Common Weakness Enumeration

CWE-787

Allowed-with-Review

Out-of-bounds Write

Abstraction: Base · Status: Draft

The product writes data past the end, or before the beginning, of the intended buffer.

15096 vulnerabilities reference this CWE, most recent first.

GHSA-VVM3-R83F-JHGF

Vulnerability from github – Published: 2022-05-01 07:39 – Updated: 2022-05-01 07:39
VLAI
Details

Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long PASS command. NOTE: it was later reported that 4.70 is also affected. NOTE: the USER vector is already covered by CVE-2005-0634.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-6576"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-12-15T19:28:00Z",
    "severity": "HIGH"
  },
  "details": "Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long PASS command. NOTE: it was later reported that 4.70 is also affected.  NOTE: the USER vector is already covered by CVE-2005-0634.",
  "id": "GHSA-vvm3-r83f-jhgf",
  "modified": "2022-05-01T07:39:21Z",
  "published": "2022-05-01T07:39:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6576"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/161711/Golden-FTP-Server-4.70-Buffer-Overflow.html"
    },
    {
      "type": "WEB",
      "url": "http://retrogod.altervista.org/golden_heap.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/23323"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/16036"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/45924"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/45957"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/4936"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VVMG-8MJR-G6Q3

Vulnerability from github – Published: 2026-05-18 20:17 – Updated: 2026-06-09 10:58
VLAI
Summary
OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers
Details

Summary

OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total iov_iter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment.

Details

In bpf/logenricher/logenricher.c#L50, __fill_iov resolves only one struct iovec, specifically iov_ctx.iov[0] for ITER_IOVEC. The returned iov therefore describes only the first write segment.

However, __write later uses const size_t count = BPF_CORE_READ(from, count);, which is the total byte count across all segments in the iterator. That total is stored in e->len and used in bpf_probe_read_user(e->log, e->len, iov.iov_base) and bpf_probe_write_user(iov.iov_base, zero, to_write).

If count exceeds iov.iov_len, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.

PoC

Local testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable writev path.

Use a vulnerable build with the log enricher enabled.

git checkout v0.7.0
make build

Create a program that performs a two-element writev, where the first buffer is short and the second is large:

// save as /tmp/writev-poc.c
#define _GNU_SOURCE
#include <sys/uio.h>
#include <unistd.h>
#include <string.h>

int main(void) {
  char a[8] = "HELLO\n";
  char b[256];
  memset(b, 'B', sizeof(b));

  struct iovec iov[2];
  iov[0].iov_base = a;
  iov[0].iov_len = sizeof(a);
  iov[1].iov_base = b;
  iov[1].iov_len = sizeof(b);

  for (;;) {
    writev(1, iov, 2);
    usleep(10000);
  }
}

Compile and run it:

cc -O2 -o /tmp/writev-poc /tmp/writev-poc.c
/tmp/writev-poc >/dev/null

Attach OBI with log enrichment enabled to the running process:

PID=$(pgrep -f /tmp/writev-poc)
sudo ./bin/obi --pid "$PID"

On a vulnerable build, OBI copies iov_iter.count bytes starting from iov[0].iov_base, even though iov[0] is only 8 bytes long. Depending on allocator layout, you will see one of the following:

  1. log events that include bytes beyond HELLO\n
  2. corrupted stdout content because OBI zeroed memory beyond the first iovec
  3. process instability or a crash

The issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.

