CWE-170

Improper Null Termination

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

CVE-2026-34464 (GCVE-0-2026-34464)

Vulnerability from cvelistv5 – Published: 2026-05-05 19:31 – Updated: 2026-05-07 12:55
Title
Sandboxie-Plus NamedPipeServer OpenHandler stack overflow via unterminated server field
Summary
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3.
SSVC
Exploitation: none; Automatable: no; Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-170 - Improper Null Termination
Impacted products
Vendor: sandboxie-plus; Product: Sandboxie; Affected versions: < 1.17.3

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34464",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-07T03:55:42.632462Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T12:55:33.153Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Sandboxie",
          "vendor": "sandboxie-plus",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.17.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null termination. The handler only enforces a minimum packet size, and since the service pipe accepts variable-length messages, a sandboxed caller can fill the server[48] field with non-zero data and append additional controlled wide characters after the structure. wcscat then reads past the fixed field and overflows the stack buffer in the SYSTEM service. This message is restricted to sandboxed callers, making it a sandbox escape vector. This can lead to a crash of the SbieSvc service or potential code execution as SYSTEM. This issue has been fixed in version 1.17.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-121",
              "description": "CWE-121: Stack-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "CWE-170: Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T19:31:54.814Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-cf8x-f33g-vwfg"
        }
      ],
      "source": {
        "advisory": "GHSA-cf8x-f33g-vwfg",
        "discovery": "UNKNOWN"
      },
      "title": "Sandboxie-Plus NamedPipeServer OpenHandler stack overflow via unterminated server field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-34464",
    "datePublished": "2026-05-05T19:31:54.814Z",
    "dateReserved": "2026-03-27T18:18:14.896Z",
    "dateUpdated": "2026-05-07T12:55:33.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-40334 (GCVE-0-2026-40334)

Vulnerability from cvelistv5 – Published: 2026-04-17 23:16 – Updated: 2026-04-20 13:36
Title
libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c
Summary
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
SSVC
Exploitation: none; Automatable: no; Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-170 - Improper Null Termination
Impacted products
Vendor: gphoto; Product: libgphoto2; Affected versions: <= 2.5.33

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40334",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-20T13:27:56.209528Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-20T13:36:05.703Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "libgphoto2",
          "vendor": "gphoto",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.5.33"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "PHYSICAL",
            "availabilityImpact": "LOW",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "CWE-170: Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-17T23:16:38.751Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-ph87-cc3j-c6hm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-ph87-cc3j-c6hm"
        },
        {
          "name": "https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873"
        }
      ],
      "source": {
        "advisory": "GHSA-ph87-cc3j-c6hm",
        "discovery": "UNKNOWN"
      },
      "title": "libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40334",
    "datePublished": "2026-04-17T23:16:38.751Z",
    "dateReserved": "2026-04-10T22:50:01.357Z",
    "dateUpdated": "2026-04-20T13:36:05.703Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5067 (GCVE-0-2026-5067)

Vulnerability from cvelistv5 – Published: 2026-06-09 06:01 – Updated: 2026-06-09 06:01
Title
Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key
Summary
A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
Impacted products
Vendor: zephyrproject-rtos; Product: Zephyr; Affected versions: 3.7.0, ≤ 4.3.0 (git)

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "Zephyr",
          "product": "Zephyr",
          "repo": "https://github.com/zephyrproject-rtos/zephyr",
          "vendor": "zephyrproject-rtos",
          "versions": [
            {
              "lessThanOrEqual": "4.3.0",
              "status": "affected",
              "version": "3.7.0",
              "versionType": "git"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key"
            }
          ],
          "value": "A remote, unauthenticated attacker can trigger memory corruption in Zephyr\u0027s HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T06:01:02.559Z",
        "orgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
        "shortName": "zephyr"
      },
      "references": [
        {
          "url": "https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-wgr4-9pwq-94vj"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key",
      "x_generator": {
        "engine": "swg-tools/create-cve-info"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e2e69745-5e70-4e92-8431-deb5529a81ad",
    "assignerShortName": "zephyr",
    "cveId": "CVE-2026-5067",
    "datePublished": "2026-06-09T06:01:02.559Z",
    "dateReserved": "2026-03-27T22:30:27.757Z",
    "dateUpdated": "2026-06-09T06:01:02.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8721 (GCVE-0-2026-8721)

Vulnerability from cvelistv5 – Published: 2026-05-17 18:51 – Updated: 2026-05-18 12:56
Title
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs
Summary
Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally) calls strlen() on the buffer. Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings.
SSVC
Exploitation: none; Automatable: yes; Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-170 - Improper Null Termination
Impacted products
Vendor: JONASBN; Product: Crypt::OpenSSL::PKCS12; Affected versions: 0, ≤ 1.94 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-17T21:18:34.820Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/17/6"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8721",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-18T12:56:25.907387Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-18T12:56:41.486Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Crypt-OpenSSL-PKCS12",
          "product": "Crypt::OpenSSL::PKCS12",
          "programFiles": [
            "PKCS12.xs"
          ],
          "programRoutines": [
            {
              "name": "Crypt::OpenSSL::PKCS12::mac_ok"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::changepass"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::create"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::create_as_string"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::certificate"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::ca_certificate"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::private_key"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::info_as_hash"
            },
            {
              "name": "Crypt::OpenSSL::PKCS12::info"
            }
          ],
          "repo": "https://github.com/dsully/perl-crypt-openssl-pkcs12",
          "vendor": "JONASBN",
          "versions": [
            {
              "lessThanOrEqual": "1.94",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs.\n\nPassword parameters in PKCS12.xs are declared char *, which routes through Perl\u0027s default typemap to SvPV_nolen.  The Perl length is discarded.\n\nThe C code (or OpenSSL internally) calls strlen() on the buffer.  Any password byte at or after the first NULL is silently dropped. Binary / KDF-derived / HMAC-derived passwords lose entropy without any warnings."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "CWE-170 Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-17T18:51:41.420Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/JONASBN/Crypt-OpenSSL-PKCS12-1.95/view/Changes.md"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to 1.95 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-13T00:00:00.000Z",
          "value": "CPANSec identified issue"
        },
        {
          "lang": "en",
          "time": "2026-05-13T00:00:00.000Z",
          "value": "Author was notified"
        },
        {
          "lang": "en",
          "time": "2026-05-17T00:00:00.000Z",
          "value": "Maintainer released patch version"
        }
      ],
      "title": "Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-8721",
    "datePublished": "2026-05-17T18:51:41.420Z",
    "dateReserved": "2026-05-16T01:07:36.063Z",
    "dateUpdated": "2026-05-18T12:56:41.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}





Mitigation

Phase: Requirements

Description:

  • Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible.

Mitigation

Phase: Implementation

Description:

  • Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.

Mitigation

Phase: Implementation

Description:

  • If performance constraints permit, special code can be added that validates null-termination of string buffers; however, this is a rather naive and error-prone solution.

Mitigation

Phase: Implementation

Description:

  • Switch to bounded string manipulation functions. Inspect buffer lengths involved in the buffer overrun trace reported with the defect.

Mitigation

Phase: Implementation

Description:

  • Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non-null-terminated string is not written at the physical end of the buffer).

No CAPEC attack patterns related to this CWE.
