CWE-131
AllowedIncorrect Calculation of Buffer Size
Abstraction: Base · Status: Draft
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
270 vulnerabilities reference this CWE, most recent first.
GHSA-P3R2-35XM-8Q7V
Vulnerability from github – Published: 2025-01-07 18:30 – Updated: 2025-01-07 18:30In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, device will restart after watch dog expires. If watchdog is not implemented, device can be recovered only after a hard reset
{
"affected": [],
"aliases": [
"CVE-2024-8361"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-07T17:15:31Z",
"severity": "HIGH"
},
"details": "In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS).\nIf a watchdog is implemented, device will restart after watch dog expires. If watchdog is not implemented, device can be recovered only after a hard reset",
"id": "GHSA-p3r2-35xm-8q7v",
"modified": "2025-01-07T18:30:52Z",
"published": "2025-01-07T18:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8361"
},
{
"type": "WEB",
"url": "https://community.silabs.com/068Vm00000I7zqo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P3VJ-26Q5-C789
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09There is an Incorrect Calculation of Buffer Size in Huawei Smartphone.Successful exploitation of this vulnerability may cause verification bypass and directions to abnormal addresses.
{
"affected": [],
"aliases": [
"CVE-2021-22392"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T17:15:00Z",
"severity": "HIGH"
},
"details": "There is an Incorrect Calculation of Buffer Size in Huawei Smartphone.Successful exploitation of this vulnerability may cause verification bypass and directions to abnormal addresses.",
"id": "GHSA-p3vj-26q5-c789",
"modified": "2022-05-24T19:09:33Z",
"published": "2022-05-24T19:09:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22392"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P45J-Q5HM-CC64
Vulnerability from github – Published: 2024-02-27 21:31 – Updated: 2024-04-10 21:30In the Linux kernel, the following vulnerability has been resolved:
media: staging/intel-ipu3: Fix set_fmt error handling
If there in an error during a set_fmt, do not overwrite the previous sizes with the invalid config.
Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing the following OOPs
[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes) [ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0 [ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP
{
"affected": [],
"aliases": [
"CVE-2021-46943"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-27T19:04:06Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: staging/intel-ipu3: Fix set_fmt error handling\n\nIf there in an error during a set_fmt, do not overwrite the previous\nsizes with the invalid config.\n\nWithout this patch, v4l2-compliance ends up allocating 4GiB of RAM and\ncausing the following OOPs\n\n[ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes)\n[ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0\n[ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP",
"id": "GHSA-p45j-q5hm-cc64",
"modified": "2024-04-10T21:30:28Z",
"published": "2024-02-27T21:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-46943"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/34892ea938387d83ffcfb7775ec55f0f80767916"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6fb617e37a39db0a3eca4489431359d0bdf3b9bc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a03fb1e8a110658215a4cefc3e2ad53279e496a6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ad91849996f9dd79741a961fd03585a683b08356"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6b81b897f6f9445d57f8d47c4e060ec21556137"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P8G8-Q26R-2Q2R
Vulnerability from github – Published: 2024-09-13 06:30 – Updated: 2024-09-19 18:30In the Linux kernel, the following vulnerability has been resolved:
binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined
create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc//auxv") it resulted in the last entry of the AUX vector being set to zero, but with that change it results in a kernel BUG.
Fix that by adding one to the number of AUXV entries (nitems) when ELF_HWCAP2 is defined.
{
"affected": [],
"aliases": [
"CVE-2024-46684"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-13T06:15:13Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbinfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined\n\ncreate_elf_fdpic_tables() does not correctly account the space for the\nAUX vector when an architecture has ELF_HWCAP2 defined. Prior to the\ncommit 10e29251be0e (\"binfmt_elf_fdpic: fix /proc/\u003cpid\u003e/auxv\") it\nresulted in the last entry of the AUX vector being set to zero, but with\nthat change it results in a kernel BUG.\n\nFix that by adding one to the number of AUXV entries (nitems) when\nELF_HWCAP2 is defined.",
"id": "GHSA-p8g8-q26r-2q2r",
"modified": "2024-09-19T18:30:51Z",
"published": "2024-09-13T06:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46684"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c507da85e4f80c630deb9e98222ccf4118cbe6f8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c6a09e342f8e6d3cac7f7c5c14085236aca284b9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PHQJ-4MHP-Q6MQ
Vulnerability from github – Published: 2026-05-19 19:50 – Updated: 2026-05-19 19:50CipherCtxRef::cipher_update_inplace incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller's buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.
This only impacts users using AES key-wrap-with-padding ciphers.
This method was missed in the fix for GHSA-xv59-967r-8726
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.10.50"
},
{
"fixed": "0.10.80"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45784"
],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:50:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "`CipherCtxRef::cipher_update_inplace` incorrectly sized output buffers when used with AES key-wrap-with-padding ciphers (EVP_aes_{128,192,256}_wrap_pad). For a non-multiple-of-8 input, OpenSSL writes up to 7 bytes past the end of the caller\u0027s buffer or Vec, producing attacker-controllable heap corruption when the plaintext length is attacker-influenced.\n\nThis only impacts users using AES key-wrap-with-padding ciphers.\n\nThis method was missed in the fix for GHSA-xv59-967r-8726",
"id": "GHSA-phqj-4mhp-q6mq",
"modified": "2026-05-19T19:50:11Z",
"published": "2026-05-19T19:50:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-phqj-4mhp-q6mq"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-openssl/rust-openssl"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers"
}
GHSA-PQ9H-QH69-CP8R
Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2022-05-24 19:09There is an Incorrect Calculation of Buffer Size Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause kernel exceptions with the code.
