CWE-131
AllowedIncorrect Calculation of Buffer Size
Abstraction: Base · Status: Draft
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
270 vulnerabilities reference this CWE, most recent first.
GHSA-5C6H-GW38-34MR
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2025-04-20 03:35An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.
{
"affected": [],
"aliases": [
"CVE-2017-0569"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-07T22:59:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.",
"id": "GHSA-5c6h-gw38-34mr",
"modified": "2025-04-20T03:35:35Z",
"published": "2022-05-13T01:40:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0569"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-04-01"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/41808"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97331"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5MCC-F9F9-29W9
Vulnerability from github – Published: 2026-02-17 21:31 – Updated: 2026-02-17 21:31IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to the incorrect calculation of a buffer size.
{
"affected": [],
"aliases": [
"CVE-2025-33124"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-17T20:22:03Z",
"severity": "MODERATE"
},
"details": "IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to the incorrect calculation of a buffer size.",
"id": "GHSA-5mcc-f9f9-29w9",
"modified": "2026-02-17T21:31:14Z",
"published": "2026-02-17T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33124"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7260043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5PMV-RX8R-WMV5
Vulnerability from github – Published: 2026-07-02 20:45 – Updated: 2026-07-02 20:45Summary
On 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.
Details & PoC
The test listed below fail under miri with command cargo +nightly miri test --release -p jxl-grid
Or you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:
RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86_64-unknown-linux-gnu
The following tests should be appended to crates/jxl-grid/src/test/subgrids.rs:
mod miri_ub {
use super::*;
// `AlignedGrid::with_alloc_tracker` computes `width * height` unchecked. In release, overflow
// can create a tiny backing buffer for huge logical dimensions.
#[test]
fn aligned_grid_dimension_product_overflows() {
let width = usize::MAX / 2 + 1;
let mut grid = AlignedGrid::<u8>::with_alloc_tracker(width, 2, None).unwrap();
let mut subgrid = grid.as_subgrid_mut();
*subgrid.get_mut(0, 1) = 1;
std::hint::black_box(grid);
}
}
This issue can be reachable through decoding a crafted image in two ways:
-
Huge actual frame A frame such as
65536 x 65536passes the current frame area limit (2^32 <= 2^40) but overflowsusizeelement count on 32-bit. Rendering then allocates too-smallAlignedGrids in modular/VarDCT/filter paths and later writes through mutable subgrids. -
Huge canvas plus tiny cropped frame This is the more practical “small payload, huge logical output” case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary
render_frame().
Impact
On 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.6.1"
},
"package": {
"ecosystem": "crates.io",
"name": "jxl-grid"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.6.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-52834"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-131",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:45:59Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nOn 32-bit platforms, decoding a crafted image may lead to out-of-bounds writes due to integer overflow in length calculation.\n\n### Details \u0026 PoC\n\nThe test listed below fail under miri with command `cargo +nightly miri test --release -p jxl-grid`\n\nOr you can use Address Sanitizer, which ignores Rust-specific UB like aliasing but still flags out-of-bounds accesses:\n\n`RUSTFLAGS=-Zsanitizer=address cargo +nightly test -Zbuild-std -p jxl-grid --release --target x86_64-unknown-linux-gnu`\n\nThe following tests should be appended to `crates/jxl-grid/src/test/subgrids.rs`:\n\n```rust\nmod miri_ub {\n use super::*;\n\n // `AlignedGrid::with_alloc_tracker` computes `width * height` unchecked. In release, overflow\n // can create a tiny backing buffer for huge logical dimensions.\n #[test]\n fn aligned_grid_dimension_product_overflows() {\n let width = usize::MAX / 2 + 1;\n let mut grid = AlignedGrid::\u003cu8\u003e::with_alloc_tracker(width, 2, None).unwrap();\n let mut subgrid = grid.as_subgrid_mut();\n *subgrid.get_mut(0, 1) = 1;\n std::hint::black_box(grid);\n }\n}\n```\n\nThis issue can be reachable through decoding a crafted image in two ways:\n\n1. **Huge actual frame**\n A frame such as `65536 x 65536` passes the current frame area limit (`2^32 \u003c= 2^40`) but overflows `usize` element count on 32-bit. Rendering then allocates too-small `AlignedGrid`s in modular/VarDCT/filter paths and later writes through mutable subgrids.\n\n2. **Huge canvas plus tiny cropped frame**\n This is the more practical \u201csmall payload, huge logical output\u201d case. A bitstream-controlled frame crop can be tiny, but if the canvas/default requested region is huge, composition can allocate an output grid sized to the canvas/ROI at crates/jxl-render/src/blend.rs. That is bitstream frame cropping, not API crop. With a 32-bit target and a full requested image region whose area overflows, this can happen through ordinary `render_frame()`.\n\n### Impact\n\nOn 32-bit platforms this can cause out-of-bounds writes with attacker-controlled data when decoding a crafted JPEG XL image. This could allow arbitrary code execution.",
"id": "GHSA-5pmv-rx8r-wmv5",
"modified": "2026-07-02T20:45:59Z",
"published": "2026-07-02T20:45:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-5pmv-rx8r-wmv5"
},
{
"type": "PACKAGE",
"url": "https://github.com/tirr-c/jxl-oxide"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0151.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H",
"type": "CVSS_V3"
}
],
"summary": "jxl-grid on 32-bit platforms has an out-of-bounds writes due to integer overflow"
}
GHSA-5QR3-HM6R-FWX9
Vulnerability from github – Published: 2025-04-23 15:30 – Updated: 2025-04-27 00:30In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.
