CWE-129
AllowedImproper Validation of Array Index
Abstraction: Variant · Status: Draft
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
746 vulnerabilities reference this CWE, most recent first.
GHSA-7VHM-FMPH-7WXW
Vulnerability from github – Published: 2024-07-10 06:33 – Updated: 2024-07-10 20:43All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "audify"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-21522"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-10T20:43:22Z",
"nvd_published_at": "2024-07-10T05:15:10Z",
"severity": "HIGH"
},
"details": "All versions of the package audify are vulnerable to Improper Validation of Array Index when frameSize is provided to the new OpusDecoder().decode or new OpusDecoder().decodeFloat functions it is not checked for negative values. This can lead to a process crash.",
"id": "GHSA-7vhm-fmph-7wxw",
"modified": "2024-07-10T20:43:22Z",
"published": "2024-07-10T06:33:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21522"
},
{
"type": "WEB",
"url": "https://gist.github.com/dellalibera/6bb866ae5d1cc2adaabe27bbd6d2d21e"
},
{
"type": "PACKAGE",
"url": "https://github.com/almoghamdani/audify"
},
{
"type": "WEB",
"url": "https://github.com/almoghamdani/audify/blob/94b2fe79dc528fda2c7d59c7a0fd0e9de07dc3dc/src/opus_decoder.cpp#L53"
},
{
"type": "WEB",
"url": "https://github.com/almoghamdani/audify/blob/94b2fe79dc528fda2c7d59c7a0fd0e9de07dc3dc/src/opus_decoder.cpp%23L79"
},
{
"type": "WEB",
"url": "https://security.snyk.io/vuln/SNYK-JS-AUDIFY-6370700"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "audify vulnerable to Improper Validation of Array Index"
}
GHSA-7W8V-GC2J-M9C7
Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
jfs: array-index-out-of-bounds fix in dtReadFirst
The value of stbl can be sometimes out of bounds due to a bad filesystem. Added a check with appopriate return of error code in that case.
{
"affected": [],
"aliases": [
"CVE-2024-56598"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-27T15:15:19Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: array-index-out-of-bounds fix in dtReadFirst\n\nThe value of stbl can be sometimes out of bounds due\nto a bad filesystem. Added a check with appopriate return\nof error code in that case.",
"id": "GHSA-7w8v-gc2j-m9c7",
"modified": "2025-11-03T21:31:54Z",
"published": "2024-12-27T15:31:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56598"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/22dcbf7661c6ffc3247978c254dc40b833a0d429"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/25f1e673ef61d6bf9a6022e27936785896d74948"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2eea5fda5556ef03defebf07b0a12fcd2c5210f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/823d573f5450ca6be80b36f54d1902ac7cd23fb9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c97a4d5463a1c972ef576ac499ea9b05f956097"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca84a2c9be482836b86d780244f0357e5a778c46"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fd993b2180b4c373af8b99aa28d4dcda5c2a8f10"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7W9G-XVFR-Q799
Vulnerability from github – Published: 2026-01-14 15:33 – Updated: 2026-03-25 18:31In the Linux kernel, the following vulnerability has been resolved:
clk: samsung: exynos-clkout: Assign .num before accessing .hws
Commit f316cdff8d67 ("clk: Annotate struct clk_hw_onecell_data with __counted_by") annotated the hws member of 'struct clk_hw_onecell_data' with __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS) about the number of elements in .hws[], so that it can warn when .hws[] is accessed out of bounds. As noted in that change, the __counted_by member must be initialized with the number of elements before the first array access happens, otherwise there will be a warning from each access prior to the initialization because the number of elements is zero. This occurs in exynos_clkout_probe() due to .num being assigned after .hws[] has been accessed:
UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18 index 0 is out of range for type 'clk_hw []'
Move the .num initialization to before the first access of .hws[], clearing up the warning.
