Common Weakness Enumeration

CWE-193

Allowed

Off-by-one Error

Abstraction: Base · Status: Draft

A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

256 vulnerabilities reference this CWE, most recent first.

GHSA-JXC5-X72R-W93V

Vulnerability from github – Published: 2024-08-14 03:31 – Updated: 2024-08-14 03:31
VLAI
Details

An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-36136"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-14T03:15:04Z",
    "severity": "HIGH"
  },
  "details": "An off-by-one error in WLInfoRailService in Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to crash the service, resulting in a DoS.",
  "id": "GHSA-jxc5-x72r-w93v",
  "modified": "2024-08-14T03:31:09Z",
  "published": "2024-08-14T03:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36136"
    },
    {
      "type": "WEB",
      "url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-4-CVE-2024-38652-CVE-2024-38653-CVE-2024-36136-CVE-2024-37399-CVE-2024-37373"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JXV8-P782-98CX

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-25 18:31
VLAI
Details

fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-34085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:17:09Z",
    "severity": "MODERATE"
  },
  "details": "fontconfig before 2.17.1 has an off-by-one error in allocation during sfnt capability handling, leading to a one-byte out-of-bounds write, and potentially a crash or code execution. This is in FcFontCapabilities in fcfreetype.c.",
  "id": "GHSA-jxv8-p782-98cx",
  "modified": "2026-03-25T18:31:55Z",
  "published": "2026-03-25T18:31:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34085"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/commit/b9bec06d73340f1b5727302d13ac3df307b7febc"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/merge_requests/446"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/fontconfig/fontconfig/-/work_items/481"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M3CP-9JQ6-3GG3

Vulnerability from github – Published: 2026-01-23 18:31 – Updated: 2026-07-14 15:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

dm-verity: disable recursive forward error correction

There are two problems with the recursive correction:

  1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions - that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit - and this image just makes the udev-worker process get stuck in the 'D' state.

  2. It doesn't work. In fec_read_bufs we store data into the variable "fio->bufs", but fio bufs is shared between recursive invocations, if "verity_hash_for_block" invoked correction recursively, it would overwrite partially filled fio->bufs.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-71161"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-23T16:15:53Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-verity: disable recursive forward error correction\n\nThere are two problems with the recursive correction:\n\n1. It may cause denial-of-service. In fec_read_bufs, there is a loop that\nhas 253 iterations. For each iteration, we may call verity_hash_for_block\nrecursively. There is a limit of 4 nested recursions - that means that\nthere may be at most 253^4 (4 billion) iterations. Red Hat QE team\nactually created an image that pushes dm-verity to this limit - and this\nimage just makes the udev-worker process get stuck in the \u0027D\u0027 state.\n\n2. It doesn\u0027t work. In fec_read_bufs we store data into the variable\n\"fio-\u003ebufs\", but fio bufs is shared between recursive invocations, if\n\"verity_hash_for_block\" invoked correction recursively, it would\noverwrite partially filled fio-\u003ebufs.",
  "id": "GHSA-m3cp-9jq6-3gg3",
  "modified": "2026-07-14T15:31:32Z",
  "published": "2026-01-23T18:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71161"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4220cb37406915c926c0e4a3dbab77cd9cceeb1e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/897d9006e75f46f8bd7df78faa424327ae6a4bcf"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b821ca892cfeeaf0bedc9fc72717294f67144d5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e227d2b229c7529bd98d348efc55262ccf24ab35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M47Q-4224-6RVC

Vulnerability from github – Published: 2026-05-07 06:31 – Updated: 2026-05-07 06:31
VLAI
Details

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-44603"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-07T04:16:35Z",
    "severity": "LOW"
  },
  "details": "Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.",
  "id": "GHSA-m47q-4224-6rvc",
  "modified": "2026-05-07T06:31:42Z",
  "published": "2026-05-07T06:31:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44603"
    },
    {
      "type": "WEB",
      "url": "https://forum.torproject.org/c/news/tor-release-announcement/28"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/commit/1703df3d439c83c2184e259fad1cfa19240f9c89"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.torproject.org/tpo/core/tor/-/work_items/41245"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/06/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M9R6-94F7-4J6M

Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-26 18:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

irqchip/gic-v3-its: Fix potential VPE leak on error

In its_vpe_irq_domain_alloc, when its_vpe_init() returns an error, there is an off-by-one in the number of VPEs to be freed.