{
"affected": [],
"aliases": [
"CVE-2025-43965"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-23T15:16:00Z",
"severity": "LOW"
},
"details": "In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.",
"id": "GHSA-5qr3-hm6r-fwx9",
"modified": "2025-04-27T00:30:33Z",
"published": "2025-04-23T15:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43965"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/commit/bac413a26073923d3ffb258adaab07fb3fe8fdc9"
},
{
"type": "WEB",
"url": "https://github.com/ImageMagick/Website/blob/main/ChangeLog.md#711-44---2025-02-22"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00035.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5R6M-66FX-Q4CM
Vulnerability from github – Published: 2022-05-24 17:25 – Updated: 2022-05-24 17:25An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2020-6070"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-10T14:15:00Z",
"severity": "MODERATE"
},
"details": "An exploitable code execution vulnerability exists in the file system checking functionality of fsck.f2fs 1.12.0. A specially crafted f2fs file can cause a logic flaw and out-of-bounds heap operations, resulting in code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-5r6m-66fx-q4cm",
"modified": "2022-05-24T17:25:13Z",
"published": "2022-05-24T17:25:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6070"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3SZ4HMQKNI35NBWJI6XMJBGWPEKZRR72"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-0988"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5WVF-8JJJ-7W99
Vulnerability from github – Published: 2026-04-21 15:32 – Updated: 2026-06-30 03:36Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
{
"affected": [],
"aliases": [
"CVE-2026-6752"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T13:16:21Z",
"severity": "HIGH"
},
"details": "Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.",
"id": "GHSA-5wvf-8jjj-7w99",
"modified": "2026-06-30T03:36:20Z",
"published": "2026-04-21T15:32:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6752"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10757"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19465"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19466"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19467"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19468"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19469"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19542"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19655"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19704"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-6752"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2027499"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460078"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-6752.json"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-30"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-31"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-32"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-33"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-34"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10766"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:10767"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:12285"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:13537"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:15892"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17477"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17689"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:17690"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19041"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19131"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19201"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19348"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19461"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19462"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19463"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19464"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-66M8-C62J-H6V5
Vulnerability from github – Published: 2026-07-02 20:45 – Updated: 2026-07-02 20:45Summary
jxl-oxide exposes a public safe API that can construct an undersized FrameBuffer due to unchecked usize multiplication, which immediately trigger panic while initializing the buffer in normal decoding path.
Additionally, calling the safe grouped buffer accessors afterward can create invalid oversized slices from a much smaller allocation, causing undefined behavior; however normal decoding path never reaches UB, because these methods are never used within jxl-oxide.
