Common Weakness Enumeration

CWE-193

Allowed

Off-by-one Error

Abstraction: Base · Status: Draft

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

256 vulnerabilities reference this CWE, most recent first.

GHSA-C2CP-78WW-6JM8

Vulnerability from github – Published: 2025-02-19 00:31 – Updated: 2025-11-03 21:32
VLAI
Details

sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57259"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-18T23:15:09Z",
    "severity": "HIGH"
  },
  "details": "sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.",
  "id": "GHSA-c2cp-78ww-6jm8",
  "modified": "2025-11-03T21:32:46Z",
  "published": "2025-02-19T00:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57259"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2025/02/17/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C389-X6QF-WXV2

Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-07-31 00:00
VLAI
Details

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27171"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-03-20T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.",
  "id": "GHSA-c389-x6qf-wxv2",
  "modified": "2022-07-31T00:00:59Z",
  "published": "2022-05-24T17:44:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27171"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FB6LUXPEIRLZH32YXWZVEZAD4ZL6SDK2"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRTPQE73ANG7D6M4L4PK5ZQDPO4Y2FVD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2S3I4SLRNRUQDOFYUS6IUAZMQNMPNLG"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2021/03/19/3"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSN-0075-1.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/03/24/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C46X-VC6V-FPX6

Vulnerability from github – Published: 2022-04-30 18:21 – Updated: 2024-02-15 21:31
VLAI
Details

Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2002-1816"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2002-12-31T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.",
  "id": "GHSA-c46x-vc6v-fpx6",
  "modified": "2024-02-15T21:31:22Z",
  "published": "2022-04-30T18:21:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1816"
    },
    {
      "type": "WEB",
      "url": "http://archives.neohapsis.com/archives/bugtraq/2002-10/0187.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/7293"
    },
    {
      "type": "WEB",
      "url": "http://www.iss.net/security_center/static/10362.php"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/5956"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C4GX-P7GQ-G6HP

Vulnerability from github – Published: 2026-05-04 21:30 – Updated: 2026-06-30 03:36
VLAI
Details

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-43964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-04T19:16:07Z",
    "severity": "LOW"
  },
  "details": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.",
  "id": "GHSA-c4gx-p7gq-g6hp",
  "modified": "2026-06-30T03:36:30Z",
  "published": "2026-05-04T21:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43964"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25930"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:25932"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26205"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-43964"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466488"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43964.json"
    },
    {
      "type": "WEB",
      "url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C5JG-WR5V-2WP2

Vulnerability from github – Published: 2025-04-21 03:30 – Updated: 2025-04-21 21:55
VLAI
Summary
GoBGP does not verify that the input length
Details

An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.35.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/osrg/gobgp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/osrg/gobgp/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.35.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-43973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-21T21:55:39Z",
    "nvd_published_at": "2025-04-21T01:15:45Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.",
  "id": "GHSA-c5jg-wr5v-2wp2",
  "modified": "2025-04-21T21:55:39Z",
  "published": "2025-04-21T03:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43973"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/commit/5693c58a4815cc6327b8d3b6980f0e5aced28abe"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/osrg/gobgp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/osrg/gobgp/compare/v3.34.0...v3.35.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GoBGP does not verify that the input length"
}

GHSA-C7FJ-R3PQ-5PH5

Vulnerability from github – Published: 2026-07-06 15:30 – Updated: 2026-07-06 15:30
VLAI
Details

A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58380"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-06T15:16:40Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in GIMP\u0027s PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.",
  "id": "GHSA-c7fj-r3pq-5ph5",
  "modified": "2026-07-06T15:30:48Z",
  "published": "2026-07-06T15:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58380"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-58380"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496135"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/83699817"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16206"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8MQ-83H4-GM57

Vulnerability from github – Published: 2022-12-18 06:31 – Updated: 2022-12-22 15:30
VLAI
Details

An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.19. It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that causes a url_canonize2 heap-based buffer over-read because of an off-by-one error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47517"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-18T05:15:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.19. It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that causes a url_canonize2 heap-based buffer over-read because of an off-by-one error.",
  "id": "GHSA-c8mq-83h4-gm57",
  "modified": "2022-12-22T15:30:21Z",
  "published": "2022-12-18T06:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/drachtio/drachtio-server/issues/243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davehorton/sofia-sip/commit/22c1bd191f0acbf11f0c0fbea1845d9bf9dcd47e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/davehorton/sofia-sip/commit/bfc79d85c8f3a4798a3305fb98f5a11c11d0d29f"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8WP-68RG-MQRC

Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-01 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7925: fix off by one in mt7925_load_clc()

This comparison should be >= instead of > to prevent an out of bounds read and write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57990"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T02:15:13Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_load_clc()\n\nThis comparison should be \u003e= instead of \u003e to prevent an out of bounds\nread and write.",
  "id": "GHSA-c8wp-68rg-mqrc",
  "modified": "2025-10-01T21:31:11Z",
  "published": "2025-02-27T03:34:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57990"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/08fa656c91fd5fdf47ba393795b9c0d1e97539ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d03b8fe1b518fc2ea2d82588e905f56d80cd64b2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C8XJ-FR2W-PJFC

Vulnerability from github – Published: 2025-06-09 06:30 – Updated: 2026-06-26 00:32
VLAI
Details

There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-09T06:15:25Z",
    "severity": "MODERATE"
  },
  "details": "There\u0027s a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.",
  "id": "GHSA-c8xj-fr2w-pjfc",
  "modified": "2026-06-26T00:32:01Z",
  "published": "2025-06-09T06:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47711"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-47711"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365687"
    },
    {
      "type": "WEB",
      "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/67E7AASHHADIY7VAD3FFW2I67LTWVWYF"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-CJH6-575G-258G

Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison

The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'.

Fix the loop condition to use '<' for consistency and correctness.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-26T20:17:24Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison\n\nThe local-vs-remote region comparison loop uses \u0027\u003c=\u0027 instead of \u0027\u003c\u0027,\ncausing it to read one entry past the valid range of qr_regions.  The\nother loops in the same function correctly use \u0027\u003c\u0027.\n\nFix the loop condition to use \u0027\u003c\u0027 for consistency and correctness.",
  "id": "GHSA-cjh6-575g-258g",
  "modified": "2026-06-28T09:31:48Z",
  "published": "2026-06-26T21:32:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53309"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01b61e8dda9b0fdb0d4cda43de25f4e390554d7b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1fb7f356547d9688822315cd2b205ff0bd5429b4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2a0673836f019e7c032acbf48d022d5ccf02a845"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/426cd8eedac89b86148d4478990eeef16e8a2520"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/760ab35040aca8399021fdb9ff1db1089feb7194"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/819d8ebad3200a53de99bd7e297bc428e41ced54"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c60a2710b73838d250cda57344c049b89abc5d52"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d5403ae28085761d58b555645bc7d5feadb10073"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

No CAPEC attack patterns related to this CWE.