CWE-131
AllowedIncorrect Calculation of Buffer Size
Abstraction: Base · Status: Draft
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
270 vulnerabilities reference this CWE, most recent first.
GHSA-JFP7-4J67-8R3Q
Vulnerability from github – Published: 2021-05-21 14:22 – Updated: 2024-10-30 23:19Impact
An attacker can trigger a heap buffer overflow in tf.raw_ops.QuantizedResizeBilinear by manipulating input values so that float rounding results in off-by-one error in accessing image elements:
import tensorflow as tf
l = [256, 328, 361, 17, 361, 361, 361, 361, 361, 361, 361, 361, 361, 361, 384]
images = tf.constant(l, shape=[1, 1, 15, 1], dtype=tf.qint32)
size = tf.constant([12, 6], shape=[2], dtype=tf.int32)
min = tf.constant(80.22522735595703)
max = tf.constant(80.39215850830078)
tf.raw_ops.QuantizedResizeBilinear(images=images, size=size, min=min, max=max,
align_corners=True, half_pixel_centers=True)
This is because the implementation computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value:
const float in_f = std::floor(in);
interpolation->lower[i] = std::max(static_cast<int64>(in_f), static_cast<int64>(0));
interpolation->upper[i] = std::min(static_cast<int64>(std::ceil(in)), in_size - 1);
For some values of in, interpolation->upper[i] might be smaller than interpolation->lower[i]. This is an issue if interpolation->upper[i] is capped at in_size-1 as it means that interpolation->lower[i] points outside of the image. Then, in the interpolation code, this would result in heap buffer overflow:
template <int RESOLUTION, typename T, typename T_SCALE, typename T_CALC>
inline void OutputLerpForChannels(const InterpolationCache<T_SCALE>& xs,
const int64 x, const T_SCALE ys_ilerp,
const int channels, const float min,
const float max, const T* ys_input_lower_ptr,
const T* ys_input_upper_ptr,
T* output_y_ptr) {
const int64 xs_lower = xs.lower[x];
...
for (int c = 0; c < channels; ++c) {
const T top_left = ys_input_lower_ptr[xs_lower + c];
...
}
}
For the other cases where interpolation->upper[i] is smaller than interpolation->lower[i], we can set them to be equal without affecting the output.
Patches
We have patched the issue in GitHub commit f851613f8f0fb0c838d160ced13c134f778e3ce7.
The fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-29529"
],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-193"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-18T23:06:25Z",
"nvd_published_at": "2021-05-14T20:15:00Z",
"severity": "LOW"
},
"details": "### Impact\nAn attacker can trigger a heap buffer overflow in `tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements:\n\n```python\nimport tensorflow as tf\n\nl = [256, 328, 361, 17, 361, 361, 361, 361, 361, 361, 361, 361, 361, 361, 384]\nimages = tf.constant(l, shape=[1, 1, 15, 1], dtype=tf.qint32)\nsize = tf.constant([12, 6], shape=[2], dtype=tf.int32)\nmin = tf.constant(80.22522735595703)\nmax = tf.constant(80.39215850830078)\n\ntf.raw_ops.QuantizedResizeBilinear(images=images, size=size, min=min, max=max,\n align_corners=True, half_pixel_centers=True)\n```\n\nThis is because the [implementation](https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L62-L66) computes two integers (representing the upper and lower bounds for interpolation) by ceiling and flooring a floating point value:\n\n```cc\nconst float in_f = std::floor(in);\ninterpolation-\u003elower[i] = std::max(static_cast\u003cint64\u003e(in_f), static_cast\u003cint64\u003e(0));\ninterpolation-\u003eupper[i] = std::min(static_cast\u003cint64\u003e(std::ceil(in)), in_size - 1);\n```\n \nFor some values of `in`, `interpolation-\u003eupper[i]` might be smaller than `interpolation-\u003elower[i]`. This is an issue if `interpolation-\u003eupper[i]` is capped at `in_size-1` as it means that `interpolation-\u003elower[i]` points outside of the image. Then, [in the interpolation code](https://github.com/tensorflow/tensorflow/blob/44b7f486c0143f68b56c34e2d01e146ee445134a/tensorflow/core/kernels/quantized_resize_bilinear_op.cc#L245-L264), this would result in heap buffer overflow:\n\n```cc\ntemplate \u003cint RESOLUTION, typename T, typename T_SCALE, typename T_CALC\u003e\ninline void OutputLerpForChannels(const InterpolationCache\u003cT_SCALE\u003e\u0026 xs,\n const int64 x, const T_SCALE ys_ilerp,\n const int channels, const float min,\n const float max, const T* ys_input_lower_ptr,\n const T* ys_input_upper_ptr,\n T* output_y_ptr) {\n const int64 xs_lower = xs.lower[x];\n ...\n for (int c = 0; c \u003c channels; ++c) {\n const T top_left = ys_input_lower_ptr[xs_lower + c];\n ...\n }\n}\n```\n\nFor the other cases where `interpolation-\u003eupper[i]` is smaller than `interpolation-\u003elower[i]`, we can set them to be equal without affecting the output.\n\n### Patches\nWe have patched the issue in GitHub commit [f851613f8f0fb0c838d160ced13c134f778e3ce7](https://github.com/tensorflow/tensorflow/commit/f851613f8f0fb0c838d160ced13c134f778e3ce7).\n\nThe fix will be included in TensorFlow 2.5.0. We will also cherrypick this commit on TensorFlow 2.4.2, TensorFlow 2.3.3, TensorFlow 2.2.3 and TensorFlow 2.1.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Ying Wang and Yakun Zhang of Baidu X-Team.",
