CWE-193
AllowedOff-by-one Error
Abstraction: Base · Status: Draft
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
256 vulnerabilities reference this CWE, most recent first.
GHSA-2H29-RJH5-XXCH
Vulnerability from github – Published: 2022-05-13 01:13 – Updated: 2022-05-13 01:13QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.
{
"affected": [],
"aliases": [
"CVE-2015-8701"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-12-29T22:59:00Z",
"severity": "MODERATE"
},
"details": "QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in \u0027tx_consume\u0027 routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue.",
"id": "GHSA-2h29-rjh5-xxch",
"modified": "2022-05-13T01:13:40Z",
"published": "2022-05-13T01:13:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8701"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1286971"
},
{
"type": "WEB",
"url": "https://lists.gnu.org/archive/html/qemu-devel/2015-12/msg04629.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201602-01"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/12/28/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/12/29/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/79706"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2HFR-22WV-H4VJ
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-24 18:32In the Linux kernel, the following vulnerability has been resolved:
ceph: fix num_ops off-by-one when crypto allocation fails
move_dirty_folio_in_page_array() may fail if the file is encrypted, the dirty folio is not the first in the batch, and it fails to allocate a bounce buffer to hold the ciphertext. When that happens, ceph_process_folio_batch() simply redirties the folio and flushes the current batch -- it can retry that folio in a future batch.
However, if this failed folio is not contiguous with the last folio that
did make it into the batch, then ceph_process_folio_batch() has already
incremented ceph_wbc->num_ops; because it doesn't follow through and
add the discontiguous folio to the array, ceph_submit_write() -- which
expects that ceph_wbc->num_ops accurately reflects the number of
contiguous ranges (and therefore the required number of "write extent"
ops) in the writeback -- will panic the kernel:
BUG_ON(ceph_wbc->op_idx + 1 != req->r_num_ops);
This issue can be reproduced on affected kernels by writing to fscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat pattern (total filesize should not matter) and gradually increasing the system's memory pressure until a bounce buffer allocation fails.
Fix this crash by decrementing ceph_wbc->num_ops back to the correct
value when move_dirty_folio_in_page_array() fails, but the folio already
started counting a new (i.e. still-empty) extent.
The defect corrected by this patch has existed since 2022 (see first
Fixes:), but another bug blocked multi-folio encrypted writeback until
recently (see second Fixes:). The second commit made it into 6.18.16,
6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch
therefore fixes a regression (panic) introduced by cac190c7674f.
{
"affected": [],
"aliases": [
"CVE-2026-46066"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix num_ops off-by-one when crypto allocation fails\n\nmove_dirty_folio_in_page_array() may fail if the file is encrypted, the\ndirty folio is not the first in the batch, and it fails to allocate a\nbounce buffer to hold the ciphertext. When that happens,\nceph_process_folio_batch() simply redirties the folio and flushes the\ncurrent batch -- it can retry that folio in a future batch.\n\nHowever, if this failed folio is not contiguous with the last folio that\ndid make it into the batch, then ceph_process_folio_batch() has already\nincremented `ceph_wbc-\u003enum_ops`; because it doesn\u0027t follow through and\nadd the discontiguous folio to the array, ceph_submit_write() -- which\nexpects that `ceph_wbc-\u003enum_ops` accurately reflects the number of\ncontiguous ranges (and therefore the required number of \"write extent\"\nops) in the writeback -- will panic the kernel:\n\n BUG_ON(ceph_wbc-\u003eop_idx + 1 != req-\u003er_num_ops);\n\nThis issue can be reproduced on affected kernels by writing to\nfscrypt-enabled CephFS file(s) with a 4KiB-written/4KiB-skipped/repeat\npattern (total filesize should not matter) and gradually increasing the\nsystem\u0027s memory pressure until a bounce buffer allocation fails.\n\nFix this crash by decrementing `ceph_wbc-\u003enum_ops` back to the correct\nvalue when move_dirty_folio_in_page_array() fails, but the folio already\nstarted counting a new (i.e. still-empty) extent.\n\nThe defect corrected by this patch has existed since 2022 (see first\n`Fixes:`), but another bug blocked multi-folio encrypted writeback until\nrecently (see second `Fixes:`). The second commit made it into 6.18.16,\n6.19.6, and 7.0-rc1, unmasking the panic in those versions. This patch\ntherefore fixes a regression (panic) introduced by cac190c7674f.",
"id": "GHSA-2hfr-22wv-h4vj",
"modified": "2026-06-24T18:32:29Z",
"published": "2026-05-27T15:33:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46066"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6200f41d6fcf2ac7e24866431e381cbc914560e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a0d9555bf9eaeba34fe6b6bb86f442fe08ba3842"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ba12c1e578890f6337a415b7dedf476c6d455105"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2V9G-P8FQ-VVH2
Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-17 00:05An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
{
"affected": [],
"aliases": [
"CVE-2021-3930"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-18T18:15:00Z",
"severity": "MODERATE"
},
"details": "An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the \u0027page\u0027 argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.",
"id": "GHSA-2v9g-p8fq-vvh2",
"modified": "2022-03-17T00:05:29Z",
"published": "2022-02-19T00:01:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3930"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2020588"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/04/msg00002.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-27"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220225-0007"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2V9V-6H75-597V
Vulnerability from github – Published: 2024-02-28 09:30 – Updated: 2024-12-09 21:31In the Linux kernel, the following vulnerability has been resolved:
drm/amd/display: Fix off by one in hdmi_14_process_transaction()
The hdcp_i2c_offsets[] array did not have an entry for HDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one read overflow. I added an entry and copied the 0x0 value for the offset from similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.
