CWE-193
AllowedOff-by-one Error
Abstraction: Base · Status: Draft
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
256 vulnerabilities reference this CWE, most recent first.
GHSA-4Q9Q-728X-J7V5
Vulnerability from github – Published: 2022-05-13 01:19 – Updated: 2022-05-13 01:19An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.
{
"affected": [],
"aliases": [
"CVE-2018-14599"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-24T19:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by malicious server responses, leading to DoS or possibly unspecified other impact.",
"id": "GHSA-4q9q-728x-j7v5",
"modified": "2022-05-13T01:19:08Z",
"published": "2022-05-13T01:19:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14599"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2079"
},
{
"type": "WEB",
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1102062"
},
{
"type": "WEB",
"url": "https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=b469da1430cdcee06e31c6251b83aede072a1ff0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00030.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YGARUV66TS5OOSLR5A76BUB7SDV6GO4F"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2018-August/002916.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3758-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3758-2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2018/08/21/6"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105177"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041543"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4X48-PH6H-WFMF
Vulnerability from github – Published: 2024-12-29 12:30 – Updated: 2025-11-03 21:32In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Several fixes to bpf_msg_pop_data
Several fixes to bpf_msg_pop_data, 1. In sk_msg_shift_left, we should put_page 2. if (len == 0), return early is better 3. pop the entire sk_msg (last == msg->sg.size) should be supported 4. Fix for the value of variable "a" 5. In sk_msg_shift_left, after shifting, i has already pointed to the next element. Addtional sk_msg_iter_var_next may result in BUG.
{
"affected": [],
"aliases": [
"CVE-2024-56720"
],
"database_specific": {
"cwe_ids": [
"CWE-193",
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-29T12:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Several fixes to bpf_msg_pop_data\n\nSeveral fixes to bpf_msg_pop_data,\n1. In sk_msg_shift_left, we should put_page\n2. if (len == 0), return early is better\n3. pop the entire sk_msg (last == msg-\u003esg.size) should be supported\n4. Fix for the value of variable \"a\"\n5. In sk_msg_shift_left, after shifting, i has already pointed to the next\nelement. Addtional sk_msg_iter_var_next may result in BUG.",
"id": "GHSA-4x48-ph6h-wfmf",
"modified": "2025-11-03T21:32:02Z",
"published": "2024-12-29T12:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56720"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/275a9f3ef8fabb0cb282a62b9e164dedba7284c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5d609ba262475db450ba69b8e8a557bd768ac07a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/785180bed9879680d8e5c5e1b54c8ae8d948f4c8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/98c7ea7d11f2588e8197db042e0291e4ac8f8346"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d26d977633d1d0b8bf9407278189bd0a8d973323"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d3f5763b3062514a234114e97bbde74d8d702449"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1f54c61c4c9a5244eb8159dce60d248f7d97b32"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f58d3aa457e77a3d9b3df2ab081dcf9950f6029f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-52MM-RQXX-GFQ6
Vulnerability from github – Published: 2024-06-16 15:30 – Updated: 2025-11-04 00:30Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.
{
"affected": [],
"aliases": [
"CVE-2024-38440"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-16T13:15:53Z",
"severity": "HIGH"
},
"details": "Netatalk 3.2.0 has an off-by-one error and resultant heap-based buffer overflow because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c.",
"id": "GHSA-52mm-rqxx-gfq6",
"modified": "2025-11-04T00:30:49Z",
"published": "2024-06-16T15:30:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Netatalk/netatalk/security/advisories/GHSA-mxx4-9fhm-r3w5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38440"
},
{
"type": "WEB",
"url": "https://github.com/Netatalk/netatalk/issues/1097"
},
{
"type": "WEB",
"url": "https://github.com/Netatalk/netatalk/blob/90d91a9ac9a7d6132ab7620d31c8c23400949206/etc/uams/uams_dhx_pam.c#L199-L200"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00026.html"
},
{
"type": "WEB",
"url": "https://netatalk.io/security/CVE-2024-38440"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-533M-3WF6-C33V
Vulnerability from github – Published: 2026-05-18 20:37 – Updated: 2026-06-11 14:06An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46559"
],
"database_specific": {
"cwe_ids": [
"CWE-193",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:37:38Z",
"nvd_published_at": "2026-06-10T23:16:47Z",
"severity": "MODERATE"
},
"details": "An incorrect check in the JP2 will result in an heap buffer over-write of a single byte when specifying certain options.",
"id": "GHSA-533m-3wf6-c33v",
"modified": "2026-06-11T14:06:13Z",
"published": "2026-05-18T20:37:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-533m-3wf6-c33v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46559"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick: Heap Buffer Over-Write of a single byte in the JP2 encoder."
