CWE-125
AllowedOut-of-bounds Read
Abstraction: Base · Status: Draft
The product reads data past the end, or before the beginning, of the intended buffer.
11292 vulnerabilities reference this CWE, most recent first.
GHSA-MQP7-V9G4-4XGH
Vulnerability from github – Published: 2022-05-14 01:57 – Updated: 2022-05-14 01:57An issue was discovered in libgig 4.1.0. There is a heap-based buffer over-read in RIFF::List::GetListTypeString in RIFF.cpp.
{
"affected": [],
"aliases": [
"CVE-2018-18196"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-09T20:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in libgig 4.1.0. There is a heap-based buffer over-read in RIFF::List::GetListTypeString in RIFF.cpp.",
"id": "GHSA-mqp7-v9g4-4xgh",
"modified": "2022-05-14T01:57:26Z",
"published": "2022-05-14T01:57:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18196"
},
{
"type": "WEB",
"url": "https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQR4-49MQ-6JGP
Vulnerability from github – Published: 2021-12-27 00:01 – Updated: 2022-01-11 00:02MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.
{
"affected": [],
"aliases": [
"CVE-2021-32467"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-26T00:15:00Z",
"severity": "HIGH"
},
"details": "MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected Setup) protocol.",
"id": "GHSA-mqr4-49mq-6jgp",
"modified": "2022-01-11T00:02:09Z",
"published": "2021-12-27T00:01:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32467"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/January-2022"
},
{
"type": "WEB",
"url": "https://kb.netgear.com/000064368/Security-Advisory-for-WiFi-WPS-and-IEEE-1905-Vulnerabilities-on-Multiple-Products-PSV-2021-0298-PSV-2021-0300"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MQR4-8JM7-G4JJ
Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59Adobe Flash Player 30.0.0.113 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
{
"affected": [],
"aliases": [
"CVE-2018-5008"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-20T19:29:00Z",
"severity": "HIGH"
},
"details": "Adobe Flash Player 30.0.0.113 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.",
"id": "GHSA-mqr4-8jm7-g4jj",
"modified": "2022-05-14T02:59:17Z",
"published": "2022-05-14T02:59:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5008"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2175"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/flash-player/apsb18-24.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104698"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041248"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MQR6-4HMW-HQMW
Vulnerability from github – Published: 2022-05-24 17:01 – Updated: 2022-05-24 17:01Buffer over-read can occur in fast message handler due to improper input validation while processing a message from firmware in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music in APQ8053, APQ8096AU, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, SDA660, SDM636, SDM660, SDX20, SDX24
{
"affected": [],
"aliases": [
"CVE-2019-10563"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-21T15:15:00Z",
"severity": "MODERATE"
},
"details": "Buffer over-read can occur in fast message handler due to improper input validation while processing a message from firmware in Snapdragon Auto, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music in APQ8053, APQ8096AU, MSM8996AU, MSM8998, QCN7605, QCS405, QCS605, SDA660, SDM636, SDM660, SDX20, SDX24",
"id": "GHSA-mqr6-4hmw-hqmw",
"modified": "2022-05-24T17:01:39Z",
"published": "2022-05-24T17:01:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10563"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2019-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MQW8-Q64P-6837
Vulnerability from github – Published: 2023-01-07 00:30 – Updated: 2025-02-13 18:31Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to an Out-of-Bounds Read when when parsing DGN files, which may allow an attacker to crash the product, disclose sensitive information, or execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2022-41613"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-06T22:15:00Z",
"severity": "HIGH"
},
"details": "Bentley Systems MicroStation Connect versions 10.17.0.209 and prior are vulnerable to an Out-of-Bounds Read when when parsing DGN files, which may allow an attacker to crash the product, disclose sensitive information, or execute arbitrary code.",
"id": "GHSA-mqw8-q64p-6837",
"modified": "2025-02-13T18:31:21Z",
"published": "2023-01-07T00:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41613"
},
{
"type": "WEB",
"url": "https://www.bentley.com/advisories/be-2023-0003"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-293-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MQXR-GWW5-9JHP
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-11-16 12:00Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.
{
"affected": [],
"aliases": [
"CVE-2020-12783"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "Exim through 4.93 has an out-of-bounds read in the SPA authenticator that could result in SPA/NTLM authentication bypass in auths/spa.c and auths/auth-spa.c.",
"id": "GHSA-mqxr-gww5-9jhp",
"modified": "2022-11-16T12:00:19Z",
"published": "2022-05-24T17:17:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12783"
},
{
"type": "WEB",
"url": "https://bugs.exim.org/show_bug.cgi?id=2571"
},
{
"type": "WEB",
"url": "https://git.exim.org/exim.git/commit/57aa14b216432be381b6295c312065b2fd034f86"
},
{
"type": "WEB",
"url": "https://git.exim.org/exim.git/commit/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00017.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6IQQ2SERFUD4WMRSX6XYDNK7Q4GPT7Y"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7Z5UG6ZIG32V7M4PP3BCC65C27EWK7G"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4366-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4687"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/05/04/7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MR2M-94CP-78P5
Vulnerability from github – Published: 2022-05-14 03:42 – Updated: 2022-05-14 03:42Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 have a out-of-bounds read vulnerability. Due to insufficient input validation, an authenticated, remote attacker could send malformed SOAP packets to the target device. Successful exploit could make the device access invalid memory and might reset a process.
