CWE-126
Buffer Over-read
Variant · Draft
Description
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Hierarchy (View 1000)
CVEs mapped to this weakness (47)
page 2 of 3

| CVE | Sev | Risk | CVSS | EPSS | Published | Description | KEV |
|---|---|---|---|---|---|---|---|
| CVE-2024-31080 | Hig | 0.47 | 7.3 | 0.00 | Apr 4, 2024 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | |
| CVE-2026-37532 | Hig | 0.46 | 7.1 | 0.00 | May 1, 2026 | AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer. | |
| CVE-2025-47400 | Hig | 0.46 | 7.1 | 0.00 | Apr 6, 2026 | Cryptographic issue while copying data to a destination buffer without validating its size. | |
| CVE-2025-4582 | Hig | 0.46 | 7.1 | 0.00 | Sep 23, 2025 | Buffer Over-read, Off-by-one Error vulnerability in RTI Connext Professional (Core Libraries) allows File Manipulation, Overread Buffers. This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.0.0 before 7.3.0.8, from 6.1.0 before 6.1.2.26, from 6.0.0 before 6.0.1.43, from 5.3.0 before 5.3.*, from 4.4a before 5.2.*. | |
| CVE-2025-47403 | Med | 0.42 | 6.5 | 0.00 | May 4, 2026 | Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming. | |
| CVE-2025-47401 | Med | 0.42 | 6.5 | 0.00 | May 4, 2026 | Transient DOS when processing target power rate tables during channel configuration. | |
| CVE-2026-6238 | Med | 0.42 | 6.5 | 0.00 | Apr 28, 2026 | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions. | |
| CVE-2026-26155 | Med | 0.42 | 6.5 | 0.00 | Apr 14, 2026 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | |
| CVE-2026-2394 | Med | 0.42 | 6.5 | 0.00 | Apr 1, 2026 | Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. | |
| CVE-2025-32053 | Med | 0.42 | 6.5 | 0.00 | Apr 3, 2025 | A flaw was found in libsoup. A vulnerability in sniff_feed_or_html() and skip_insignificant_space() functions may lead to a heap buffer over-read. | |
| CVE-2025-32052 | Med | 0.42 | 6.5 | 0.00 | Apr 3, 2025 | A flaw was found in libsoup. A vulnerability in the sniff_unknown() function may lead to heap buffer over-read. | |
| CVE-2025-47406 | Med | 0.40 | 6.1 | 0.00 | May 4, 2026 | Information Disclosure while processing IOCTL handler callbacks without verifying buffer size. | |
| CVE-2026-26169 | Med | 0.40 | 6.1 | 0.00 | Apr 14, 2026 | Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally. | |
| CVE-2025-7745 | Med | 0.38 | 5.8 | 0.00 | Jul 24, 2025 | Buffer Over-read vulnerability in ABB AC500 V2. This issue affects AC500 V2: through 2.5.2. | |
| CVE-2025-4207 | Med | 0.38 | 5.9 | 0.00 | May 8, 2025 | Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected. | |
| CVE-2026-6532 | Med | 0.36 | 5.5 | 0.00 | Apr 30, 2026 | Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service | |
| CVE-2026-5772 | Med | 0.34 | 5.3 | 0.00 | Apr 9, 2026 | A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash. | |
| CVE-2026-24028 | Med | 0.34 | 5.3 | 0.00 | Mar 31, 2026 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure. | |
| CVE-2026-6575 | Med | 0.28 | 4.3 | 0.00 | May 14, 2026 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected. | |
| CVE-2026-8463 | Med | 0.27 | 5.3 | 0.00 | May 13, 2026 | Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When the encoded string is empty, the size_t subtraction underflows to SIZE_MAX and memchr scans adjacent heap memory looking for a '$' separator byte. A caller that invokes argon2_verify against a stored hash that may legitimately be empty (for example a placeholder row or a NULL column materialised as an empty string) reads out-of-bounds heap memory, which can crash the process or leak the position of an adjacent '$' byte into subsequent parsing. | |