}
GHSA-56CJ-WGG3-X943
Vulnerability from github – Published: 2026-03-10 18:30 – Updated: 2026-03-10 22:54Summary
An off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt std::string null-termination, causing undefined behavior and potentially leading to crashes or out-of-bounds reads when the resulting string is later treated as a C-string.
### Details
The bug is in the control-character escaping path in source/common/common/ json_escape_string.h:67.
- The function pre-sizes result to the final length: std::string result(input.size() + required_size, '\');
- For control characters (0x00..0x1f), it emits a JSON escape sequence of length 6: \u00XX.
- It uses sprintf(&result[position + 1], "u%04x", ...), which writes 5 chars + a trailing NUL (\0) starting at result[position + 1].
- Then it does position += 6; and writes result[position] = '\'; to overwrite the NUL.
- If the control character occurs at the end of the output (e.g., the input ends with \x01), then after position += 6, position == result.size(), so result[position] is one past the end (off-by-one), violating std::string bounds/contract.
Concretely, the problematic lines are:
- source/common/common/json_escape_string.h:69 (sprintf(...))
- source/common/common/json_escape_string.h:72 (result[position] = '\';)
Potentially reachable from request-driven paths that escape untrusted data, e.g. invalid header reporting:
- source/common/http/header_utility.cc:538 ~ source/common/http/ header_utility.cc:546 (escapes invalid header key for error text)
Even when this doesn’t immediately crash, it can break the std::string requirement that c_str()[size()] == '\0', which can later trigger UB (e.g., if passed to strlen, printf("%s"), or any C API that expects NUL termination).
```cpp //clang++ -std=c++20 -O0 -g -fsanitize=address -fno-omit-frame-pointer repro_json_escape_asan.cc -o repro_json_escape_asan ASAN_OPTIONS=abort_on_error=1 ./repro_json_escape_asan
include
#include #include #include #include
static uint64_t extraSpace(std::string_view input) { uint64_t result = 0; for (unsigned char c : input) { switch (c) { case '\"': case '\': case '\b': case '\f': case '\n': case '\r': case '\t': result += 1; break; default: if (c == 0x00 || (c > 0x00 && c <= 0x1f)) { result += 5; } break; } } return result; }
static std::string escapeString(std::string_view input, uint64_t required_size) { std::string result(input.size() + required_size, '\'); uint64_t position = 0;
for (unsigned char character : input) {
switch (character) {
case '\"':
result[position + 1] = '\"';
position += 2;
break;
case '\\':
position += 2;
break;
case '\b':
result[position + 1] = 'b';
position += 2;
break;
case '\f':
result[position + 1] = 'f';
position += 2;
break;
case '\n':
result[position + 1] = 'n';
position += 2;
break;
case '\r':
result[position + 1] = 'r';
position += 2;
break;
case '\t':
result[position + 1] = 't';
position += 2;
break;
default:
if (character == 0x00 || (character > 0x00 && character <= 0x1f)) {
std::sprintf(&result[position + 1], "u%04x",
static_cast(character)); position += 6; // Off-by-one when this escape is the last output chunk: // position can become result.size(), so result[position] is out of bounds. result[position] = '\'; } else { result[position++] = static_cast(character); } break; } }
return result;
}
int main() { std::string input(4096, 'A'); input.push_back('\x01'); // ends with a control char -> triggers the buggy path at the end
const uint64_t required = extraSpace(input);
std::string escaped = escapeString(input, required);
std::printf("escaped.size=%zu\n", escaped.size());
unsigned char terminator = static_cast<unsigned char>(escaped.c_str()
[escaped.size()]); std::printf("escaped.c_str()[escaped.size()] = 0x%02x\n", terminator);
// If NUL termination is corrupted, this can read past the logical end.
