CWE-125: CWE-125: Out-of-bounds Read

BaseStable🏆 #7 in Top 25 (2024)

Description

View on MITRE
2,117Related CVEs
18.64Severity Score
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

🏆 CWE Top 25 Historical Ranking

2023:#7
Score: 14.60
2,043 CVEs
2024:#7=
Score: 18.64
2,117 CVEs
Trend:Stable (no rank change)

Frequently Asked Questions

What is CWE-125: CWE-125: Out-of-bounds Read?+

CWE-125: CWE-125: Out-of-bounds Read is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

Is CWE-125 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-125 ranked #7 in the CWE Top 25 for 2024, associated with 2,117 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of CWE-125: Out-of-bounds Read?+

If exploited, CWE-125 (CWE-125: Out-of-bounds Read) it can compromise Read Memory, Bypass Protection Mechanism, DoS: Crash, Exit, or Restart and Varies by Context, leading to outcomes such as Scope: Confidentiality An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks., Scope: Confidentiality Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution. and Scope: Availability An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer. This is especially likely when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation.

How do you prevent or mitigate CWE-125: Out-of-bounds Read?+

Recommended mitigations for CWE-125 include: Strategy: Input Validation Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs. Strategy: Language Selection Use a language that provides appropriate memory abstractions.

Which programming languages are affected by CWE-125: Out-of-bounds Read?+

CWE-125 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-125 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-125: CWE-125: Out-of-bounds Read | #7 in CWE Top 25 2024 | CWE Lookup | InventiveHQ