VYPR

CWE-1285

Improper Validation of Specified Index, Position, or Offset in Input

BaseIncomplete

Description

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

Hierarchy (View 1000)

Parents

CVEs mapped to this weakness (13)

  • CVE-2025-3755CriMay 29, 2025
    risk 0.59cvss 9.1epss 0.01

    Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to read information in the product, to cause a Denial-of-Service (DoS) condition in…

  • CVE-2024-36342HigSep 6, 2025
    risk 0.57cvss 8.8epss 0.00

    Improper input validation in the GPU driver could allow an attacker to exploit a heap overflow potentially resulting in arbitrary code execution.

  • CVE-2024-41928HigSep 5, 2024
    risk 0.55cvss 8.4epss 0.00

    Malicious software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available…

  • CVE-2026-33557CriApr 20, 2026
    risk 0.52cvss 9.1epss 0.01

    A possible security vulnerability has been identified in Apache Kafka. By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator`. It accepts any JWT token without validating…

  • CVE-2024-51564HigNov 12, 2024
    risk 0.49cvss 7.5epss 0.00

    A guest can trigger an infinite loop in the hda audio driver.

  • CVE-2026-8036HigJun 2, 2026
    risk 0.46cvss 7.1epss 0.00

    Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation. This vulnerability affects NI-PAL 26.3.0 and prior versions on Windows and Linux.

  • CVE-2026-41907HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is…

  • CVE-2024-51566MedNov 12, 2024
    risk 0.42cvss 6.5epss 0.00

    The NVMe driver queue processing is vulernable to guest-induced infinite loops.

  • CVE-2026-9100MedMay 20, 2026
    risk 0.38cvss 5.9epss 0.00

    The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or…

  • CVE-2018-25232MedMar 30, 2026
    risk 0.36cvss 5.5epss 0.00

    Softros LAN Messenger 9.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the custom log files location field. Attackers can input a buffer of 2000 characters in the Log Files Location…

  • CVE-2019-25593MedMar 22, 2026
    risk 0.36cvss 5.5epss 0.00

    jetCast Server 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Log directory configuration field. Attackers can paste a buffer of 5000 characters into the Log directory input, then…

  • CVE-2025-8291MedOct 7, 2025
    risk 0.28cvss 4.3epss 0.00

    The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could…

  • CVE-2026-45352MedMay 29, 2026
    risk 0.27cvss 5.3epss 0.00

    cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.43.4, negative chunk-size in chunked Transfer-Encoding causes unbounded memory allocation and process crash. The ChunkedDecoder::read_payload function in cpp-httplib (httplib.h) parses…