CWE-805
AllowedBuffer Access with Incorrect Length Value
Abstraction: Base · Status: Incomplete
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
86 vulnerabilities reference this CWE, most recent first.
GHSA-6CMH-RQH8-FQJM
Vulnerability from github – Published: 2025-11-18 00:30 – Updated: 2025-11-18 03:31Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability. This vulnerability is triggered when submitting a WinBioControlUnit call to the StorageAdapter with the ControlCode 0 (WBIO_USH_GET_TEMPLATE) and with either 0 < ReceiveBuferSize < 4 and/or 0 < SendBufferSize < 76. The former will lead to an out-of-bound write of up to 3 bytes and the latter will trigger an out-of-bound read of up to 75 bytes.
{
"affected": [],
"aliases": [
"CVE-2025-36461"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-17T23:15:52Z",
"severity": "HIGH"
},
"details": "Multiple out-of-bounds read and write vulnerabilities exist in the ControlVault WBDI Driver Broadcom Storage Adapter functionality of Dell ControlVault3 prior to 5.15.14.19 and Dell ControlVault3 Plus prior to 6.2.36.47. A specially crafted WinBioControlUnit call can lead to memory corruption. An attacker can issue an api call to trigger this vulnerability.\u00a0This vulnerability is triggered when submitting a `WinBioControlUnit` call to the StorageAdapter with the ControlCode 0 (`WBIO_USH_GET_TEMPLATE`) and with either `0 \u003c ReceiveBuferSize \u003c 4` and/or `0 \u003c SendBufferSize \u003c 76`. The former will lead to an out-of-bound write of up to 3 bytes and the latter will trigger an out-of-bound read of up to 75 bytes.",
"id": "GHSA-6cmh-rqh8-fqjm",
"modified": "2025-11-18T03:31:14Z",
"published": "2025-11-18T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36461"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2175"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000326061/dsa-2025-228"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6PGH-5WH4-5PPH
Vulnerability from github – Published: 2025-04-09 21:31 – Updated: 2025-04-09 21:31A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent, attacker to send a DHCP packet with a malformed DHCP option to cause jdhcp to crash creating a Denial of Service (DoS) condition.
Continuous receipt of these DHCP packets using the malformed DHCP Option will create a sustained Denial of Service (DoS) condition.
This issue affects Junos OS:
- from 23.1R1 before 23.2R2-S3,
- from 23.4 before 23.4R2-S3,
- from 24.2 before 24.2R2.
This issue isn't applicable to any versions of Junos OS before 23.1R1.
This issue doesn't affect vSRX Series which doesn't support DHCP Snooping.
This issue doesn't affect Junos OS Evolved.
There are no indicators of compromise for this issue.
{
"affected": [],
"aliases": [
"CVE-2025-21591"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T20:15:25Z",
"severity": "HIGH"
},
"details": "A Buffer Access with Incorrect Length Value vulnerability in the jdhcpd daemon of Juniper Networks Junos OS, when DHCP snooping is enabled, allows an unauthenticated, adjacent, attacker to send a DHCP packet with a malformed DHCP option to cause jdhcp to crash creating a Denial of Service (DoS) condition.\n\nContinuous receipt of these DHCP packets using the malformed DHCP Option will create a sustained Denial of Service (DoS) condition.\n\n\nThis issue affects Junos OS:\n\n\n\n * from 23.1R1 before 23.2R2-S3,\n * from 23.4 before 23.4R2-S3,\n * from 24.2 before 24.2R2.\n\n\nThis issue isn\u0027t applicable to any versions of Junos OS before 23.1R1. \n\n\n\nThis issue doesn\u0027t affect vSRX Series which doesn\u0027t support DHCP Snooping. \n\nThis issue doesn\u0027t affect Junos OS Evolved.\n\nThere are no indicators of compromise for this issue.",
"id": "GHSA-6pgh-5wh4-5pph",
"modified": "2025-04-09T21:31:42Z",
"published": "2025-04-09T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21591"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA96448"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Green",
"type": "CVSS_V4"
}
]
}
GHSA-6W3W-CX38-4J8C
Vulnerability from github – Published: 2025-10-15 18:31 – Updated: 2025-10-15 18:31Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart.
This vulnerability is due to a lack of complete error checking when the MIME fields of the HTTP header are parsed. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.
