CWE-126
AllowedBuffer Over-read
Abstraction: Variant · Status: Draft
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
852 vulnerabilities reference this CWE, most recent first.
GHSA-G3H4-3P28-925R
Vulnerability from github – Published: 2022-12-06 09:30 – Updated: 2022-12-07 18:30In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.
{
"affected": [],
"aliases": [
"CVE-2022-42758"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-06T07:15:00Z",
"severity": "LOW"
},
"details": "In wlan driver, there is a possible missing bounds check, This could lead to local denial of service in wlan services.",
"id": "GHSA-g3h4-3p28-925r",
"modified": "2022-12-07T18:30:27Z",
"published": "2022-12-06T09:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42758"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/1599588060988411006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G3QJ-J598-CXMQ
Vulnerability from github – Published: 2026-03-24 19:10 – Updated: 2026-03-24 19:10Summary
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.
The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.
Fixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.
Affected versions
fido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old cbor package — not affected.
Only affects systems where cbor-extract native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.
PoC
const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)
CBOR text string header claiming 268MB in a 5-byte buffer. extractStrings() in extract.cpp line 87 calls readString() without bounds check. Reads past buffer into unmapped memory.
In context: attacker intercepts WebAuthn registration response, replaces attestationObject with the 5-byte payload, POSTs to the registration verification endpoint. Server calls attestationResult() → cbor-x.decode() → cbor-extract → SIGSEGV.
Fix
Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).
-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"
— Malik X (@Xvush)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.5.7"
},
"package": {
"ecosystem": "npm",
"name": "fido2-lib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.5.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:10:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nfido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract \u003c= 2.2.0 has a heap buffer over-read in `extractStrings()` \u2014 a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.\n\nThe crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint \u2014 single request, unauthenticated, instant kill.\n\nFixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.\n\n## Affected versions\n\nfido2-lib \u003c= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package \u2014 not affected.\n\nOnly affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.\n\n## PoC\n\n```js\nconst { decode } = require(\"cbor-x\");\ndecode(Buffer.from(\"7a10000000\", \"hex\")); // exit code 139 (SIGSEGV)\n```\n\nCBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.\n\nIn context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` \u2192 `cbor-x.decode()` \u2192 `cbor-extract` \u2192 SIGSEGV.\n\n## Fix\n\nBump cbor-x to \u003e= 1.6.3 (which pulls cbor-extract \u003e= 2.2.1).\n\n```diff\n-\"cbor-x\": \"~1.6.0\"\n+\"cbor-x\": \"^1.6.3\"\n```\n\n\u2014 Malik X (@Xvush)",
"id": "GHSA-g3qj-j598-cxmq",
"modified": "2026-03-24T19:10:38Z",
"published": "2026-03-24T19:10:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/2"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/issues/3"
},
{
"type": "WEB",
"url": "https://github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/webauthn-open-source/fido2-lib"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing"
}
GHSA-G3X4-QG6F-W8X2
Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-03 18:30Information disclosure while parsing the OCI IE with invalid length.
{
"affected": [],
"aliases": [
"CVE-2024-49838"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T17:15:20Z",
"severity": "HIGH"
},
"details": "Information disclosure while parsing the OCI IE with invalid length.",
"id": "GHSA-g3x4-qg6f-w8x2",
"modified": "2025-02-03T18:30:42Z",
"published": "2025-02-03T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49838"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G54X-7HPM-29Q8
Vulnerability from github – Published: 2026-02-27 06:31 – Updated: 2026-06-30 03:35In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
{
"affected": [],
"aliases": [
"CVE-2026-28364"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-27T04:16:03Z",
"severity": "HIGH"
},
"details": "In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.",
"id": "GHSA-g54x-7hpm-29q8",
"modified": "2026-06-30T03:35:46Z",
"published": "2026-02-27T06:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28364"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-28364"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443348"
},
{
"type": "WEB",
"url": "https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/OSEC-2026-01"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28364.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G5V2-XWQ4-V6V3
Vulnerability from github – Published: 2023-07-04 06:30 – Updated: 2024-04-04 05:22Memory Corruption in WLAN HOST while fetching TX status information.
