Common Weakness Enumeration

CWE-193

Allowed

Off-by-one Error

Abstraction: Base · Status: Draft

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

256 vulnerabilities reference this CWE, most recent first.

GHSA-4Q9Q-728X-J7V5

Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19
VLAI
Details

An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-24T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.",
  "id": "GHSA-4q9q-728x-j7v5",
  "modified": "2022-05-13T01:19:08Z",
  "published": "2022-05-13T01:19:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14599"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2079"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.suse.com/show_bug.cgi?id=1102062"
    },
    {
      "type": "WEB",
      "url": "https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00030.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGARUV66TS5OOSLR5A76BUB7SDV6GO4F"
    },
    {
      "type": "WEB",
      "url": "https://lists.x.org/archives/xorg-announce/2018-August/002916.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201811-01"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3758-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3758-2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2018/08/21/6"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105177"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1041543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4X48-PH6H-WFMF

Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-11-03 21:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Several fixes to bpf_msg_pop_data

Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-56720"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193",
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-29T12:15:06Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Several fixes to bpf_msg_pop_data\n\nSeveral fixes to bpf_msg_pop_data,\n1. In sk_msg_shift_left, we should put_page\n2. if (len == 0), return early is better\n3. pop the entire sk_msg (last == msg-\u003esg.size) should be supported\n4. Fix for the value of variable \"a\"\n5. In sk_msg_shift_left, after shifting, i has already pointed to the next\nelement. Addtional sk_msg_iter_var_next may result in BUG.",
  "id": "GHSA-4x48-ph6h-wfmf",
  "modified": "2025-11-03T21:32:02Z",
  "published": "2024-12-29T12:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56720"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/275a9f3ef8fabb0cb282a62b9e164dedba7284c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5d609ba262475db450ba69b8e8a557bd768ac07a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/785180bed9879680d8e5c5e1b54c8ae8d948f4c8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/98c7ea7d11f2588e8197db042e0291e4ac8f8346"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d26d977633d1d0b8bf9407278189bd0a8d973323"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d3f5763b3062514a234114e97bbde74d8d702449"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e1f54c61c4c9a5244eb8159dce60d248f7d97b32"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f58d3aa457e77a3d9b3df2ab081dcf9950f6029f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-52MM-RQXX-GFQ6

Vulnerability from github – Published: 2024-06-16 15:30 – Updated: 2025-11-04 00:30
VLAI
Details

Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-38440"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-16T13:15:53Z",
    "severity": "HIGH"
  },
  "details": "Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.",
  "id": "GHSA-52mm-rqxx-gfq6",
  "modified": "2025-11-04T00:30:49Z",
  "published": "2024-06-16T15:30:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Netatalk/netatalk/security/advisories/GHSA-mxx4-9fhm-r3w5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38440"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netatalk/netatalk/issues/1097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Netatalk/netatalk/blob/90d91a9ac9a7d6132ab7620d31c8c23400949206/etc/uams/uams_dhx_pam.c#L199-L200"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00026.html"
    },
    {
      "type": "WEB",
      "url": "https://netatalk.io/security/CVE-2024-38440"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-533M-3WF6-C33V

Vulnerability from github – Published: 2026-05-18 20:37 – Updated: 2026-06-11 14:06
VLAI
Summary
ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder.
Details

An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-HDRI-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q16-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-AnyCPU"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-OpenMP-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-arm64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x64"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Magick.NET-Q8-x86"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "14.13.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-46559"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:37:38Z",
    "nvd_published_at": "2026-06-10T23:16:47Z",
    "severity": "MODERATE"
  },
  "details": "An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options.",
  "id": "GHSA-533m-3wf6-c33v",
  "modified": "2026-06-11T14:06:13Z",
  "published": "2026-05-18T20:37:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46559"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ImageMagick/ImageMagick"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder."
}

GHSA-56CJ-WGG3-X943

Vulnerability from github – Published: 2026-03-10 18:30 – Updated: 2026-03-10 22:54
VLAI
Summary
Envoy affected by off-by-one write in JsonEscaper::escapeString()
Details

Summary

An off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string.

### Details

The bug is in the control-character escaping path in source/common/common/ json_escape_string.h:67.

  • The function pre-sizes result to the final length: std::string result(input.size() + required_size, '\');
  • For control characters (0x00..0x1f), it emits a JSON escape sequence of length 6: \u00XX.
  • It uses sprintf(&result[position + 1], "u%04x", ...), which writes 5 chars + a trailing NUL (\0) starting at result[position + 1].
  • Then it does position += 6; and writes result[position] = '\'; to overwrite the NUL.
  • If the control character occurs at the end of the output (e.g., the input ends with \x01), then after position += 6, position == result.size(), so result[position] is one past the end (off-by-one), violating std::string bounds/contract.