{
"affected": [],
"aliases": [
"CVE-2025-71143"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-14T15:16:04Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: exynos-clkout: Assign .num before accessing .hws\n\nCommit f316cdff8d67 (\"clk: Annotate struct clk_hw_onecell_data with\n__counted_by\") annotated the hws member of \u0027struct clk_hw_onecell_data\u0027\nwith __counted_by, which informs the bounds sanitizer (UBSAN_BOUNDS)\nabout the number of elements in .hws[], so that it can warn when .hws[]\nis accessed out of bounds. As noted in that change, the __counted_by\nmember must be initialized with the number of elements before the first\narray access happens, otherwise there will be a warning from each access\nprior to the initialization because the number of elements is zero. This\noccurs in exynos_clkout_probe() due to .num being assigned after .hws[]\nhas been accessed:\n\n UBSAN: array-index-out-of-bounds in drivers/clk/samsung/clk-exynos-clkout.c:178:18\n index 0 is out of range for type \u0027clk_hw *[*]\u0027\n\nMove the .num initialization to before the first access of .hws[],\nclearing up the warning.",
"id": "GHSA-7w9g-xvfr-q799",
"modified": "2026-03-25T18:31:35Z",
"published": "2026-01-14T15:33:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71143"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a317f63255ebc3dac378c79c5bff4f8d0561c290"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf33f0b7df13685234ccea7be7bfe316b60db4db"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb1f3a6ab3efee2b52361879cdc2dc6b11f499c0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fbf57f5e453dadadb3d29b2d1dbe067e3dc4e236"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7WX4-4999-CGFJ
Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2025-03-06 15:34In the Linux kernel, the following vulnerability has been resolved:
jfs: fix array-index-out-of-bounds in diAlloc
Currently there is not check against the agno of the iag while allocating new inodes to avoid fragmentation problem. Added the check which is required.
{
"affected": [],
"aliases": [
"CVE-2023-52805"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T16:15:18Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: fix array-index-out-of-bounds in diAlloc\n\nCurrently there is not check against the agno of the iag while\nallocating new inodes to avoid fragmentation problem. Added the check\nwhich is required.",
"id": "GHSA-7wx4-4999-cgfj",
"modified": "2025-03-06T15:34:35Z",
"published": "2024-05-21T18:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52805"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/05d9ea1ceb62a55af6727a69269a4fd310edf483"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1708d0a9917fea579cc9da3d87b154285abd2cd8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1ba7df5457dc1c1071c5f92ac11323533a6430e1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2308d0fb0dc32446b4e6ca37cd09c30374bb64e9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/64f062baf202b82f54987a3f614a6c8f3e466641"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/665b44e55c2767a4f899c3b18f49e9e1c9983777"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7467ca10a5ff09b0e87edf6c4d2a4bfdee69cf2c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c68af2af697ba2ba3b138be0c6d72e2ce3a3d6d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cf7e3e84df36a9953796c737f080712f631d7083"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7XM8-224W-5Q6J
Vulnerability from github – Published: 2022-05-17 02:42 – Updated: 2022-05-17 02:42In TrustZone in all Android releases from CAF using the Linux kernel, an Improper Validation of Array Index vulnerability could potentially exist.
{
"affected": [],
"aliases": [
"CVE-2014-9948"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-06T14:29:00Z",
"severity": "HIGH"
},
"details": "In TrustZone in all Android releases from CAF using the Linux kernel, an Improper Validation of Array Index vulnerability could potentially exist.",
"id": "GHSA-7xm8-224w-5q6j",
"modified": "2022-05-17T02:42:20Z",
"published": "2022-05-17T02:42:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9948"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-05-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/98249"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7XPR-HC2W-34M9
Vulnerability from github – Published: 2026-05-19 19:54 – Updated: 2026-05-19 19:54CVE-2026-45799
Maintainer summary
Wire's protobuf group-skipping logic did not reject negative lengths before skipping a
length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an
unchecked runtime exception during decoding instead of the documented IOException /
ProtocolException failure path.
This can crash services that decode untrusted protobuf payloads and only handle Wire's documented checked decoding failures.
Affected artifacts
com.squareup.wire:wire-runtime
Affected versions: vulnerable releases before 6.3.0.
Patched versions: 6.3.0 and later.
Users should upgrade to com.squareup.wire:wire-runtime:6.3.0 or later.
com.squareup.wire:wire-runtime-jvm
Affected versions: vulnerable legacy releases, including 5.3.1 and 5.3.3.
Patched versions: none.
com.squareup.wire:wire-runtime-jvm is a discontinued legacy artifact and will not receive a
patched release. Users should migrate to com.squareup.wire:wire-runtime:6.3.0 or later.
Wire 7 alpha releases
The fix has been merged to master and will be included in the next Wire 7 alpha release. Until
that release is available, Wire 7 alpha users should avoid decoding untrusted protobuf payloads with
affected alpha versions or build from a commit containing the fix.
