CWE-193
Off-by-one Error
Description
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (91)
page 4 of 5

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2703 | | Low | 0.14 | 3.3 | 0.00 | | Feb 19, 2026 | A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack… |
| CVE-2026-45232 | | Low | 0.13 | 3.1 | 0.00 | | May 20, 2026 | Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by… |
| CVE-2009-1217 | | | 0.04 | — | 0.16 | | Apr 1, 2009 | Off-by-one error in the GpFont::SetData function in gdiplus.dll in Microsoft GDI+ on Windows XP allows remote attackers to cause a denial of service (stack corruption and application termination) via a crafted EMF file that triggers an integer overflow, as demonstrated by… |
| CVE-2007-2052 | | | 0.04 | — | 0.12 | | Apr 16, 2007 | Off-by-one error in the PyLocale_strxfrm function in Modules/_localemodule.c for Python 2.4 and 2.5 causes an incorrect buffer size to be used for the strxfrm function, which allows context-dependent attackers to read portions of memory via unknown manipulations that trigger a… |
| CVE-2018-8828 | | Cri | 0.03 | 9.8 | 0.31 | | Mar 20, 2018 | A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER message with a malformed branch or From tag triggers an off-by-one heap-based buffer overflow in the tmx_check_pretran function in… |
| CVE-2010-3454 | | | 0.01 | — | 0.10 | | Jan 28, 2011 | Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a… |
| CVE-2005-1268 | | | 0.01 | — | 0.08 | | Aug 5, 2005 | Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. |
| CVE-2026-31992 | | | 0.00 | — | 0.00 | | Mar 19, 2026 | OpenClaw versions prior to 2026.2.23 contain an allowlist bypass vulnerability in system.run guardrails that allows authenticated operators to execute unintended commands. When /usr/bin/env is allowlisted, attackers can use env -S to bypass policy analysis and execute shell… |
| CVE-2026-26309 | | | 0.00 | — | 0.00 | | Mar 10, 2026 | Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, an off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds… |
| CVE-2025-53014 | | | 0.00 | — | 0.01 | | Jul 14, 2025 | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory… |
| CVE-2025-43971 | | | 0.00 | — | 0.00 | | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for softwareVersionLen. |
| CVE-2025-43973 | | | 0.00 | — | 0.00 | | Apr 21, 2025 | An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message. |
| CVE-2023-46247 | | | 0.00 | — | 0.01 | | Dec 13, 2023 | Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used… |
| CVE-2023-41880 | | | 0.00 | — | 0.01 | | Sep 15, 2023 | Wasmtime is a standalone runtime for WebAssembly. Wasmtime versions from 10.0.0 to versions 10.02, 11.0.2, and 12.0.1 contain a miscompilation of the WebAssembly `i64x2.shr_s` instruction on x86_64 platforms when the shift amount is a constant value that is larger than 32. Only… |
| CVE-2023-28709 | | — | 0.00 | — | 0.52 | | May 22, 2023 | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and… |
| CVE-2023-28858 | | — | 0.00 | — | 0.01 | | Mar 26, 2023 | redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about… |
| CVE-2023-27477 | | | 0.00 | — | 0.01 | | Mar 8, 2023 | wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some… |
| CVE-2021-4070 | | — | 0.00 | — | 0.01 | | Feb 23, 2022 | Off-by-one Error in GitHub repository v2fly/v2ray-core prior to 4.44.0. |
| CVE-2022-24988 | | — | 0.00 | — | 0.01 | | Feb 14, 2022 | In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-by-one buffer overflow for a vector. |
| CVE-2021-29529 | | | 0.00 | — | 0.00 | | May 14, 2021 | TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a heap buffer overflow in `tf.raw_ops.QuantizedResizeBilinear` by manipulating input values so that float rounding results in off-by-one error in accessing image elements. This is… |