CWE-158
Improper Neutralization of Null Byte or NUL Character
VariantIncomplete
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-52 · CAPEC-53
CVEs mapped to this weakness (10)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-14388 | Cri | 0.64 | 9.8 | 0.00 | Dec 23, 2025 | The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path. | |
| CVE-2025-9648 | Hig | 0.57 | — | 0.01 | Sep 29, 2025 | A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during form data parsing. Multiple malicious requests will result in complete CPU exhaustion and render the service unresponsive to further requests. This issue was fixed in commit 782e189. This issue affects only the library, standalone executable pre-built by vendor is not affected. | |
| CVE-2025-1936 | Hig | 0.47 | 7.3 | 0.00 | Mar 4, 2025 | jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability was fixed in Firefox 136, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8. | |
| CVE-2026-23863 | Med | 0.42 | 6.5 | 0.00 | May 1, 2026 | An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild. | |
| CVE-2026-41256 | Med | 0.36 | 5.5 | 0.00 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before the NUL. This leaves jq with a post-CVE-2026-33948 prefix/full-buffer mismatch on the compilation path even though the JSON parser path has already been fixed. | |
| CVE-2026-43895 | Med | 0.29 | 4.4 | 0.00 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy or audit code may validate and the on-disk path that jq actually opens. | |
| CVE-2026-43861 | Low | 0.24 | 3.7 | 0.00 | May 4, 2026 | mutt before 2.3.2 does not check for '\0' in url_pct_decode. | |
| CVE-2026-43859 | Low | 0.24 | 3.7 | 0.00 | May 4, 2026 | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | |
| CVE-2025-61985 | Low | 0.23 | 3.6 | 0.00 | Oct 6, 2025 | ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. | |
| CVE-2026-4359 | Low | 0.13 | 2.0 | 0.00 | Mar 17, 2026 | A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver. |