Fix
The issue is fixed in Wire 6.3.0.
The fix rejects negative lengths while skipping groups and throws ProtocolException instead of
allowing the reader to move to an invalid position and later throw an unchecked runtime exception.
Credit
Reported by @TrekLaps.
Technical details
The following technical details are based on the original report, updated by the maintainers to
reflect the assigned CVE, the supported fixed artifact, and the discontinued status of
com.squareup.wire:wire-runtime-jvm.
ByteArrayProtoReader32.skipGroup() in wire-runtime did not validate that a
LENGTH_DELIMITED field's length is non-negative before calling skip(). A crafted protobuf
varint encodes -128 as a signed Int. When skip(-128) runs, the internal position counter
underflows to an invalid negative position. The next readByte() accesses the source with that
negative position, throwing ArrayIndexOutOfBoundsException, a RuntimeException that escapes
Wire's documented IOException boundary and can crash the request handler.
ProtoAdapter.decode(byte[]) is declared to throw IOException. Callers following the documented
API may catch only IOException, so unchecked runtime exceptions from malformed input can escape
the expected error boundary.
The originally confirmed vulnerable legacy versions include 5.3.1 and 5.3.3 for the
discontinued com.squareup.wire:wire-runtime-jvm coordinate. The supported replacement coordinate
is com.squareup.wire:wire-runtime, fixed in version 6.3.0.
Root cause
In the originally reported vulnerable code path, ByteArrayProtoReader32.skipGroup() read the
length as a signed Int and used it without validating that it was non-negative:
STATE_LENGTH_DELIMITED -> {
val length = internalReadVarint32() // returns signed Int and can be negative
skip(length) // no negative check
}
The internal skip() implementation then accepted the negative count because the computed
position was not greater than the limit:
private fun skip(byteCount: Int) {
val newPos = pos + byteCount // for example, 7 + (-128) = -121
if (newPos > limit) throw EOFException()
pos = newPos // pos = -121
}
The next read could then index the source with the invalid negative position:
private fun readByte(): Byte {
if (pos == limit) throw EOFException()
return source[pos++] // source[-121] throws ArrayIndexOutOfBoundsException
}
Wire already rejected negative lengths in normal length-delimited field decoding. The same validation was missing from group-skipping code.
The fix adds this validation when skipping groups:
STATE_LENGTH_DELIMITED -> {
val length = internalReadVarint32()
if (length < 0) throw ProtocolException("Negative length: $length...")
skip(length)
}
The fix was applied to both ByteArrayProtoReader32.skipGroup() and ProtoReader.skipGroup().
Reproduction
The following reproduction was provided for vulnerable legacy wire-runtime-jvm releases such as
5.3.1 and 5.3.3:
curl -sL https://repo1.maven.org/maven2/com/squareup/wire/wire-runtime-jvm/5.3.3/wire-runtime-jvm-5.3.3.jar -o wire.jar
curl -sL https://repo1.maven.org/maven2/com/squareup/okio/okio-jvm/3.9.1/okio-jvm-3.9.1.jar -o okio.jar
curl -sL https://repo1.maven.org/maven2/org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar -o stdlib.jar
// WirePoc.java
import com.squareup.wire.AnyMessage;
public class WirePoc {
public static void main(String[] args) throws Exception {
byte[] payload = new byte[] {
(byte) 0x9B, 0x06, // field 99, START_GROUP
0x0A, // field 1, LENGTH_DELIMITED
(byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F, // varint = -128
(byte) 0x9C, 0x06 // field 99, END_GROUP
};
AnyMessage.ADAPTER.decode(payload);
}
}
javac -cp "wire.jar:okio.jar:stdlib.jar" WirePoc.java
java -cp ".:wire.jar:okio.jar:stdlib.jar" WirePoc
Observed output on vulnerable versions:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: Index -120 out of bounds for length 10
at com.squareup.wire.ByteArrayProtoReader32.readByte(ByteArrayProtoReader32.kt:448)
at com.squareup.wire.ByteArrayProtoReader32.internalReadVarint32(ByteArrayProtoReader32.kt:294)
at com.squareup.wire.ByteArrayProtoReader32.skipGroup(ByteArrayProtoReader32.kt:209)
at com.squareup.wire.ByteArrayProtoReader32.nextTag(ByteArrayProtoReader32.kt:156)
at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:150)
at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:88)
at com.squareup.wire.ProtoAdapter.decode(ProtoAdapter.kt:468)
at WirePoc.main(WirePoc.java:10)
With the fix, the same payload is rejected with ProtocolException.
