CWE-170
AllowedImproper Null Termination
Abstraction: Base · Status: Incomplete
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
77 vulnerabilities reference this CWE, most recent first.
GHSA-Q76R-57VR-2J23
Vulnerability from github – Published: 2024-03-01 15:31 – Updated: 2024-03-01 15:31Dell Platform BIOS contains an Improper Null Termination vulnerability. A high privilege user with network access to the system could potentially send malicious data to the device in order to cause some services to cease to function.
{
"affected": [],
"aliases": [
"CVE-2023-48674"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-01T13:15:07Z",
"severity": "MODERATE"
},
"details": "Dell Platform BIOS contains an Improper Null Termination vulnerability. A high privilege user with network access to the system could potentially send malicious data to the device in order to cause some services to cease to function.",
"id": "GHSA-q76r-57vr-2j23",
"modified": "2024-03-01T15:31:37Z",
"published": "2024-03-01T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48674"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000220410/dsa-2023-467"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-QJH3-8FPH-X9WJ
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1471"
],
"database_specific": {
"cwe_ids": [
"CWE-170",
"CWE-295"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T20:15:00Z",
"severity": "MODERATE"
},
"details": "Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-qjh3-8fph-x9wj",
"modified": "2022-05-24T17:45:16Z",
"published": "2022-05-24T17:45:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1471"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-jabber-PWrTATTC"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RWJG-C3H2-F57P
Vulnerability from github – Published: 2025-12-05 18:14 – Updated: 2025-12-05 18:14Summary
Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.
Details
This occurs when the SAN is encoded as a BMPSTRING or UNIVERSALSTRING, and its UTF-8 conversion result is truncated at the first null byte during string assignment. As a result, "victim\0evil" may match an exact: "victim" rule and be accepted by Envoy.
PoC
Create a CA and a server certificate signed by that CA. Create two client certificates signed by the same CA: client_evil with OTHERNAME BMPSTRING = "evil" client_null with OTHERNAME BMPSTRING = "victim\0evil" Configure Envoy with require_client_certificate: true and a match_typed_subject_alt_names entry for the OTHERNAME OID with matcher.exact: "victim". Connect without a client cert → connection rejected. Connect with client_evil → connection rejected. Connect with client_null → connection accepted (but shouldn't!).
Impact
An attacker who can obtain a trusted client certificate with a null byte embedded in an OTHERNAME SAN can exploit this vulnerability. The practical impact is unauthorized impersonation of the matched identity, enabling access to services or APIs protected by that exact OTHERNAME check.
Credit
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.36.2"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.36.0"
},
{
"fixed": "1.36.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.35.6"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.35.0"
},
{
"fixed": "1.35.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.34.10"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "1.34.0"
},
{
"fixed": "1.34.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.33.12"
},
"package": {
"ecosystem": "Go",
"name": "github.com/envoyproxy/envoy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.33.13"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66220"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T18:14:02Z",
"nvd_published_at": "2025-12-03T19:15:58Z",
"severity": "MODERATE"
},
"details": "### Summary\nEnvoy\u2019s mTLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte (\\0) inside an `OTHERNAME` SAN value as valid matches.\n\n### Details\nThis occurs when the SAN is encoded as a `BMPSTRING` or `UNIVERSALSTRING`, and its UTF-8 conversion result is truncated at the first null byte during string assignment. As a result, `\"victim\\0evil\"` may match an exact: `\"victim\"` rule and be accepted by Envoy.\n\n### PoC\n\nCreate a CA and a server certificate signed by that CA.\nCreate two client certificates signed by the same CA:\nclient_evil with OTHERNAME BMPSTRING = \"evil\"\nclient_null with OTHERNAME BMPSTRING = \"victim\\0evil\"\nConfigure Envoy with require_client_certificate: true and a match_typed_subject_alt_names entry for the OTHERNAME OID with matcher.exact: \"victim\".\nConnect without a client cert \u2192 connection rejected.\nConnect with client_evil \u2192 connection rejected.\nConnect with client_null \u2192 connection accepted (but shouldn\u0027t!).\n\n### Impact\nAn attacker who can obtain a trusted client certificate with a null byte embedded in an OTHERNAME SAN can exploit this vulnerability. The practical impact is unauthorized impersonation of the matched identity, enabling access to services or APIs protected by that exact OTHERNAME check.\n\n### Credit\n[markevich.nikita1@gmail.com](mailto:markevich.nikita1@gmail.com)",
"id": "GHSA-rwjg-c3h2-f57p",
"modified": "2025-12-05T18:14:03Z",
"published": "2025-12-05T18:14:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66220"
},
{
"type": "PACKAGE",
"url": "https://github.com/envoyproxy/envoy"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Envoy\u0027s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte"
}
GHSA-V5PV-X346-W82J
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-05-24 17:45Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1411"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T21:15:00Z",
"severity": "CRITICAL"
},
"details": "Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-v5pv-x346-w82j",
"modified": "2022-05-24T17:45:12Z",
"published": "2022-05-24T17:45:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1411"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-jabber-PWrTATTC"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-WJ48-H958-4PVM
Vulnerability from github – Published: 2025-12-17 21:30 – Updated: 2025-12-18 21:31An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could cause occasionally a Blue Screen Of Death (BSOD) on Windows computers by using an IOCTL and an unterminated string.