Concretely, the problematic lines are:

  • source/common/common/json_escape_string.h:69 (sprintf(...))
  • source/common/common/json_escape_string.h:72 (result[position] = '\';)

Potentially reachable from request-driven paths that escape untrusted data, e.g. invalid header reporting:

  • source/common/http/header_utility.cc:538 ~ source/common/http/ header_utility.cc:546 (escapes invalid header key for error text)

Even when this doesn’t immediately crash, it can break the std::string requirement that c_str()[size()] == '\0', which can later trigger UB (e.g., if passed to strlen, printf("%s"), or any C API that expects NUL termination).

```cpp //clang++ -std=c++20 -O0 -g -fsanitize=address -fno-omit-frame-pointer repro_json_escape_asan.cc -o repro_json_escape_asan ASAN_OPTIONS=abort_on_error=1 ./repro_json_escape_asan

include

#include #include #include #include

static uint64_t extraSpace(std::string_view input) { uint64_t result = 0; for (unsigned char c : input) { switch (c) { case '\"': case '\': case '\b': case '\f': case '\n': case '\r': case '\t': result += 1; break; default: if (c == 0x00 || (c > 0x00 && c <= 0x1f)) { result += 5; } break; } } return result; }

static std::string escapeString(std::string_view input, uint64_t required_size) { std::string result(input.size() + required_size, '\'); uint64_t position = 0;

for (unsigned char character : input) {
  switch (character) {
  case '\"':
    result[position + 1] = '\"';
    position += 2;
    break;
  case '\\':
    position += 2;
    break;
  case '\b':
    result[position + 1] = 'b';
    position += 2;
    break;
  case '\f':
    result[position + 1] = 'f';
    position += 2;
    break;
  case '\n':
    result[position + 1] = 'n';
    position += 2;
    break;
  case '\r':
    result[position + 1] = 'r';
    position += 2;
    break;
  case '\t':
    result[position + 1] = 't';
    position += 2;
    break;
  default:
    if (character == 0x00 || (character > 0x00 && character <= 0x1f)) {
      std::sprintf(&result[position + 1], "u%04x",

static_cast(character)); position += 6; // Off-by-one when this escape is the last output chunk: // position can become result.size(), so result[position] is out of bounds. result[position] = '\'; } else { result[position++] = static_cast(character); } break; } }

return result;

}

int main() { std::string input(4096, 'A'); input.push_back('\x01'); // ends with a control char -> triggers the buggy path at the end

const uint64_t required = extraSpace(input);
std::string escaped = escapeString(input, required);

std::printf("escaped.size=%zu\n", escaped.size());
unsigned char terminator = static_cast<unsigned char>(escaped.c_str()

[escaped.size()]); std::printf("escaped.c_str()[escaped.size()] = 0x%02x\n", terminator);

// If NUL termination is corrupted, this can read past the logical end.
std::printf("strlen(escaped.c_str()) = %zu\n",

std::strlen(escaped.c_str())); return 0; }```

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "versions": [
        "1.37.0"
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "last_affected": "1.36.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.35.0"
            },
            {
              "last_affected": "1.35.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/envoyproxy/envoy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.34.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-26309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T18:30:58Z",
    "nvd_published_at": "2026-03-10T20:16:35Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n  An off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt\n  std::string null-termination, causing undefined behavior and potentially\n  leading to crashes or out-of-bounds reads when the resulting string is later\n  treated as a C-string.\n\n  ### Details\n\n  The bug is in the control-character escaping path in source/common/common/\n  json_escape_string.h:67.\n\n  - The function pre-sizes result to the final length: std::string\n    result(input.size() + required_size, \u0027\\\\\u0027);\n  - For control characters (0x00..0x1f), it emits a JSON escape sequence of\n    length 6: \\u00XX.\n  - It uses sprintf(\u0026result[position + 1], \"u%04x\", ...), which writes 5 chars +\n    a trailing NUL (\\0) starting at result[position + 1].\n  - Then it does position += 6; and writes result[position] = \u0027\\\\\u0027; to overwrite\n    the NUL.\n  - If the control character occurs at the end of the output (e.g., the input\n    ends with \\x01), then after position += 6, position == result.size(), so\n    result[position] is one past the end (off-by-one), violating std::string\n    bounds/contract.\n\n  Concretely, the problematic lines are:\n\n  - source/common/common/json_escape_string.h:69 (sprintf(...))