Why this can affect any Wire-decoding service
skipGroup() is called for any unknown field with wire type 3. An attacker can send an unknown
field, such as field 99, with wire type START_GROUP. The decoder skips it via skipGroup()
regardless of which message type the service uses, so no schema knowledge is required.
Payload:
9b060a80ffffff0f9c06
Payload breakdown:
0x9B 0x06 field 99, wire type 3 (START_GROUP)
0x0A field 1, wire type 2 (LENGTH_DELIMITED) inside group
0x80 0xFF 0xFF 0xFF 0x0F 5-byte varint = -128 as signed Int
0x9C 0x06 field 99, END_GROUP
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.squareup.wire:wire-runtime-jvm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.3.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.2.0"
},
"package": {
"ecosystem": "Maven",
"name": "com.squareup.wire:wire-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.0.0-alpha02"
},
"package": {
"ecosystem": "Maven",
"name": "com.squareup.wire:wire-runtime"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0-alpha01"
},
{
"fixed": "7.0.0-alpha03"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45799"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-19T19:54:50Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# CVE-2026-45799\n\n## Maintainer summary\n\nWire\u0027s protobuf group-skipping logic did not reject negative lengths before skipping a\nlength-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an\nunchecked runtime exception during decoding instead of the documented `IOException` /\n`ProtocolException` failure path.\n\nThis can crash services that decode untrusted protobuf payloads and only handle Wire\u0027s documented\nchecked decoding failures.\n\n## Affected artifacts\n\n### `com.squareup.wire:wire-runtime`\n\nAffected versions: vulnerable releases before `6.3.0`.\n\nPatched versions: `6.3.0` and later.\n\nUsers should upgrade to `com.squareup.wire:wire-runtime:6.3.0` or later.\n\n### `com.squareup.wire:wire-runtime-jvm`\n\nAffected versions: vulnerable legacy releases, including `5.3.1` and `5.3.3`.\n\nPatched versions: none.\n\n`com.squareup.wire:wire-runtime-jvm` is a discontinued legacy artifact and will not receive a\npatched release. Users should migrate to `com.squareup.wire:wire-runtime:6.3.0` or later.\n\n### Wire 7 alpha releases\n\nThe fix has been merged to `master` and will be included in the next Wire 7 alpha release. Until\nthat release is available, Wire 7 alpha users should avoid decoding untrusted protobuf payloads with\naffected alpha versions or build from a commit containing the fix.\n\n## Fix\n\nThe issue is fixed in Wire `6.3.0`.\n\nThe fix rejects negative lengths while skipping groups and throws `ProtocolException` instead of\nallowing the reader to move to an invalid position and later throw an unchecked runtime exception.\n\n## Credit\n\nReported by @TrekLaps.\n\n## Technical details\n\nThe following technical details are based on the original report, updated by the maintainers to\nreflect the assigned CVE, the supported fixed artifact, and the discontinued status of\n`com.squareup.wire:wire-runtime-jvm`.\n\n`ByteArrayProtoReader32.skipGroup()` in `wire-runtime` did not validate that a\n`LENGTH_DELIMITED` field\u0027s length is non-negative before calling `skip()`. A crafted protobuf\nvarint encodes `-128` as a signed `Int`. When `skip(-128)` runs, the internal position counter\nunderflows to an invalid negative position. The next `readByte()` accesses the source with that\nnegative position, throwing `ArrayIndexOutOfBoundsException`, a `RuntimeException` that escapes\nWire\u0027s documented `IOException` boundary and can crash the request handler.\n\n`ProtoAdapter.decode(byte[])` is declared to throw `IOException`. Callers following the documented\nAPI may catch only `IOException`, so unchecked runtime exceptions from malformed input can escape\nthe expected error boundary.\n\nThe originally confirmed vulnerable legacy versions include `5.3.1` and `5.3.3` for the\ndiscontinued `com.squareup.wire:wire-runtime-jvm` coordinate. The supported replacement coordinate\nis `com.squareup.wire:wire-runtime`, fixed in version `6.3.0`.