VYPR

CWE-193

Off-by-one Error

BaseDraft

Description

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (91)

page 2 of 5
  • CVE-2002-1745HigDec 31, 2002
    risk 0.50cvss 7.5epss 0.18

    Off-by-one error in the CodeBrws.asp sample script in Microsoft IIS 5.0 allows remote attackers to view the source code for files with extensions containing with one additional character after .html, .htm, .asp, or .inc, such as .aspx files.

  • CVE-2026-49127HigMay 28, 2026
    risk 0.49cvss 8.6epss 0.01

    Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin.…

  • CVE-2018-9860HigApr 12, 2018
    risk 0.49cvss 7.5epss 0.01

    An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC…

  • CVE-2018-7329HigFeb 23, 2018
    risk 0.49cvss 7.5epss 0.02

    In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, epan/dissectors/packet-s7comm.c had an infinite loop that was addressed by correcting off-by-one errors.

  • CVE-2017-14502HigSep 17, 2017
    risk 0.49cvss 7.5epss 0.03

    read_header in archive_read_support_format_rar.c in libarchive 3.3.2 suffers from an off-by-one error for UTF-16 names in RAR archives, leading to an out-of-bounds read in archive_read_format_rar_read_header.

  • CVE-2006-4574HigOct 28, 2006
    risk 0.49cvss 7.5epss 0.04

    Off-by-one error in the MIME Multipart dissector in Wireshark (formerly Ethereal) 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values.

  • CVE-2002-1721HigDec 31, 2002
    risk 0.49cvss 7.5epss 0.02

    Off-by-one error in alterMIME 0.1.10 and 0.1.11 allows remote attackers to cause a denial of service (crash) via an x-header that causes snprintf overwrite the FFGET_FILE variable with a (null) byte.

  • CVE-1999-1568HigJan 1, 1999
    risk 0.49cvss 7.5epss 0.02

    Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command.

  • CVE-2025-4582HigSep 23, 2025
    risk 0.46cvss 7.1epss 0.00

    Buffer Over-read, Off-by-one Error vulnerability in RTI Connext Professional (Core Libraries) allows File Manipulation, Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.6.0, from 7.0.0 before 7.3.0.8, from 6.1.0 before 6.1.2.26, from 6.0.0 before…

  • CVE-2026-41502HigApr 24, 2026
    risk 0.42cvss 7.5epss 0.00

    BACnet Stack is a BACnet open source protocol stack C library for embedded systems. Prior to 1.4.3, an off-by-one out-of-bounds read vulnerability in bacnet-stack's ReadPropertyMultiple service decoder allows unauthenticated remote attackers to read one byte past an allocated…

  • CVE-2026-32605HigApr 13, 2026
    risk 0.42cvss 7.5epss 0.00

    nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer ==…

  • CVE-2015-8701MedDec 29, 2016
    risk 0.42cvss 6.5epss 0.00

    QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A…

  • CVE-2026-6861MedApr 22, 2026
    risk 0.40cvss 6.1epss 0.00

    A flaw was found in GNU Emacs. This vulnerability, a memory corruption issue, occurs when Emacs processes specially crafted SVG (Scalable Vector Graphics) CSS (Cascading Style Sheets) data. A local user could exploit this by convincing a victim to open a malicious SVG file,…

  • CVE-2026-4887MedMar 26, 2026
    risk 0.40cvss 6.1epss 0.01

    A flaw was found in GIMP. This issue is a heap buffer over-read in GIMP PCX file loader due to an off-by-one error. A remote attacker could exploit this by convincing a user to open a specially crafted PCX image. Successful exploitation could lead to out-of-bounds memory…

  • CVE-2026-34085MedMar 25, 2026
    risk 0.38cvss 5.9epss 0.00

    fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.

  • CVE-2026-33997MedMar 31, 2026
    risk 0.37cvss 6.8epss 0.00

    Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may…

  • CVE-2025-71161MedJan 23, 2026
    risk 0.36cvss 5.5epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For…

  • CVE-2024-1441MedMar 11, 2024
    risk 0.36cvss 5.5epss 0.00

    An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. This issue can be reproduced by sending specially crafted data to the libvirt daemon, allowing an unprivileged client…

  • CVE-2018-14679MedJul 28, 2018
    risk 0.36cvss 6.5epss 0.03

    An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk number validity checks, which could lead to denial of service (uninitialized data dereference and application crash).

  • CVE-2004-0342MedNov 23, 2004
    risk 0.36cvss 5.5epss 0.00

    WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly…