CWE-193
AllowedOff-by-one Error
Abstraction: Base · Status: Draft
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
256 vulnerabilities reference this CWE, most recent first.
GHSA-C2CP-78WW-6JM8
Vulnerability from github – Published: 2025-02-19 00:31 – Updated: 2025-11-03 21:32sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.
{
"affected": [],
"aliases": [
"CVE-2024-57259"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-18T23:15:09Z",
"severity": "HIGH"
},
"details": "sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.",
"id": "GHSA-c2cp-78ww-6jm8",
"modified": "2025-11-03T21:32:46Z",
"published": "2025-02-19T00:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57259"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00001.html"
},
{
"type": "WEB",
"url": "https://source.denx.de/u-boot/u-boot/-/commit/048d795bb5b3d9c5701b4855f5e74bcf6849bf5e"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2025/02/17/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C389-X6QF-WXV2
Vulnerability from github – Published: 2022-05-24 17:44 – Updated: 2022-07-31 00:00An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.
{
"affected": [],
"aliases": [
"CVE-2020-27171"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-03-20T22:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.",
"id": "GHSA-c389-x6qf-wxv2",
"modified": "2022-07-31T00:00:59Z",
"published": "2022-05-24T17:44:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27171"
},
{
"type": "WEB",
"url": "https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.11.8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/patch/?id=10d2bb2e6b1d8c4576c56a748f697dbeb8388899"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00035.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FB6LUXPEIRLZH32YXWZVEZAD4ZL6SDK2"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QRTPQE73ANG7D6M4L4PK5ZQDPO4Y2FVD"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T2S3I4SLRNRUQDOFYUS6IUAZMQNMPNLG"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2021/03/19/3"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/162117/Kernel-Live-Patch-Security-Notice-LSN-0075-1.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/03/24/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C46X-VC6V-FPX6
Vulnerability from github – Published: 2022-04-30 18:21 – Updated: 2024-02-15 21:31Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.
{
"affected": [],
"aliases": [
"CVE-2002-1816"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "HIGH"
},
"details": "Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request.",
"id": "GHSA-c46x-vc6v-fpx6",
"modified": "2024-02-15T21:31:22Z",
"published": "2022-04-30T18:21:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1816"
},
{
"type": "WEB",
"url": "http://archives.neohapsis.com/archives/bugtraq/2002-10/0187.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/7293"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/10362.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/5956"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C4GX-P7GQ-G6HP
Vulnerability from github – Published: 2026-05-04 21:30 – Updated: 2026-06-30 03:36Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.
{
"affected": [],
"aliases": [
"CVE-2026-43964"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-04T19:16:07Z",
"severity": "LOW"
},
"details": "Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.",
"id": "GHSA-c4gx-p7gq-g6hp",
"modified": "2026-06-30T03:36:30Z",
"published": "2026-05-04T21:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25930"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25932"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:26205"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-43964"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466488"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-43964.json"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/postfix-announce@postfix.org/msg00110.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/05/04/30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-C5JG-WR5V-2WP2
Vulnerability from github – Published: 2025-04-21 03:30 – Updated: 2025-04-21 21:55An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.35.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/osrg/gobgp/v3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.35.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-43973"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": true,
"github_reviewed_at": "2025-04-21T21:55:39Z",
"nvd_published_at": "2025-04-21T01:15:45Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in GoBGP before 3.35.0. pkg/packet/rtr/rtr.go does not verify that the input length corresponds to a situation in which all bytes are available for an RTR message.",
"id": "GHSA-c5jg-wr5v-2wp2",
"modified": "2025-04-21T21:55:39Z",
"published": "2025-04-21T03:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43973"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/commit/5693c58a4815cc6327b8d3b6980f0e5aced28abe"
},
{
"type": "PACKAGE",
"url": "https://github.com/osrg/gobgp"
},
{
"type": "WEB",
"url": "https://github.com/osrg/gobgp/compare/v3.34.0...v3.35.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "GoBGP does not verify that the input length"
}
GHSA-C7FJ-R3PQ-5PH5
Vulnerability from github – Published: 2026-07-06 15:30 – Updated: 2026-07-06 15:30A flaw was found in GIMP's PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2026-58380"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T15:16:40Z",
"severity": "HIGH"
},
"details": "A flaw was found in GIMP\u0027s PNM file format parser. When parsing a specially crafted PNM file, the pnmscanner_gettoken() function writes a null terminator one byte past the end of a stack-allocated buffer due to an off-by-one error in the loop boundary check. This could lead to memory corruption, potentially resulting in denial of service or arbitrary code execution.",
"id": "GHSA-c7fj-r3pq-5ph5",
"modified": "2026-07-06T15:30:48Z",
"published": "2026-07-06T15:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58380"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-58380"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2496135"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/83699817"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/gimp/-/issues/16206"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8MQ-83H4-GM57
Vulnerability from github – Published: 2022-12-18 06:31 – Updated: 2022-12-22 15:30An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.19. It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that causes a url_canonize2 heap-based buffer over-read because of an off-by-one error.