std::printf("strlen(escaped.c_str()) = %zu\n",
std::strlen(escaped.c_str())); return 0; }```
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"versions": [
"1.37.0"
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.36.0"
},
{
"last_affected": "1.36.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0"
},
{
"last_affected": "1.35.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.34.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-26309"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-10T18:30:58Z",
"nvd_published_at": "2026-03-10T20:16:35Z",
"severity": "MODERATE"
},
"details": "### Summary\n\n An off-by-one write in Envoy::JsonEscaper::escapeString() can corrupt\n std::string null-termination, causing undefined behavior and potentially\n leading to crashes or out-of-bounds reads when the resulting string is later\n treated as a C-string.\n\n ### Details\n\n The bug is in the control-character escaping path in source/common/common/\n json_escape_string.h:67.\n\n - The function pre-sizes result to the final length: std::string\n result(input.size() + required_size, \u0027\\\\\u0027);\n - For control characters (0x00..0x1f), it emits a JSON escape sequence of\n length 6: \\u00XX.\n - It uses sprintf(\u0026result[position + 1], \"u%04x\", ...), which writes 5 chars +\n a trailing NUL (\\0) starting at result[position + 1].\n - Then it does position += 6; and writes result[position] = \u0027\\\\\u0027; to overwrite\n the NUL.\n - If the control character occurs at the end of the output (e.g., the input\n ends with \\x01), then after position += 6, position == result.size(), so\n result[position] is one past the end (off-by-one), violating std::string\n bounds/contract.\n\n Concretely, the problematic lines are:\n\n - source/common/common/json_escape_string.h:69 (sprintf(...))\n - source/common/common/json_escape_string.h:72 (result[position] = \u0027\\\\\u0027;)\n\n Potentially reachable from request-driven paths that escape untrusted data,\n e.g. invalid header reporting:\n\n - source/common/http/header_utility.cc:538 ~ source/common/http/\n header_utility.cc:546 (escapes invalid header key for error text)\n\n Even when this doesn\u2019t immediately crash, it can break the std::string\n requirement that c_str()[size()] == \u0027\\0\u0027, which can later trigger UB (e.g., if\n passed to strlen, printf(\"%s\"), or any C API that expects NUL termination).\n \n \n ```cpp\n//clang++ -std=c++20 -O0 -g -fsanitize=address -fno-omit-frame-pointer\n repro_json_escape_asan.cc -o repro_json_escape_asan\n ASAN_OPTIONS=abort_on_error=1 ./repro_json_escape_asan\n#include \u003ccstdint\u003e\n #include \u003ccstdio\u003e\n #include \u003ccstring\u003e\n #include \u003cstring\u003e\n #include \u003cstring_view\u003e\n\n static uint64_t extraSpace(std::string_view input) {\n uint64_t result = 0;\n for (unsigned char c : input) {\n switch (c) {\n case \u0027\\\"\u0027:\n case \u0027\\\\\u0027:\n case \u0027\\b\u0027:\n case \u0027\\f\u0027:\n case \u0027\\n\u0027:\n case \u0027\\r\u0027:\n case \u0027\\t\u0027:\n result += 1;\n break;\n default:\n if (c == 0x00 || (c \u003e 0x00 \u0026\u0026 c \u003c= 0x1f)) {\n result += 5;\n }\n break;\n }\n }\n return result;\n }\n\n static std::string escapeString(std::string_view input, uint64_t\n required_size) {\n std::string result(input.size() + required_size, \u0027\\\\\u0027);\n uint64_t position = 0;\n\n for (unsigned char character : input) {\n switch (character) {\n case \u0027\\\"\u0027:\n result[position + 1] = \u0027\\\"\u0027;\n position += 2;\n break;\n case \u0027\\\\\u0027:\n position += 2;\n break;\n case \u0027\\b\u0027:\n result[position + 1] = \u0027b\u0027;\n position += 2;\n break;\n case \u0027\\f\u0027:\n result[position + 1] = \u0027f\u0027;\n position += 2;\n break;\n case \u0027\\n\u0027:\n result[position + 1] = \u0027n\u0027;\n position += 2;\n break;\n case \u0027\\r\u0027:\n result[position + 1] = \u0027r\u0027;\n position += 2;\n break;\n case \u0027\\t\u0027:\n result[position + 1] = \u0027t\u0027;\n position += 2;\n break;\n default:\n if (character == 0x00 || (character \u003e 0x00 \u0026\u0026 character \u003c= 0x1f)) {\n std::sprintf(\u0026result[position + 1], \"u%04x\",\n static_cast\u003cint\u003e(character));\n position += 6;\n // Off-by-one when this escape is the last output chunk:\n // position can become result.size(), so result[position] is out of\n bounds.\n result[position] = \u0027\\\\\u0027;\n } else {\n result[position++] = static_cast\u003cchar\u003e(character);\n }\n break;\n }\n }\n\n return result;\n }\n\n int main() {\n std::string input(4096, \u0027A\u0027);\n input.push_back(\u0027\\x01\u0027); // ends with a control char -\u003e triggers the buggy\n path at the end\n\n const uint64_t required = extraSpace(input);\n std::string escaped = escapeString(input, required);\n\n std::printf(\"escaped.size=%zu\\n\", escaped.size());\n unsigned char terminator = static_cast\u003cunsigned char\u003e(escaped.c_str()\n [escaped.size()]);\n std::printf(\"escaped.c_str()[escaped.size()] = 0x%02x\\n\", terminator);\n\n // If NUL termination is corrupted, this can read past the logical end.\n std::printf(\"strlen(escaped.c_str()) = %zu\\n\",\n std::strlen(escaped.c_str()));\n return 0;\n }```",
"id": "GHSA-56cj-wgg3-x943",
"modified": "2026-03-10T22:54:36Z",
"published": "2026-03-10T18:30:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-56cj-wgg3-x943"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26309"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/envoy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "Envoy affected by off-by-one write in JsonEscaper::escapeString()"
}
GHSA-56MF-WC59-GHX4
Vulnerability from github – Published: 2022-05-13 01:41 – Updated: 2022-05-13 01:41axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting in the year (19)50 of UTCTime being misinterpreted as 2050.
{
"affected": [],
"aliases": [
"CVE-2017-1000416"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-22T23:29:00Z",
"severity": "MODERATE"
},
"details": "axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting in the year (19)50 of UTCTime being misinterpreted as 2050.",
"id": "GHSA-56mf-wc59-ghx4",
"modified": "2022-05-13T01:41:14Z",
"published": "2022-05-13T01:41:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000416"
},
{
"type": "WEB",
"url": "https://www.ieee-security.org/TC/SP2017/papers/231.pdf"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=FW--c_F_cY8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5793-WFXR-J725
Vulnerability from github – Published: 2024-09-27 15:30 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
dma-buf: heaps: Fix off-by-one in CMA heap fault handler
Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps: Don't track CMA dma-buf pages under RssFile") it was possible to obtain a mapping larger than the buffer size via mremap and bypass the overflow check in dma_buf_mmap_internal. When using such a mapping to attempt to fault past the end of the buffer, the CMA heap fault handler also checks the fault offset against the buffer size, but gets the boundary wrong by 1. Fix the boundary check so that we don't read off the end of the pages array and insert an arbitrary page in the mapping.