"id": "GHSA-jfp7-4j67-8r3q",
"modified": "2024-10-30T23:19:12Z",
"published": "2021-05-21T14:22:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-jfp7-4j67-8r3q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29529"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/f851613f8f0fb0c838d160ced13c134f778e3ce7"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-457.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-655.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-166.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Heap buffer overflow caused by rounding"
}
GHSA-JGWX-G3H6-CG8J
Vulnerability from github – Published: 2025-10-09 06:30 – Updated: 2025-10-09 06:30Memory corruption during PlayReady APP usecase while processing TA commands.
{
"affected": [],
"aliases": [
"CVE-2025-27053"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-09T04:16:44Z",
"severity": "HIGH"
},
"details": "Memory corruption during PlayReady APP usecase while processing TA commands.",
"id": "GHSA-jgwx-g3h6-cg8j",
"modified": "2025-10-09T06:30:24Z",
"published": "2025-10-09T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27053"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/october-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JH5W-4GPM-R5XW
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
libceph: Fix potential out-of-bounds access in crush_decode()
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing.
This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().
{
"affected": [],
"aliases": [
"CVE-2026-52955"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:05Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibceph: Fix potential out-of-bounds access in crush_decode()\n\nA message of type CEPH_MSG_OSD_MAP containing a crush map with at least\none bucket has two fields holding the bucket algorithm. If the values\nin these two fields differ, an out-of-bounds access can occur. This is\nthe case because the first algorithm field (alg) is used to allocate\nthe correct amount of memory for a bucket of this type, while the second\nalgorithm field inside the bucket (b-\u003ealg) is used in the subsequent\nprocessing.\n\nThis patch fixes the issue by adding a check that compares alg and\nb-\u003ealg and aborts the processing in case they differ. Furthermore,\nb-\u003ealg is set to 0 in this case, because the destruction of the crush\nmap also uses this field to determine the bucket type, which can again\nresult in an out-of-bounds access when trying to free the memory pointed\nto by the fields of the bucket. To correctly free the memory allocated\nfor the bucket in such a case, the corresponding call to kfree is moved\nfrom the algorithm-specific crush_destroy_bucket functions to the\ngeneric crush_destroy_bucket().",
"id": "GHSA-jh5w-4gpm-r5xw",
"modified": "2026-06-30T03:37:11Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52955"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52955"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492328"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0f3604cbe4df14c5e58288ac9f57511e726a222d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3f42508191e129ee6b5ea96578d5cab14f2a013a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4c79fc2d598694bda845b46229c9d48b65042970"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e70ef53e818c53eab28d7b0026b7fd03dddaba5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cceb10023e76bc89f3fe9238ebd0ccab0fc7c7c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea0d42137f0c06da71e37ffc647aab4c5309599a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ebe76d58a48a48031b98543d86c4cd30a825b622"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fb176a99e4c1a5a8448a83d83d3606203ba81faa"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52955.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJ7C-X25R-R8R3
Vulnerability from github – Published: 2026-04-21 20:16 – Updated: 2026-04-27 16:29Description
Noir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in BrilligBlock::compile_block(). When the compiler encounters an Instruction::Call with a Value::ForeignFunction target, it invokes codegen_call() in brillig_call/code_gen_call.rs, which dispatches to convert_ssa_foreign_call().
