CWE-125: Out-of-bounds Read
CWE Version: 4.18
Last Updated: 2025-09-09
Weakness Description
The product reads data past the end, or before the beginning, of the intended buffer.
Common Consequences
Scope: Confidentiality
Technical Impact: Read Memory
Note: An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks.
Scope: Confidentiality
Technical Impact: Bypass Protection Mechanism
Note: Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution.
Scope: Availability
Technical Impact: DoS: Crash, Exit, or Restart
Note: An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer. This is especially likely when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string.
Scope: Other
Technical Impact: Varies by Context
Note: The read operation could produce other undefined or unexpected results.
Potential Mitigations
Phase: Implementation
Strategy: Input Validation
Phase: Architecture and Design
Strategy: Language Selection
Description: Use a language that provides appropriate memory abstractions.
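The two causes named above (a trusted length field and a missing NUL sentinel) next to the input validation that prevents them, as an added example that is not part of the CWE entry. The wire format, `record_t`, and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format, an assumption for this example (not from the CWE
 * entry): [1-byte payload_len][payload bytes][NUL-terminated name]. */
typedef struct {
    uint8_t len;
    uint8_t payload[255];  /* fits any 1-byte length, so only the *read* can go out of bounds */
    size_t name_len;
} record_t;

/* Vulnerable pattern, shown for contrast and never called here: the length
 * byte is trusted (CWE-130), so memcpy reads past `buf` whenever the claimed
 * length exceeds the bytes received, and strlen runs off the end when the
 * input carries no NUL sentinel (CWE-170). Both are CWE-125. */
int parse_record_unchecked(const uint8_t *buf, record_t *out) {
    size_t claimed = buf[0];
    memcpy(out->payload, buf + 1, claimed);
    out->len = (uint8_t)claimed;
    out->name_len = strlen((const char *)buf + 1 + claimed);
    return 0;
}

/* Hardened version: every read is bounded by buf_len before it happens.
 * Returns 0 on success, -1 if parsing would read outside [buf, buf+buf_len). */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out) {
    if (buf == NULL || out == NULL || buf_len < 1)
        return -1;                       /* no room for the length byte */
    size_t claimed = buf[0];
    size_t remaining = buf_len - 1;
    if (claimed > remaining)
        return -1;                       /* claimed length exceeds bytes received */
    memcpy(out->payload, buf + 1, claimed);
    out->len = (uint8_t)claimed;
    remaining -= claimed;
    const uint8_t *name = buf + 1 + claimed;
    const uint8_t *nul = memchr(name, 0, remaining);  /* scan never leaves the buffer */
    if (nul == NULL)
        return -1;                       /* no NUL terminator within the received bytes */
    out->name_len = (size_t)(nul - name);
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[]      = {3, 'a', 'b', 'c', 'h', 'i', 0};
static const uint8_t SAMPLE_TRUNCATED[] = {10, 'a', 'b'};        /* claims 10 bytes, carries 2 */
static const uint8_t SAMPLE_NO_NUL[]    = {1, 'x', 'h', 'i'};     /* name never terminated */
```

Under a sanitizer or fuzzer (see Detection Methods) the unchecked variant reports a heap or stack read overflow on the truncated inputs; the checked variant rejects them with -1 instead.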
Detection Methods
Method: Fuzzing
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness: High
Method: Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Observed Examples
Reference: CVE-2023-1018
The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to read 2 bytes past the end of a buffer.
Reference: CVE-2020-11899
Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV.
Reference: CVE-2014-0160
Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.
Reference: CVE-2021-40985
HTML conversion package has a buffer under-read, allowing a crash.
Reference: CVE-2018-10887
Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125).
Reference: CVE-2009-2523
Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
Reference: CVE-2018-16069
Chain: series of floating-point precision errors (CWE-1339) in a web browser rendering engine causes out-of-bounds read (CWE-125), giving access to cross-origin data.
Reference: CVE-2004-0112
Out-of-bounds read due to improper length check.
Reference: CVE-2004-0183
Packet with large number of specified elements causes out-of-bounds read.
Reference: CVE-2004-0221
Packet with large number of specified elements causes out-of-bounds read.
Reference: CVE-2004-0184
Out-of-bounds read, resultant from integer underflow.
Reference: CVE-2004-1940
Large length value causes out-of-bounds read.
Reference: CVE-2004-0421
Malformed image causes out-of-bounds read.
Reference: CVE-2008-4113
OS kernel trusts userland-supplied length value, allowing reading of sensitive information.
Modes of Introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable Platforms
Languages
Technologies
Taxonomy Mappings
| Mapped Taxonomy Name | Node ID | Mapped Node Name | Mapping Fit |
|---|---|---|---|
| PLOVER | - | Out-of-bounds Read | - |
| CERT C Secure Coding | ARR30-C | Do not form or use out-of-bounds pointers or array subscripts | Imprecise |
| CERT C Secure Coding | ARR38-C | Guarantee that library functions do not form invalid pointers | Imprecise |
| CERT C Secure Coding | EXP39-C | Do not access a variable through a pointer of an incompatible type | Imprecise |
| CERT C Secure Coding | STR31-C | Guarantee that storage for strings has sufficient space for character data and the null terminator | Imprecise |
| CERT C Secure Coding | STR32-C | Do not pass a non-null-terminated character sequence to a library function that expects a string | CWE More Abstract |
| Software Fault Patterns | SFP8 | Faulty Buffer Access | - |