{
"affected": [],
"aliases": [
"CVE-2025-20360"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T17:15:49Z",
"severity": "MODERATE"
},
"details": "Multiple Cisco products are affected by a vulnerability in the Snort 3 HTTP Decoder that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart.\n\n This vulnerability is due to a lack of complete error checking when the MIME fields of the HTTP header are parsed. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection to be parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine unexpectedly restarts.",
"id": "GHSA-6w3w-cx38-4j8c",
"modified": "2025-10-15T18:31:51Z",
"published": "2025-10-15T18:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20360"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort3-mime-vulns-tTL8PgVH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-736H-FXPW-GMWM
Vulnerability from github – Published: 2025-08-06 15:31 – Updated: 2025-08-06 15:31NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.
{
"affected": [],
"aliases": [
"CVE-2025-23318"
],
"database_specific": {
"cwe_ids": [
"CWE-787",
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-06T13:15:39Z",
"severity": "HIGH"
},
"details": "NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure.",
"id": "GHSA-736h-fxpw-gmwm",
"modified": "2025-08-06T15:31:23Z",
"published": "2025-08-06T15:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23318"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5687"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23318"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-76GX-97CQ-65F5
Vulnerability from github – Published: 2026-02-11 18:31 – Updated: 2026-06-30 03:35A specially-crafted file can cause libjxl's decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.
This can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).
{
"affected": [],
"aliases": [
"CVE-2026-1837"
],
"database_specific": {
"cwe_ids": [
"CWE-770",
"CWE-787",
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T16:16:04Z",
"severity": "HIGH"
},
"details": "A specially-crafted file can cause libjxl\u0027s decoder to write pixel data to uninitialized unallocated memory. Soon after that data from another uninitialized unallocated region is copied to pixel data.\n\nThis can be done by requesting color transformation of grayscale images to another grayscale color space. Buffers allocated for 1-float-per-pixel are used as if they are allocated for 3-float-per-pixel. That happens only if LCMS2 is used as CMS engine. There is another CMS engine available (selected by build flags).",
"id": "GHSA-76gx-97cq-65f5",
"modified": "2026-06-30T03:35:34Z",
"published": "2026-02-11T18:31:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1837"
},
{
"type": "WEB",
"url": "https://github.com/libjxl/libjxl/issues/4549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-1837"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438974"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1837.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-785M-5V8G-VF98
Vulnerability from github – Published: 2025-02-05 18:34 – Updated: 2025-02-05 18:34A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.
This vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.
{
"affected": [],
"aliases": [
"CVE-2025-20174"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-05T17:15:24Z",
"severity": "HIGH"
},
"details": "A vulnerability in the SNMP subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an authenticated, remote attacker to cause a DoS condition on an affected device.\n\nThis vulnerability is due to improper error handling when parsing SNMP requests. An attacker could exploit this vulnerability by sending a crafted SNMP request to an affected device. A successful exploit could allow the attacker to cause the device to reload unexpectedly, resulting in a DoS condition.\u0026nbsp;\nThis vulnerability affects SNMP versions 1, 2c, and 3. To exploit this vulnerability through SNMP v2c or earlier, the attacker must know a valid read-write or read-only SNMP community string for the affected system. To exploit this vulnerability through SNMP v3, the attacker must have valid SNMP user credentials for the affected system.",
"id": "GHSA-785m-5v8g-vf98",
"modified": "2025-02-05T18:34:45Z",
"published": "2025-02-05T18:34:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20174"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-dos-sdxnSUcW"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-7GWX-VGP2-4HMG
Vulnerability from github – Published: 2026-06-22 18:34 – Updated: 2026-06-22 18:34The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.
{
"affected": [],
"aliases": [
"CVE-2026-12549"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-22T16:16:34Z",
"severity": "MODERATE"
},
"details": "The fix for CVE-2026-2443 was regressed by a subsequent rework commit that replaced specific overflow checks with a general signed comparison. When a client sends a Range request with a suffix length exceeding the content size, the resulting negative start value is not properly clamped, leading to malformed HTTP 206 responses and log flooding.",
"id": "GHSA-7gwx-vgp2-4hmg",
"modified": "2026-06-22T18:34:14Z",
"published": "2026-06-22T18:34:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12549"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2026-0716"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489999"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/work_items/516"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-7RQ6-MH5F-RP2Q
Vulnerability from github – Published: 2026-01-14 00:31 – Updated: 2026-01-14 00:31A flaw was found in libsoup’s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup’s WebSocket support with this configuration may be impacted.
