Common Weakness Enumeration

CWE-193

Allowed

Off-by-one Error

Abstraction: Base · Status: Draft

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

256 vulnerabilities reference this CWE, most recent first.

GHSA-3W55-CQRX-X67W

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30
VLAI
Details

arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-28520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:19:28Z",
    "severity": "HIGH"
  },
  "details": "arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim\u0027s smart hardware connects to an attacker-controlled AP hotspot, the attacker can exploit the overflow to execute arbitrary code on the affected embedded device.",
  "id": "GHSA-3w55-cqrx-x67w",
  "modified": "2026-03-16T15:30:42Z",
  "published": "2026-03-16T15:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28520"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tuya/arduino-TuyaOpen"
    },
    {
      "type": "WEB",
      "url": "https://src.tuya.com/announcement/32"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/arduino-tuyaopen-wifimulti-single-byte-buffer-overflow-remote-code-execution"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-3XJW-75CJ-9FVW

Vulnerability from github – Published: 2025-04-18 15:31 – Updated: 2025-04-29 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix off-by-one error in build_prologue()

Vincent reported that running BPF progs with tailcalls on LoongArch causes kernel hard lockup. Debugging the issues shows that the JITed image missing a jirl instruction at the end of the epilogue.

There are two passes in JIT compiling, the first pass set the flags and the second pass generates JIT code based on those flags. With BPF progs mixing bpf2bpf and tailcalls, build_prologue() generates N insns in the first pass and then generates N+1 insns in the second pass. This makes epilogue_offset off by one and we will jump to some unexpected insn and cause lockup. Fix this by inserting a nop insn.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-37893"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-18T07:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: BPF: Fix off-by-one error in build_prologue()\n\nVincent reported that running BPF progs with tailcalls on LoongArch\ncauses kernel hard lockup. Debugging the issues shows that the JITed\nimage missing a jirl instruction at the end of the epilogue.\n\nThere are two passes in JIT compiling, the first pass set the flags and\nthe second pass generates JIT code based on those flags. With BPF progs\nmixing bpf2bpf and tailcalls, build_prologue() generates N insns in the\nfirst pass and then generates N+1 insns in the second pass. This makes\nepilogue_offset off by one and we will jump to some unexpected insn and\ncause lockup. Fix this by inserting a nop insn.",
  "id": "GHSA-3xjw-75cj-9fvw",
  "modified": "2025-04-29T18:30:52Z",
  "published": "2025-04-18T15:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37893"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/205a2182c51ffebaef54d643e3745e720cded08b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/48b904de2408af5f936f0e03f48dfcddeab58aa0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7e2586991e36663c9bc48c828b83eab180ad30a9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3ffad2f02db4aace6799fe0049508b8925eae45"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c74d95a5679741ef428974ab788f5b0758dc78ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9ccb262b39ab01a5ac2e485b7996b8498e7b373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-453X-FR3C-FMJ5

Vulnerability from github – Published: 2022-04-15 00:00 – Updated: 2022-04-22 00:00
VLAI
Details

A heap-based buffer overflow vulnerability exists in the Palette box parser functionality of Accusoft ImageGear 19.10. A specially-crafted file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-21938"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-14T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A heap-based buffer overflow vulnerability exists in the Palette box parser functionality of Accusoft ImageGear 19.10. A specially-crafted file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.",
  "id": "GHSA-453x-fr3c-fmj5",
  "modified": "2022-04-22T00:00:52Z",
  "published": "2022-04-15T00:00:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21938"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1367"
    },
    {
      "type": "WEB",
      "url": "http://help.accusoft.com/ImageGear/v20.0/Windows/DLL/webframe.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4565-R4X7-HG8J

Vulnerability from github – Published: 2026-06-23 16:52 – Updated: 2026-06-23 16:52
VLAI
Summary
Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation
Details

Summary

A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function.