Impact
On 32-bit platforms this can cause panic by accessing out-of-range indices, making it a DoS vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.12.5"
},
"package": {
"ecosystem": "crates.io",
"name": "jxl-oxide"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:45:10Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\n`jxl-oxide` exposes a public safe API that can construct an undersized `FrameBuffer` due to unchecked `usize` multiplication, which immediately trigger panic while initializing the buffer in normal decoding path.\n\nAdditionally, calling the safe grouped buffer accessors afterward can create invalid oversized slices from a much smaller allocation, causing undefined behavior; however normal decoding path never reaches UB, because these methods are never used within `jxl-oxide`.\n\n### Impact\nOn 32-bit platforms this can cause panic by accessing out-of-range indices, making it a DoS vulnerability.",
"id": "GHSA-66m8-c62j-h6v5",
"modified": "2026-07-02T20:45:10Z",
"published": "2026-07-02T20:45:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tirr-c/jxl-oxide/security/advisories/GHSA-66m8-c62j-h6v5"
},
{
"type": "PACKAGE",
"url": "https://github.com/tirr-c/jxl-oxide"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "jxl-oxide: `FrameBuffer::new` creates out-of-bounds slices on overflow"
}
GHSA-67F2-J5VG-639W
Vulnerability from github – Published: 2023-10-15 03:30 – Updated: 2024-08-27 21:31An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.
{
"affected": [],
"aliases": [
"CVE-2023-45871"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-15T01:15:09Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in drivers/net/ethernet/intel/igb/igb_main.c in the IGB driver in the Linux kernel before 6.5.3. A buffer size may not be adequate for frames larger than the MTU.",
"id": "GHSA-67f2-j5vg-639w",
"modified": "2024-08-27T21:31:10Z",
"published": "2023-10-15T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45871"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.5.3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bb5ed01cd2428cd25b1c88a3a9cba87055eb289f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20231110-0001"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-67QF-QF6P-XGV3
Vulnerability from github – Published: 2026-04-11 03:30 – Updated: 2026-06-30 03:36GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863.
{
"affected": [],
"aliases": [
"CVE-2026-4152"
],
"database_specific": {
"cwe_ids": [
"CWE-122",
"CWE-131",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-11T01:16:16Z",
"severity": "HIGH"
},
"details": "GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863.",
"id": "GHSA-67qf-qf6p-xgv3",
"modified": "2026-06-30T03:36:15Z",
"published": "2026-04-11T03:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4152"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:16484"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19362"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20691"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25899"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25901"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25907"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-4152"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457533"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4152.json"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6GJ8-FXH3-H3J9
Vulnerability from github – Published: 2024-04-12 15:37 – Updated: 2025-04-10 21:30An Incorrect Calculation of Buffer Size vulnerability in Juniper Networks Junos OS SRX 5000 Series devices using SPC2 line cards while ALGs are enabled allows an attacker sending specific crafted packets to cause a transit traffic Denial of Service (DoS).
Continued receipt and processing of these specific packets will sustain the Denial of Service condition.
This issue affects: Juniper Networks Junos OS SRX 5000 Series with SPC2 with ALGs enabled. * All versions earlier than 21.2R3-S7; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3; * 23.2 versions earlier than 23.2R2.
{
"affected": [],
"aliases": [
"CVE-2024-30405"
],
"database_specific": {
"cwe_ids": [
"CWE-131"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-12T15:15:25Z",
"severity": "HIGH"
},
"details": "An Incorrect Calculation of Buffer Size vulnerability in Juniper Networks Junos OS SRX 5000 Series devices using SPC2 line cards while ALGs are enabled allows an attacker sending specific crafted packets to cause a transit traffic Denial of Service (DoS).\n\nContinued receipt and processing of these specific packets will sustain the Denial of Service condition.\n\nThis issue affects:\nJuniper Networks Junos OS SRX 5000 Series with SPC2 with ALGs enabled.\n * All versions earlier than 21.2R3-S7;\n * 21.4 versions earlier than 21.4R3-S6;\n * 22.1 versions earlier than 22.1R3-S5;\n * 22.2 versions earlier than 22.2R3-S3;\n * 22.3 versions earlier than 22.3R3-S2;\n * 22.4 versions earlier than 22.4R3;\n * 23.2 versions earlier than 23.2R2.\u00a0",
"id": "GHSA-6gj8-fxh3-h3j9",
"modified": "2025-04-10T21:30:48Z",
"published": "2024-04-12T15:37:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30405"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA79105"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
},
{
"type": "WEB",
"url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:A/V:D/RE:L/U:Green"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-8
Strategy: Input Validation
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation
When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
Mitigation
When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
Mitigation MIT-13
Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Mitigation
Use sizeof() on the appropriate data type to avoid CWE-467.
Mitigation
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity. This will simplify validation and will reduce surprises related to unexpected casting.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences, or buffer allocation routines that automatically track buffer size.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.