{
"affected": [],
"aliases": [
"CVE-2017-17185"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-15T16:29:00Z",
"severity": "MODERATE"
},
"details": "Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R001C10, V500R002C00, V600R006C00, TE40 V500R002C00, V600R006C00, TE50 V500R002C00, V600R006C00, TE60 V100R001C10, V500R002C00, V600R006C00 have a out-of-bounds read vulnerability. Due to insufficient input validation, an authenticated, remote attacker could send malformed SOAP packets to the target device. Successful exploit could make the device access invalid memory and might reset a process.",
"id": "GHSA-mr2m-94cp-78p5",
"modified": "2022-05-14T03:42:20Z",
"published": "2022-05-14T03:42:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17185"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20180207-01-soap-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-MR55-PXWP-33RP
Vulnerability from github – Published: 2022-04-19 00:00 – Updated: 2022-04-24 00:00Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_vertex() vh->sfaces_last().
{
"affected": [],
"aliases": [
"CVE-2020-28617"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-18T17:15:00Z",
"severity": "HIGH"
},
"details": "Multiple code execution vulnerabilities exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger any of these vulnerabilities. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser\u003cEW\u003e::read_vertex() vh-\u003esfaces_last().",
"id": "GHSA-mr55-pxwp-33rp",
"modified": "2022-04-24T00:00:31Z",
"published": "2022-04-19T00:00:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28617"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-34"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR66-QFPC-4H9R
Vulnerability from github – Published: 2024-07-29 09:36 – Updated: 2025-11-03 18:31In the Linux kernel, the following vulnerability has been resolved:
xfs: don't walk off the end of a directory data block
This adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry to make sure don't stray beyond valid memory region. Before patching, the loop simply checks that the start offset of the dup and dep is within the range. So in a crafted image, if last entry is xfs_dir2_data_unused, we can change dup->length to dup->length-1 and leave 1 byte of space. In the next traversal, this space will be considered as dup or dep. We may encounter an out of bound read when accessing the fixed members.
In the patch, we make sure that the remaining bytes large enough to hold an unused entry before accessing xfs_dir2_data_unused and xfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make sure that the remaining bytes large enough to hold a dirent with a single-byte name before accessing xfs_dir2_data_entry.
{
"affected": [],
"aliases": [
"CVE-2024-41013"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-29T07:15:05Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfs: don\u0027t walk off the end of a directory data block\n\nThis adds sanity checks for xfs_dir2_data_unused and xfs_dir2_data_entry\nto make sure don\u0027t stray beyond valid memory region. Before patching, the\nloop simply checks that the start offset of the dup and dep is within the\nrange. So in a crafted image, if last entry is xfs_dir2_data_unused, we\ncan change dup-\u003elength to dup-\u003elength-1 and leave 1 byte of space. In the\nnext traversal, this space will be considered as dup or dep. We may\nencounter an out of bound read when accessing the fixed members.\n\nIn the patch, we make sure that the remaining bytes large enough to hold\nan unused entry before accessing xfs_dir2_data_unused and\nxfs_dir2_data_unused is XFS_DIR2_DATA_ALIGN byte aligned. We also make\nsure that the remaining bytes large enough to hold a dirent with a\nsingle-byte name before accessing xfs_dir2_data_entry.",
"id": "GHSA-mr66-qfpc-4h9r",
"modified": "2025-11-03T18:31:14Z",
"published": "2024-07-29T09:36:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41013"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0c7fcdb6d06cdf8b19b57c17605215b06afa864a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b0932e4f9da85349d1c8f2a77d2a7a7163b8511d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca96d83c93071f95cf962ce92406621a472df31b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MR68-GQXJ-CFM9
Vulnerability from github – Published: 2025-08-16 15:30 – Updated: 2025-11-18 18:32In the Linux kernel, the following vulnerability has been resolved:
ksmbd: fix out-of-bound read in smb2_write
ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If ->NextCommand is bigger than Offset + Length of smb2 write, It will allow oversized smb2 write length. It will cause OOB read in smb2_write.
{
"affected": [],
"aliases": [
"CVE-2023-3865"
],
"database_specific": {
"cwe_ids": [
"CWE-125"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-16T14:15:27Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix out-of-bound read in smb2_write\n\nksmbd_smb2_check_message doesn\u0027t validate hdr-\u003eNextCommand. If\n-\u003eNextCommand is bigger than Offset + Length of smb2 write, It will\nallow oversized smb2 write length. It will cause OOB read in smb2_write.",
"id": "GHSA-mr68-gqxj-cfm9",
"modified": "2025-11-18T18:32:49Z",
"published": "2025-08-16T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3865"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3813eee5154d6a4c5875cb4444cb2b63bac8947f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/58a9c41064df27632e780c5a3ae3e0e4284957d1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5fe7f7b78290638806211046a99f031ff26164e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c86211159bc3178b891e0d60e586a32c7b6a231b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Mitigation
Strategy: Language Selection
Use a language that provides appropriate memory abstractions.
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.