CWE-126
AllowedBuffer Over-read
Abstraction: Variant · Status: Draft
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
853 vulnerabilities reference this CWE, most recent first.
GHSA-CFFX-CF3X-MR9H
Vulnerability from github – Published: 2024-02-06 06:30 – Updated: 2024-02-06 06:30Transient DOS while parse fils IE with length equal to 1.
{
"affected": [],
"aliases": [
"CVE-2023-43536"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-06T06:16:03Z",
"severity": "HIGH"
},
"details": "Transient DOS while parse fils IE with length equal to 1.",
"id": "GHSA-cffx-cf3x-mr9h",
"modified": "2024-02-06T06:30:32Z",
"published": "2024-02-06T06:30:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43536"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/february-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CM2M-F7GC-HV64
Vulnerability from github – Published: 2024-04-04 15:30 – Updated: 2024-07-14 21:30A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.
{
"affected": [],
"aliases": [
"CVE-2024-31082"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-04T14:15:10Z",
"severity": "HIGH"
},
"details": "A heap-based buffer over-read vulnerability was found in the X.org server\u0027s ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker\u0027s inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads.",
"id": "GHSA-cm2m-f7gc-hv64",
"modified": "2024-07-14T21:30:37Z",
"published": "2024-04-04T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31082"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-31082"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2271999"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2024-April/003497.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/03/13"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/04/12/10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CP75-95Q9-G954
Vulnerability from github – Published: 2026-01-07 12:31 – Updated: 2026-01-07 12:31Transient DOS while parsing video packets received from the video firmware.
{
"affected": [],
"aliases": [
"CVE-2025-47330"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-07T12:17:02Z",
"severity": "MODERATE"
},
"details": "Transient DOS while parsing video packets received from the video firmware.",
"id": "GHSA-cp75-95q9-g954",
"modified": "2026-01-07T12:31:23Z",
"published": "2026-01-07T12:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47330"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CQ94-7HFR-HGR8
Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30Information disclosure when Video engine escape input data is less than expected minimum size.
{
"affected": [],
"aliases": [
"CVE-2025-27036"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T16:15:35Z",
"severity": "MODERATE"
},
"details": "Information disclosure when Video engine escape input data is less than expected minimum size.",
"id": "GHSA-cq94-7hfr-hgr8",
"modified": "2025-09-24T18:30:30Z",
"published": "2025-09-24T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27036"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CRJ7-7VC6-G6G3
Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-15 21:31A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).
When an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer. This issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:
[ protocols bgp ... disable-4byte-as ]
Established BGP sessions can be checked by executing:
show bgp neighbor | match "4 byte AS"
This issue affects:
Junos OS:
- all versions before 22.4R3-S8,
- 23.2 versions before 23.2R2-S5,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S2,
- 24.4 versions before 24.4R2;
Junos OS Evolved:
- all versions before 22.4R3-S8-EVO,
- 23.2 versions before 23.2R2-S5-EVO,
- 23.4 versions before 23.4R2-S6-EVO,
- 24.2 versions before 24.2R2-S2-EVO,
- 24.4 versions before 24.4R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2025-60003"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T21:16:03Z",
"severity": "HIGH"
},
"details": "A Buffer Over-read vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS).\n\nWhen an affected device receives a BGP update with a set of specific optional transitive attributes over an established peering session, rpd will crash and restart when attempting to advertise the received information to another peer.\nThis issue can only happen if one or both of the BGP peers of the receiving session are non-4-byte-AS capable as determined from the advertised capabilities during BGP session establishment. Junos OS and Junos OS Evolved default behavior is 4-byte-AS capable unless this has been specifically disabled by configuring:\n\n[ protocols bgp ...\u00a0disable-4byte-as\u00a0]\n\n\nEstablished BGP sessions can be checked by executing:\n\nshow bgp neighbor \u003cIP address\u003e | match \"4 byte AS\"\n\n\nThis issue affects:\n\nJunos OS:\u00a0\n\n * all versions before 22.4R3-S8,\n * 23.2 versions before 23.2R2-S5,\n * 23.4 versions before 23.4R2-S6,\n * 24.2 versions before 24.2R2-S2,\n * 24.4 versions before 24.4R2;\n\n\nJunos OS Evolved:\u00a0\n\n * all versions before 22.4R3-S8-EVO,\n * 23.2 versions before 23.2R2-S5-EVO,\n * 23.4 versions before 23.4R2-S6-EVO,\n * 24.2 versions before 24.2R2-S2-EVO,\n * 24.4 versions before 24.4R2-EVO.",
"id": "GHSA-crj7-7vc6-g6g3",
"modified": "2026-01-15T21:31:47Z",
"published": "2026-01-15T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60003"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA103166"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-CV8X-5CWW-P4PF
Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver.
{
"affected": [],
"aliases": [
"CVE-2023-33116"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T06:15:12Z",
"severity": "HIGH"
},
"details": "Transient DOS while parsing ieee80211_parse_mscs_ie in WIN WLAN driver.",
"id": "GHSA-cv8x-5cww-p4pf",
"modified": "2024-01-02T06:30:31Z",
"published": "2024-01-02T06:30:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33116"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CVQV-3452-5Q34
Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26Information disclosure in modem due to improper input validation during parsing of upcoming CoAP message
{
"affected": [],
"aliases": [
"CVE-2022-25747"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T07:15:00Z",
"severity": "HIGH"
},
"details": "Information disclosure in modem due to improper input validation during parsing of upcoming CoAP message",
"id": "GHSA-cvqv-3452-5q34",
"modified": "2024-04-04T03:26:52Z",
"published": "2023-04-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25747"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CW34-GW9H-RXC6
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30Windows Remote Access Connection Manager Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-28900"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T17:15:48Z",
"severity": "MODERATE"
},
"details": "Windows Remote Access Connection Manager Information Disclosure Vulnerability",
"id": "GHSA-cw34-gw9h-rxc6",
"modified": "2024-04-09T18:30:26Z",
"published": "2024-04-09T18:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28900"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28900"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CWPG-8775-J56V
Vulnerability from github – Published: 2024-02-21 00:31 – Updated: 2025-02-12 18:31In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).
{
"affected": [],
"aliases": [
"CVE-2023-6936"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T22:15:08Z",
"severity": "MODERATE"
},
"details": "In wolfSSL prior to 5.6.6, if callback functions are enabled (via the WOLFSSL_CALLBACKS flag), then a malicious TLS client or network attacker can trigger a buffer over-read on the heap of 5 bytes (WOLFSSL_CALLBACKS is only intended for debugging).",
"id": "GHSA-cwpg-8775-j56v",
"modified": "2025-02-12T18:31:27Z",
"published": "2024-02-21T00:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6936"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/pull/6949"
},
{
"type": "WEB",
"url": "https://www.wolfssl.com/docs/security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CX3H-4QPV-8HC9
Vulnerability from github – Published: 2026-06-12 18:30 – Updated: 2026-06-12 18:30Summary
Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.
The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.
Mitigations
This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tornado"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49854"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T18:30:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nTornado\u0027s optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.\n\nThe behavior is reachable from Tornado\u0027s XSRF token decoder when `xsrf_cookies=True` and the native extension is active. \n\n### Mitigations\n\nThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).",
"id": "GHSA-cx3h-4qpv-8hc9",
"modified": "2026-06-12T18:30:19Z",
"published": "2026-06-12T18:30:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9"
},
{
"type": "PACKAGE",
"url": "https://github.com/tornadoweb/tornado"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tornado has out-of-bounds memory access via C extension"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.