Common Weakness Enumeration

CWE-823

Allowed

Use of Out-of-range Pointer Offset

Abstraction: Base · Status: Incomplete

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

177 vulnerabilities reference this CWE, most recent first.

GHSA-F96V-VW98-7425

Vulnerability from github – Published: 2025-07-14 03:30 – Updated: 2025-07-14 15:30
VLAI
Details

Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.

Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-14T02:15:21Z",
    "severity": "HIGH"
  },
  "details": "Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages.\n\nUnder certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour.",
  "id": "GHSA-f96v-vw98-7425",
  "modified": "2025-07-14T15:30:32Z",
  "published": "2025-07-14T03:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25180"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FGX8-R5G7-5CR9

Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-07-07 12:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: Fix IPv6 inner_thoff desync

In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2.

For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-46244"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-03T18:16:24Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_inner: Fix IPv6 inner_thoff desync\n\nIn nft_inner_parse_l2l3(), when processing inner IPv6 packets,\nipv6_find_hdr() correctly computes the transport header offset\ntraversing all extension headers, but the result is immediately\noverwritten with nhoff + sizeof(_ip6h) (40 bytes), which only\naccounts for the IPv6 base header. This creates a desync between\ninner_thoff (wrong \u2014 points to extension header start) and l4proto\n(correct \u2014 e.g., IPPROTO_TCP), enabling transport header forgery\nand potential firewall bypass. This issue affects stable versions\nfrom Linux 6.2.\n\nFor comparison, the normal (non-inner) IPv6 path correctly\npreserves ipv6_find_hdr()\u0027s result. Removing the incorrect overwrite\nensures that ipv6_find_hdr()\u0027s calculated transport header offset is\npreserved, thereby fixing the desynchronization.",
  "id": "GHSA-fgx8-r5g7-5cr9",
  "modified": "2026-07-07T12:31:31Z",
  "published": "2026-06-03T18:33:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46244"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:33215"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34094"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34443"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:34911"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36018"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-46244"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2484451"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/689bbf48c1f45130086ae1c46ab83ea4c753c601"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/870d59e2cf218e7418491e26bad768cb16654582"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b6a91f68ebfed9c38e0e9150f58a9b85da07181c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c161ad9157f5a0429b5ff94d9770faf3bf48d273"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d0f98a3617f6ae5b1e95cde1e68e7ead4a1279ce"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-46244.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FWGJ-3F9C-7VF7

Vulnerability from github – Published: 2025-02-22 15:30 – Updated: 2025-03-05 18:32
VLAI
Details

Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest's virtualised GPU memory.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-47896"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-22T15:15:10Z",
    "severity": "LOW"
  },
  "details": "Kernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to write data outside the Guest\u0027s virtualised GPU memory.",
  "id": "GHSA-fwgj-3f9c-7vf7",
  "modified": "2025-03-05T18:32:03Z",
  "published": "2025-02-22T15:30:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47896"
    },
    {
      "type": "WEB",
      "url": "https://www.imaginationtech.com/gpu-driver-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FXH5-4P4V-76PM

Vulnerability from github – Published: 2026-02-11 15:30 – Updated: 2026-02-12 15:32
VLAI
Details

A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory.

We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-54152"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-11T13:15:54Z",
    "severity": "LOW"
  },
  "details": "A use of out-of-range pointer offset vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read sensitive portions of memory.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.4 ( 2026/01/20 ) and later",
  "id": "GHSA-fxh5-4p4v-76pm",
  "modified": "2026-02-12T15:32:42Z",
  "published": "2026-02-11T15:30:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54152"
    },
    {
      "type": "WEB",
      "url": "https://www.qnap.com/en/security-advisory/qsa-26-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-G34V-QR57-MVRM

Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30
VLAI
Details

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42387"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T10:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.",
  "id": "GHSA-g34v-qr57-mvrm",
  "modified": "2024-11-18T12:30:42Z",
  "published": "2024-11-18T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42387"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42387"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-G3GR-6W94-3656

Vulnerability from github – Published: 2026-06-16 15:33 – Updated: 2026-07-15 12:31
VLAI
Details

Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12290"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-16T13:16:29Z",
    "severity": "HIGH"
  },
  "details": "Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, and Firefox ESR 115.37.",
  "id": "GHSA-g3gr-6w94-3656",
  "modified": "2026-07-15T12:31:48Z",
  "published": "2026-06-16T15:33:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12290"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-61"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-60"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-59"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-58"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2026-57"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-12290.json"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489210"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2024852"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-12290"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39706"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39428"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39142"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39141"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:39011"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38753"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38751"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38750"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:38506"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37391"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:37210"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36103"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36102"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36101"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:36100"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:33445"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:30846"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:29940"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27734"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27733"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:27717"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GG54-6W37-7R4J

Vulnerability from github – Published: 2025-06-03 06:31 – Updated: 2025-06-03 06:31
VLAI
Details

Memory corruption while handling test pattern generator IOCTL command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-53017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T06:15:24Z",
    "severity": "MODERATE"
  },
  "details": "Memory corruption while handling test pattern generator IOCTL command.",
  "id": "GHSA-gg54-6w37-7r4j",
  "modified": "2025-06-03T06:31:14Z",
  "published": "2025-06-03T06:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53017"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GJFH-X4FJ-RG67

Vulnerability from github – Published: 2024-11-18 12:30 – Updated: 2024-11-18 12:30
VLAI
Details

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-42386"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-18T10:15:07Z",
    "severity": "HIGH"
  },
  "details": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.",
  "id": "GHSA-gjfh-x4fj-rg67",
  "modified": "2024-11-18T12:30:42Z",
  "published": "2024-11-18T12:30:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42386"
    },
    {
      "type": "WEB",
      "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42386"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GR3F-RPFF-FC97

Vulnerability from github – Published: 2023-05-10 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A specially-crafted set of network packets can lead to denial of service. An attacker can send packets to trigger this vulnerability.This vulnerability occurs when no IP address argument is provided to the PORT command.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-46377"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-05-10T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "An out-of-bounds read vulnerability exists in the PORT command parameter extraction functionality of Weston Embedded uC-FTPs v 1.98.00. A specially-crafted set of network packets can lead to denial of service. An attacker can send packets to trigger this vulnerability.This vulnerability occurs when no IP address argument is provided to the `PORT` command.",
  "id": "GHSA-gr3f-rpff-fc97",
  "modified": "2025-11-04T21:30:33Z",
  "published": "2023-05-10T18:30:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46377"
    },
    {
      "type": "WEB",
      "url": "https://github.com/weston-embedded/uC-FTPs/pull/2"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1681"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1681"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-H36P-V4X7-W44W

Vulnerability from github – Published: 2023-12-05 03:30 – Updated: 2023-12-05 03:30
VLAI
Details

Memory corruption in Audio while running invalid audio recording from ADSP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-33079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-823"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-05T03:15:12Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption in Audio while running invalid audio recording from ADSP.",
  "id": "GHSA-h36p-v4x7-w44w",
  "modified": "2023-12-05T03:30:22Z",
  "published": "2023-12-05T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33079"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

CAPEC-129: Pointer Manipulation

This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.