CWE-787
Allowed-with-ReviewOut-of-bounds Write
Abstraction: Base · Status: Draft
The product writes data past the end, or before the beginning, of the intended buffer.
15102 vulnerabilities reference this CWE, most recent first.
GHSA-P2Q5-R29Q-M7GV
Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated EPS file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.
{
"affected": [],
"aliases": [
"CVE-2020-6343"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-09T13:15:00Z",
"severity": "MODERATE"
},
"details": "SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open manipulated EPS file received from untrusted sources which results in crashing of the application and becoming temporarily unavailable until the user restarts the application, this is caused due to Improper Input Validation.",
"id": "GHSA-p2q5-r29q-m7gv",
"modified": "2022-05-24T17:27:46Z",
"published": "2022-05-24T17:27:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6343"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/2960815"
},
{
"type": "WEB",
"url": "https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=557449700"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1151"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-P2QF-4MG3-C5H4
Vulnerability from github – Published: 2022-05-13 01:15 – Updated: 2022-05-13 01:15Parsing malformed project files in Omron CX-One versions 4.42 and prior, including the following applications: CX-FLnet versions 1.00 and prior, CX-Protocol versions 1.992 and prior, CX-Programmer versions 9.65 and prior, CX-Server versions 5.0.22 and prior, Network Configurator versions 3.63 and prior, and Switch Box Utility versions 1.68 and prior, may cause a stack-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2018-7514"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-17T19:29:00Z",
"severity": "HIGH"
},
"details": "Parsing malformed project files in Omron CX-One versions 4.42 and prior, including the following applications: CX-FLnet versions 1.00 and prior, CX-Protocol versions 1.992 and prior, CX-Programmer versions 9.65 and prior, CX-Server versions 5.0.22 and prior, Network Configurator versions 3.63 and prior, and Switch Box Utility versions 1.68 and prior, may cause a stack-based buffer overflow.",
"id": "GHSA-p2qf-4mg3-c5h4",
"modified": "2022-05-13T01:15:01Z",
"published": "2022-05-13T01:15:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7514"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-100-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2V3-4J32-QJ67
Vulnerability from github – Published: 2022-12-30 21:30 – Updated: 2023-01-05 06:30TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the REMOTE_USER parameter in the get_access (sub_45AC2C) function.
{
"affected": [],
"aliases": [
"CVE-2022-46585"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-30T21:15:00Z",
"severity": "CRITICAL"
},
"details": "TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow via the REMOTE_USER parameter in the get_access (sub_45AC2C) function.",
"id": "GHSA-p2v3-4j32-qj67",
"modified": "2023-01-05T06:30:21Z",
"published": "2022-12-30T21:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46585"
},
{
"type": "WEB",
"url": "https://brief-nymphea-813.notion.site/Vul7-TEW755-bof-create_folder-8676782581de4b1e9d2aee28386bdc04"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2V6-235W-QHFC
Vulnerability from github – Published: 2024-01-02 03:30 – Updated: 2024-01-05 12:30In Modem IMS SMS UA, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00730807; Issue ID: MOLY00730807.
{
"affected": [],
"aliases": [
"CVE-2023-32886"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-02T03:15:08Z",
"severity": "HIGH"
},
"details": "In Modem IMS SMS UA, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00730807; Issue ID: MOLY00730807.",
"id": "GHSA-p2v6-235w-qhfc",
"modified": "2024-01-05T12:30:19Z",
"published": "2024-01-02T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32886"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/January-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2VV-8MPQ-57X2
Vulnerability from github – Published: 2026-02-06 09:30 – Updated: 2026-02-06 09:30A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.
{
"affected": [],
"aliases": [
"CVE-2026-1998"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-06T07:16:12Z",
"severity": "MODERATE"
},
"details": "A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue.",
"id": "GHSA-p2vv-8mpq-57x2",
"modified": "2026-02-06T09:30:29Z",
"published": "2026-02-06T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1998"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/issues/18639"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/issues/18639#issue-3780651410"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython/pull/18671"
},
{
"type": "WEB",
"url": "https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6"
},
{
"type": "WEB",
"url": "https://github.com/micropython/micropython"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.344546"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.344546"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.743396"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-P2VV-G8RX-7JQJ
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-11-16 19:00raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).
{
"affected": [],
"aliases": [
"CVE-2017-18926"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-06T18:15:00Z",
"severity": "HIGH"
},
"details": "raptor_xml_writer_start_element_common in raptor_xml_writer.c in Raptor RDF Syntax Library 2.0.15 miscalculates the maximum nspace declarations for the XML writer, leading to heap-based buffer overflows (sometimes seen in raptor_qname_format_as_xml).",
"id": "GHSA-p2vv-g8rx-7jqj",
"modified": "2022-11-16T19:00:29Z",
"published": "2022-05-24T17:33:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18926"
},
{
"type": "WEB",
"url": "https://github.com/LibreOffice/core/blob/master/external/redland/raptor/0001-Calcualte-max-nspace-declarations-correctly-for-XML-.patch.1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00012.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RD67AVORGQXORPWNYYUHCH6YPPT6CI4O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RVHFYQDMVEBICIL4DBAGRRLPUR4QYWMV"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDZRNM45VPTQF2BKRWG4YRCHJGQ2L7NS"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2020/dsa-4785"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2017/06/07/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/13/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/13/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/14/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/16/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/11/16/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2W7-2WRH-84V6
Vulnerability from github – Published: 2022-05-07 00:00 – Updated: 2022-05-07 00:00Adobe Photoshop versions 22.5.6 (and earlier) and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.
