CWE-788: Access of Memory Location After End of Buffer

BaseIncomplete

The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer.

View on MITRE
Back to CWE Lookup

Extended Description

This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.

Technical Details

Structure
Simple
Vulnerability Mapping
DISCOURAGED

Applicable To

Languages
CC++Memory-Unsafe
Platforms

Frequently Asked Questions

What is CWE-788: Access of Memory Location After End of Buffer?+

CWE-788: Access of Memory Location After End of Buffer is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product reads or writes to a buffer using an index or pointer that references a memory location after the end of the buffer. This typically occurs when a pointer or its index is incremented to a position after the buffer; or when pointer arithmetic results in a position after the buffer.

What are the security consequences of Access of Memory Location After End of Buffer?+

If exploited, CWE-788 (Access of Memory Location After End of Buffer) it can compromise Confidentiality, Integrity and Availability, leading to outcomes such as Read Memory, Modify Memory, DoS: Crash, Exit, or Restart and Execute Unauthorized Code or Commands.

Which programming languages are affected by Access of Memory Location After End of Buffer?+

CWE-788 commonly affects C, C++ and Memory-Unsafe. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Access of Memory Location After End of Buffer?+

MITRE documents real CVEs mapped to CWE-788, including CVE-2009-2550, CVE-2009-2403, CVE-2009-0689, CVE-2009-0558 and CVE-2008-4113. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-788 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More