Common Weakness Enumeration

CWE-193

Allowed

Off-by-one Error

Abstraction: Base · Status: Draft

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

255 vulnerabilities reference this CWE, most recent first.

GHSA-XJ26-GX3H-X793

Vulnerability from github – Published: 2024-12-05 15:31 – Updated: 2025-02-27 18:31
VLAI
Details

Default Credentail vulnerabilities in ASPECT on Linux allows access to the product using publicly available default credentials.  Affected products:

ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-51554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-05T13:15:08Z",
    "severity": "HIGH"
  },
  "details": "Default Credentail vulnerabilities in ASPECT on Linux allows access to the product using publicly available default credentials.\u00a0\nAffected products:\n\n\nABB ASPECT - Enterprise v3.08.02; \nNEXUS Series v3.08.02; \nMATRIX Series v3.08.02",
  "id": "GHSA-xj26-gx3h-x793",
  "modified": "2025-02-27T18:31:06Z",
  "published": "2024-12-05T15:31:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51554"
    },
    {
      "type": "WEB",
      "url": "https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497\u0026LanguageCode=en\u0026DocumentPartId=\u0026Action=Launch"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XJ85-GXF6-HQ98

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-2955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-09-08T20:00:00Z",
    "severity": "LOW"
  },
  "details": "The cfg80211_wext_giwessid function in net/wireless/wext-compat.c in the Linux kernel before 2.6.36-rc3-next-20100831 does not properly initialize certain structure members, which allows local users to leverage an off-by-one error in the ioctl_standard_iw_point function in net/wireless/wext-core.c, and obtain potentially sensitive information from kernel heap memory, via vectors involving an SIOCGIWESSID ioctl call that specifies a large buffer size.",
  "id": "GHSA-xj85-gxf6-hq98",
  "modified": "2022-05-13T01:23:38Z",
  "published": "2022-05-13T01:23:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-2955"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=628434"
    },
    {
      "type": "WEB",
      "url": "http://forums.grsecurity.net/viewtopic.php?f=3\u0026t=2290"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/linville/wireless-2.6.git%3Ba=commit%3Bh=42da2f948d949efd0111309f5827bf0298bcc9a4"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/linville/wireless-2.6.git;a=commit;h=42da2f948d949efd0111309f5827bf0298bcc9a4"
    },
    {
      "type": "WEB",
      "url": "http://grsecurity.net/~spender/wireless-infoleak-fix2.patch"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/27/413"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/30/127"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/30/146"
    },
    {
      "type": "WEB",
      "url": "http://lkml.org/lkml/2010/8/30/351"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/41245"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.36-rc3-next-20100831.bz2"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2010/08/31/1"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0771.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0842.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/42885"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1000-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0298"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-XJRX-58MF-555F

Vulnerability from github – Published: 2025-02-27 21:32 – Updated: 2025-10-28 03:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

timers/migration: Fix off-by-one root mis-connection

Before attaching a new root to the old root, the children counter of the new root is checked to verify that only the upcoming CPU's top group have been connected to it. However since the recently added commit b729cc1ec21a ("timers/migration: Fix another race between hotplug and idle entry/exit") this check is not valid anymore because the old root is pre-accounted as a child to the new root. Therefore after connecting the upcoming CPU's top group to the new root, the children count to be expected must be 2 and not 1 anymore.

This omission results in the old root to not be connected to the new root. Then eventually the system may run with more than one top level, which defeats the purpose of a single idle migrator.

Also the old root is pre-accounted but not connected upon the new root creation. But it can be connected to the new root later on. Therefore the old root may be accounted twice to the new root. The propagation of such overcommit can end up creating a double final top-level root with a groupmask incorrectly initialized. Although harmless given that the final top level roots will never have a parent to walk up to, this oddity opportunistically reported the core issue:

WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote CPU: 8 UID: 0 PID: 0 Comm: swapper/8 RIP: 0010:tmigr_requires_handle_remote Call Trace: ? tmigr_requires_handle_remote ? hrtimer_run_queues update_process_times tick_periodic tick_handle_periodic __sysvec_apic_timer_interrupt sysvec_apic_timer_interrupt

Fix the problem by taking the old root into account in the children count of the new root so the connection is not omitted.

Also warn when more than one top level group exists to better detect similar issues in the future.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-21813"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T20:16:03Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ntimers/migration: Fix off-by-one root mis-connection\n\nBefore attaching a new root to the old root, the children counter of the\nnew root is checked to verify that only the upcoming CPU\u0027s top group have\nbeen connected to it. However since the recently added commit b729cc1ec21a\n(\"timers/migration: Fix another race between hotplug and idle entry/exit\")\nthis check is not valid anymore because the old root is pre-accounted\nas a child to the new root. Therefore after connecting the upcoming\nCPU\u0027s top group to the new root, the children count to be expected must\nbe 2 and not 1 anymore.\n\nThis omission results in the old root to not be connected to the new\nroot. Then eventually the system may run with more than one top level,\nwhich defeats the purpose of a single idle migrator.\n\nAlso the old root is pre-accounted but not connected upon the new root\ncreation. But it can be connected to the new root later on. Therefore\nthe old root may be accounted twice to the new root. The propagation of\nsuch overcommit can end up creating a double final top-level root with a\ngroupmask incorrectly initialized. Although harmless given that the final\ntop level roots will never have a parent to walk up to, this oddity\nopportunistically reported the core issue:\n\n  WARNING: CPU: 8 PID: 0 at kernel/time/timer_migration.c:543 tmigr_requires_handle_remote\n  CPU: 8 UID: 0 PID: 0 Comm: swapper/8\n  RIP: 0010:tmigr_requires_handle_remote\n  Call Trace:\n   \u003cIRQ\u003e\n   ? tmigr_requires_handle_remote\n   ? hrtimer_run_queues\n   update_process_times\n   tick_periodic\n   tick_handle_periodic\n   __sysvec_apic_timer_interrupt\n   sysvec_apic_timer_interrupt\n  \u003c/IRQ\u003e\n\nFix the problem by taking the old root into account in the children count\nof the new root so the connection is not omitted.\n\nAlso warn when more than one top level group exists to better detect\nsimilar issues in the future.",
  "id": "GHSA-xjrx-58mf-555f",
  "modified": "2025-10-28T03:30:13Z",
  "published": "2025-02-27T21:32:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21813"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f449d8fa1808a7f9ee644866bbc079285dbefdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/868c9037df626b3c245ee26a290a03ae1f9f58d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c6dd70e5b465a2b77c7a7c3d868736d302e29aec"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XM67-587Q-R2VW

