CWE-127: Buffer Under-read

VariantDraft

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

View on MITRE
Back to CWE Lookup

Extended Description

This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-127: Buffer Under-read?+

CWE-127: Buffer Under-read is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer. This typically occurs when the pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used. This may result in exposure of sensitive information or possibly a crash.

What are the security consequences of Buffer Under-read?+

If exploited, CWE-127 (Buffer Under-read) it can compromise Confidentiality, leading to outcomes such as Read Memory and Bypass Protection Mechanism.

Which programming languages are affected by Buffer Under-read?+

CWE-127 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Buffer Under-read?+

MITRE documents real CVEs mapped to CWE-127, including CVE-2021-40985. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-127 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More