\n  - source/common/common/json_escape_string.h:72 (result[position] = \u0027\\\\\u0027;)\n\n  Potentially reachable from request-driven paths that escape untrusted data,\n  e.g. invalid header reporting:\n\n  - source/common/http/header_utility.cc:538 ~ source/common/http/\n    header_utility.cc:546 (escapes invalid header key for error text)\n\n  Even when this doesn\u2019t immediately crash, it can break the std::string\n  requirement that c_str()[size()] == \u0027\\0\u0027, which can later trigger UB (e.g., if\n  passed to strlen, printf(\"%s\"), or any C API that expects NUL termination).\n  \n  \n  ```cpp\n//clang++ -std=c++20 -O0 -g -fsanitize=address -fno-omit-frame-pointer\n  repro_json_escape_asan.cc -o repro_json_escape_asan\n  ASAN_OPTIONS=abort_on_error=1 ./repro_json_escape_asan\n#include \u003ccstdint\u003e\n  #include \u003ccstdio\u003e\n  #include \u003ccstring\u003e\n  #include \u003cstring\u003e\n  #include \u003cstring_view\u003e\n\n  static uint64_t extraSpace(std::string_view input) {\n    uint64_t result = 0;\n    for (unsigned char c : input) {\n      switch (c) {\n      case \u0027\\\"\u0027:\n      case \u0027\\\\\u0027:\n      case \u0027\\b\u0027:\n      case \u0027\\f\u0027:\n      case \u0027\\n\u0027:\n      case \u0027\\r\u0027:\n      case \u0027\\t\u0027:\n        result += 1;\n        break;\n      default:\n        if (c == 0x00 || (c \u003e 0x00 \u0026\u0026 c \u003c= 0x1f)) {\n          result += 5;\n        }\n        break;\n      }\n    }\n    return result;\n  }\n\n  static std::string escapeString(std::string_view input, uint64_t\n  required_size) {\n    std::string result(input.size() + required_size, \u0027\\\\\u0027);\n    uint64_t position = 0;\n\n    for (unsigned char character : input) {\n      switch (character) {\n      case \u0027\\\"\u0027:\n        result[position + 1] = \u0027\\\"\u0027;\n        position += 2;\n        break;\n      case \u0027\\\\\u0027:\n        position += 2;\n        break;\n      case \u0027\\b\u0027:\n        result[position + 1] = \u0027b\u0027;\n        position += 2;\n        break;\n      case \u0027\\f\u0027:\n        result[position + 1] = \u0027f\u0027;\n        position += 2;\n        break;\n      case \u0027\\n\u0027:\n        result[position + 1] = \u0027n\u0027;\n        position += 2;\n        break;\n      case \u0027\\r\u0027:\n        result[position + 1] = \u0027r\u0027;\n        position += 2;\n        break;\n      case \u0027\\t\u0027:\n        result[position + 1] = \u0027t\u0027;\n        position += 2;\n        break;\n      default:\n        if (character == 0x00 || (character \u003e 0x00 \u0026\u0026 character \u003c= 0x1f)) {\n          std::sprintf(\u0026result[position + 1], \"u%04x\",\n  static_cast\u003cint\u003e(character));\n          position += 6;\n          // Off-by-one when this escape is the last output chunk:\n          // position can become result.size(), so result[position] is out of\n  bounds.\n          result[position] = \u0027\\\\\u0027;\n        } else {\n          result[position++] = static_cast\u003cchar\u003e(character);\n        }\n        break;\n      }\n    }\n\n    return result;\n  }\n\n  int main() {\n    std::string input(4096, \u0027A\u0027);\n    input.push_back(\u0027\\x01\u0027); // ends with a control char -\u003e triggers the buggy\n  path at the end\n\n    const uint64_t required = extraSpace(input);\n    std::string escaped = escapeString(input, required);\n\n    std::printf(\"escaped.size=%zu\\n\", escaped.size());\n    unsigned char terminator = static_cast\u003cunsigned char\u003e(escaped.c_str()\n  [escaped.size()]);\n    std::printf(\"escaped.c_str()[escaped.size()] = 0x%02x\\n\", terminator);\n\n    // If NUL termination is corrupted, this can read past the logical end.\n    std::printf(\"strlen(escaped.c_str()) = %zu\\n\",\n  std::strlen(escaped.c_str()));\n    return 0;\n  }```",
  "id": "GHSA-56cj-wgg3-x943",
  "modified": "2026-03-10T22:54:36Z",
  "published": "2026-03-10T18:30:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26309"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/envoyproxy/envoy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Envoy affected by off-by-one write in JsonEscaper::escapeString()"
}

GHSA-56MF-WC59-GHX4

Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2022-05-13 01:41
VLAI
Details

axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting in the year (19)50 of UTCTime being misinterpreted as 2050.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1000416"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-22T23:29:00Z",
    "severity": "MODERATE"
  },
  "details": "axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting in the year (19)50 of UTCTime being misinterpreted as 2050.",
  "id": "GHSA-56mf-wc59-ghx4",
  "modified": "2022-05-13T01:41:14Z",
  "published": "2022-05-13T01:41:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000416"
