CWE-193
AllowedOff-by-one Error
Abstraction: Base · Status: Draft
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
256 vulnerabilities reference this CWE, most recent first.
GHSA-8745-Q6HH-2437
Vulnerability from github – Published: 2025-03-19 03:30 – Updated: 2025-03-19 03:30Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2024-10442"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-19T03:15:11Z",
"severity": "CRITICAL"
},
"details": "Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code, potentially leading to a broader impact across the system via unspecified vectors.",
"id": "GHSA-8745-q6hh-2437",
"modified": "2025-03-19T03:30:35Z",
"published": "2025-03-19T03:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10442"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_24_22"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-899X-JHM8-PC3M
Vulnerability from github – Published: 2022-04-29 02:57 – Updated: 2024-02-02 03:30Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.
{
"affected": [],
"aliases": [
"CVE-2004-0346"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2004-11-23T05:00:00Z",
"severity": "HIGH"
},
"details": "Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.",
"id": "GHSA-899x-jhm8-pc3m",
"modified": "2024-02-02T03:30:30Z",
"published": "2022-04-29T02:57:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0346"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15387"
},
{
"type": "WEB",
"url": "http://marc.info/?l=bugtraq\u0026m=107824679817240\u0026w=2"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/9782"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8G6H-GJ49-CM84
Vulnerability from github – Published: 2022-05-02 03:22 – Updated: 2022-05-02 03:22Off-by-one error in the GpFont::SetData function in gdiplus.dll in Microsoft GDI+ on Windows XP allows remote attackers to cause a denial of service (stack corruption and application termination) via a crafted EMF file that triggers an integer overflow, as demonstrated by voltage-exploit.emf, aka the "Microsoft GdiPlus EMF GpFont.SetData integer overflow."
{
"affected": [],
"aliases": [
"CVE-2009-1217"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-04-01T18:00:00Z",
"severity": "MODERATE"
},
"details": "Off-by-one error in the GpFont::SetData function in gdiplus.dll in Microsoft GDI+ on Windows XP allows remote attackers to cause a denial of service (stack corruption and application termination) via a crafted EMF file that triggers an integer overflow, as demonstrated by voltage-exploit.emf, aka the \"Microsoft GdiPlus EMF GpFont.SetData integer overflow.\"",
"id": "GHSA-8g6h-gj49-cm84",
"modified": "2022-05-02T03:22:45Z",
"published": "2022-05-02T03:22:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1217"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/49438"
},
{
"type": "WEB",
"url": "http://bl4cksecurity.blogspot.com/2009/03/microsoft-gdiplus-emf-gpfontsetdata.html"
},
{
"type": "WEB",
"url": "http://blogs.technet.com/srd/archive/2009/03/26/new-emf-gdiplus-dll-crash-not-exploitable-for-code-execution.aspx"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/34250"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/0832"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-8P7J-VHGR-RCW5
Vulnerability from github – Published: 2026-06-25 21:31 – Updated: 2026-06-25 21:31RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.
{
"affected": [],
"aliases": [
"CVE-2026-56787"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T19:16:45Z",
"severity": "MODERATE"
},
"details": "RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decode_ssr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit this vulnerability by sending malicious SSR correction streams over NTRIP or serial connections to cause denial of service or crash RTKLIB rovers and CORS servers.",
"id": "GHSA-8p7j-vhgr-rcw5",
"modified": "2026-06-25T21:31:30Z",
"published": "2026-06-25T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56787"
},
{
"type": "WEB",
"url": "https://github.com/tomojitakasu/RTKLIB/issues/798"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/rtklib-off-by-one-out-of-bounds-read-in-decode-ssr3-via-rtcm3-ssr-message"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-8XX8-QRH3-Q8MQ
Vulnerability from github – Published: 2025-08-03 03:30 – Updated: 2025-11-03 21:34In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant heap-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2025-54349"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-03T02:15:35Z",
"severity": "MODERATE"
},
"details": "In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant heap-based buffer overflow.",
"id": "GHSA-8xx8-qrh3-q8mq",
"modified": "2025-11-03T21:34:17Z",
"published": "2025-08-03T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54349"
},
{
"type": "WEB",
"url": "https://github.com/esnet/iperf/commit/4e5313bab0b9b3fe03513ab54f722c8a3e4b7bdf"
},
{
"type": "WEB",
"url": "https://github.com/esnet/iperf/releases/tag/3.19.1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-94J5-29M8-F8JQ
Vulnerability from github – Published: 2024-09-05 06:31 – Updated: 2024-09-05 15:33An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.
A malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.
{
"affected": [],
"aliases": [
"CVE-2024-32668"
],
"database_specific": {
"cwe_ids": [
"CWE-193",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-05T05:15:13Z",
"severity": "HIGH"
},
"details": "An insufficient boundary validation in the USB code could lead to an out-of-bounds write on the heap, with data controlled by the caller.\n\nA malicious, privileged software running in a guest VM can exploit the vulnerability to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process.",
"id": "GHSA-94j5-29m8-f8jq",
"modified": "2024-09-05T15:33:35Z",
"published": "2024-09-05T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32668"
},
{
"type": "WEB",
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-24:12.bhyve.asc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9P8Q-J6Q5-MJW8
Vulnerability from github – Published: 2022-02-15 00:02 – Updated: 2022-02-25 15:29In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-by-one buffer overflow for a vector.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "galois_2p8"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-24988"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-193"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-25T15:29:16Z",
"nvd_published_at": "2022-02-14T20:15:00Z",
"severity": "CRITICAL"
},
"details": "In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-by-one buffer overflow for a vector.",
"id": "GHSA-9p8q-j6q5-mjw8",
"modified": "2022-02-25T15:29:16Z",
"published": "2022-02-15T00:02:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24988"
},
{
"type": "PACKAGE",
"url": "https://github.com/djsweet/galois_2p8"
},
{
"type": "WEB",
"url": "https://github.com/djsweet/galois_2p8/blob/master/CHANGELOG.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Buffer Overflow in galois_2p8"
}
GHSA-9R6Q-3R52-HH42
Vulnerability from github – Published: 2024-10-21 18:30 – Updated: 2024-10-25 15:31In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off by one issue in alloc_flex_gd()
Wesley reported an issue:
================================================================== EXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks ------------[ cut here ]------------ kernel BUG at fs/ext4/resize.c:324! CPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27 RIP: 0010:ext4_resize_fs+0x1212/0x12d0 Call Trace: __ext4_ioctl+0x4e0/0x1800 ext4_ioctl+0x12/0x20 __x64_sys_ioctl+0x99/0xd0 x64_sys_call+0x1206/0x20d0 do_syscall_64+0x72/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e ==================================================================
While reviewing the patch, Honza found that when adjusting resize_bg in alloc_flex_gd(), it was possible for flex_gd->resize_bg to be bigger than flexbg_size.
The reproduction of the problem requires the following:
o_group = flexbg_size * 2 * n; o_size = (o_group + 1) * group_size; n_group: [o_group + flexbg_size, o_group + flexbg_size * 2) o_size = (n_group + 1) * group_size;
Take n=0,flexbg_size=16 as an example:
last:15
|o---------------|--------------n-| o_group:0 resize to n_group:30
The corresponding reproducer is:
img=test.img
rm -f $img
truncate -s 600M $img
mkfs.ext4 -F $img -b 1024 -G 16 8M
dev=losetup -f --show $img
mkdir -p /tmp/test
mount $dev /tmp/test
resize2fs $dev 248M
Delete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE() to prevent the issue from happening again.
