VYPR

CWE-158

Improper Neutralization of Null Byte or NUL Character

VariantIncomplete

Description

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-52 · CAPEC-53

CVEs mapped to this weakness (12)

  • CVE-2009-1537HigKEVMay 29, 2009
    risk 0.73cvss 8.8epss 0.51

    Unspecified vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 allows remote attackers to execute arbitrary code via a crafted QuickTime…

  • CVE-2025-14388CriDec 23, 2025
    risk 0.57cvss 9.8epss 0.00

    The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded…

  • CVE-2025-9648HigSep 29, 2025
    risk 0.57cvss epss 0.01

    A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request containing a null byte in the payload, the server enters an infinite loop during…

  • CVE-2025-1936HigMar 4, 2025
    risk 0.47cvss 7.3epss 0.00

    jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in…

  • CVE-2026-23863MedMay 1, 2026
    risk 0.42cvss 6.5epss 0.01

    An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not…

  • CVE-2026-41256MedMay 11, 2026
    risk 0.29cvss 5.5epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only…

  • CVE-2025-61985LowOct 6, 2025
    risk 0.23cvss 3.6epss 0.00

    ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

  • CVE-2026-43895MedMay 11, 2026
    risk 0.22cvss 4.4epss 0.00

    jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import…

  • CVE-2026-43861LowMay 4, 2026
    risk 0.17cvss 3.7epss 0.00

    mutt before 2.3.2 does not check for '\0' in url_pct_decode.

  • CVE-2026-43859LowMay 4, 2026
    risk 0.17cvss 3.7epss 0.00

    mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.

  • CVE-2026-4359LowMar 17, 2026
    risk 0.06cvss 2.0epss 0.00

    A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.

  • CVE-2026-33191Mar 20, 2026
    risk 0.00cvss epss 0.00

    Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker can inject null bytes (URL-encoded as %00) into the supi path parameter of the…