    },
    {
      "type": "WEB",
      "url": "https://www.ieee-security.org/TC/SP2017/papers/231.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.youtube.com/watch?v=FW--c_F_cY8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5793-WFXR-J725

Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2025-11-04 00:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dma-buf: heaps: Fix off-by-one in CMA heap fault handler

Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_internal. When using such a mapping to attempt to fault past the end of the buffer, the CMA heap fault handler also checks the fault offset against the buffer size, but gets the boundary wrong by 1. Fix the boundary check so that we don't read off the end of the pages array and insert an arbitrary page in the mapping.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-46852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-27T13:15:16Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: heaps: Fix off-by-one in CMA heap fault handler\n\nUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 (\"dma-buf: heaps:\nDon\u0027t track CMA dma-buf pages under RssFile\") it was possible to obtain\na mapping larger than the buffer size via mremap and bypass the overflow\ncheck in dma_buf_mmap_internal. When using such a mapping to attempt to\nfault past the end of the buffer, the CMA heap fault handler also checks\nthe fault offset against the buffer size, but gets the boundary wrong by\n1. Fix the boundary check so that we don\u0027t read off the end of the pages\narray and insert an arbitrary page in the mapping.",
  "id": "GHSA-5793-wfxr-j725",
  "modified": "2025-11-04T00:31:31Z",
  "published": "2024-09-27T15:30:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46852"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/007180fcb6cc4a93211d4cc45fef3f5ccccd56ae"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79cce5e81d20fa9ad553be439d665ac3302d3c95"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/84175dc5b2c932266a50c04e5ce342c30f817a2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e79050882b857c37634baedbdcf7c2047c24cbff"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ea5ff5d351b520524019f7ff7f9ce418de2dad87"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/eb7fc8b65cea22f9038c52398c8b22849e9620ea"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CCM-MJXH-P582

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-8272"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-03-08T23:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.",
  "id": "GHSA-5ccm-mjxh-p582",
  "modified": "2022-05-13T01:14:20Z",
  "published": "2022-05-13T01:14:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8272"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-019-ultravnc-off-by-one-error"
    },
    {
      "type": "WEB",
      "url": "https://www.us-cert.gov/ics/advisories/icsa-20-161-06"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5CXF-MXJ6-WWF7

Vulnerability from github – Published: 2025-11-07 00:30 – Updated: 2025-11-07 15:31
VLAI
Details

Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-06T22:15:39Z",
    "severity": "MODERATE"
  },
  "details": "Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-5cxf-mxj6-wwf7",
  "modified": "2025-11-07T15:31:29Z",
  "published": "2025-11-07T00:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11215"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/439758498"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5J5V-66R8-4GM4

Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2024-10-23 18:33
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

powercap: intel_rapl: Fix off by one in get_rpi()

The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= to prevent an off by one access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-49862"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-21T13:15:06Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix off by one in get_rpi()\n\nThe rp-\u003epriv-\u003erpi array is either rpi_msr or rpi_tpmi which have\nNR_RAPL_PRIMITIVES number of elements.  Thus the \u003e needs to be \u003e=\nto prevent an off by one access.",
  "id": "GHSA-5j5v-66r8-4gm4",
  "modified": "2024-10-23T18:33:07Z",
  "published": "2024-10-21T15:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49862"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/288cbc505e2046638c615c36357cb78bc9fee1e0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6a34f3b0d7f11fb6ed72da315fd2360abd9c0737"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/851e7f7f14a15f4e47b7d0f70d5c4a2b95b824d6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/95f6580352a7225e619551febb83595bcb77ab17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

No CAPEC attack patterns related to this CWE.