[ Note: another reproucer which this commit fixes is:
img=test.img
rm -f $img
truncate -s 25MiB $img
mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img
truncate -s 3GiB $img
dev=losetup -f --show $img
mkdir -p /tmp/test
mount $dev /tmp/test
resize2fs $dev 3G
umount $dev
losetup -d $dev
-- TYT ]
{
"affected": [],
"aliases": [
"CVE-2024-49880"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T18:15:10Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off by one issue in alloc_flex_gd()\n\nWesley reported an issue:\n\n==================================================================\nEXT4-fs (dm-5): resizing filesystem from 7168 to 786432 blocks\n------------[ cut here ]------------\nkernel BUG at fs/ext4/resize.c:324!\nCPU: 9 UID: 0 PID: 3576 Comm: resize2fs Not tainted 6.11.0+ #27\nRIP: 0010:ext4_resize_fs+0x1212/0x12d0\nCall Trace:\n __ext4_ioctl+0x4e0/0x1800\n ext4_ioctl+0x12/0x20\n __x64_sys_ioctl+0x99/0xd0\n x64_sys_call+0x1206/0x20d0\n do_syscall_64+0x72/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n==================================================================\n\nWhile reviewing the patch, Honza found that when adjusting resize_bg in\nalloc_flex_gd(), it was possible for flex_gd-\u003eresize_bg to be bigger than\nflexbg_size.\n\nThe reproduction of the problem requires the following:\n\n o_group = flexbg_size * 2 * n;\n o_size = (o_group + 1) * group_size;\n n_group: [o_group + flexbg_size, o_group + flexbg_size * 2)\n o_size = (n_group + 1) * group_size;\n\nTake n=0,flexbg_size=16 as an example:\n\n last:15\n|o---------------|--------------n-|\no_group:0 resize to n_group:30\n\nThe corresponding reproducer is:\n\nimg=test.img\nrm -f $img\ntruncate -s 600M $img\nmkfs.ext4 -F $img -b 1024 -G 16 8M\ndev=`losetup -f --show $img`\nmkdir -p /tmp/test\nmount $dev /tmp/test\nresize2fs $dev 248M\n\nDelete the problematic plus 1 to fix the issue, and add a WARN_ON_ONCE()\nto prevent the issue from happening again.\n\n[ Note: another reproucer which this commit fixes is:\n\n img=test.img\n rm -f $img\n truncate -s 25MiB $img\n mkfs.ext4 -b 4096 -E nodiscard,lazy_itable_init=0,lazy_journal_init=0 $img\n truncate -s 3GiB $img\n dev=`losetup -f --show $img`\n mkdir -p /tmp/test\n mount $dev /tmp/test\n resize2fs $dev 3G\n umount $dev\n losetup -d $dev\n\n -- TYT ]",
"id": "GHSA-9r6q-3r52-hh42",
"modified": "2024-10-25T15:31:25Z",
"published": "2024-10-21T18:30:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49880"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d80d2b8bf613398baf7185009e35f9d0459ecb0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6121258c2b33ceac3d21f6a221452692c465df88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/acb559d6826116cc113598640d105094620c2526"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9VQ4-862J-5VX8
Vulnerability from github – Published: 2023-07-18 00:31 – Updated: 2025-01-03 12:30An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.
{
"affected": [],
"aliases": [
"CVE-2023-38429"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-18T00:15:09Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation (because of ksmbd_smb2_check_message) that may lead to out-of-bounds access.",
"id": "GHSA-9vq4-862j-5vx8",
"modified": "2025-01-03T12:30:30Z",
"published": "2023-07-18T00:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38429"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.3.4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/ksmbd?id=443d61d1fa9faa60ef925513d83742902390100f"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250103-0009"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9WMV-XX8C-X6QW
Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2024-03-21 03:33In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem.
{
"affected": [],
"aliases": [
"CVE-2010-5331"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-27T22:15:00Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel before 2.6.34, a range check issue in drivers/gpu/drm/radeon/atombios.c could cause an off by one (buffer overflow) problem.",
"id": "GHSA-9wmv-xx8c-x6qw",
"modified": "2024-03-21T03:33:41Z",
"published": "2022-04-21T01:57:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-5331"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/0031c41be5c529f8329e327b63cde92ba1284842"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-5331"
},
{
"type": "WEB",
"url": "https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0031c41be5c529f8329e327b63cde92ba1284842"
},
{
"type": "WEB",
"url": "https://mirrors.edge.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.34"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K33183814?utm_source=f5support\u0026amp%3Butm_medium=RSS"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K33183814?utm_source=f5support\u0026amp;utm_medium=RSS"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
No CAPEC attack patterns related to this CWE.