\n\n## Root cause\n\nIn the originally reported vulnerable code path, `ByteArrayProtoReader32.skipGroup()` read the\nlength as a signed `Int` and used it without validating that it was non-negative:\n\n```kotlin\nSTATE_LENGTH_DELIMITED -\u003e {\n val length = internalReadVarint32() // returns signed Int and can be negative\n skip(length) // no negative check\n}\n```\n\nThe internal `skip()` implementation then accepted the negative count because the computed\nposition was not greater than the limit:\n\n```kotlin\nprivate fun skip(byteCount: Int) {\n val newPos = pos + byteCount // for example, 7 + (-128) = -121\n if (newPos \u003e limit) throw EOFException()\n pos = newPos // pos = -121\n}\n```\n\nThe next read could then index the source with the invalid negative position:\n\n```kotlin\nprivate fun readByte(): Byte {\n if (pos == limit) throw EOFException()\n return source[pos++] // source[-121] throws ArrayIndexOutOfBoundsException\n}\n```\n\nWire already rejected negative lengths in normal length-delimited field decoding. The same\nvalidation was missing from group-skipping code.\n\nThe fix adds this validation when skipping groups:\n\n```kotlin\nSTATE_LENGTH_DELIMITED -\u003e {\n val length = internalReadVarint32()\n if (length \u003c 0) throw ProtocolException(\"Negative length: $length...\")\n skip(length)\n}\n```\n\nThe fix was applied to both `ByteArrayProtoReader32.skipGroup()` and `ProtoReader.skipGroup()`.\n\n## Reproduction\n\nThe following reproduction was provided for vulnerable legacy `wire-runtime-jvm` releases such as\n`5.3.1` and `5.3.3`:\n\n```bash\ncurl -sL https://repo1.maven.org/maven2/com/squareup/wire/wire-runtime-jvm/5.3.3/wire-runtime-jvm-5.3.3.jar -o wire.jar\ncurl -sL https://repo1.maven.org/maven2/com/squareup/okio/okio-jvm/3.9.1/okio-jvm-3.9.1.jar -o okio.jar\ncurl -sL https://repo1.maven.org/maven2/org/jetbrains/kotlin/kotlin-stdlib/2.1.0/kotlin-stdlib-2.1.0.jar -o stdlib.jar\n```\n\n```java\n// WirePoc.java\nimport com.squareup.wire.AnyMessage;\n\npublic class WirePoc {\n public static void main(String[] args) throws Exception {\n byte[] payload = new byte[] {\n (byte) 0x9B, 0x06, // field 99, START_GROUP\n 0x0A, // field 1, LENGTH_DELIMITED\n (byte) 0x80, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x0F, // varint = -128\n (byte) 0x9C, 0x06 // field 99, END_GROUP\n };\n\n AnyMessage.ADAPTER.decode(payload);\n }\n}\n```\n\n```bash\njavac -cp \"wire.jar:okio.jar:stdlib.jar\" WirePoc.java\njava -cp \".:wire.jar:okio.jar:stdlib.jar\" WirePoc\n```\n\nObserved output on vulnerable versions:\n\n```text\nException in thread \"main\" java.lang.ArrayIndexOutOfBoundsException: Index -120 out of bounds for length 10\n at com.squareup.wire.ByteArrayProtoReader32.readByte(ByteArrayProtoReader32.kt:448)\n at com.squareup.wire.ByteArrayProtoReader32.internalReadVarint32(ByteArrayProtoReader32.kt:294)\n at com.squareup.wire.ByteArrayProtoReader32.skipGroup(ByteArrayProtoReader32.kt:209)\n at com.squareup.wire.ByteArrayProtoReader32.nextTag(ByteArrayProtoReader32.kt:156)\n at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:150)\n at com.squareup.wire.AnyMessage$Companion$ADAPTER$1.decode(AnyMessage.kt:88)\n at com.squareup.wire.ProtoAdapter.decode(ProtoAdapter.kt:468)\n at WirePoc.main(WirePoc.java:10)\n```\n\nWith the fix, the same payload is rejected with `ProtocolException`.\n\n## Why this can affect any Wire-decoding service\n\n`skipGroup()` is called for any unknown field with wire type 3. An attacker can send an unknown\nfield, such as field 99, with wire type `START_GROUP`. The decoder skips it via `skipGroup()`\nregardless of which message type the service uses, so no schema knowledge is required.\n\nPayload:\n\n```text\n9b060a80ffffff0f9c06\n```\n\nPayload breakdown:\n\n```text\n0x9B 0x06 field 99, wire type 3 (START_GROUP)\n0x0A field 1, wire type 2 (LENGTH_DELIMITED) inside group\n0x80 0xFF 0xFF 0xFF 0x0F 5-byte varint = -128 as signed Int\n0x9C 0x06 field 99, END_GROUP\n```",
"id": "GHSA-7xpr-hc2w-34m9",
"modified": "2026-05-19T19:54:50Z",
"published": "2026-05-19T19:54:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/square/wire/security/advisories/GHSA-7xpr-hc2w-34m9"
},
{
"type": "WEB",
"url": "https://github.com/square/wire/pull/3595"
},
{
"type": "WEB",
"url": "https://github.com/square/wire/pull/3597"
},
{
"type": "PACKAGE",
"url": "https://github.com/square/wire"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service "
}
GHSA-7XQ8-98GV-5G29
Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2022-05-24 19:12A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser::read_sface() store_sm_boundary_item() Edge_of.A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-35633"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-30T18:15:00Z",
"severity": "HIGH"
},