{
"affected": [],
"aliases": [
"CVE-2023-28542"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-04T05:15:10Z",
"severity": "HIGH"
},
"details": "Memory Corruption in WLAN HOST while fetching TX status information.",
"id": "GHSA-g5v2-xwq4-v6v3",
"modified": "2024-04-04T05:22:53Z",
"published": "2023-07-04T06:30:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28542"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/july-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G766-256G-WQP4
Vulnerability from github – Published: 2024-09-02 12:30 – Updated: 2024-09-02 12:30Memory corruption when the captureRead QDCM command is invoked from user-space.
{
"affected": [],
"aliases": [
"CVE-2024-33047"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-02T12:15:17Z",
"severity": "HIGH"
},
"details": "Memory corruption when the captureRead QDCM command is invoked from user-space.",
"id": "GHSA-g766-256g-wqp4",
"modified": "2024-09-02T12:30:45Z",
"published": "2024-09-02T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33047"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G7R9-5G7J-9RFJ
Vulnerability from github – Published: 2025-09-24 18:30 – Updated: 2025-09-24 18:30information disclosure while invoking calibration data from user space to update firmware size.
{
"affected": [],
"aliases": [
"CVE-2025-27030"
],
"database_specific": {
"cwe_ids": [
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-24T16:15:34Z",
"severity": "MODERATE"
},
"details": "information disclosure while invoking calibration data from user space to update firmware size.",
"id": "GHSA-g7r9-5g7j-9rfj",
"modified": "2025-09-24T18:30:30Z",
"published": "2025-09-24T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27030"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-G952-5578-5WVP
Vulnerability from github – Published: 2023-04-13 09:30 – Updated: 2024-04-04 03:26Information disclosure due to buffer over-read while parsing DNS response packets in Modem.
{
"affected": [],
"aliases": [
"CVE-2022-33222"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-13T07:15:00Z",
"severity": "HIGH"
},
"details": "Information disclosure due to buffer over-read while parsing DNS response packets in Modem.",
"id": "GHSA-g952-5578-5wvp",
"modified": "2024-04-04T03:26:47Z",
"published": "2023-04-13T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33222"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G9J4-5RRW-7GVR
Vulnerability from github – Published: 2025-02-03 18:30 – Updated: 2025-02-03 18:30Memory corruption while handling IOCTL call from user-space to set latency level.
{
"affected": [],
"aliases": [
"CVE-2024-45561"
],
"database_specific": {
"cwe_ids": [
"CWE-126",
"CWE-416"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-03T17:15:18Z",
"severity": "HIGH"
},
"details": "Memory corruption while handling IOCTL call from user-space to set latency level.",
"id": "GHSA-g9j4-5rrw-7gvr",
"modified": "2025-02-03T18:30:42Z",
"published": "2025-02-03T18:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45561"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G9XM-7C5J-7CX6
Vulnerability from github – Published: 2026-04-01 03:31 – Updated: 2026-04-14 18:30Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1., from 6.0.0 before 6.0., from 5.3.0 before 5.3., from 4.3x before 5.2..
{
"affected": [],
"aliases": [
"CVE-2026-2394"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-126"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-01T01:16:40Z",
"severity": "MODERATE"
},
"details": "Buffer Over-read vulnerability in RTI Connext Professional (Core Libraries) allows Overread Buffers.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.",
"id": "GHSA-g9xm-7c5j-7cx6",
"modified": "2026-04-14T18:30:27Z",
"published": "2026-04-01T03:31:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2394"
},
{
"type": "WEB",
"url": "https://www.rti.com/vulnerabilities/#cve-2026-2394"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.