Vulnerability from github – Published: 2023-03-09 00:09 – Updated: 2025-05-02 12:52
VLAI
Summary
wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64
Details

Impact

Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly i8x16.select instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the pshufb instruction which causes incorrect results to be returned if lanes are selected from the second vector.

The impact of this miscompilation is that the WebAssembly instruction can produce incorrect results for the i8x16.select instruction. This should have no effect on embedders and does not represent a sandbox escape, for example. Guest programs, however, may behave unexpectedly due to the incorrect result of this instruction. In extreme cases if a guest program is handling untrusted input then the guest program may deviate from its intended execution, for example calling an imported host function with different arguments than intended. This still does not impact embedders, however, because there is no form of privilege escalation with the guest.

At this time it's expected that this codegen pattern doesn't show up in the wild that often. LLVM-generated modules, for example, do not appear to conventionally or idiomatically generate code which would hit this bug. It is possible, however, to still write code which triggers this, so it's recommended for embedders to analyze existing modules to see if any are affected.

Patches

This codegen bug has been fixed in Wasmtime 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions.

Workarounds

If upgrading is not an option for you at this time, you can avoid this miscompilation by disabling the Wasm simd proposal

config.wasm_simd(false);

Additionally the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.

References

For more information

If you have any questions or comments about this advisory:

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "fixed": "4.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cranelift-codegen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.88.0"
            },
            {
              "fixed": "0.91.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cranelift-codegen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.92.0"
            },
            {
              "fixed": "0.92.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "cranelift-codegen"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.93.0"
            },
            {
              "fixed": "0.93.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-09T00:09:03Z",
    "nvd_published_at": "2023-03-08T21:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nWasmtime\u0027s code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error  in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector.\n\nThe impact of this miscompilation is that the WebAssembly instruction can produce incorrect results for the `i8x16.select` instruction. This should have no effect on embedders and does not represent a sandbox escape, for example. Guest programs, however, may behave unexpectedly due to the incorrect result of this instruction. In extreme cases if a guest program is handling untrusted input then the guest program may deviate from its intended execution, for example calling an imported host function with different arguments than intended. This still does not impact embedders, however, because there is no form of privilege escalation with the guest.\n\nAt this time it\u0027s expected that this codegen pattern doesn\u0027t show up in the wild that often. LLVM-generated modules, for example, do not appear to conventionally or idiomatically generate code which would hit this bug. It is possible, however, to still write code which triggers this, so it\u0027s recommended for embedders to analyze existing modules to see if any are affected.\n\n### Patches\n\nThis codegen bug has been fixed in Wasmtime 6.0.1, 5.0.1, and 4.0.1. Users are recommended to upgrade to these updated versions.\n\n### Workarounds\n\nIf upgrading is not an option for you at this time, you can avoid this miscompilation by [disabling the Wasm simd proposal](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd)\n\n```rust\nconfig.wasm_simd(false);\n```\n\nAdditionally the bug is only present on x86_64 hosts. Other platforms such as AArch64 and s390x are not affected.\n\n### References\n\n* [The WebAssembly simd proposal](https://github.com/webassembly/simd)\n* [Mailing list announcement](https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ)\n* [GitHub advisory](https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw)\n* [Commit to fix this issue on Wasmtime\u0027s `main` branch](https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the bytecodealliance/wasmtime repository](https://github.com/bytecodealliance/wasmtime/)",
  "id": "GHSA-xm67-587q-r2vw",
  "modified": "2025-05-02T12:52:23Z",
  "published": "2023-03-09T00:09:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xm67-587q-r2vw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/5dc2bbccbb363e474d2c9a1b8e38a89a43bbd5d1"
    },
    {
      "type": "WEB",
      "url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webassembly/simd"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/a/bytecodealliance.org/g/sec-announce/c/Mov-ItrNJsQ"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0093.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "wasmtime vulnerable to miscompilation of `i8x16.select` with the same inputs on x86_64"
}

GHSA-XMRM-F5H6-FXM7

Vulnerability from github – Published: 2022-04-29 02:57 – Updated: 2024-02-16 21:31
VLAI
Details

WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-0342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-11-23T05:00:00Z",
    "severity": "LOW"
  },
  "details": "WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error.",
  "id": "GHSA-xmrm-f5h6-fxm7",
  "modified": "2024-02-16T21:31:29Z",
  "published": "2022-04-29T02:57:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0342"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15342"
    },
    {
      "type": "WEB",
      "url": "http://marc.info/?l=bugtraq\u0026m=107801142924976\u0026w=2"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/11001"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/4116"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/9767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

No CAPEC attack patterns related to this CWE.