CWE-126
Buffer Over-read
Description
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Hierarchy (View 1000)
CVEs mapped to this weakness (65)
Page 3 of 4

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-4207 | | Med | 0.38 | 5.9 | 0.01 | | May 8, 2025 | Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL… |
| CVE-2025-59609 | | Med | 0.36 | 5.5 | 0.00 | | Jun 1, 2026 | Information Disclosure when processing advertisement frames with malformed MBSSID elements of insufficient length. |
| CVE-2026-24028 | | Med | 0.34 | 5.3 | 0.01 | | Mar 31, 2026 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory,… |
| CVE-2026-11787 | | Med | 0.33 | 5.0 | 0.00 | | Jun 9, 2026 | A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior. |
| CVE-2026-45460 | | Med | 0.31 | 4.7 | 0.00 | | Jun 9, 2026 | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to disclose information locally. |
| CVE-2026-6532 | | Med | 0.29 | 5.5 | 0.00 | | Apr 30, 2026 | Kismet protocol dissector crash in Wireshark 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service |
| CVE-2026-6575 | | Med | 0.28 | 4.3 | 0.00 | | May 14, 2026 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor… |
| CVE-2026-8463 | | Med | 0.27 | 5.3 | 0.00 | | May 13, 2026 | Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. The auto-detect form of argon2_verify passes encoded_len - 1 as the length argument to memchr without checking that encoded_len is non-zero. When… |
| CVE-2026-5772 | | Med | 0.27 | 5.3 | 0.00 | | Apr 9, 2026 | A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active. If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer… |
| CVE-2025-12745 | | Med | 0.27 | 5.3 | 0.00 | | Nov 5, 2025 | A weakness has been identified in QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c. This affects the function js_array_buffer_slice of the file quickjs.c. This manipulation causes buffer over-read. The attack is restricted to local execution. The exploit has been made… |
| CVE-2024-57970 | | Med | 0.26 | 4.0 | 0.00 | | Feb 16, 2025 | libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname. |
| CVE-2026-45684 | | Med | 0.25 | 4.9 | 0.00 | | Jun 2, 2026 | OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy… |
| CVE-2026-0930 | | Med | 0.21 | 4.3 | 0.00 | | Apr 20, 2026 | Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds read after establishing a connection which would leak the adjacent stack memory to the pseudo-console output. |
| CVE-2025-66038 | | Low | 0.18 | 3.9 | 0.00 | | Mar 30, 2026 | OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, sc_compacttlv_find_tag searches a compact-TLV buffer for a given tag. In compact-TLV, a single byte encodes the tag (high nibble) and value length (low nibble). With a 1-byte buffer {0x0A}, the… |
| CVE-2026-40341 | | Low | 0.16 | 3.5 | 0.00 | | Apr 18, 2026 | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input from untrusted USB devices. Commit c385b34af260595dfbb5f9329526be5158985987… |
| CVE-2024-12975 | | Low | 0.07 | — | 0.00 | | Mar 7, 2025 | A buffer overread can occur in the CPC application when operating in full duplex SPI upon receiving an invalid packet over the SPI interface. |
| CVE-2025-11961 | | Low | 0.05 | 1.9 | 0.00 | | Dec 31, 2025 | pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an… |
| CVE-2006-7197 | | | 0.01 | — | 0.08 | | Apr 25, 2007 | The AJP connector in Apache Tomcat 5.5.15 uses an incorrect length for chunks, which can cause a buffer over-read in the ajp_process_callback in mod_jk, which allows remote attackers to read portions of sensitive memory. |
| CVE-2026-49854 | | Low | 0.00 | — | 0.00 | | Jun 12, 2026 | Tornado's optional native extension `tornado.speedups` implements `websocket_mask` without validating that the `mask` argument is exactly four bytes long. The C function reads four bytes from `mask` unconditionally, even when Python passes a shorter byte string.… |
| CVE-2026-27799 | | | 0.00 | — | 0.00 | | Feb 25, 2026 | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in the DJVU image format handler. The vulnerability occurs due to integer truncation when… |