{
"affected": [],
"aliases": [
"CVE-2022-28277"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-05-06T18:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Photoshop versions 22.5.6 (and earlier) and 23.2.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious PDF file.",
"id": "GHSA-p2w7-2wrh-84v6",
"modified": "2022-05-07T00:00:34Z",
"published": "2022-05-07T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28277"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb22-20.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2W9-G2W7-8FW9
Vulnerability from github – Published: 2022-05-24 19:03 – Updated: 2025-02-28 15:30An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2021-3549"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-26T21:15:00Z",
"severity": "HIGH"
},
"details": "An out of bounds flaw was found in GNU binutils objdump utility version 2.36. An attacker could use this flaw and pass a large section to avr_elf32_load_records_from_section() probably resulting in a crash or in some cases memory corruption. The highest threat from this vulnerability is to integrity as well as system availability.",
"id": "GHSA-p2w9-g2w7-8fw9",
"modified": "2025-02-28T15:30:55Z",
"published": "2022-05-24T19:03:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3549"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1960717"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-30"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20250228-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2WF-QJ6M-X5FG
Vulnerability from github – Published: 2026-05-01 15:30 – Updated: 2026-07-10 12:31In the Linux kernel, the following vulnerability has been resolved:
ip6_tunnel: clear skb2->cb[] in ip4ip6_err()
Oskar Kjos reported the following problem.
ip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written by the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes IPCB(skb2) to __ip_options_echo(), which interprets that cb[] region as struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff at offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr value. __ip_options_echo() then reads optlen from attacker-controlled packet data at sptr[rr+1] and copies that many bytes into dopt->__data, a fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).
To fix this we clear skb2->cb[], as suggested by Oskar Kjos.
Also add minimal IPv4 header validation (version == 4, ihl >= 5).
{
"affected": [],
"aliases": [
"CVE-2026-43037"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-843"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T15:16:48Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6_tunnel: clear skb2-\u003ecb[] in ip4ip6_err()\n\nOskar Kjos reported the following problem.\n\nip4ip6_err() calls icmp_send() on a cloned skb whose cb[] was written\nby the IPv6 receive path as struct inet6_skb_parm. icmp_send() passes\nIPCB(skb2) to __ip_options_echo(), which interprets that cb[] region\nas struct inet_skb_parm (IPv4). The layouts differ: inet6_skb_parm.nhoff\nat offset 14 overlaps inet_skb_parm.opt.rr, producing a non-zero rr\nvalue. __ip_options_echo() then reads optlen from attacker-controlled\npacket data at sptr[rr+1] and copies that many bytes into dopt-\u003e__data,\na fixed 40-byte stack buffer (IP_OPTIONS_DATA_FIXED_SIZE).\n\nTo fix this we clear skb2-\u003ecb[], as suggested by Oskar Kjos.\n\nAlso add minimal IPv4 header validation (version == 4, ihl \u003e= 5).",
"id": "GHSA-p2wf-qj6m-x5fg",
"modified": "2026-07-10T12:31:33Z",
"published": "2026-05-01T15:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43037"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28740"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28741"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28742"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28748"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28749"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28750"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28887"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28962"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33486"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43037"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464351"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1063515ce15ff31065c4e7f8265f4c2fd3c54876"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2cc6e3b0fe0f0242d1f530a93a4924f48ab85ba5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2edfa31769a4add828a7e604b21cb82aaaa05925"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4a622658f384b03560834cbe8ffcfe69a278f7c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/590f622669b97eaf7b57a1de7b0a6e68c5d8b2c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0c4ce9900a108eaf55d0f3b399cb55999647d39"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d6621f60192fe10c047a4487be42a6f4c150707f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea9f65b27c8404e164848ebff1443310fd187629"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43037.json"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22900"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22940"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23224"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:23237"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24343"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25120"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25121"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25181"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25186"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25191"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25193"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25200"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25217"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25533"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25534"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26528"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26535"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27719"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27729"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:28738"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-P2X9-FRG7-V44Q
Vulnerability from github – Published: 2023-02-14 12:30 – Updated: 2023-02-22 21:30A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-19791)
{
"affected": [],
"aliases": [
"CVE-2023-24981"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-14T11:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability has been identified in Tecnomatix Plant Simulation (All versions \u003c V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-19791)",
"id": "GHSA-p2x9-frg7-v44q",
"modified": "2023-02-22T21:30:39Z",
"published": "2023-02-14T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24981"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
- Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
- Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
No CAPEC attack patterns related to this CWE.