Common Weakness Enumeration

CWE-787

Allowed-with-Review

Out-of-bounds Write

Abstraction: Base · Status: Draft

The product writes data past the end, or before the beginning, of the intended buffer.

15106 vulnerabilities reference this CWE, most recent first.

GHSA-W55C-VQMF-7CP2

Vulnerability from github – Published: 2024-06-06 18:30 – Updated: 2024-06-06 18:30
VLAI
Details

Sonos Era 100 SMB2 Message Handling Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 100 smart speakers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of SMB2 messages. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22384.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-5267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-06T18:15:19Z",
    "severity": "HIGH"
  },
  "details": "Sonos Era 100 SMB2 Message Handling Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos Era 100 smart speakers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of SMB2 messages. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22384.",
  "id": "GHSA-w55c-vqmf-7cp2",
  "modified": "2024-06-06T18:30:58Z",
  "published": "2024-06-06T18:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5267"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-543"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W55V-4C3H-PJH8

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-06-09T00:55:00Z",
    "severity": "HIGH"
  },
  "details": "Stack-based buffer overflow in Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code via unspecified vectors.",
  "id": "GHSA-w55v-4c3h-pjh8",
  "modified": "2022-05-13T01:06:46Z",
  "published": "2022-05-13T01:06:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2035"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00007.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-0722.html"
    },
    {
      "type": "WEB",
      "url": "http://www.adobe.com/support/security/bulletins/apsb12-14.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W56G-CW97-958X

Vulnerability from github – Published: 2022-05-24 17:37 – Updated: 2022-05-24 17:37
VLAI
Details

Arm Compiler 5 through 5.06u6 has an error in a stack protection feature designed to help spot stack-based buffer overflows in local arrays. When this feature is enabled, a protected function writes a guard value to the stack prior to (above) any vulnerable arrays in the stack. The guard value is checked for corruption on function return; corruption leads to an error-handler call. In certain circumstances, the reference value that is compared against the guard value is itself also written to the stack (after any vulnerable arrays). The reference value is written to the stack when the function runs out of registers to use for other temporary data. If both the reference value and the guard value are written to the stack, then the stack protection will fail to spot corruption when both values are overwritten with the same value. For both the reference value and the guard value to be corrupted, there would need to be both a buffer overflow and a buffer underflow in the vulnerable arrays (or some other vulnerability that causes two separated stack entries to be corrupted).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-24658"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-12-24T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Arm Compiler 5 through 5.06u6 has an error in a stack protection feature designed to help spot stack-based buffer overflows in local arrays. When this feature is enabled, a protected function writes a guard value to the stack prior to (above) any vulnerable arrays in the stack. The guard value is checked for corruption on function return; corruption leads to an error-handler call. In certain circumstances, the reference value that is compared against the guard value is itself also written to the stack (after any vulnerable arrays). The reference value is written to the stack when the function runs out of registers to use for other temporary data. If both the reference value and the guard value are written to the stack, then the stack protection will fail to spot corruption when both values are overwritten with the same value. For both the reference value and the guard value to be corrupted, there would need to be both a buffer overflow and a buffer underflow in the vulnerable arrays (or some other vulnerability that causes two separated stack entries to be corrupted).",
  "id": "GHSA-w56g-cw97-958x",
  "modified": "2022-05-24T17:37:12Z",
  "published": "2022-05-24T17:37:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24658"
    },
    {
      "type": "WEB",
      "url": "https://developer.arm.com/support/arm-security-updates/arm-compiler-5-stack-protection"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-W56X-HJ26-MQ65

Vulnerability from github – Published: 2022-05-24 17:27 – Updated: 2022-05-24 17:27
VLAI
Details

A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25212"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-367",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-09-09T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452.",
  "id": "GHSA-w56x-hj26-mq65",
  "modified": "2022-05-24T17:27:41Z",
  "published": "2022-05-24T17:27:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25212"
    },
    {
      "type": "WEB",
      "url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.8.3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b4487b93545214a9db8cbf32e86411677b0cca21"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/grsecurity/status/1303370421958578179"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4525-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4527-1"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4578-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W57P-72JV-7755

Vulnerability from github – Published: 2023-08-30 15:30 – Updated: 2024-04-04 07:16
VLAI
Details

