CWE-158
Improper Neutralization of Null Byte or NUL Character
Description
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
Hierarchy (View 1000)
Parents
Children
none
Related attack patterns (CAPEC)
CAPEC-52 · CAPEC-53
CVEs mapped to this weakness (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-1537 | Hig | 0.73 | 8.8 | 0.51 | KEV | May 29, 2009 | Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime… | |
| CVE-2025-14388 | Cri | 0.57 | 9.8 | 0.00 | Dec 23, 2025 | The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded… | ||
| CVE-2025-9648 | Hig | 0.57 | — | 0.01 | Sep 29, 2025 | A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during… | ||
| CVE-2025-1936 | Hig | 0.47 | 7.3 | 0.00 | Mar 4, 2025 | jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in… | ||
| CVE-2026-23863 | Med | 0.42 | 6.5 | 0.01 | May 1, 2026 | An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not… | ||
| CVE-2026-41256 | Med | 0.29 | 5.5 | 0.00 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only… | ||
| CVE-2025-61985 | Low | 0.23 | 3.6 | 0.00 | Oct 6, 2025 | ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used. | ||
| CVE-2026-43895 | Med | 0.22 | 4.4 | 0.00 | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import… | ||
| CVE-2026-43861 | Low | 0.17 | 3.7 | 0.00 | May 4, 2026 | mutt before 2.3.2 does not check for '\0' in url_pct_decode. | ||
| CVE-2026-43859 | Low | 0.17 | 3.7 | 0.00 | May 4, 2026 | mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest. | ||
| CVE-2026-4359 | Low | 0.06 | 2.0 | 0.00 | Mar 17, 2026 | A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver. | ||
| CVE-2026-33191 | 0.00 | — | 0.00 | Mar 20, 2026 | Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the… |
- risk 0.73cvss 8.8epss 0.51
Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime…
- risk 0.57cvss 9.8epss 0.00
The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded…
- risk 0.57cvss —epss 0.01
A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during…
- risk 0.47cvss 7.3epss 0.00
jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in…
- risk 0.42cvss 6.5epss 0.01
An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not…
- risk 0.29cvss 5.5epss 0.00
jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only…
- risk 0.23cvss 3.6epss 0.00
ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
- risk 0.22cvss 4.4epss 0.00
jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import…
- risk 0.17cvss 3.7epss 0.00
mutt before 2.3.2 does not check for '\0' in url_pct_decode.
- risk 0.17cvss 3.7epss 0.00
mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
- risk 0.06cvss 2.0epss 0.00
A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.
- CVE-2026-33191Mar 20, 2026risk 0.00cvss —epss 0.00
Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the…