Fix it by simply passing the number of VPEs allocated, which is the index of the loop iterating over the VPEs.

[maz: fixed commit message]

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-47373"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:23Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v3-its: Fix potential VPE leak on error\n\nIn its_vpe_irq_domain_alloc, when its_vpe_init() returns an error,\nthere is an off-by-one in the number of VPEs to be freed.\n\nFix it by simply passing the number of VPEs allocated, which is the\nindex of the loop iterating over the VPEs.\n\n[maz: fixed commit message]",
  "id": "GHSA-m9r6-94f7-4j6m",
  "modified": "2024-12-26T18:30:33Z",
  "published": "2024-05-21T15:31:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47373"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/280bef512933b2dda01d681d8cbe499b98fc5bdd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/42d3711c23781045e7a5cd28536c774b9a66d20b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/568662e37f927e3dc3e475f3ff7cf4ab7719c5e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5701e8bff314c155e7afdc467b1e0389d86853d0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7d39992d45acd6f2d6b2f62389c55b61fb3d486b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e0c1c2e5da19685a20557a50f10c6aa4fa26aa84"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MC4G-XGV8-54R7

Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03
VLAI
Details

Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3454"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-01-28T22:00:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted typography information in a Microsoft Word .DOC file that triggers an out-of-bounds write.",
  "id": "GHSA-mc4g-xgv8-54r7",
  "modified": "2022-05-13T01:03:56Z",
  "published": "2022-05-13T01:03:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3454"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=640954"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/70715"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/40775"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42999"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43065"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43105"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43118"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/60799"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-1056-1"
    },
    {
      "type": "WEB",
      "url": "http://www.cs.brown.edu/people/drosenbe/research.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2151"
    },
    {
      "type": "WEB",
      "url": "http://www.gentoo.org/security/en/glsa/glsa-201408-19.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:027"
    },
    {
      "type": "WEB",
      "url": "http://www.openoffice.org/security/cves/CVE-2010-3453_CVE-2010-3454.html"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0181.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0182.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/46031"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1025002"
    },
    {
      "type": "WEB",
      "url": "http://www.vsecurity.com/resources/advisory/20110126-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0230"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0232"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0279"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MFC2-6J6Q-99VP

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-07-15 15:32
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix off-by-one in check_imm signed range check

check_imm(bits, imm) is used in the arm64 BPF JIT to verify that a branch displacement (in arm64 instruction units) fits into the signed N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding before it is handed to the encoder. The macro currently tests for (imm > 0 && imm >> bits) || (imm < 0 && ~imm >> bits) which admits values in [-2^N, 2^N) — effectively a signed (N+1)-bit range. A signed N-bit field only holds [-2^(N-1), 2^(N-1)), so the check admits one extra bit of range on each side.

