Common Weakness Enumeration

CWE-466

Allowed

Return of Pointer Value Outside of Expected Range

Abstraction: Base · Status: Draft

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

17 vulnerabilities reference this CWE, most recent first.

GHSA-H8P8-GV8P-X88F

Vulnerability from github – Published: 2026-03-22 15:31 – Updated: 2026-03-22 15:31
VLAI
Details

Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-22T14:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash when submitting the form.",
  "id": "GHSA-h8p8-gv8p-x88f",
  "modified": "2026-03-22T15:31:28Z",
  "published": "2026-03-22T15:31:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25599"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46750"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/backup-key-recovery-denial-of-service-via-name-field"
    },
    {
      "type": "WEB",
      "url": "http://www.nsauditor.com/downloads/backeyrecovery_setup.exe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-Q958-7F7X-PMQ4

Vulnerability from github – Published: 2026-07-10 00:31 – Updated: 2026-07-10 00:31
VLAI
Details

A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).

On EX Series, QFX Series and MX Series a low-privileged attacker issuing a specific 'show l2-learning' command will cause an l2ald crash which will lead to a temporary service impact for all layer 2 services until the process has automatically restarted.

This issue affects EX Series, QFX Series, MX Series: Junos OS:

  • all versions before 23.2R2-S7,
  • 23.4 versions before 23.4R2-S7,
  • 24.2 versions before 24.2R2,
  • 24.4 versions before 24.4R1-S2.

Junos OS Evolved: * all versions before 23.2R2-S7-EVO, * 23.4 versions before 23.4R2-S8-EVO, * 24.2 versions before 24.2R2-EVO, * 24.4 versions before 24.4R1-S3-EVO.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-57025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-09T22:17:07Z",
    "severity": "MODERATE"
  },
  "details": "A Return of Pointer Value Outside of Expected Range vulnerability in the fileio library of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privilged attacker to cause a Denial-of-Service (DoS).\n\nOn EX Series, QFX Series and MX Series a\u00a0low-privileged attacker issuing a specific \u0027show l2-learning\u0027 command will cause an l2ald crash which will lead to a temporary service impact for all layer 2 services until the process has automatically restarted.\n\nThis issue affects EX Series, QFX Series, MX Series:\nJunos OS:\n\n\n  *  all versions before 23.2R2-S7,\n  *  23.4 versions before 23.4R2-S7,\n  *  24.2 versions before 24.2R2,\n  *  24.4 versions before 24.4R1-S2.\n\n\n\nJunos OS Evolved:\n  *  all versions before 23.2R2-S7-EVO,\n  *  23.4 versions before 23.4R2-S8-EVO,\n  *  24.2 versions before 24.2R2-EVO,\n  *  24.4 versions before 24.4R1-S3-EVO.",
  "id": "GHSA-q958-7f7x-pmq4",
  "modified": "2026-07-10T00:31:26Z",
  "published": "2026-07-10T00:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57025"
    },
    {
      "type": "WEB",
      "url": "https://supportportal.juniper.net/JSA110085"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QC7G-9546-GC47

Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32
VLAI
Details

SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T12:16:17Z",
    "severity": "MODERATE"
  },
  "details": "SmartFTP Client 9.0.2615.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can paste a buffer of 300 repeated characters into the Host connection parameter to trigger an application crash.",
  "id": "GHSA-qc7g-9546-gc47",
  "modified": "2026-03-30T12:32:27Z",
  "published": "2026-03-30T12:32:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25234"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/45759"
    },
    {
      "type": "WEB",
      "url": "https://www.smartftp.com/en-us"
    },
    {
      "type": "WEB",
      "url": "https://www.smartftp.com/en-us/download"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/smartftp-client-denial-of-service-via-host-field"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-QJCW-R4CF-VP97

Vulnerability from github – Published: 2026-03-30 12:32 – Updated: 2026-03-30 12:32
VLAI
Details

Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25227"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-30T12:16:15Z",
    "severity": "MODERATE"
  },
  "details": "Valentina Studio 9.0.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Host field. Attackers can trigger the crash by pasting a 256-byte buffer of repeated characters into the Host parameter during server connection attempts.",
  "id": "GHSA-qjcw-r4cf-vp97",
  "modified": "2026-03-30T12:32:26Z",
  "published": "2026-03-30T12:32:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25227"
    },
    {
      "type": "WEB",
      "url": "https://valentina-db.com/en"
    },
    {
      "type": "WEB",
      "url": "https://valentina-db.com/en/developer/database/download-valentina-database-adk"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46421"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/valentina-studio-denial-of-service-via-host-parameter"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-RMF4-RVGX-3JFQ

Vulnerability from github – Published: 2026-03-22 03:30 – Updated: 2026-03-22 03:30
VLAI
Details

Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the 'From URL' field during torrent addition to trigger an application crash.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25586"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-22T01:16:56Z",
    "severity": "MODERATE"
  },
  "details": "Deluge 1.3.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the URL field. Attackers can paste a buffer of 5000 characters into the \u0027From URL\u0027 field during torrent addition to trigger an application crash.",
  "id": "GHSA-rmf4-rvgx-3jfq",
  "modified": "2026-03-22T03:30:25Z",
  "published": "2026-03-22T03:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25586"
    },
    {
      "type": "WEB",
      "url": "https://dev.deluge-torrent.org"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46883"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/deluge-denial-of-service-via-url-field"
    },
    {
      "type": "WEB",
      "url": "http://download.deluge-torrent.org/windows/deluge-1.3.15-win32-py2.7.exe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-WJW6-7QC3-VGHJ

Vulnerability from github – Published: 2024-02-14 18:30 – Updated: 2024-02-14 18:30
VLAI
Details

When an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21849"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-14T17:15:12Z",
    "severity": "HIGH"
  },
  "details": "\n\n\nWhen an Advanced WAF/ASM security policy and a Websockets profile are configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) process to terminate.\u00a0\u00a0Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
  "id": "GHSA-wjw6-7qc3-vghj",
  "modified": "2024-02-14T18:30:25Z",
  "published": "2024-02-14T18:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21849"
    },
    {
      "type": "WEB",
      "url": "https://my.f5.com/manage/s/article/K000135873"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X25X-J4W4-7M59

Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-06-28 22:41
VLAI
Summary
Return of Pointer Value Outside of Expected Rang in Jenkins Script Security Plugin
Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.61"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:script-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.62"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10356"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-466"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T22:41:36Z",
    "nvd_published_at": "2019-07-31T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions allowed attackers to execute arbitrary code in sandboxed scripts.",
  "id": "GHSA-x25x-j4w4-7m59",
  "modified": "2022-06-28T22:41:36Z",
  "published": "2022-05-24T16:51:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10356"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2594"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2651"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:2662"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(2)"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Return of Pointer Value Outside of Expected Rang in Jenkins Script Security Plugin"
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.