{
"affected": [],
"aliases": [
"CVE-2022-47517"
],
"database_specific": {
"cwe_ids": [
"CWE-193",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-18T05:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in the libsofia-sip fork in drachtio-server before 0.8.19. It allows remote attackers to cause a denial of service (daemon crash) via a crafted UDP message that causes a url_canonize2 heap-based buffer over-read because of an off-by-one error.",
"id": "GHSA-c8mq-83h4-gm57",
"modified": "2022-12-22T15:30:21Z",
"published": "2022-12-18T06:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47517"
},
{
"type": "WEB",
"url": "https://github.com/drachtio/drachtio-server/issues/243"
},
{
"type": "WEB",
"url": "https://github.com/davehorton/sofia-sip/commit/22c1bd191f0acbf11f0c0fbea1845d9bf9dcd47e"
},
{
"type": "WEB",
"url": "https://github.com/davehorton/sofia-sip/commit/bfc79d85c8f3a4798a3305fb98f5a11c11d0d29f"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8WP-68RG-MQRC
Vulnerability from github – Published: 2025-02-27 03:34 – Updated: 2025-10-01 21:31In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7925: fix off by one in mt7925_load_clc()
This comparison should be >= instead of > to prevent an out of bounds read and write.
{
"affected": [],
"aliases": [
"CVE-2024-57990"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-27T02:15:13Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: fix off by one in mt7925_load_clc()\n\nThis comparison should be \u003e= instead of \u003e to prevent an out of bounds\nread and write.",
"id": "GHSA-c8wp-68rg-mqrc",
"modified": "2025-10-01T21:31:11Z",
"published": "2025-02-27T03:34:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57990"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/08fa656c91fd5fdf47ba393795b9c0d1e97539ed"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2d1628d32300e4f67ac0b7409cbfa7b912a8fe9d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d03b8fe1b518fc2ea2d82588e905f56d80cd64b2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C8XJ-FR2W-PJFC
Vulnerability from github – Published: 2025-06-09 06:30 – Updated: 2026-06-26 00:32There's a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.
{
"affected": [],
"aliases": [
"CVE-2025-47711"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-09T06:15:25Z",
"severity": "MODERATE"
},
"details": "There\u0027s a flaw in the nbdkit server when handling responses from its plugins regarding the status of data blocks. If a client makes a specific request for a very large data range, and a plugin responds with an even larger single block, the nbdkit server can encounter a critical internal error, leading to a denial-of-service.",
"id": "GHSA-c8xj-fr2w-pjfc",
"modified": "2026-06-26T00:32:01Z",
"published": "2025-06-09T06:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47711"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-47711"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2365687"
},
{
"type": "WEB",
"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/67E7AASHHADIY7VAD3FFW2I67LTWVWYF"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-CJH6-575G-258G
Vulnerability from github – Published: 2026-06-26 21:32 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison
The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'.
Fix the loop condition to use '<' for consistency and correctness.
{
"affected": [],
"aliases": [
"CVE-2026-53309"
],
"database_specific": {
"cwe_ids": [
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-26T20:17:24Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison\n\nThe local-vs-remote region comparison loop uses \u0027\u003c=\u0027 instead of \u0027\u003c\u0027,\ncausing it to read one entry past the valid range of qr_regions. The\nother loops in the same function correctly use \u0027\u003c\u0027.\n\nFix the loop condition to use \u0027\u003c\u0027 for consistency and correctness.",
"id": "GHSA-cjh6-575g-258g",
"modified": "2026-06-28T09:31:48Z",
"published": "2026-06-26T21:32:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53309"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01b61e8dda9b0fdb0d4cda43de25f4e390554d7b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fb7f356547d9688822315cd2b205ff0bd5429b4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2a0673836f019e7c032acbf48d022d5ccf02a845"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/426cd8eedac89b86148d4478990eeef16e8a2520"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/760ab35040aca8399021fdb9ff1db1089feb7194"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/819d8ebad3200a53de99bd7e297bc428e41ced54"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c60a2710b73838d250cda57344c049b89abc5d52"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d5403ae28085761d58b555645bc7d5feadb10073"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
No CAPEC attack patterns related to this CWE.