CWE-158
AllowedImproper Neutralization of Null Byte or NUL Character
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
44 vulnerabilities reference this CWE, most recent first.
GHSA-RCJ8-JX65-7C4R
Vulnerability from github – Published: 2024-01-18 18:30 – Updated: 2024-05-22 18:30A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.
{
"affected": [],
"aliases": [
"CVE-2024-0408"
],
"database_specific": {
"cwe_ids": [
"CWE-158"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-18T16:15:08Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (as with a GetGeometry) or when it creates another resource that needs to access that buffer, such as a GC, the XSELINUX code will try to use an object that was never labeled and crash because the SID is NULL.",
"id": "GHSA-rcj8-jx65-7c4r",
"modified": "2024-05-22T18:30:39Z",
"published": "2024-01-18T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0408"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:0320"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2169"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2170"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2995"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2024:2996"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2024-0408"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2257689"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00016.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5J4H7CH565ALSZZYKOJFYDA5KFLG6NUK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EJBMCWQ54R6ZL3MYU2D2JBW6JMZL7BQW"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IZ75X54CN4IFYMIV7OK3JVZ57FHQIGIC"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202401-30"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20240307-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RHVQ-8HMP-HM8H
Vulnerability from github – Published: 2026-05-04 09:31 – Updated: 2026-05-04 09:31mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
{
"affected": [],
"aliases": [
"CVE-2026-43859"
],
"database_specific": {
"cwe_ids": [
"CWE-158"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T07:16:00Z",
"severity": "LOW"
},
"details": "mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.",
"id": "GHSA-rhvq-8hmp-hm8h",
"modified": "2026-05-04T09:31:09Z",
"published": "2026-05-04T09:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43859"
},
{
"type": "WEB",
"url": "https://github.com/muttmua/mutt/commit/834c5a2ed0479e51e8662a31caed129f136f4805"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RVJG-858G-PWH4
Vulnerability from github – Published: 2024-11-14 18:30 – Updated: 2024-11-14 18:30An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.
{
"affected": [],
"aliases": [
"CVE-2024-10921"
],
"database_specific": {
"cwe_ids": [
"CWE-158"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-14T16:15:18Z",
"severity": "MODERATE"
},
"details": "An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This issue affects MongoDB Server v5.0 versions prior to 5.0.30 , MongoDB Server v6.0 versions prior to 6.0.19, MongoDB Server v7.0 versions prior to 7.0.15 and MongoDB Server v8.0 versions prior to and including 8.0.2.",
"id": "GHSA-rvjg-858g-pwh4",
"modified": "2024-11-14T18:30:35Z",
"published": "2024-11-14T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10921"
},
{
"type": "WEB",
"url": "https://jira.mongodb.org/browse/SERVER-96419"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X4J2-C46Q-7JP5
Vulnerability from github – Published: 2025-03-04 15:31 – Updated: 2025-11-03 21:33jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox < 136 and Firefox ESR < 128.8.
{
"affected": [],
"aliases": [
"CVE-2025-1936"
],
"database_specific": {
"cwe_ids": [
"CWE-158"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-04T14:15:38Z",
"severity": "HIGH"
},
"details": "jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was used to determine the type of content. This could have been used to hide code in a web extension disguised as something else like an image. This vulnerability affects Firefox \u003c 136 and Firefox ESR \u003c 128.8.",
"id": "GHSA-x4j2-c46q-7jp5",
"modified": "2025-11-03T21:33:04Z",
"published": "2025-03-04T15:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1936"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1940027"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-16"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-17"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2025-18"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
Developers should anticipate that null characters or null bytes will be injected/removed/manipulated in the input vectors of their product. Use an appropriate combination of denylists and allowlists to ensure only valid, expected and appropriate input is processed by the system.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation MIT-20
Strategy: Input Validation
Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
CAPEC-52: Embedding NULL Bytes
An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).
CAPEC-53: Postfix, Null Terminate, and Backslash
If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.