Description
The product reads data past the end, or before the beginning, of the intended buffer.
Potential Impact
Confidentiality
Read Memory
Confidentiality
Bypass Protection Mechanism
Availability
DoS: Crash, Exit, or Restart
Other
Varies by Context
Demonstrative Examples
In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method
Bad
int getValueFromArray(int *array, int len, int index) {
int value;
// check that the array index is less than the maximum
// length of the array
if (index < len) {
// get the value at the specified index of the array
value = array[index];
}
// if array index is invalid then output error message
// and return value indicating error
else {printf("Value is: %d\n", array[index]);value = -1;}
return value;
}However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.
Good
...
// check that the array index is within the correct
// range of values for the array
if (index >= 0 && index < len) {
...In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing.
Bad
int processMessageFromSocket(int socket) {
int success;
char buffer[BUFFER_SIZE];char message[MESSAGE_SIZE];
// get message from socket and store into buffer
//Ignoring possibliity that buffer > BUFFER_SIZE
if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {
// place contents of the buffer into message structure
ExMessage *msg = recastBuffer(buffer);
// copy message body into string for processing
int index;for (index = 0; index < msg->msgLength; index++) {message[index] = msg->msgBody[index];}message[index] = '\0';
// process message
success = processMessage(message);
}return success;
}However, the message length variable (msgLength) from the structure is used as the condition for ending the for loop without validating that msgLength accurately reflects the actual length of the message body (CWE-606). If msgLength indicates a length that is longer than the size of a message body (CWE-130), then this can result in a buffer over-read by reading past the end of the buffer (CWE-126).
Mitigations & Prevention
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across relat
Use a language that provides appropriate memory abstractions.
Detection Methods
- Fuzzing High — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
- Automated Dynamic Analysis Moderate — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2023-1018 | The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to read 2 bytes past the end of a buffer. |
| CVE-2020-11899 | Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV. |
| CVE-2014-0160 | Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive |
| CVE-2021-40985 | HTML conversion package has a buffer under-read, allowing a crash |
| CVE-2018-10887 | Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125) |
| CVE-2009-2523 | Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122). |
| CVE-2018-16069 | Chain: series of floating-point precision errors (CWE-1339) in a web browser rendering engine causes out-of-bounds read (CWE-125), giving access to cross-origin data |
| CVE-2004-0112 | out-of-bounds read due to improper length check |
| CVE-2004-0183 | packet with large number of specified elements cause out-of-bounds read. |
| CVE-2004-0221 | packet with large number of specified elements cause out-of-bounds read. |
| CVE-2004-0184 | out-of-bounds read, resultant from integer underflow |
| CVE-2004-1940 | large length value causes out-of-bounds read |
| CVE-2004-0421 | malformed image causes out-of-bounds read |
| CVE-2008-4113 | OS kernel trusts userland-supplied length value, allowing reading of sensitive information |
Related Weaknesses
Taxonomy Mappings
- PLOVER: — Out-of-bounds Read
- CERT C Secure Coding: ARR30-C — Do not form or use out-of-bounds pointers or array subscripts
- CERT C Secure Coding: ARR38-C — Guarantee that library functions do not form invalid pointers
- CERT C Secure Coding: EXP39-C — Do not access a variable through a pointer of an incompatible type
- CERT C Secure Coding: STR31-C — Guarantee that storage for strings has sufficient space for character data and the null terminator
- CERT C Secure Coding: STR32-C — Do not pass a non-null-terminated character sequence to a library function that expects a string
- Software Fault Patterns: SFP8 — Faulty Buffer Access
Frequently Asked Questions
What is CWE-125?
CWE-125 (Out-of-bounds Read) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product reads data past the end, or before the beginning, of the intended buffer.
How can CWE-125 be exploited?
Attackers can exploit CWE-125 (Out-of-bounds Read) to read memory. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-125?
Key mitigations include: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not stric
What is the severity of CWE-125?
CWE-125 is classified as a Base-level weakness (Medium abstraction). It has been observed in 14 real-world CVEs.