Vulnerable Code

In internal/database/repo_collaboration.go, line 129:

func (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {
    // Discard invalid input
    if mode <= AccessModeNone || mode > AccessModeOwner {
        return nil
    }

AccessModeOwner has value 4. The check mode > AccessModeOwner evaluates to 4 > 4 = false, allowing AccessModeOwner to pass through. The correct check should be mode >= AccessModeOwner.

The web route at internal/route/repo/setting.go:413-416 takes the mode as a raw integer from query parameters:

func ChangeCollaborationAccessMode(c *context.Context) {
    if err := c.Repo.Repository.ChangeCollaborationAccessMode(
        c.QueryInt64("uid"),
        database.AccessMode(c.QueryInt("mode"))); err != nil {

This allows an admin collaborator to POST mode=4 and escalate to owner.

Impact

A repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to: - Delete the repository - Transfer repository ownership to another user - Erase wiki data - Perform all other owner-only operations

The access table is also updated (line 181), so the escalated permissions persist across sessions.

Contrast

The API route at internal/route/api/v1/repo_collaborators.go:46 uses ParseAccessMode() which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.

Steps to Reproduce

  1. User A creates a private repository
  2. User A adds User B as a collaborator with Admin access (mode=3)
  3. User B logs in and navigates to the repository settings collaboration page
  4. User B sends a POST request: POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}&mode=4
  5. User B now has Owner access - the "Danger Zone" section appears with "Delete This Repository" and "Transfer Ownership" buttons

Suggested Fix

Change the validation in internal/database/repo_collaboration.go line 129 from:

if mode <= AccessModeNone || mode > AccessModeOwner {

to:

if mode <= AccessModeNone || mode >= AccessModeOwner {
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-23T16:52:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nA repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the `ChangeCollaborationAccessMode` function.\n\n## Vulnerable Code\n\nIn `internal/database/repo_collaboration.go`, line 129:\n\n```go\nfunc (r *Repository) ChangeCollaborationAccessMode(userID int64, mode AccessMode) error {\n    // Discard invalid input\n    if mode \u003c= AccessModeNone || mode \u003e AccessModeOwner {\n        return nil\n    }\n```\n\n`AccessModeOwner` has value 4. The check `mode \u003e AccessModeOwner` evaluates to `4 \u003e 4 = false`, allowing `AccessModeOwner` to pass through. The correct check should be `mode \u003e= AccessModeOwner`.\n\nThe web route at `internal/route/repo/setting.go:413-416` takes the mode as a raw integer from query parameters:\n\n```go\nfunc ChangeCollaborationAccessMode(c *context.Context) {\n    if err := c.Repo.Repository.ChangeCollaborationAccessMode(\n        c.QueryInt64(\"uid\"),\n        database.AccessMode(c.QueryInt(\"mode\"))); err != nil {\n```\n\nThis allows an admin collaborator to POST `mode=4` and escalate to owner.\n\n## Impact\n\nA repository admin collaborator (AccessModeAdmin = 3) can escalate to owner-level access (AccessModeOwner = 4), gaining the ability to:\n- **Delete the repository**\n- **Transfer repository ownership** to another user\n- **Erase wiki data**\n- Perform all other owner-only operations\n\nThe `access` table is also updated (line 181), so the escalated permissions persist across sessions.\n\n## Contrast\n\nThe API route at `internal/route/api/v1/repo_collaborators.go:46` uses `ParseAccessMode()` which only returns Read, Write, or Admin - never Owner. The API endpoint is not affected.\n\n## Steps to Reproduce\n\n1. User A creates a private repository\n2. User A adds User B as a collaborator with **Admin** access (mode=3)\n3. User B logs in and navigates to the repository settings collaboration page\n4. User B sends a POST request:\n   ```\n   POST /{owner}/{repo}/settings/collaboration/access_mode?uid={B_uid}\u0026mode=4\n   ```\n5. User B now has **Owner** access - the \"Danger Zone\" section appears with \"Delete This Repository\" and \"Transfer Ownership\" buttons\n\n## Suggested Fix\n\nChange the validation in `internal/database/repo_collaboration.go` line 129 from:\n```go\nif mode \u003c= AccessModeNone || mode \u003e AccessModeOwner {\n```\nto:\n```go\nif mode \u003c= AccessModeNone || mode \u003e= AccessModeOwner {\n```",
  "id": "GHSA-4565-r4x7-hg8j",
  "modified": "2026-06-23T16:52:30Z",
  "published": "2026-06-23T16:52:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-4565-r4x7-hg8j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/pull/8227"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/1fdc9cc28e159135cfa4d6b11ecd5daa0f8ce22b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/releases/tag/v0.14.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation"
}

