-13 01:25
VLAI
Details

Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the disasm function of the disasm/disasm.c file. Remote attackers could leverage this vulnerability to cause a denial of service or possibly have unspecified other impact via a crafted ELF file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10254"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-21T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Netwide Assembler (NASM) 2.13 has a stack-based buffer over-read in the disasm function of the disasm/disasm.c file. Remote attackers could leverage this vulnerability to cause a denial of service or possibly have unspecified other impact via a crafted ELF file.",
  "id": "GHSA-mhwg-rmwg-chmj",
  "modified": "2022-05-13T01:25:22Z",
  "published": "2022-05-13T01:25:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10254"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/nasm/bugs/561"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MHX8-VX97-XW6W

Vulnerability from github – Published: 2022-05-24 19:16 – Updated: 2022-05-24 19:16
VLAI
Details

Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CDR file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-38109"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-10-02T00:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Corel DrawStandard 2020 22.0.0.474 is affected by an Out-of-bounds Read vulnerability when parsing a crafted file. An unauthenticated attacker could leverage this vulnerability to access unauthorized system memory in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious CDR file.",
  "id": "GHSA-mhx8-vx97-xw6w",
  "modified": "2022-05-24T19:16:22Z",
  "published": "2022-05-24T19:16:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38109"
    },
    {
      "type": "WEB",
      "url": "https://www.fortiguard.com/zeroday/FG-VD-21-038"
    },
    {
      "type": "WEB",
      "url": "https://www.fortinet.com/blog/threat-research/fortinet-security-researcher-discovers-multiple-vulnerabilities-across-multiple-corel-products"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJ48-4FJ3-6FJG

Vulnerability from github – Published: 2023-10-20 09:30 – Updated: 2024-04-04 08:51
VLAI
Details

VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-34044"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-20T09:15:12Z",
    "severity": "MODERATE"
  },
  "details": "VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds \nread vulnerability that exists in the functionality for sharing host \nBluetooth devices with the virtual machine.\u00a0A malicious actor with local administrative privileges on a virtual \nmachine may be able to read privileged information contained in \nhypervisor memory from a virtual machine.",
  "id": "GHSA-mj48-4fj3-6fjg",
  "modified": "2024-04-04T08:51:15Z",
  "published": "2023-10-20T09:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34044"
    },
    {
      "type": "WEB",
      "url": "https://www.vmware.com/security/advisories/VMSA-2023-0022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ4R-RG7F-XJM2

Vulnerability from github – Published: 2022-05-14 02:05 – Updated: 2022-05-14 02:05
VLAI
Details

Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-5316"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-20T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Out-of-bounds read in the PixarLogCleanup function in tif_pixarlog.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application by sending a crafted TIFF image to the rgb2ycbcr tool.",
  "id": "GHSA-mj4r-rg7f-xjm2",
  "modified": "2022-05-14T02:05:04Z",
  "published": "2022-05-14T02:05:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5316"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201701-16"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-07/msg00087.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00060.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-09/msg00090.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3762"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/06/15/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/91203"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJ66-HGQF-6QQW

Vulnerability from github – Published: 2022-08-26 00:03 – Updated: 2022-08-28 00:00
VLAI
Details

A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-125"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-25T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A heap-based buffer over-read was discovered in the acc_ua_get_be32 function in miniacc.h in UPX 4.0.0 via a crafted Mach-O file.",
  "id": "GHSA-mj66-hgqf-6qqw",
  "modified": "2022-08-28T00:00:28Z",
  "published": "2022-08-26T00:03:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27799"
    },
    {
      "type": "WEB",
      "url": "https://github.com/upx/upx/issues/391"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Architecture and Design

Strategy: Language Selection

Use a language that provides appropriate memory abstractions.

CAPEC-540: Overread Buffers

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.