{
"affected": [],
"aliases": [
"CVE-2025-67790"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-17T21:16:16Z",
"severity": "HIGH"
},
"details": "An issue was discovered in DriveLock 24.1 before 24.1.6, 24.2 before 24.2.7, and 25.1 before 25.1.5. An unprivileged user could cause occasionally a Blue Screen Of Death (BSOD) on Windows computers by using an IOCTL and an unterminated string.",
"id": "GHSA-wj48-h958-4pvm",
"modified": "2025-12-18T21:31:37Z",
"published": "2025-12-17T21:30:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67790"
},
{
"type": "WEB",
"url": "https://drivelock.help/versions/2025_1/web/en/releasenotes/Content/ReleaseNotes_DriveLock/SecurityBulletins/25-005-BufferOverreadBSOD.htm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WPHW-FGVH-WXQ4
Vulnerability from github – Published: 2022-05-24 17:45 – Updated: 2022-10-22 12:00Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.
{
"affected": [],
"aliases": [
"CVE-2021-1469"
],
"database_specific": {
"cwe_ids": [
"CWE-170",
"CWE-20"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-24T20:15:00Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in Cisco Jabber for Windows, Cisco Jabber for MacOS, and Cisco Jabber for mobile platforms could allow an attacker to execute arbitrary programs on the underlying operating system with elevated privileges, access sensitive information, intercept protected network traffic, or cause a denial of service (DoS) condition. For more information about these vulnerabilities, see the Details section of this advisory.",
"id": "GHSA-wphw-fgvh-wxq4",
"modified": "2022-10-22T12:00:29Z",
"published": "2022-05-24T17:45:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1469"
},
{
"type": "WEB",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-jabber-PWrTATTC"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5P5-W4HP-MPRX
Vulnerability from github – Published: 2024-03-12 18:31 – Updated: 2024-03-12 18:31Windows USB Print Driver Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21442"
],
"database_specific": {
"cwe_ids": [
"CWE-170"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-03-12T17:15:53Z",
"severity": "HIGH"
},
"details": "Windows USB Print Driver Elevation of Privilege Vulnerability",
"id": "GHSA-x5p5-w4hp-mprx",
"modified": "2024-03-12T18:31:13Z",
"published": "2024-03-12T18:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21442"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21442"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use a language that is not susceptible to these issues. However, be careful of null byte interaction errors (CWE-626) with lower-level constructs that may be written in a language that is susceptible.
Mitigation
Ensure that all string functions used are understood fully as to how they append null characters. Also, be wary of off-by-one errors when appending nulls to the end of strings.
Mitigation
If performance constraints permit, special code can be added that validates null-termination of string buffers, this is a rather naive and error-prone solution.
Mitigation
Switch to bounded string manipulation functions. Inspect buffer lengths involved in the buffer overrun trace reported with the defect.
Mitigation
Add code that fills buffers with nulls (however, the length of buffers still needs to be inspected, to ensure that the non null-terminated string is not written at the physical end of the buffer).
No CAPEC attack patterns related to this CWE.