GHSA-45P2-C2M2-2656

Vulnerability from github – Published: 2026-05-27 00:31 – Updated: 2026-07-15 15:32
VLAI
Details

A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-42015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-26T22:16:42Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows an remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.",
  "id": "GHSA-45p2-c2m2-2656",
  "modified": "2026-07-15T15:32:42Z",
  "published": "2026-05-27T00:31:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42015"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:13274"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20611"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20612"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:20613"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26319"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:26409"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:29197"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30004"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30849"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30850"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:32962"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:33125"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-42015"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467678"
    },
    {
      "type": "WEB",
      "url": "https://www.gnutls.org/security-new.html#GNUTLS-SA-2026-04-29-11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48HG-P6JQ-42H2

Vulnerability from github – Published: 2024-12-27 15:31 – Updated: 2025-11-03 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

Since the netlink attribute range validation provides inclusive checking, the max of attribute NL80211_ATTR_MLO_LINK_ID should be IEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.

One crash stack for demonstration:

BUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 Read of size 6 at addr 001102080000000c by task fuzzer.386/9508

CPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106 print_report+0xe0/0x750 mm/kasan/report.c:398 kasan_report+0x139/0x170 mm/kasan/report.c:495 kasan_check_range+0x287/0x290 mm/kasan/generic.c:189 memcpy+0x25/0x60 mm/kasan/shadow.c:65 ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939 rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline] nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453 genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756 genl_family_rcv_msg net/netlink/genetlink.c:833 [inline] genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850 netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508 genl_rcv+0x24/0x40 net/netlink/genetlink.c:861 netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline] netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352 netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874 sock_sendmsg_nosec net/socket.c:716 [inline] __sock_sendmsg net/socket.c:728 [inline] _syssendmsg+0x5cc/0x8f0 net/socket.c:2499 _sys_sendmsg+0x21c/0x290 net/socket.c:2553 __sys_sendmsg net/socket.c:2582 [inline] __do_sys_sendmsg net/socket.c:2591 [inline] __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Update the policy to ensure correct validation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56663"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:26Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one\n\nSince the netlink attribute range validation provides inclusive\nchecking, the *max* of attribute NL80211_ATTR_MLO_LINK_ID should be\nIEEE80211_MLD_MAX_NUM_LINKS - 1 otherwise causing an off-by-one.\n\nOne crash stack for demonstration:\n==================================================================\nBUG: KASAN: wild-memory-access in ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\nRead of size 6 at addr 001102080000000c by task fuzzer.386/9508\n\nCPU: 1 PID: 9508 Comm: syz.1.386 Not tainted 6.1.70 #2\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106\n print_report+0xe0/0x750 mm/kasan/report.c:398\n kasan_report+0x139/0x170 mm/kasan/report.c:495\n kasan_check_range+0x287/0x290 mm/kasan/generic.c:189\n memcpy+0x25/0x60 mm/kasan/shadow.c:65\n ieee80211_tx_control_port+0x3b6/0xca0 net/mac80211/tx.c:5939\n rdev_tx_control_port net/wireless/rdev-ops.h:761 [inline]\n nl80211_tx_control_port+0x7b3/0xc40 net/wireless/nl80211.c:15453\n genl_family_rcv_msg_doit+0x22e/0x320 net/netlink/genetlink.c:756\n genl_family_rcv_msg net/netlink/genetlink.c:833 [inline]\n genl_rcv_msg+0x539/0x740 net/netlink/genetlink.c:850\n netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508\n genl_rcv+0x24/0x40 net/netlink/genetlink.c:861\n netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]\n netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352\n netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874\n sock_sendmsg_nosec net/socket.c:716 [inline]\n __sock_sendmsg net/socket.c:728 [inline]\n ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499\n ___sys_sendmsg+0x21c/0x290 net/socket.c:2553\n __sys_sendmsg net/socket.c:2582 [inline]\n __do_sys_sendmsg net/socket.c:2591 [inline]\n __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589\n do_syscall_x64 arch/x86/entry/common.c:51 [inline]\n do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81\n entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nUpdate the policy to ensure correct validation.",
  "id": "GHSA-48hg-p6jq-42h2",
  "modified": "2025-11-03T21:31:59Z",
  "published": "2024-12-27T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56663"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/29e640ae641b9f5ffc666049426d2b16c98d9963"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2e3dbf938656986cce73ac4083500d0bcfbffe24"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f3412522f78826fef1dfae40ef378a863df2591c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f850d1d9f1106f528dfc5807565f2d1fa9a397d3"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-48WF-G7CP-GR3M