Tenda AC7 V1.0 V15.03.06.44 and Tenda AC9 V3.0 V15.03.06.42_multi were discovered to contain a stack overflow via parameter ssid at url /goform/fast_setting_wifi_set.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-41552"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-30T13:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "Tenda AC7 V1.0 V15.03.06.44 and Tenda AC9 V3.0 V15.03.06.42_multi were discovered to contain a stack overflow via parameter ssid at url /goform/fast_setting_wifi_set.",
  "id": "GHSA-w57p-72jv-7755",
  "modified": "2024-04-04T07:16:45Z",
  "published": "2023-08-30T15:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41552"
    },
    {
      "type": "WEB",
      "url": "https://github.com/peris-navince/founded-0-days/blob/main/form_fast_setting_wifi_set/1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W57R-3PX7-JQGG

Vulnerability from github – Published: 2025-01-28 06:30 – Updated: 2025-01-28 06:30
VLAI
Details

NVIDIA GPU display driver for Windows and Linux contains a vulnerability where data is written past the end or before the beginning of a buffer. A successful exploit of this vulnerability might lead to information disclosure, denial of service, or data tampering.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0150"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-28T04:15:09Z",
    "severity": "HIGH"
  },
  "details": "NVIDIA GPU display driver for Windows and Linux contains a vulnerability where data is written past the end or before the beginning of a buffer. A successful exploit of this vulnerability might lead to information disclosure, denial of service, or data tampering.",
  "id": "GHSA-w57r-3px7-jqgg",
  "modified": "2025-01-28T06:30:40Z",
  "published": "2025-01-28T06:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0150"
    },
    {
      "type": "WEB",
      "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5614"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W57V-486J-MRF7

Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2022-10-11 19:00
VLAI
Details

Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-5787"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-23T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
  "id": "GHSA-w57v-486j-mrf7",
  "modified": "2022-10-11T19:00:54Z",
  "published": "2022-05-24T16:46:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5787"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop_12.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/913964"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00085.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W57X-F5PM-84R5

Vulnerability from github – Published: 2024-08-21 12:30 – Updated: 2024-08-21 12:30
VLAI
Details

A maliciously crafted DWG file, when parsed in Revit, can force a stack-based buffer overflow. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-21T10:15:05Z",
    "severity": "HIGH"
  },
  "details": "A maliciously crafted DWG file, when parsed in Revit, can force a stack-based buffer overflow. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.",
  "id": "GHSA-w57x-f5pm-84r5",
  "modified": "2024-08-21T12:30:25Z",
  "published": "2024-08-21T12:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37008"
    },
    {
      "type": "WEB",
      "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0013"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W584-H26P-3H6H

Vulnerability from github – Published: 2024-06-03 03:31 – Updated: 2025-02-03 21:31
VLAI
Details

In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is no needed for exploitation. Patch ID: MOLY01267281; Issue ID: MSV-1477.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-06-03T02:15:08Z",
    "severity": "HIGH"
  },
  "details": "In modem, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote denial of service with no additional execution privileges needed. User interaction is no needed for exploitation. Patch ID: MOLY01267281; Issue ID: MSV-1477.",
  "id": "GHSA-w584-h26p-3h6h",
  "modified": "2025-02-03T21:31:48Z",
  "published": "2024-06-03T03:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20066"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/June-2024"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-W586-QRFW-4QHV

Vulnerability from github – Published: 2026-01-27 09:30 – Updated: 2026-01-27 09:30
VLAI
Details

Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C.

This issue affects UEVR: before 1.05.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24817"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-27T09:15:52Z",
    "severity": "HIGH"
  },
  "details": "Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C.\n\nThis issue affects UEVR: before 1.05.",
  "id": "GHSA-w586-qrfw-4qhv",
  "modified": "2026-01-27T09:30:30Z",
  "published": "2026-01-27T09:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24817"
    },
    {
      "type": "WEB",
      "url": "https://github.com/praydog/UEVR/pull/336"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
  • Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Operation Build and Compilation

Strategy: Environment Hardening

  • Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
  • D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
Implementation
  • Consider adhering to the following rules when allocating and managing an application's memory:
  • Double check that the buffer is as large as specified.
  • When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
  • Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
  • If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-11
Operation Build and Compilation

Strategy: Environment Hardening

  • Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
  • Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
  • For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Operation

Strategy: Environment Hardening

  • Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
  • For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-13
Implementation

Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.

No CAPEC attack patterns related to this CWE.