I also declared several of these arrays as having HDCP_MESSAGE_ID_MAX entries. This doesn't change the code, but it's just a belt and suspenders approach to try future proof the code.
{
"affected": [],
"aliases": [
"CVE-2021-47046"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-28T09:15:40Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix off by one in hdmi_14_process_transaction()\n\nThe hdcp_i2c_offsets[] array did not have an entry for\nHDCP_MESSAGE_ID_WRITE_CONTENT_STREAM_TYPE so it led to an off by one\nread overflow. I added an entry and copied the 0x0 value for the offset\nfrom similar code in drivers/gpu/drm/amd/display/modules/hdcp/hdcp_ddc.c.\n\nI also declared several of these arrays as having HDCP_MESSAGE_ID_MAX\nentries. This doesn\u0027t change the code, but it\u0027s just a belt and\nsuspenders approach to try future proof the code.",
"id": "GHSA-2v9v-6h75-597v",
"modified": "2024-12-09T21:31:00Z",
"published": "2024-02-28T09:30:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47046"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/080bd41d6478a64edf96704fddcda52b1fd5fed7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/403c4528e5887af3deb9838cb77a557631d1e138"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6a58310d5d1e5b02d0fc9b393ba540c9367bced5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e6fafd5a22e7a2eb216f5510db7aab54cc545c1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-2WRF-HF7J-CX32
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.
{
"affected": [],
"aliases": [
"CVE-2019-19721"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-15T18:15:00Z",
"severity": "MODERATE"
},
"details": "An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.",
"id": "GHSA-2wrf-hf7j-cx32",
"modified": "2022-05-24T17:17:57Z",
"published": "2022-05-24T17:17:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19721"
},
{
"type": "WEB",
"url": "https://bugs.gentoo.org/721940"
},
{
"type": "WEB",
"url": "https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=72afe7ebd8305bf4f5360293b8621cde52ec506b"
},
{
"type": "WEB",
"url": "https://www.videolan.org/security"
},
{
"type": "WEB",
"url": "http://hg.libsdl.org/SDL_image"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-362X-Q9RC-H58C
Vulnerability from github – Published: 2025-10-01 12:30 – Updated: 2026-01-20 18:31In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off-by-one errors in fast-commit block filling
Due to several different off-by-one errors, or perhaps due to a late change in design that wasn't fully reflected in the code that was actually merged, there are several very strange constraints on how fast-commit blocks are filled with tlv entries:
-
tlvs must start at least 10 bytes before the end of the block, even though the minimum tlv length is 8. Otherwise, the replay code will ignore them. (BUG: ext4_fc_reserve_space() could violate this requirement if called with a len of blocksize - 9 or blocksize - 8. Fortunately, this doesn't seem to happen currently.)
-
tlvs must end at least 1 byte before the end of the block. Otherwise the replay code will consider them to be invalid. This quirk contributed to a bug (fixed by an earlier commit) where uninitialized memory was being leaked to disk in the last byte of blocks.
Also, strangely these constraints don't apply to the replay code in e2fsprogs, which will accept any tlvs in the blocks (with no bounds checks at all, but that is a separate issue...).
Given that this all seems to be a bug, let's fix it by just filling blocks with tlv entries in the natural way.
Note that old kernels will be unable to replay fast-commit journals created by kernels that have this commit.