Vulnerability from github – Published: 2026-03-03 18:00 – Updated: 2026-03-20 21:36
VLAI
Summary
OpenClaw has allowlist exec-guard bypass via env -S
Details

Summary

In allowlist mode, system.run guardrails could be bypassed through env -S, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.

Severity Rationale (Medium)

This issue is rated medium because it is a guardrail/policy bypass in OpenClaw's trusted-operator model, not an authentication boundary break.

  • Authenticated Gateway callers are trusted operators by design.
  • exec approvals/allowlists are operator safety controls.
  • The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable versions: <= 2026.2.22-2
  • Patched versions: >= 2026.2.23

Latest published npm version checked during triage: 2026.2.22-2.

Technical Impact

When /usr/bin/env is allowlisted, env -S 'sh -c ...' could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.

Fix Commit(s)

  • a1c4bf07c6baad3ef87a0e710fe9aef127b1f606 (core allowlist/runtime parity hardening)
  • 3f923e831364d83d0f23499ee49961de334cf58b (explicit env -S regressions)

Release Process Note

patched_versions is pre-set to >= 2026.2.23, so this advisory is now public.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-31992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T18:00:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nIn `allowlist` mode, `system.run` guardrails could be bypassed through `env -S`, causing policy-analysis/runtime-execution mismatch for shell wrapper payloads.\n\n### Severity Rationale (Medium)\nThis issue is rated **medium** because it is a guardrail/policy bypass in OpenClaw\u0027s trusted-operator model, not an authentication boundary break.\n\n- Authenticated Gateway callers are trusted operators by design.\n- `exec` approvals/allowlists are operator safety controls.\n- The bug still weakens expected safety behavior and can enable unintended command execution when untrusted content influences tool input.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `\u003c= 2026.2.22-2`\n- Patched versions: `\u003e= 2026.2.23`\n\nLatest published npm version checked during triage: `2026.2.22-2`.\n\n### Technical Impact\nWhen `/usr/bin/env` is allowlisted, `env -S \u0027sh -c ...\u0027` could be treated as allowed non-wrapper argv while runtime still executes shell-wrapper semantics.\n\n### Fix Commit(s)\n- `a1c4bf07c6baad3ef87a0e710fe9aef127b1f606` (core allowlist/runtime parity hardening)\n- `3f923e831364d83d0f23499ee49961de334cf58b` (explicit `env -S` regressions)\n\n### Release Process Note\n`patched_versions` is pre-set to `\u003e= 2026.2.23`, so this advisory is now public.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-48wf-g7cp-gr3m",
  "modified": "2026-03-20T21:36:21Z",
  "published": "2026-03-03T18:00:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-48wf-g7cp-gr3m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31992"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/3f923e831364d83d0f23499ee49961de334cf58b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/a1c4bf07c6baad3ef87a0e710fe9aef127b1f606"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-allowlist-exec-guard-bypass-via-env-s"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has allowlist exec-guard bypass via env -S"
}

