CWE-466
AllowedReturn of Pointer Value Outside of Expected Range
Abstraction: Base · Status: Draft
A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.
17 vulnerabilities reference this CWE, most recent first.
GHSA-H8P8-GV8P-X88F
Vulnerability from github – Published: 2026-03-22 15:31 – Updated: 2026-03-22 15:31Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form.
{
"affected": [],
"aliases": [
"CVE-2019-25599"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T14:16:27Z",
"severity": "MODERATE"
},
"details": "Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form.",
"id": "GHSA-h8p8-gv8p-x88f",
"modified": "2026-03-22T15:31:28Z",
"published": "2026-03-22T15:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25599"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46750"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/backup-key-recovery-denial-of-service-via-name-field"
},
{
"type": "WEB",
"url": "http://www.nsauditor.com/downloads/backeyrecovery_setup.exe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-Q958-7F7X-PMQ4
Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).
On EX Series, QFX Series and MX Series a low-privileged attacker issuing a specific 'show l2-learning' command will cause an l2ald crash which will lead to a temporary service impact for all layer 2 services until the process has automatically restarted.
This issue affects EX Series, QFX Series, MX Series: Junos OS:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S7,
- 24.2 versions before 24.2R2,
- 24.4 versions before 24.4R1-S2.
Junos OS Evolved: * all versions before 23.2R2-S7-EVO, * 23.4 versions before 23.4R2-S8-EVO, * 24.2 versions before 24.2R2-EVO, * 24.4 versions before 24.4R1-S3-EVO.
{
"affected": [],
"aliases": [
"CVE-2026-57025"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T22:17:07Z",
"severity": "MODERATE"
},
"details": "A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).\n\nOn EX Series, QFX Series and MX Series a\u00a0low-privileged attacker issuing a specific \u0027show l2-learning\u0027 command will cause an l2ald crash which will lead to a temporary service impact for all layer 2 services until the process has automatically restarted.\n\nThis issue affects EX Series, QFX Series, MX Series:\nJunos OS:\n\n\n * all versions before 23.2R2-S7,\n * 23.4 versions before 23.4R2-S7,\n * 24.2 versions before 24.2R2,\n * 24.4 versions before 24.4R1-S2.\n\n\n\nJunos OS Evolved:\n * all versions before 23.2R2-S7-EVO,\n * 23.4 versions before 23.4R2-S8-EVO,\n * 24.2 versions before 24.2R2-EVO,\n * 24.4 versions before 24.4R1-S3-EVO.",
"id": "GHSA-q958-7f7x-pmq4",
"modified": "2026-07-10T00:31:26Z",
"published": "2026-07-10T00:31:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57025"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA110085"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QC7G-9546-GC47
Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2018-25234"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T12:16:17Z",
"severity": "MODERATE"
},
"details": "SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.",
"id": "GHSA-qc7g-9546-gc47",
"modified": "2026-03-30T12:32:27Z",
"published": "2026-03-30T12:32:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25234"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/45759"
},
{
"type": "WEB",
"url": "https://www.smartftp.com/en-us"
},
{
"type": "WEB",
"url": "https://www.smartftp.com/en-us/download"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/smartftp-client-denial-of-service-via-host-field"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-QJCW-R4CF-VP97
Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.
{
"affected": [],
"aliases": [
"CVE-2018-25227"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-30T12:16:15Z",
"severity": "MODERATE"
},
"details": "Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.",
"id": "GHSA-qjcw-r4cf-vp97",
"modified": "2026-03-30T12:32:26Z",
"published": "2026-03-30T12:32:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25227"
},
{
"type": "WEB",
"url": "https://valentina-db.com/en"
},
{
"type": "WEB",
"url": "https://valentina-db.com/en/developer/database/download-valentina-database-adk"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46421"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/valentina-studio-denial-of-service-via-host-parameter"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RMF4-RVGX-3JFQ
Vulnerability from github – Published: 2026-03-22 03:30 – Updated: 2026-03-22 03:30Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.
{
"affected": [],
"aliases": [
"CVE-2019-25586"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-22T01:16:56Z",
"severity": "MODERATE"
},
"details": "Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the \u0027From URL\u0027 field during torrent addition to trigger an application crash.",
"id": "GHSA-rmf4-rvgx-3jfq",
"modified": "2026-03-22T03:30:25Z",
"published": "2026-03-22T03:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25586"
},
{
"type": "WEB",
"url": "https://dev.deluge-torrent.org"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/46883"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/deluge-denial-of-service-via-url-field"
},
{
"type": "WEB",
"url": "http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-WJW6-7QC3-VGHJ
Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30When an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2024-21849"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-14T17:15:12Z",
"severity": "HIGH"
},
"details": "\n\n\nWhen an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-wjw6-7qc3-vghj",
"modified": "2024-02-14T18:30:25Z",
"published": "2024-02-14T18:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21849"
},
{
"type": "WEB",
"url": "https://my.f5.com/manage/s/article/K000135873"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X25X-J4W4-7M59
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-06-28 22:41A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.61"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:script-security"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.62"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10356"
],
"database_specific": {
"cwe_ids": [
"CWE-466"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-28T22:41:36Z",
"nvd_published_at": "2019-07-31T13:15:00Z",
"severity": "HIGH"
},
"details": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.",
"id": "GHSA-x25x-j4w4-7m59",
"modified": "2022-06-28T22:41:36Z",
"published": "2022-05-24T16:51:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10356"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2594"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2651"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2662"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(2)"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Return of Pointer Value Outside of Expected Rang in Jenkins Script Security Plugin"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.