{
"affected": [],
"aliases": [
"CVE-2022-50428"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-01T12:15:34Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix off-by-one errors in fast-commit block filling\n\nDue to several different off-by-one errors, or perhaps due to a late\nchange in design that wasn\u0027t fully reflected in the code that was\nactually merged, there are several very strange constraints on how\nfast-commit blocks are filled with tlv entries:\n\n- tlvs must start at least 10 bytes before the end of the block, even\n though the minimum tlv length is 8. Otherwise, the replay code will\n ignore them. (BUG: ext4_fc_reserve_space() could violate this\n requirement if called with a len of blocksize - 9 or blocksize - 8.\n Fortunately, this doesn\u0027t seem to happen currently.)\n\n- tlvs must end at least 1 byte before the end of the block. Otherwise\n the replay code will consider them to be invalid. This quirk\n contributed to a bug (fixed by an earlier commit) where uninitialized\n memory was being leaked to disk in the last byte of blocks.\n\nAlso, strangely these constraints don\u0027t apply to the replay code in\ne2fsprogs, which will accept any tlvs in the blocks (with no bounds\nchecks at all, but that is a separate issue...).\n\nGiven that this all seems to be a bug, let\u0027s fix it by just filling\nblocks with tlv entries in the natural way.\n\nNote that old kernels will be unable to replay fast-commit journals\ncreated by kernels that have this commit.",
"id": "GHSA-362x-q9rc-h58c",
"modified": "2026-01-20T18:31:51Z",
"published": "2025-10-01T12:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50428"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/18f28f13301d1afb8cea9c4ddcecdbff14488ec6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/48a6a66db82b8043d298a630f22c62d43550cae5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5439ad45c0d0c8db41eb6f4dce6f778f15a5ee16"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5ca65dffdead16572ca046c43fb576b227f7f635"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-38W7-MQ68-3H8Q
Vulnerability from github – Published: 2026-07-01 06:31 – Updated: 2026-07-09 06:31UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.
{
"affected": [],
"aliases": [
"CVE-2026-7831"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T05:16:24Z",
"severity": "HIGH"
},
"details": "UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.",
"id": "GHSA-38w7-mq68-3h8q",
"modified": "2026-07-09T06:31:59Z",
"published": "2026-07-01T06:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7831"
},
{
"type": "WEB",
"url": "https://github.com/ultravnc/UltraVNC"
},
{
"type": "WEB",
"url": "https://uvnc.com"
},
{
"type": "WEB",
"url": "https://www.securin.io/zero-days/cve-2026-7831-off-by-one-stack-overflow-viewer-namelength-ultravnc"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3CM8-8GXQ-6JR4
Vulnerability from github – Published: 2022-06-16 00:00 – Updated: 2025-01-02 21:31Windows Kernel Denial of Service Vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-30155"
],
"database_specific": {
"cwe_ids": [
"CWE-193",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-15T22:15:00Z",
"severity": "MODERATE"
},
"details": "Windows Kernel Denial of Service Vulnerability.",
"id": "GHSA-3cm8-8gxq-6jr4",
"modified": "2025-01-02T21:31:38Z",
"published": "2022-06-16T00:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30155"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30155"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30155"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167755/Windows-Kernel-nt-MiRelocateImage-Invalid-Read.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3P24-8MW5-X2HX
Vulnerability from github – Published: 2025-07-04 15:31 – Updated: 2025-11-03 21:34Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.
{
"affected": [],
"aliases": [
"CVE-2025-52497"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T15:15:22Z",
"severity": "MODERATE"
},
"details": "Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.",
"id": "GHSA-3p24-8mw5-x2hx",
"modified": "2025-11-03T21:34:05Z",
"published": "2025-07-04T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52497"
},
{
"type": "WEB",
"url": "https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00013.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-3QGV-JW3W-GQ48
Vulnerability from github – Published: 2022-05-13 01:53 – Updated: 2022-05-13 01:53An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs.
{
"affected": [],
"aliases": [
"CVE-2018-9860"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-12T05:29:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An off-by-one error when processing malformed TLS-CBC ciphertext could cause the receiving side to include in the HMAC computation exactly 64K bytes of data following the record buffer, aka an over-read. The MAC comparison will subsequently fail and the connection will be closed. This could be used for denial of service. No information leak occurs.",
"id": "GHSA-3qgv-jw3w-gq48",
"modified": "2022-05-13T01:53:57Z",
"published": "2022-05-13T01:53:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-9860"
},
{
"type": "WEB",
"url": "https://botan.randombit.net/security.html"
},
{
"type": "WEB",
"url": "https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7434"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
No CAPEC attack patterns related to this CWE.