GHSA-4C73-VGP7-GJQ5

Vulnerability from github – Published: 2025-09-18 15:30 – Updated: 2025-12-12 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

modpost: fix off by one in is_executable_section()

The > comparison should be >= to prevent an out of bounds array access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-53397"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-18T14:15:42Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmodpost: fix off by one in is_executable_section()\n\nThe \u003e comparison should be \u003e= to prevent an out of bounds array\naccess.",
  "id": "GHSA-4c73-vgp7-gjq5",
  "modified": "2025-12-12T21:31:31Z",
  "published": "2025-09-18T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53397"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/02dc8e8bdbe4412cfcf17ee3873e63fa5a55b957"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3a3f1e573a105328a2cca45a7cfbebabbf5e3192"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e0424cd8a44b5f480feb06753cdf4e1f248d148"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7ee557590bac154d324de446d1cd0444988bd511"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b2e77050b91199453bf19d0517b047b7339a9e3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cade370efe2f9e2a79ea8587506ffe2b51ac6d2b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cb0cdca5c979bc34c27602e2039562932c2591a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dd872d5576cc94528f427c7264c2c438928cc6d2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4CXW-HQ44-R344

Vulnerability from github – Published: 2022-02-24 00:00 – Updated: 2022-03-03 19:17
VLAI
Summary
Off-by-one Error in v2fly/v2ray-core
Details

v2fly/v2ray-core prior to 4.44.0 is vulnerable to an off-by-one error. Indexing operations on arrays, slices, or strings should use an index at most one less than the length. If the index is checked for being less than or equal to the length (<=), instead of less than the length (<), the index could be out of bounds.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/v2fly/v2ray-core/v4"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.44.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.44.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/v2fly/v2ray-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-4070"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-24T20:44:31Z",
    "nvd_published_at": "2022-02-23T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "v2fly/v2ray-core prior to 4.44.0 is vulnerable to an off-by-one error. Indexing operations on arrays, slices, or strings should use an index at most one less than the length. If the index is checked for being less than or equal to the length (`\u003c=`), instead of less than the length (`\u003c`), the index could be out of bounds.",
  "id": "GHSA-4cxw-hq44-r344",
  "modified": "2022-03-03T19:17:50Z",
  "published": "2022-02-24T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4070"
    },
    {
      "type": "WEB",
      "url": "https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/v2fly/v2ray-core"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/8da19456-4d89-41ef-9781-a41efd6a1877"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Off-by-one Error in v2fly/v2ray-core"
}

GHSA-4JQC-CJ54-FRF5

Vulnerability from github – Published: 2022-05-14 03:27 – Updated: 2025-04-20 03:31
VLAI
Details

Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-10160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-01-24T21:59:00Z",
    "severity": "CRITICAL"
  },
  "details": "Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PHAR archive with an alias mismatch.",
  "id": "GHSA-4jqc-cj54-frf5",
  "modified": "2025-04-20T03:31:31Z",
  "published": "2022-05-14T03:27:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/php/php-src/commit/b28b8b2fee6dfa6fcd13305c581bb835689ac3be"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:1296"
    },
    {
      "type": "WEB",
      "url": "https://bugs.php.net/bug.php?id=73768"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201702-29"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180112-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.tenable.com/security/tns-2017-04"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-5.php"
    },
    {
      "type": "WEB",
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2017/dsa-3783"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95783"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037659"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

No CAPEC attack patterns related to this CWE.