Impact

This is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through writev. An attacker who can trigger the vulnerable local writev pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/obi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45684"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-126",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:17:57Z",
    "nvd_published_at": "2026-06-02T16:16:43Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nOBI\u0027s log enricher mishandles `writev` buffers by reading only the first `iovec` entry but using the total `iov_iter.count` as the copy length. When log injection is enabled, a crafted multi-segment `writev` call can make OBI read and overwrite memory beyond the first segment.\n\n### Details\n\nIn [bpf/logenricher/logenricher.c#L50](https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/blob/360521f411213566a3b557a1f0c093e6cd68a4de/bpf/logenricher/logenricher.c#L50), `__fill_iov` resolves only one `struct iovec`, specifically `iov_ctx.iov[0]` for `ITER_IOVEC`. The returned `iov` therefore describes only the first write segment.\n\nHowever, `__write` later uses `const size_t count = BPF_CORE_READ(from, count);`, which is the total byte count across all segments in the iterator. That total is stored in `e-\u003elen` and used in `bpf_probe_read_user(e-\u003elog, e-\u003elen, iov.iov_base)` and `bpf_probe_write_user(iov.iov_base, zero, to_write)`.\n\nIf `count` exceeds `iov.iov_len`, OBI reads and then zeroes memory past the end of the first segment. In practice, this can corrupt adjacent application buffers, leak memory into log events, and in some layouts destabilize the instrumented process.\n\n### PoC\n\nLocal testing with a minimal ASan harness reproduced the same out-of-bounds read/write condition as the vulnerable `writev` path.\n\nUse a vulnerable build with the log enricher enabled.\n\n```bash\ngit checkout v0.7.0\nmake build\n```\n\nCreate a program that performs a two-element `writev`, where the first buffer is short and the second is large:\n\n```c\n// save as /tmp/writev-poc.c\n#define _GNU_SOURCE\n#include \u003csys/uio.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003cstring.h\u003e\n\nint main(void) {\n  char a[8] = \"HELLO\\n\";\n  char b[256];\n  memset(b, \u0027B\u0027, sizeof(b));\n\n  struct iovec iov[2];\n  iov[0].iov_base = a;\n  iov[0].iov_len = sizeof(a);\n  iov[1].iov_base = b;\n  iov[1].iov_len = sizeof(b);\n\n  for (;;) {\n    writev(1, iov, 2);\n    usleep(10000);\n  }\n}\n```\n\nCompile and run it:\n\n```bash\ncc -O2 -o /tmp/writev-poc /tmp/writev-poc.c\n/tmp/writev-poc \u003e/dev/null\n```\n\nAttach OBI with log enrichment enabled to the running process:\n\n```bash\nPID=$(pgrep -f /tmp/writev-poc)\nsudo ./bin/obi --pid \"$PID\"\n```\n\nOn a vulnerable build, OBI copies `iov_iter.count` bytes starting from `iov[0].iov_base`, even though `iov[0]` is only 8 bytes long. Depending on allocator layout, you will see one of the following:\n\n1. log events that include bytes beyond `HELLO\\n`\n2. corrupted stdout content because OBI zeroed memory beyond the first iovec\n3. process instability or a crash\n\nThe issue is easiest to observe under a debugger or with ASan-enabled builds of the target program, but those are not required.\n\n### Impact\n\nThis is a memory safety flaw in the log-enrichment eBPF path. It affects deployments that enable log injection and instrument applications that write logs through `writev`. An attacker who can trigger the vulnerable local `writev` pattern inside the instrumented process can cause memory corruption or disclosure in that process. The most direct effects are corrupted output and adjacent-memory disclosure, with process instability possible if the overwrite lands on sensitive state.",
  "id": "GHSA-vvmg-8mjr-g6q3",
  "modified": "2026-06-09T10:58:49Z",
  "published": "2026-05-18T20:17:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-vvmg-8mjr-g6q3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45684"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers"
}

GHSA-VVPW-GRJ7-VX3C

Vulnerability from github – Published: 2024-08-05 15:30 – Updated: 2024-08-05 15:30
VLAI
Details

Memory corruption during session sign renewal request calls in HLOS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-05T15:15:46Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption during session sign renewal request calls in HLOS.",
  "id": "GHSA-vvpw-grj7-vx3c",
  "modified": "2024-08-05T15:30:53Z",
  "published": "2024-08-05T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23356"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVQG-86QW-RHM8

Vulnerability from github – Published: 2025-04-15 21:31 – Updated: 2025-08-19 15:31
VLAI
Details

A maliciously crafted JPG file, when linked or imported into certain Autodesk applications, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1275"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-15T21:15:47Z",
    "severity": "HIGH"
  },
  "details": "A maliciously crafted JPG file, when linked or imported into certain Autodesk applications, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.",
  "id": "GHSA-vvqg-86qw-rhm8",
  "modified": "2025-08-19T15:31:20Z",
  "published": "2025-04-15T21:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1275"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/products/autodesk-access/overview"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/products/dwg-trueview/overview"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0006"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVQH-P9P4-63X6

