CWE-126
Buffer Over-read
VariantDraft
Description
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Hierarchy (View 1000)
CVEs mapped to this weakness (42)
page 1 of 3| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-41898 | Cri | 0.57 | 9.8 | 0.00 | Apr 24, 2026 | rust-openssl provides OpenSSL bindings for the Rust programming language. From 0.9.24 to before 0.10.78, the FFI trampolines behind SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb forwarded the user closure's returned usize directly to OpenSSL without checking it against the &mut [u8] that was handed to the closure. This can lead to buffer overflows and other unintended consequences. This vulnerability is fixed in 0.10.78. | |
| CVE-2025-36855 | Hig | 0.57 | 8.8 | 0.00 | Sep 8, 2025 | A vulnerability ( CVE-2025-21176 https://www.cve.org/CVERecord ) exists in DiaSymReader.dll due to buffer over-read. Per CWE-126: Buffer Over-read https://cwe.mitre.org/data/definitions/126.html , Buffer Over-read is when a product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.11 & <= 9.0.0 as represented in CVE-2025-21176. Additionally, if you've deployed self-contained applications https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry. | |
| CVE-2026-26184 | Hig | 0.51 | 7.8 | 0.00 | Apr 14, 2026 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. | |
| CVE-2026-21378 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | |
| CVE-2026-21376 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. | |
| CVE-2026-21375 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | |
| CVE-2026-21374 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. | |
| CVE-2026-21373 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. | |
| CVE-2026-21371 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory Corruption when retrieving output buffer with insufficient size validation. | |
| CVE-2025-47390 | Hig | 0.51 | 7.8 | 0.00 | Apr 6, 2026 | Memory corruption while preprocessing IOCTL request in JPEG driver. | |
| CVE-2026-34059 | Hig | 0.49 | 7.5 | 0.00 | May 4, 2026 | Buffer Over-read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue. | |
| CVE-2026-21381 | Hig | 0.49 | 7.6 | 0.00 | Apr 6, 2026 | Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. | |
| CVE-2026-21367 | Hig | 0.49 | 7.6 | 0.00 | Apr 6, 2026 | Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. | |
| CVE-2024-12011 | Hig | 0.49 | 7.6 | 0.00 | Feb 13, 2025 | A CWE-126 “Buffer Over-read” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. The information disclosure can be triggered by leveraging a memory leak affecting the web server. A remote unauthenticated attacker can exploit this vulnerability in order to leak valid authentication tokens from the process memory associated to users currently logged to the system and bypass the authentication mechanism. | |
| CVE-2026-4371 | Hig | 0.48 | 7.4 | 0.00 | Mar 24, 2026 | A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking sensitive data. This vulnerability was fixed in Thunderbird 149 and Thunderbird 140.9. | |
| CVE-2024-31082 | Hig | 0.47 | 7.3 | 0.00 | Apr 4, 2024 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | |
| CVE-2024-31081 | Hig | 0.47 | 7.3 | 0.00 | Apr 4, 2024 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | |
| CVE-2024-31080 | Hig | 0.47 | 7.3 | 0.00 | Apr 4, 2024 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | |
| CVE-2026-37532 | Hig | 0.46 | 7.1 | 0.00 | May 1, 2026 | AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer. | |
| CVE-2025-47400 | Hig | 0.46 | 7.1 | 0.00 | Apr 6, 2026 | Cryptographic issue while copying data to a destination buffer without validating its size. |