{
"affected": [],
"aliases": [
"CVE-2024-46852"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-27T13:15:16Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-buf: heaps: Fix off-by-one in CMA heap fault handler\n\nUntil VM_DONTEXPAND was added in commit 1c1914d6e8c6 (\"dma-buf: heaps:\nDon\u0027t track CMA dma-buf pages under RssFile\") it was possible to obtain\na mapping larger than the buffer size via mremap and bypass the overflow\ncheck in dma_buf_mmap_internal. When using such a mapping to attempt to\nfault past the end of the buffer, the CMA heap fault handler also checks\nthe fault offset against the buffer size, but gets the boundary wrong by\n1. Fix the boundary check so that we don\u0027t read off the end of the pages\narray and insert an arbitrary page in the mapping.",
"id": "GHSA-5793-wfxr-j725",
"modified": "2025-11-04T00:31:31Z",
"published": "2024-09-27T15:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46852"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/007180fcb6cc4a93211d4cc45fef3f5ccccd56ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/79cce5e81d20fa9ad553be439d665ac3302d3c95"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/84175dc5b2c932266a50c04e5ce342c30f817a2f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e79050882b857c37634baedbdcf7c2047c24cbff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ea5ff5d351b520524019f7ff7f9ce418de2dad87"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/eb7fc8b65cea22f9038c52398c8b22849e9620ea"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CCM-MJXH-P582
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.
{
"affected": [],
"aliases": [
"CVE-2019-8272"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-08T23:29:00Z",
"severity": "CRITICAL"
},
"details": "UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution. This attack appears to be exploitable via network connectivity. These vulnerabilities have been fixed in revision 1212.",
"id": "GHSA-5ccm-mjxh-p582",
"modified": "2022-05-13T01:14:20Z",
"published": "2022-05-13T01:14:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8272"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-927095.pdf"
},
{
"type": "WEB",
"url": "https://ics-cert.kaspersky.com/advisories/klcert-advisories/2019/03/01/klcert-19-019-ultravnc-off-by-one-error"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsa-20-161-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5CXF-MXJ6-WWF7
Vulnerability from github – Published: 2025-11-07 00:30 – Updated: 2025-11-07 15:31Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2025-11215"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-06T22:15:39Z",
"severity": "MODERATE"
},
"details": "Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-5cxf-mxj6-wwf7",
"modified": "2025-11-07T15:31:29Z",
"published": "2025-11-07T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11215"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_30.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/439758498"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5J5V-66R8-4GM4
Vulnerability from github – Published: 2024-10-21 15:32 – Updated: 2024-10-23 18:33In the Linux kernel, the following vulnerability has been resolved:
powercap: intel_rapl: Fix off by one in get_rpi()
The rp->priv->rpi array is either rpi_msr or rpi_tpmi which have NR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >= to prevent an off by one access.
{
"affected": [],
"aliases": [
"CVE-2024-49862"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-21T13:15:06Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npowercap: intel_rapl: Fix off by one in get_rpi()\n\nThe rp-\u003epriv-\u003erpi array is either rpi_msr or rpi_tpmi which have\nNR_RAPL_PRIMITIVES number of elements. Thus the \u003e needs to be \u003e=\nto prevent an off by one access.",
"id": "GHSA-5j5v-66r8-4gm4",
"modified": "2024-10-23T18:33:07Z",
"published": "2024-10-21T15:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49862"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/288cbc505e2046638c615c36357cb78bc9fee1e0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a34f3b0d7f11fb6ed72da315fd2360abd9c0737"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/851e7f7f14a15f4e47b7d0f70d5c4a2b95b824d6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/95f6580352a7225e619551febb83595bcb77ab17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
No CAPEC attack patterns related to this CWE.