VYPR

CWE-170

Improper Null Termination

BaseIncompleteLikelihood: Medium

Description

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

Null termination errors frequently occur in two different ways. An off-by-one error could cause a null to be written out of bounds, leading to an overflow. Or, a program could use a strncpy() function call incorrectly, which prevents a null terminator from being added at all. Other scenarios are possible.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (16)

  • CVE-2026-8721CriMay 17, 2026
    risk 0.64cvss 9.8epss 0.00

    Crypt::OpenSSL::PKCS12 versions through 1.94 for Perl truncates passwords with embedded NULLs. Password parameters in PKCS12.xs are declared char *, which routes through Perl's default typemap to SvPV_nolen. The Perl length is discarded. The C code (or OpenSSL internally)…

  • CVE-2026-5067CriJun 9, 2026
    risk 0.57cvss 9.8epss 0.01

    A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL…

  • CVE-2024-45288HigSep 5, 2024
    risk 0.55cvss 8.4epss 0.00

    A missing null-termination character in the last element of an nvlist array string can lead to writing outside the allocated buffer.

  • CVE-2024-31484HigMay 14, 2024
    risk 0.51cvss 7.8epss 0.00

    A vulnerability has been identified in CPC80 Central Processing/Communication (All versions < V16.41), CPCI85 Central Processing/Communication (All versions < V5.30), CPCX26 Central Processing/Communication (All versions < V06.02), ETA4 Ethernet Interface IEC60870-5-104 (All…

  • CVE-2026-34464HigMay 5, 2026
    risk 0.50cvss 8.8epss 0.00

    Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, NamedPipeServer::OpenHandler copies the server field from NAMED_PIPE_OPEN_REQ into a fixed WCHAR pipename[160] stack buffer using wcscat without verifying null…

  • CVE-2025-2026HigDec 31, 2025
    risk 0.46cvss epss 0.00

    The NPort 6100-G2/6200-G2 Series is affected by a high-severity vulnerability (CVE-2025-2026) that allows remote attackers to execute a null byte injection through the device’s web API. This may lead to an unexpected device reboot and result in a denial-of-service (DoS)…

  • CVE-2026-34462HigMay 5, 2026
    risk 0.44cvss 7.8epss 0.00

    Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, several ProcessServer handlers (KillAllHandler, SuspendAllHandler, and RunSandboxedHandler) copy a WCHAR boxname[34] field from request structures into WCHAR[40] stack…

  • CVE-2026-42010HigMay 7, 2026
    risk 0.39cvss 7.1epss 0.01

    A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to…

  • CVE-2026-34032MedMay 4, 2026
    risk 0.27cvss 5.3epss 0.00

    Improper Null Termination, Out-of-bounds Read vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue.

  • CVE-2026-33948MedApr 14, 2026
    risk 0.27cvss 5.3epss 0.00

    jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length…

  • CVE-2026-32837MedMar 17, 2026
    risk 0.19cvss 4.0epss 0.00

    miniaudio version 0.11.25 and earlier (fixed in commits 1df46ae and 1df46ae) contain a heap out-of-bounds read vulnerability in the WAV BEXT metadata parser that allows attackers to trigger memory access violations by processing crafted WAV files. Attackers can exploit improper…

  • CVE-2026-23749LowFeb 26, 2026
    risk 0.19cvss 2.9epss 0.00

    Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies…

  • CVE-2026-2239LowMar 26, 2026
    risk 0.18cvss 2.8epss 0.00

    A flaw was found in GIMP. Heap-buffer-overflow vulnerability exists in the fread_pascal_string function when processing a specially crafted PSD (Photoshop Document) file. This occurs because the buffer allocated for a Pascal string is not properly null-terminated, leading to an…

  • CVE-2026-40334LowApr 18, 2026
    risk 0.16cvss 3.5epss 0.00

    libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly…

  • CVE-2025-66220Dec 3, 2025
    risk 0.00cvss epss 0.00

    Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as…

  • CVE-2025-61912Oct 10, 2025
    risk 0.00cvss epss 0.00

    python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that…