Before emitting the foreign call opcode, the compiler must pre-allocate memory for any array results the call will return. This happens through allocate_external_call_results(), which iterates over the result types. For Type::Array results, it delegates to allocate_foreign_call_result_array() to recursively allocate memory on the heap for nested arrays.
The BrilligArray struct is the internal representation of a Noir array in Brillig IR. Its size field represents the semi-flattened size, the total number of memory slots the array occupies, accounting for the fact that composite types like tuples consume multiple slots per element. This size is computed by compute_array_length() in brillig_block_variables.rs:
pub(crate) fn compute_array_length(item_typ: &CompositeType, elem_count: usize) -> usize {
item_typ.len() * elem_count
}
For the outer array, allocate_external_call_results() correctly uses define_variable(), which internally calls allocate_value_with_type(). This function applies the formula above, producing the correct semi-flattened size.
However, for nested arrays, allocate_foreign_call_result_array() contains a bug. When it encounters a nested Type::Array(types, nested_size), it calls:
Type::Array(_, nested_size) => {
let inner_array = self.brillig_context.allocate_brillig_array(*nested_size as usize);
// ....
}
The pattern Type::Array(_, nested_size) discards the inner types with _ and uses only nested_size, the semantic length of the nested array (the number of logical elements), not the semi-flattened size. For simple element types this works correctly, but for composite element types it under-allocates. Consider a nested array of type [(u32, u32); 3]:
- Semantic length: 3 (three tuples)
- Element size: 2 (each tuple has two fields)
- Required semi-flattened size: 6 memory slots
The current code passes 3 to allocate_brillig_array(), which then calls codegen_initialize_array(). This function allocates array.size + ARRAY_META_COUNT slots, only 4 slots instead of the required 7 (6 data + 1 metadata). When the VM executes the foreign call and writes 6 values plus metadata, it overwrites adjacent heap memory.
Impact
Foreign calls returning nested arrays of tuples or other composite types corrupt the Brillig VM heap.