In particular, for check_imm19(), values in [2^18, 2^19) slip past the check but do not fit into the 19-bit signed imm19 field of B.cond. aarch64_insn_encode_immediate() then masks the raw value into the 19-bit field, setting bit 18 (the sign bit) and flipping a forward branch into a backward one. Same class of issue exists for check_imm26() and the B/BL encoding. Shift by (bits - 1) instead of bits so the actual signed N-bit range is enforced.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53036"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:15Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix off-by-one in check_imm signed range check\n\ncheck_imm(bits, imm) is used in the arm64 BPF JIT to verify that\na branch displacement (in arm64 instruction units) fits into the\nsigned N-bit immediate field of a B, B.cond or CBZ/CBNZ encoding\nbefore it is handed to the encoder. The macro currently tests for\n(imm \u003e 0 \u0026\u0026 imm \u003e\u003e bits) || (imm \u003c 0 \u0026\u0026 ~imm \u003e\u003e bits) which admits\nvalues in [-2^N, 2^N) \u2014 effectively a signed (N+1)-bit range. A\nsigned N-bit field only holds [-2^(N-1), 2^(N-1)), so the check\nadmits one extra bit of range on each side.\n\nIn particular, for check_imm19(), values in [2^18, 2^19) slip past\nthe check but do not fit into the 19-bit signed imm19 field of\nB.cond. aarch64_insn_encode_immediate() then masks the raw value\ninto the 19-bit field, setting bit 18 (the sign bit) and flipping\na forward branch into a backward one. Same class of issue exists\nfor check_imm26() and the B/BL encoding. Shift by (bits - 1)\ninstead of bits so the actual signed N-bit range is enforced.",
  "id": "GHSA-mfc2-6j6q-99vp",
  "modified": "2026-07-15T15:32:45Z",
  "published": "2026-06-24T18:32:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53036"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1a113b5497297871699cd498b1b83542e0db7f15"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1dd8be4ec722ce54e4cace59f3a4ba658111b3ec"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6927f0d6794aa73318bbfa929f1ff6065b0620df"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7fd3b41260c6120e7b60164afea5d961af6224f9"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a5dfeb3b61065039488342d43ae06d4729d955d4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fb74defa1cca1a73177c0c761e641332e4f979a3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX97-6HP9-H76Q

Vulnerability from github – Published: 2024-08-17 12:30 – Updated: 2024-08-20 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (ltc2991) re-order conditions to fix off by one bug

LTC2991_T_INT_CH_NR is 4. The st->temp_en[] array has LTC2991_MAX_CHANNEL (4) elements. Thus if "channel" is equal to LTC2991_T_INT_CH_NR then we have read one element beyond the end of the array. Flip the conditions around so that we check if "channel" is valid before using it as an array index.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43852"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-17T10:15:10Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (ltc2991) re-order conditions to fix off by one bug\n\nLTC2991_T_INT_CH_NR is 4.  The st-\u003etemp_en[] array has LTC2991_MAX_CHANNEL\n(4) elements.  Thus if \"channel\" is equal to LTC2991_T_INT_CH_NR then we\nhave read one element beyond the end of the array.  Flip the conditions\naround so that we check if \"channel\" is valid before using it as an array\nindex.",
  "id": "GHSA-mx97-6hp9-h76q",
  "modified": "2024-08-20T21:30:32Z",
  "published": "2024-08-17T12:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43852"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99bf7c2eccff82760fa23ce967cc67c8c219c6a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c180311c0a520692e2d0e9ca44dcd6c2ff1b41c4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MX9G-MG46-CF6G

Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2024-02-08 03:32
VLAI
Details

Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of service and possibly execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2001-1496"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2001-12-31T05:00:00Z",
    "severity": "HIGH"
  },
  "details": "Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of service and possibly execute arbitrary code.",
  "id": "GHSA-mx9g-mg46-cf6g",
  "modified": "2024-02-08T03:32:42Z",
  "published": "2022-04-30T18:18:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1496"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/7595"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/241310"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/241953"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/3562"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MXVH-95QR-WW4V

Vulnerability from github – Published: 2022-04-29 01:26 – Updated: 2024-02-16 21:31
VLAI
Details

Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2003-0356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-193"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2003-06-09T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions.",
  "id": "GHSA-mxvh-95qr-ww4v",
  "modified": "2024-02-16T21:31:28Z",
  "published": "2022-04-29T01:26:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0356"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A69"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2003/dsa-313"
    },
    {
      "type": "WEB",
      "url": "http://www.ethereal.com/appnotes/enpa-sa-00009.html"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/641013"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDKSA-2003:067"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2003-077.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().

No CAPEC attack patterns related to this CWE.