{
"affected": [],
"aliases": [
"CVE-2026-0716"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T23:16:04Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libsoup\u2019s WebSocket frame processing when handling incoming messages. If a non-default configuration is used where the maximum incoming payload size is unset, the library may read memory outside the intended bounds. This can cause unintended memory exposure or a crash. Applications using libsoup\u2019s WebSocket support with this configuration may be impacted.",
"id": "GHSA-7rq6-mh5f-rp2q",
"modified": "2026-01-14T00:31:29Z",
"published": "2026-01-14T00:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0716"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-0716"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427896"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libsoup/-/issues/476"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-8F59-HCPC-G3HP
Vulnerability from github – Published: 2026-02-25 18:31 – Updated: 2026-02-25 18:31A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the LLDP process to restart, which could cause an affected device to reload unexpectedly.
This vulnerability is due to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition. Note: LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol).
{
"affected": [],
"aliases": [
"CVE-2026-20010"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-25T17:25:24Z",
"severity": "HIGH"
},
"details": "A vulnerability in the Link Layer Discovery Protocol (LLDP) feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to cause the LLDP process to restart, which could cause an affected device to reload unexpectedly.\n\nThis vulnerability is due to improper handling of specific fields in an LLDP frame. An attacker could exploit this vulnerability by sending a crafted LLDP packet to an interface of an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a denial of service (DoS) condition.\nNote:\u0026nbsp;LLDP is a Layer 2 link protocol. To exploit this vulnerability, an attacker would need to be\u0026nbsp;directly connected to an interface of an affected device, either physically or logically (for example, through a Layer 2 Tunnel configured to transport the LLDP protocol).",
"id": "GHSA-8f59-hcpc-g3hp",
"modified": "2026-02-25T18:31:38Z",
"published": "2026-02-25T18:31:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20010"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k_aci_lldp_dos-NdgRrrA3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-8WVR-G2VR-63W6
Vulnerability from github – Published: 2026-01-06 21:30 – Updated: 2026-01-06 21:30On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic.
{
"affected": [],
"aliases": [
"CVE-2025-7048"
],
"database_specific": {
"cwe_ids": [
"CWE-805"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-06T20:16:01Z",
"severity": "MODERATE"
},
"details": "On affected platforms running Arista EOS with MACsec configuration, a specially crafted packet can cause the MACsec process to terminate unexpectedly. Continuous receipt of these packets with certain MACsec configurations can cause longer term disruption of dataplane traffic.",
"id": "GHSA-8wvr-g2vr-63w6",
"modified": "2026-01-06T21:30:34Z",
"published": "2026-01-06T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7048"
},
{
"type": "WEB",
"url": "https://www.arista.com/en/support/advisories-notices/security-advisory/23120-security-advisory-0132"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer.
- Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
Mitigation MIT-4.1
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Mitigation MIT-10
Strategy: Environment Hardening
- Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking.
- D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
Mitigation MIT-9
- Consider adhering to the following rules when allocating and managing an application's memory:
- Double check that the buffer is as large as specified.
- When using functions that accept a number of bytes to copy, such as strncpy(), be aware that if the destination buffer size is equal to the source buffer size, it may not NULL-terminate the string.
- Check buffer boundaries if accessing the buffer in a loop and make sure there is no danger of writing past the allocated space.
- If necessary, truncate all input strings to a reasonable length before passing them to the copy and concatenation functions.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-11
Strategy: Environment Hardening
- Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code.
- Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking.
- For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
Mitigation MIT-12
Strategy: Environment Hardening
- Use a CPU and operating system that offers Data Execution Protection (using hardware NX or XD bits) or the equivalent techniques that simulate this feature in software, such as PaX [REF-60] [REF-61]. These techniques ensure that any instruction executed is exclusively at a memory address that is part of the code segment.
- For more information on these techniques see D3-PSEP (Process Segment Execution Prevention) from D3FEND [REF-1336].
Mitigation MIT-17
Strategy: Environment Hardening
Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the product or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.
Mitigation MIT-22
Strategy: Sandbox or Jail
- Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
- OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
- This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
- Be careful to avoid CWE-243 and other weaknesses related to jails.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-256: SOAP Array Overflow
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array.