CWE-786: Access of Memory Location Before Start of Buffer

BaseIncomplete

The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

View on MITRE
Back to CWE Lookup

Extended Description

This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-786: Access of Memory Location Before Start of Buffer?+

CWE-786: Access of Memory Location Before Start of Buffer is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer. This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used.

What are the security consequences of Access of Memory Location Before Start of Buffer?+

If exploited, CWE-786 (Access of Memory Location Before Start of Buffer) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Memory, Modify Memory, DoS: Crash, Exit, or Restart and Execute Unauthorized Code or Commands.

Which programming languages are affected by Access of Memory Location Before Start of Buffer?+

CWE-786 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Access of Memory Location Before Start of Buffer?+

MITRE documents real CVEs mapped to CWE-786, including CVE-2002-2227, CVE-2007-4580, CVE-2007-1584, CVE-2007-0886 and CVE-2006-6171. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-786 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More