CWE-126
AllowedBuffer Over-read
Abstraction: Variant · Status: Draft
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
854 vulnerabilities reference this CWE, most recent first.
GHSA-CX3H-4QPV-8HC9
Vulnerability from github – Published: 2026-06-12 18:30 – Updated: 2026-06-12 18:30Summary
Tornado's optional native extension tornado.speedups implements websocket_mask without validating that the mask argument is exactly four bytes long. The C function reads four bytes from mask unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.
The behavior is reachable from Tornado's XSRF token decoder when xsrf_cookies=True and the native extension is active.
Mitigations
This bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tornado"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.5.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49854"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T18:30:19Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nTornado\u0027s optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string. This can read beyond the provided buffer, exposing up to 3 bytes of uninitialized memory.\n\nThe behavior is reachable from Tornado\u0027s XSRF token decoder when `xsrf_cookies=True` and the native extension is active. \n\n### Mitigations\n\nThis bug is fixed in Tornado 6.5.6. Prior to upgrading to this version, setting the environment variable TORNADO_EXTENSION=0 will disable the vulnerable code (at the expense of reducing websocket performance).",
"id": "GHSA-cx3h-4qpv-8hc9",
"modified": "2026-06-12T18:30:19Z",
"published": "2026-06-12T18:30:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/security/advisories/GHSA-cx3h-4qpv-8hc9"
},
{
"type": "PACKAGE",
"url": "https://github.com/tornadoweb/tornado"
},
{
"type": "WEB",
"url": "https://github.com/tornadoweb/tornado/releases/tag/v6.5.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Tornado has out-of-bounds memory access via C extension"
}
GHSA-CX43-QJ46-J7WR
Vulnerability from github – Published: 2022-04-08 00:00 – Updated: 2022-04-19 00:01A remote, authenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver and the CODESYS Control runtime system.
{
"affected": [],
"aliases": [
"CVE-2022-22519"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-07T19:15:00Z",
"severity": "MODERATE"
},
"details": "A remote, authenticated attacker can send a specific crafted HTTP or HTTPS requests causing a buffer over-read resulting in a crash of the webserver and the CODESYS Control runtime system.",
"id": "GHSA-cx43-qj46-j7wr",
"modified": "2022-04-19T00:01:33Z",
"published": "2022-04-08T00:00:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22519"
},
{
"type": "WEB",
"url": "https://customers.codesys.com/index.php?eID=dumpFile\u0026t=f\u0026f=17094\u0026token=2fb188e2213c74194e81ba61ff99f1c68602ba4d\u0026download="
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXCM-VGV2-MQ4G
Vulnerability from github – Published: 2024-01-02 06:30 – Updated: 2024-01-02 06:30Transient DOS in WLAN Firmware while parsing a BTM request.
{
"affected": [],
"aliases": [
"CVE-2023-33062"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T06:15:10Z",
"severity": "HIGH"
},
"details": "Transient DOS in WLAN Firmware while parsing a BTM request.",
"id": "GHSA-cxcm-vgv2-mq4g",
"modified": "2024-01-02T06:30:30Z",
"published": "2024-01-02T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33062"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/january-2024-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-CXVV-P2XR-R2M8
Vulnerability from github – Published: 2023-09-04 18:30 – Updated: 2023-09-04 18:30Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.
{
"affected": [],
"aliases": [
"CVE-2023-4758"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-04T16:15:08Z",
"severity": "MODERATE"
},
"details": "Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.",
"id": "GHSA-cxvv-p2xr-r2m8",
"modified": "2023-09-04T18:30:25Z",
"published": "2023-09-04T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4758"
},
{
"type": "WEB",
"url": "https://github.com/gpac/gpac/commit/193633b1648582444fc99776cd741d7ba0125e86"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/2f496261-1090-45ac-bc89-cc93c82090d6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-F2W3-QVQC-X7RQ
Vulnerability from github – Published: 2024-09-10 18:30 – Updated: 2024-09-10 18:30Microsoft Windows Admin Center Information Disclosure Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-43475"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-10T17:15:35Z",
"severity": "HIGH"
},
"details": "Microsoft Windows Admin Center Information Disclosure Vulnerability",
"id": "GHSA-f2w3-qvqc-x7rq",
"modified": "2024-09-10T18:30:47Z",
"published": "2024-09-10T18:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43475"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43475"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F4P6-W7PH-5GQM
Vulnerability from github – Published: 2025-04-07 12:33 – Updated: 2025-04-07 12:33Transient DOS may occur while parsing SSID in action frames.
{
"affected": [],
"aliases": [
"CVE-2025-21448"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T11:15:53Z",
"severity": "HIGH"
},
"details": "Transient DOS may occur while parsing SSID in action frames.",
"id": "GHSA-f4p6-w7ph-5gqm",
"modified": "2025-04-07T12:33:19Z",
"published": "2025-04-07T12:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21448"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F4WH-W575-W6C3
Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.
{
"affected": [],
"aliases": [
"CVE-2024-33026"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-05T15:15:52Z",
"severity": "HIGH"
},
"details": "Transient DOS while parsing probe response and assoc response frame when received frame length is less than max size of timestamp.",
"id": "GHSA-f4wh-w575-w6c3",
"modified": "2024-08-05T15:30:53Z",
"published": "2024-08-05T15:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33026"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-F5RX-W2R6-VXR8
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-10-08 00:00A vulnerability has been identified in JT2Go (All versions < V13.2), Teamcenter Visualization (All versions < V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13344)
{
"affected": [],
"aliases": [
"CVE-2021-34308"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T11:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in JT2Go (All versions \u003c V13.2), Teamcenter Visualization (All versions \u003c V13.2). The BMP_Loader.dll library in affected applications lacks proper validation of user-supplied data when parsing BMP files. This could result in an out of bounds read past the end of an allocated buffer. An attacker could leverage this vulnerability to leak information in the context of the current process. (ZDI-CAN-13344)",
"id": "GHSA-f5rx-w2r6-vxr8",
"modified": "2022-10-08T00:00:18Z",
"published": "2022-05-24T19:07:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34308"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-483182.pdf"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-21-837"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F8XC-GMQX-V9FH
Vulnerability from github – Published: 2026-05-14 15:31 – Updated: 2026-05-14 15:31Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.
{
"affected": [],
"aliases": [
"CVE-2026-6575"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T14:16:25Z",
"severity": "MODERATE"
},
"details": "Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.",
"id": "GHSA-f8xc-gmqx-v9fh",
"modified": "2026-05-14T15:31:58Z",
"published": "2026-05-14T15:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6575"
},
{
"type": "WEB",
"url": "https://www.postgresql.org/support/security/CVE-2026-6575"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-F9FC-826Q-M9W2
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2026-42828"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:08Z",
"severity": "HIGH"
},
"details": "Buffer over-read in Windows Projected File System Filter Driver allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-f9fc-826q-m9w2",
"modified": "2026-06-09T18:30:43Z",
"published": "2026-06-09T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42828"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42828"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.