CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE Version: 4.18
Updated: 2025-09-09
Weakness Description
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Common Consequences
Scope: Integrity; Confidentiality; Availability
Technical Impact: Execute Unauthorized Code or Commands; Modify Memory
Note: If the memory accessible by the attacker can be effectively controlled, it may be possible to execute arbitrary code, as with a standard buffer overflow. If the attacker can overwrite a pointer's worth of memory (usually 32 or 64 bits), they can alter the intended control flow by redirecting a function pointer to their own malicious code. Even when the attacker can only modify a single byte, arbitrary code execution can be possible. Sometimes this is because the same problem can be exploited repeatedly to the same effect. Other times it is because the attacker can overwrite security-critical application-specific data, such as a flag indicating whether the user is an administrator.
Scope: Availability; Confidentiality
Technical Impact: Read Memory; DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory)
Note: Out-of-bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Scope: Confidentiality
Technical Impact: Read Memory
Note: In the case of an out-of-bounds read, the attacker may have access to sensitive information. If the sensitive information contains system details, such as the current buffer's position in memory, this knowledge can be used to craft further attacks, possibly with more severe consequences.
Potential Mitigations
Phase: Requirements
Strategy: Language Selection
Phase: Architecture and Design
Strategy: Libraries or Frameworks
Phase: Operation; Build and Compilation
Strategy: Environment Hardening
Effectiveness: Defense in Depth
Phase: Implementation
Phase: Operation; Build and Compilation
Strategy: Environment Hardening
Effectiveness: Defense in Depth
Phase: Operation
Strategy: Environment Hardening
Effectiveness: Defense in Depth
Phase: Implementation
Description: Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
Effectiveness: Moderate
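The Implementation-phase mitigation above (length-bounded copies) and the attacker-controlled-index examples listed under Observed Examples (CVE-2009-0558, CVE-2009-0269) share one defensive idea: validate the length or index against the real buffer size before touching memory. The following is an added illustration, not code from the CWE entry; the `user_rec` layout, `set_name_bounded` and `rec_at` are hypothetical. Note that a bare `strncpy` is not enough on its own, since it leaves the destination unterminated when the source fills the buffer, so the example reports truncation explicitly instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical fixed-size record standing in for the "memory buffer" of
 * CWE-119. The flag after `name` is the kind of security-critical data
 * an overflow of `name` would silently overwrite. */
struct user_rec {
    char name[16];
    bool is_admin;
};

/* Bounded replacement for strcpy(rec->name, src).
 * - never reads past `cap` bytes of src (src itself may be unterminated)
 * - never writes past rec->name
 * - always leaves rec->name NUL-terminated
 * Returns 0 on success, -1 if src does not fit (caller should reject the
 * input rather than keep a truncated value). */
int set_name_bounded(struct user_rec *rec, const char *src)
{
    size_t cap = sizeof rec->name;
    /* memchr is standard C; it stops at cap, unlike strlen. */
    const char *nul = memchr(src, '\0', cap);
    if (nul == NULL) {
        /* No terminator within cap bytes: src needs cap+1 or more bytes.
         * strncpy(rec->name, src, cap) would copy cap bytes and leave
         * no NUL, which is why we do not simply "swap in strncpy". */
        rec->name[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - src);   /* len <= cap - 1 */
    memcpy(rec->name, src, len + 1);    /* len + 1 <= cap, includes NUL */
    return 0;
}

/* Bounds-checked subscript for an attacker-influenced index. The index is
 * signed on purpose: callers often receive -1 as an error sentinel
 * (the CVE-2009-0269 pattern), and it must be rejected here instead of
 * being reinterpreted as a huge unsigned offset. Returns NULL if out of
 * range. */
const struct user_rec *rec_at(const struct user_rec *recs, size_t count, long idx)
{
    if (idx < 0 || (unsigned long)idx >= count)
        return NULL;
    return &recs[idx];
}
```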
Detection Methods
Method: Automated Static Analysis
Effectiveness: High
Method: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
Method: Automated Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Binary or Bytecode
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Automated Results Interpretation
Effectiveness: SOAR Partial
Method: Dynamic Analysis with Manual Results Interpretation
Effectiveness: SOAR Partial
Method: Manual Static Analysis - Source Code
Effectiveness: SOAR Partial
Method: Automated Static Analysis - Source Code
Effectiveness: High
Method: Architecture or Design Review
Effectiveness: High
Observed Examples
Reference: CVE-2021-22991
Incorrect URI normalization in application traffic product leads to buffer overflow, as exploited in the wild per CISA KEV.
Reference: CVE-2020-29557
Buffer overflow in Wi-Fi router web interface, as exploited in the wild per CISA KEV.
Reference: CVE-2009-2550
Classic stack-based buffer overflow in media player using a long entry in a playlist
Reference: CVE-2009-2403
Heap-based buffer overflow in media player using a long entry in a playlist
Reference: CVE-2009-0689
Large precision value in a format string triggers overflow
Reference: CVE-2009-0690
Negative offset value leads to out-of-bounds read
Reference: CVE-2009-1532
Malformed inputs cause accesses of uninitialized or previously-deleted objects, leading to memory corruption
Reference: CVE-2009-1528
Chain: lack of synchronization leads to memory corruption
Reference: CVE-2021-29529
Chain: machine-learning product can have a heap-based buffer overflow (CWE-122) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (CWE-1339)
Reference: CVE-2009-0558
Attacker-controlled array index leads to code execution
Reference: CVE-2009-0269
Chain: -1 value from a function call was intended to indicate an error, but is used as an array index instead.
Reference: CVE-2009-0566
Chain: incorrect calculations lead to incorrect pointer dereference and memory corruption
Reference: CVE-2009-1350
Product accepts crafted messages that lead to a dereference of an arbitrary pointer
Reference: CVE-2009-0191
Chain: malformed input causes dereference of uninitialized memory
Reference: CVE-2008-4113
OS kernel trusts userland-supplied length value, allowing reading of sensitive information
Reference: CVE-2005-1513
Chain: integer overflow in securely-coded mail program leads to buffer overflow. In 2005, this was regarded as unrealistic to exploit, but in 2020, it was rediscovered to be easier to exploit due to evolutions of the technology.
Reference: CVE-2003-0542
Buffer overflow involving a regular expression with a large number of captures
Reference: CVE-2017-1000121
Chain: unchecked message size metadata allows integer overflow (CWE-190) leading to buffer overflow (CWE-119).
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Taxonomy Mappings
| Taxonomy Name | Node ID | Node Name | Mapping Fit |
|---|---|---|---|
| OWASP Top Ten 2004 | A5 | Buffer Overflows | Exact |
| CERT C Secure Coding | ARR00-C | Understand how arrays work | - |
| CERT C Secure Coding | ARR30-C | Do not form or use out-of-bounds pointers or array subscripts | CWE More Abstract |
| CERT C Secure Coding | ARR38-C | Guarantee that library functions do not form invalid pointers | CWE More Abstract |
| CERT C Secure Coding | ENV01-C | Do not make assumptions about the size of an environment variable | - |
| CERT C Secure Coding | EXP39-C | Do not access a variable through a pointer of an incompatible type | Imprecise |
| CERT C Secure Coding | FIO37-C | Do not assume character data has been read | - |
| CERT C Secure Coding | STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | CWE More Abstract |
| CERT C Secure Coding | STR32-C | Do not pass a non-null-terminated character sequence to a library function that expects a string | CWE More Abstract |
| WASC | 7 | Buffer Overflow | - |
| Software Fault Patterns | SFP8 | Faulty Buffer Access | - |
Key Information
CWE ID: CWE-119
Abstraction: Class
Structure: Simple
Status: Stable
Likelihood of Exploit: High