"details": "A code execution vulnerability exists in the Nef polygon-parsing functionality of CGAL libcgal CGAL-5.1.1. An oob read vulnerability exists in Nef_S2/SNC_io_parser.h SNC_io_parser\u003cEW\u003e::read_sface() store_sm_boundary_item() Edge_of.A specially crafted malformed file can lead to an out-of-bounds read and type confusion, which could lead to code execution. An attacker can provide malicious input to trigger this vulnerability.",
"id": "GHSA-7xq8-98gv-5g29",
"modified": "2022-05-24T19:12:30Z",
"published": "2022-05-24T19:12:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35633"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-34"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7XXH-5W72-GMWW
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04An improper array index validation vulnerability exists in the TIF IP_planar_raster_unpack functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21833"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-11T17:15:00Z",
"severity": "CRITICAL"
},
"details": "An improper array index validation vulnerability exists in the TIF IP_planar_raster_unpack functionality of Accusoft ImageGear 19.9. A specially crafted malformed file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-7xxh-5w72-gmww",
"modified": "2022-05-24T19:04:58Z",
"published": "2022-05-24T19:04:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21833"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1296"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-82G6-QC26-QCJ7
Vulnerability from github – Published: 2023-02-12 06:30 – Updated: 2023-02-21 21:30In engineermode services, there is a missing permission check. This could lead to local denial of service in engineermode services.
{
"affected": [],
"aliases": [
"CVE-2022-47348"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-12T04:15:00Z",
"severity": "MODERATE"
},
"details": "In engineermode services, there is a missing permission check. This could lead to local denial of service in engineermode services.",
"id": "GHSA-82g6-qc26-qcj7",
"modified": "2023-02-21T21:30:18Z",
"published": "2023-02-12T06:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47348"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1621031430231134210"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-84R5-V95Q-856F
Vulnerability from github – Published: 2025-11-04 06:31 – Updated: 2025-11-04 06:31Memory corruption while processing audio streaming operations.
{
"affected": [],
"aliases": [
"CVE-2025-47352"
],
"database_specific": {
"cwe_ids": [
"CWE-129"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-04T04:15:38Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing audio streaming operations.",
"id": "GHSA-84r5-v95q-856f",
"modified": "2025-11-04T06:31:11Z",
"published": "2025-11-04T06:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47352"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-7
Strategy: Input Validation
Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Mitigation MIT-15
- For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
- Even though client-side checks provide minimal benefits with respect to server-side security, they are still useful. First, they can support intrusion detection. If the server receives input that should have been rejected by the client, then it may be an indication of an attack. Second, client-side error-checking can provide helpful feedback to the user about the expectations for valid input. Third, there may be a reduction in server-side processing time for accidental input errors, although this is typically a small savings.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, Ada allows the programmer to constrain the values of a variable and languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- When accessing a user-controlled array index, use a stringent range of values that are within the target array. Make sure that you do not allow negative values to be used. That is, verify the minimum as well as the maximum of the range of acceptable values.
Mitigation MIT-35
Be especially careful to validate all input when invoking code that crosses language boundaries, such as from an interpreted language to native code. This could create an unexpected interaction between the language boundaries. Ensure that you are not violating any of the expectations of the language with which you are interfacing. For example, even though Java may not be susceptible to buffer overflows, providing a large argument in a call to native code might trigger an overflow.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.