{
"affected": [],
"aliases": [
"CVE-2021-22415"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-02T17:15:00Z",
"severity": "HIGH"
},
"details": "There is an Incorrect Calculation of Buffer Size Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may cause kernel exceptions with the code.",
"id": "GHSA-pq9h-qh69-cp8r",
"modified": "2022-05-24T19:09:33Z",
"published": "2022-05-24T19:09:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22415"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2021/6"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PQF5-4PQQ-29F5
Vulnerability from github – Published: 2026-04-22 21:22 – Updated: 2026-04-27 16:42Deriver::derive (and PkeyCtxRef::derive) sets len = buf.len() and passes it as the in/out length to EVP_PKEY_derive, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming *keylen, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.27"
},
{
"fixed": "0.10.78"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41676"
],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T21:22:00Z",
"nvd_published_at": "2026-04-24T18:16:29Z",
"severity": "HIGH"
},
"details": "`Deriver::derive` (and `PkeyCtxRef::derive`) sets `len = buf.len()` and passes it as the in/out length to `EVP_PKEY_derive`, relying on OpenSSL to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore the incoming `*keylen`, unconditionally writing the full shared secret (32/56/prime-size bytes). A caller passing a short slice gets a heap/stack overflow from safe code. OpenSSL 3.x providers do check, so this only impacts older OpenSSL.",
"id": "GHSA-pqf5-4pqq-29f5",
"modified": "2026-04-27T16:42:03Z",
"published": "2026-04-22T21:22:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41676"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/pull/2606"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/commit/09b425e5f59a2466d806e71a83a9a449c914c596"
},
{
"type": "PACKAGE",
"url": "https://github.com/rust-openssl/rust-openssl"
},
{
"type": "WEB",
"url": "https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow short buffers on OpenSSL 1.1.1"
}
GHSA-PR83-52RX-W5F5
Vulnerability from github – Published: 2024-10-30 15:30 – Updated: 2024-10-30 15:30The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.
{
"affected": [],
"aliases": [
"CVE-2024-28052"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-30T14:15:04Z",
"severity": "MODERATE"
},
"details": "The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.",
"id": "GHSA-pr83-52rx-w5f5",
"modified": "2024-10-30T15:30:46Z",
"published": "2024-10-30T15:30:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28052"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1997"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PRQQ-QRC5-XVPR
Vulnerability from github – Published: 2026-04-20 21:31 – Updated: 2026-04-21 21:31NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.
{
"affected": [],
"aliases": [
"CVE-2026-29645"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-20T20:16:48Z",
"severity": "HIGH"
},
"details": "NEMU (OpenXiangShan/NEMU) before v2025.12.r2 contains an improper instruction-validation flaw in its RISC-V Vector (RVV) decoder. The decoder does not correctly validate the funct3 field when decoding vsetvli/vsetivli/vsetvl, allowing certain invalid OP-V instruction encodings to be misinterpreted and executed as vset* configuration instructions rather than raising an illegal-instruction exception. This can be exploited by providing crafted RISC-V binaries to cause incorrect trap behavior, architectural state corruption/divergence, and potential denial of service in systems that rely on NEMU for correct execution or sandboxing.",
"id": "GHSA-prqq-qrc5-xvpr",
"modified": "2026-04-21T21:31:20Z",
"published": "2026-04-20T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29645"
},
{
"type": "WEB",
"url": "https://github.com/OpenXiangShan/NEMU/issues/952"
},
{
"type": "WEB",
"url": "https://github.com/OpenXiangShan/NEMU/pull/958"
},
{
"type": "WEB",
"url": "https://github.com/OpenXiangShan/NEMU/commit/481de637d5fc5838356caee80a79e56a33754039"
},
{
"type": "WEB",
"url": "https://docs.riscv.org/reference/isa/unpriv/v-st-ext.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXC8-QHVR-5954
Vulnerability from github – Published: 2025-03-20 21:31 – Updated: 2025-03-21 00:31In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash.
{
"affected": [],
"aliases": [
"CVE-2025-30334"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-20T21:15:24Z",
"severity": "HIGH"
},
"details": "In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash.",
"id": "GHSA-pxc8-qhvr-5954",
"modified": "2025-03-21T00:31:20Z",
"published": "2025-03-20T21:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30334"
},
{
"type": "WEB",
"url": "https://github.com/openbsd/src/commit/c06199859734d958552a581d72b4c0f910e68d7c"
},
{
"type": "WEB",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.5/common/015_wg.patch.sig"
},
{
"type": "WEB",
"url": "https://ftp.openbsd.org/pub/OpenBSD/patches/7.6/common/006_wg.patch.sig"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-8
Strategy: Input Validation
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
Mitigation
When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Mitigation
Use sizeof() on the appropriate data type to avoid CWE-467.
Mitigation
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.