Recommendation
Multiply the semantic length by the number of element types when allocating nested arrays. Extract the inner types from the pattern and replace the nested_size argument to allocate_brillig_array() with types.len() * nested_size to compute the semi-flattened size. Alternatively, reuse the existing compute_array_length() helper function to maintain consistency with outer array allocation.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.0-beta.18"
},
"package": {
"ecosystem": "crates.io",
"name": "brillig"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-beta.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41197"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T20:16:09Z",
"nvd_published_at": "2026-04-23T02:16:18Z",
"severity": "CRITICAL"
},
"details": "## Description\n\nNoir programs can invoke external functions through foreign calls. When compiling to Brillig bytecode, the SSA instructions are processed block-by-block in `BrilligBlock::compile_block()`. When the compiler encounters an `Instruction::Call` with a `Value::ForeignFunction` target, it invokes `codegen_call()` in `brillig_call/code_gen_call.rs`, which dispatches to `convert_ssa_foreign_call()`.\n\nBefore emitting the foreign call opcode, the compiler must pre-allocate memory for any array results the call will return. This happens through `allocate_external_call_results()`, which iterates over the result types. For `Type::Array` results, it delegates to `allocate_foreign_call_result_array()` to recursively allocate memory on the heap for nested arrays.\n\nThe `BrilligArray` struct is the internal representation of a Noir array in Brillig IR. Its `size` field represents the **semi-flattened size**, the total number of memory slots the array occupies, accounting for the fact that composite types like tuples consume multiple slots per element. This size is computed by `compute_array_length()` in `brillig_block_variables.rs`:\n\n```rust\npub(crate) fn compute_array_length(item_typ: \u0026CompositeType, elem_count: usize) -\u003e usize {\n item_typ.len() * elem_count\n}\n```\n\nFor the **outer** array, `allocate_external_call_results()` correctly uses `define_variable()`, which internally calls `allocate_value_with_type()`. This function applies the formula above, producing the correct semi-flattened size.\n\nHowever, for **nested** arrays, `allocate_foreign_call_result_array()` contains a bug. When it encounters a nested `Type::Array(types, nested_size)`, it calls:\n\n```rust\nType::Array(_, nested_size) =\u003e { \n\tlet inner_array = self.brillig_context.allocate_brillig_array(*nested_size as usize);\n\t// ....\n}\n```\n\nThe pattern `Type::Array(_, nested_size)` discards the inner types with `_` and uses only `nested_size`, the **semantic length** of the nested array (the number of logical elements), not the semi-flattened size. For simple element types this works correctly, but for composite element types it under-allocates. Consider a nested array of type `[(u32, u32); 3]`:\n\n- Semantic length: 3 (three tuples)\n- Element size: 2 (each tuple has two fields)\n- Required semi-flattened size: 6 memory slots\n \n\nThe current code passes `3` to `allocate_brillig_array()`, which then calls `codegen_initialize_array()`. This function allocates `array.size + ARRAY_META_COUNT` slots, only 4 slots instead of the required 7 (6 data + 1 metadata). When the VM executes the foreign call and writes 6 values plus metadata, it overwrites adjacent heap memory.\n\n## Impact\n\nForeign calls returning nested arrays of tuples or other composite types corrupt the Brillig VM heap.\n\n## Recommendation\n\nMultiply the semantic length by the number of element types when allocating nested arrays. Extract the inner types from the pattern and replace the `nested_size` argument to `allocate_brillig_array()` with `types.len() * nested_size` to compute the semi-flattened size. Alternatively, reuse the existing `compute_array_length()` helper function to maintain consistency with outer array allocation.",
"id": "GHSA-jj7c-x25r-r8r3",
"modified": "2026-04-27T16:29:20Z",
"published": "2026-04-21T20:16:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/noir-lang/noir/security/advisories/GHSA-jj7c-x25r-r8r3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41197"
},
{
"type": "PACKAGE",
"url": "https://github.com/noir-lang/noir"
},
{
"type": "WEB",
"url": "https://github.com/noir-lang/noir/releases/tag/v1.0.0-beta.19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Brillig: Heap corruption in foreign call results with nested tuple arrays"
}
GHSA-JJR8-97P7-VMMG
Vulnerability from github – Published: 2024-01-31 15:30 – Updated: 2026-05-12 12:31An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
{
"affected": [],
"aliases": [
"CVE-2023-6780"
],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-31T14:15:48Z",
"severity": "MODERATE"
},
"details": "An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.",
"id": "GHSA-jjr8-97p7-vmmg",
"modified": "2026-05-12T12:31:34Z",
"published": "2024-01-31T15:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6780"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2023-6780"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254396"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D2FIH77VHY3KCRROCXOT6L27WMZXSJ2G"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWQ6BZJ6CV5UAW4VZSKJ6TO4KIW2KWAQ"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202402-01"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250207-0010"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2024/01/30/6"
},
{
"type": "WEB",
"url": "https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/176932/glibc-syslog-Heap-Based-Buffer-Overflow.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Feb/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-JJX5-3F36-6927
Vulnerability from github – Published: 2021-08-25 20:55 – Updated: 2021-08-18 21:31An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. In Decoder::new(), slice.get_unchecked(slice.length()) is used unsafely.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "iced-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-38188"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-18T21:31:51Z",
"nvd_published_at": "2021-08-08T06:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. In Decoder::new(), slice.get_unchecked(slice.length()) is used unsafely.",
"id": "GHSA-jjx5-3f36-6927",
"modified": "2021-08-18T21:31:51Z",
"published": "2021-08-25T20:55:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38188"
},
{
"type": "WEB",
"url": "https://github.com/icedland/iced/issues/168"
},
{
"type": "WEB",
"url": "https://github.com/icedland/iced/commit/3c607a003e03b773108401d109167d1840487dce"
},
{
"type": "PACKAGE",
"url": "https://github.com/icedland/iced"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2021-0068.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect buffer size calculation in iced-x86"
}
GHSA-JRHX-6RVP-6V57
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09There is an Incorrect Calculation of Buffer Size in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.