Vulnerability from github – Published: 2024-11-28 00:39 – Updated: 2024-11-28 00:39
VLAI
Details

Fuji Electric Tellus Lite V-Simulator 5 V8 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fuji Electric Tellus Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of V8 files in the V-Simulator 5 component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24771.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11803"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-28T00:15:06Z",
    "severity": "HIGH"
  },
  "details": "Fuji Electric Tellus Lite V-Simulator 5 V8 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Fuji Electric Tellus Lite. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of V8 files in the V-Simulator 5 component. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24771.",
  "id": "GHSA-vvqh-p9p4-63x6",
  "modified": "2024-11-28T00:39:27Z",
  "published": "2024-11-28T00:39:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11803"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1629"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVQR-C837-HR5Q

Vulnerability from github – Published: 2025-01-03 03:30 – Updated: 2025-11-03 21:32
VLAI
Details

In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43097"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-03T01:15:07Z",
    "severity": "HIGH"
  },
  "details": "In resizeToAtLeast of SkRegion.cpp, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-vvqr-c837-hr5q",
  "modified": "2025-11-03T21:32:03Z",
  "published": "2025-01-03T03:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43097"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/external/skia/+/8d355fe1d0795fc30b84194b87563f75c6f8f2a7"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2024-12-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVQW-R3VV-46PH

Vulnerability from github – Published: 2025-05-05 18:32 – Updated: 2025-05-06 06:30
VLAI
Details

Out of bounds memory access in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-4050"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-05T18:15:43Z",
    "severity": "HIGH"
  },
  "details": "Out of bounds memory access in DevTools in Google Chrome prior to 136.0.7103.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)",
  "id": "GHSA-vvqw-r3vv-46ph",
  "modified": "2025-05-06T06:30:35Z",
  "published": "2025-05-05T18:32:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4050"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_29.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/409342999"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVR6-2W5F-52QH

Vulnerability from github – Published: 2023-02-14 12:30 – Updated: 2023-02-22 21:30
VLAI
Details

A vulnerability has been identified in Tecnomatix Plant Simulation (All versions < V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-19807)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-24985"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-14T11:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been identified in Tecnomatix Plant Simulation (All versions \u003c V2201.0006). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-19807)",
  "id": "GHSA-vvr6-2w5f-52qh",
  "modified": "2023-02-22T21:30:39Z",
  "published": "2023-02-14T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24985"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVV9-8H6R-HQF7

Vulnerability from github – Published: 2023-08-14 21:30 – Updated: 2024-04-04 06:56
VLAI
Details

Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the security parameter in the formWifiBasicSet function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-14T21:15:13Z",
    "severity": "HIGH"
  },
  "details": "Tenda A18 V15.13.07.09 was discovered to contain a stack overflow via the security parameter in the formWifiBasicSet function.",
  "id": "GHSA-vvv9-8h6r-hqf7",
  "modified": "2024-04-04T06:56:09Z",
  "published": "2023-08-14T21:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lst-oss/Vulnerability/tree/main/Tenda/A18/formWifiBasicSet"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVVP-MQXF-GJFR

Vulnerability from github – Published: 2022-11-02 12:00 – Updated: 2022-11-02 19:00
VLAI
Details

An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to cause unexpected system termination or write kernel memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-32925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-01T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to cause unexpected system termination or write kernel memory.",
  "id": "GHSA-vvvp-mqxf-gjfr",
  "modified": "2022-11-02T19:00:25Z",
  "published": "2022-11-02T12:00:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32925"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213446"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213486"
    },
    {
      "type": "WEB",
      "url": "https://support.apple.com/en-us/HT213487"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
  • Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
Implementation
  • Consider adhering to the following rules when allocating and managing an application's memory:
  • Double check that the buffer is as large as specified.
  • When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  • Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
  • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Operation

Strategy: Environment Hardening

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

No CAPEC attack patterns related to this CWE.