CWE-823
AllowedUse of Out-of-range Pointer Offset
Abstraction: Base · Status: Incomplete
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
177 vulnerabilities reference this CWE, most recent first.
GHSA-F96V-VW98-7425
Vulnerability from github – Published: 2025-07-14 03:30 – Updated: 2025-07-14 15:30Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.
Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.
{
"affected": [],
"aliases": [
"CVE-2025-25180"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-14T02:15:21Z",
"severity": "HIGH"
},
"details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.",
"id": "GHSA-f96v-vw98-7425",
"modified": "2025-07-14T15:30:32Z",
"published": "2025-07-14T03:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25180"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FGX8-R5G7-5CR9
Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-07-07 12:31In the Linux kernel, the following vulnerability has been resolved:
netfilter: nft_inner: Fix IPv6 inner_thoff desync
In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.
For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.
{
"affected": [],
"aliases": [
"CVE-2026-46244"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T18:16:24Z",
"severity": "CRITICAL"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong \u2014 points to extension header start) and l4proto\n(correct \u2014 e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()\u0027s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()\u0027s calculated transport header offset is\npreserved, thereby fixing the desynchronization.",
"id": "GHSA-fgx8-r5g7-5cr9",
"modified": "2026-07-07T12:31:31Z",
"published": "2026-06-03T18:33:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46244"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33215"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34094"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34443"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:34911"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36018"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-46244"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484451"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46244.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FWGJ-3F9C-7VF7
Vulnerability from github – Published: 2025-02-22 15:30 – Updated: 2025-03-05 18:32Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.
{
"affected": [],
"aliases": [
"CVE-2024-47896"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-22T15:15:10Z",
"severity": "LOW"
},
"details": "Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest\u0027s virtualised GPU memory.",
"id": "GHSA-fwgj-3f9c-7vf7",
"modified": "2025-03-05T18:32:03Z",
"published": "2025-02-22T15:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47896"
},
{
"type": "WEB",
"url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-FXH5-4P4V-76PM
Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 15:32A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory.
We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
{
"affected": [],
"aliases": [
"CVE-2025-54152"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T13:15:54Z",
"severity": "LOW"
},
"details": "A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
"id": "GHSA-fxh5-4p4v-76pm",
"modified": "2026-02-12T15:32:42Z",
"published": "2026-02-11T15:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54152"
},
{
"type": "WEB",
"url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-G34V-QR57-MVRM
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
{
"affected": [],
"aliases": [
"CVE-2024-42387"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T10:15:07Z",
"severity": "MODERATE"
},
"details": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.",
"id": "GHSA-g34v-qr57-mvrm",
"modified": "2024-11-18T12:30:42Z",
"published": "2024-11-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42387"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42387"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-G3GR-6W94-3656
Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-07-15 12:31Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.
{
"affected": [],
"aliases": [
"CVE-2026-12290"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-16T13:16:29Z",
"severity": "HIGH"
},
"details": "Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.",
"id": "GHSA-g3gr-6w94-3656",
"modified": "2026-07-15T12:31:48Z",
"published": "2026-06-16T15:33:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12290"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-61"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-60"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-59"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-58"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-57"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12290.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489210"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2024852"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-12290"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39706"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39428"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39142"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39141"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:39011"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38753"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38751"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38750"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:38506"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37391"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:37210"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36103"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36102"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36101"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:36100"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:33445"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30846"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:29940"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27734"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27733"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:27717"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GG54-6W37-7R4J
Vulnerability from github – Published: 2025-06-03 06:31 – Updated: 2025-06-03 06:31Memory corruption while handling test pattern generator IOCTL command.
{
"affected": [],
"aliases": [
"CVE-2024-53017"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-03T06:15:24Z",
"severity": "MODERATE"
},
"details": "Memory corruption while handling test pattern generator IOCTL command.",
"id": "GHSA-gg54-6w37-7r4j",
"modified": "2025-06-03T06:31:14Z",
"published": "2025-06-03T06:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53017"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GJFH-X4FJ-RG67
Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
{
"affected": [],
"aliases": [
"CVE-2024-42386"
],
"database_specific": {
"cwe_ids": [
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-18T10:15:07Z",
"severity": "HIGH"
},
"details": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.",
"id": "GHSA-gjfh-x4fj-rg67",
"modified": "2024-11-18T12:30:42Z",
"published": "2024-11-18T12:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42386"
},
{
"type": "WEB",
"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42386"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GR3F-RPFF-FC97
Vulnerability from github – Published: 2023-05-10 18:30 – Updated: 2025-11-04 21:30An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A specially-crafted set of network packets can lead to denial of service. An attacker can send packets to trigger this vulnerability.This vulnerability occurs when no IP address argument is provided to the PORT command.
{
"affected": [],
"aliases": [
"CVE-2022-46377"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-10T16:15:10Z",
"severity": "HIGH"
},
"details": "An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A specially-crafted set of network packets can lead to denial of service. An attacker can send packets to trigger this vulnerability.This vulnerability occurs when no IP address argument is provided to the `PORT` command.",
"id": "GHSA-gr3f-rpff-fc97",
"modified": "2025-11-04T21:30:33Z",
"published": "2023-05-10T18:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46377"
},
{
"type": "WEB",
"url": "https://github.com/weston-embedded/uC-FTPs/pull/2"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1681"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1681"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H36P-V4X7-W44W
Vulnerability from github – Published: 2023-12-05 03:30 – Updated: 2023-12-05 03:30Memory corruption in Audio while running invalid audio recording from ADSP.
{
"affected": [],
"aliases": [
"CVE-2023-33079"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-823"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T03:15:12Z",
"severity": "HIGH"
},
"details": "Memory corruption in Audio while running invalid audio recording from ADSP.",
"id": "GHSA-h36p-v4x7-w44w",
"modified": "2023-12-05T03:30:22Z",
"published": "2023-12-05T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33079"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-129: Pointer Manipulation
This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.