{
"affected": [],
"aliases": [
"CVE-2021-22391"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T17:15:00Z",
"severity": "HIGH"
},
"details": "There is an Incorrect Calculation of Buffer Size in Huawei Smartphone.Successful exploitation of this vulnerability may cause the system to reset.",
"id": "GHSA-jrhx-6rvp-6v57",
"modified": "2022-05-24T19:09:33Z",
"published": "2022-05-24T19:09:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22391"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JRWX-V3XX-XRP8
Vulnerability from github – Published: 2026-05-13 18:30 – Updated: 2026-05-13 18:30When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2026-40618"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T16:16:43Z",
"severity": "HIGH"
},
"details": "When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration\u00a0set to disabled, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.\u00a0\u00a0\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-jrwx-v3xx-xrp8",
"modified": "2026-05-13T18:30:55Z",
"published": "2026-05-13T18:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40618"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000158082"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JVQH-H8M5-XC3Q
Vulnerability from github – Published: 2022-05-24 19:18 – Updated: 2022-05-24 19:18Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead to an Apple MFI device not being able to authenticate with the Peleton Bike
{
"affected": [],
"aliases": [
"CVE-2021-40526"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-10-25T11:15:00Z",
"severity": "MODERATE"
},
"details": "Incorrect calculation of buffer size vulnerability in Peleton TTR01 up to and including PTV55G allows a remote attacker to trigger a Denial of Service attack through the GymKit daemon process by exploiting a heap overflow in the network server handling the Apple GymKit communication. This can lead to an Apple MFI device not being able to authenticate with the Peleton Bike",
"id": "GHSA-jvqh-h8m5-xc3q",
"modified": "2022-05-24T19:18:48Z",
"published": "2022-05-24T19:18:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40526"
},
{
"type": "WEB",
"url": "https://twitter.com/ROPsicle/status/1438216078103044107?s=20"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JW98-JRC9-MRX5
Vulnerability from github – Published: 2022-11-14 12:00 – Updated: 2022-11-16 19:00In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.
{
"affected": [],
"aliases": [
"CVE-2022-31630"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-14T07:15:00Z",
"severity": "HIGH"
},
"details": "In PHP versions prior to 7.4.33, 8.0.25 and 8.2.12, when using imageloadfont() function in gd extension, it is possible to supply a specially crafted font file, such as if the loaded font is used with imagechar() function, the read outside allocated buffer will be used. This can lead to crashes or disclosure of confidential information.",
"id": "GHSA-jw98-jrc9-mrx5",
"modified": "2022-11-16T19:00:25Z",
"published": "2022-11-14T12:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31630"
},
{
"type": "WEB",
"url": "https://bugs.php.net/bug.php?id=81739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-8
Strategy: Input Validation
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
Mitigation
When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Mitigation
Use sizeof() on the appropriate data type to avoid CWE-467.
Mitigation
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.