{"@ID": "127", "@Name": "Buffer Under-read", "@Abstraction": "Variant", "@Structure": "Simple", "@Status": "Draft", "Description": "The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "125", "@View_ID": "1000"}, {"@Nature": "ChildOf", "@CWE_ID": "786", "@View_ID": "1000", "@Ordinal": "Primary"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": [{"@Class": "Memory-Unsafe", "@Prevalence": "Undetermined"}, {"@Name": "C", "@Prevalence": "Undetermined"}, {"@Name": "C++", "@Prevalence": "Undetermined"}]}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Implementation", "Note": "This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash."}}, "Common_Consequences": {"Consequence": [{"Scope": "Confidentiality", "Impact": "Read Memory"}, {"Scope": "Confidentiality", "Impact": "Bypass Protection Mechanism", "Note": "By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service."}]}, "Detection_Methods": {"Detection_Method": [{"@Detection_Method_ID": "DM-14", "Method": "Automated Static Analysis", "Description": "Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect \"sources\" (origins of input) with \"sinks\" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)", "Effectiveness": "High"}, {"@Detection_Method_ID": "DM-15", "Method": "Automated Dynamic Analysis", "Description": "Use tools that are integrated during\n\t     compilation to insert runtime error-checking mechanisms\n\t     related to memory safety errors, such as AddressSanitizer\n\t     (ASan) for C/C++ [REF-1518].", "Effectiveness": "Moderate", "Effectiveness_Notes": "Crafted inputs are necessary to\n\t     reach the code containing the error, such as generated\n\t     by fuzzers.  Also, these tools may reduce performance,\n\t     and they only report the error condition - not the\n\t     original mistake that led to the\n\t     error."}]}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-100", "Intro_Text": "In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null, null, null, null, null], "xhtml:i": ["// check that the array index is less than the maximum", "// length of the array", "// if array index is invalid then output error message", "// and return value indicating error"], "xhtml:div": [{"@style": "margin-left:1em;", "xhtml:div": {"xhtml:br": [null, null], "xhtml:i": "// get the value at the specified index of the array", "#text": "value = array[index];"}}, {"@style": "margin-left:1em;", "xhtml:br": null, "#text": "printf(\"Value is: %d\\n\", array[index]);value = -1;"}], "#text": "int value;\n                           \n                           \n                           \n                           \n                           \n                           if (index < len) {}\n                           \n                           \n                           \n                           \n                           else {}\n                           return value;"}}, "#text": "int getValueFromArray(int *array, int len, int index) {}"}}, {"@Nature": "Good", "@Language": "C", "xhtml:div": {"xhtml:br": [null, null, null, null, null, null, null, null], "xhtml:i": ["// check that the array index is within the correct", "// range of values for the array"], "#text": "...\n                     \n                     \n                     \n                     \n                     \n                     if (index >= 0 && index < len) {\n                     ..."}}], "Body_Text": "However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below."}}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2021-40985", "Description": "HTML conversion package has a buffer under-read, allowing a crash", "Link": "https://www.cve.org/CVERecord?id=CVE-2021-40985"}}, "Functional_Areas": {"Functional_Area": "Memory Management"}, "Affected_Resources": {"Affected_Resource": "Memory"}, "Taxonomy_Mappings": {"Taxonomy_Mapping": [{"@Taxonomy_Name": "PLOVER", "Entry_Name": "Buffer under-read"}, {"@Taxonomy_Name": "Software Fault Patterns", "Entry_ID": "SFP8", "Entry_Name": "Faulty Buffer Access"}]}, "References": {"Reference": [{"@External_Reference_ID": "REF-1034"}, {"@External_Reference_ID": "REF-1035"}, {"@External_Reference_ID": "REF-44", "@Section": "\"Sin 5: Buffer Overruns.\" Page 89"}, {"@External_Reference_ID": "REF-1518"}]}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Research Gap", "#text": "Under-studied."}}, "Content_History": {"Submission": {"Submission_Name": "PLOVER", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Applicable_Platforms, Relationships, Taxonomy_Mappings, Weakness_Ordinalities"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2009-10-29", "Modification_Version": "1.6", "Modification_ReleaseDate": "2009-10-29", "Modification_Comment": "updated Description, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Causal_Nature"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2019-09-19", "Modification_Version": "3.4", "Modification_ReleaseDate": "2019-09-19", "Modification_Comment": "updated Common_Consequences, References"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-01-31", "Modification_Version": "4.10", "Modification_ReleaseDate": "2023-01-31", "Modification_Comment": "updated Description"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-09-09", "Modification_Version": "4.18", "Modification_ReleaseDate": "2025-09-09", "Modification_Comment": "updated Affected_Resources, Common_Consequences, Demonstrative_Examples, Functional_Areas"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Applicable_Platforms, Description, Detection_Factors, Modes_of_Introduction, References"}]}}
