CWE-125: Out-of-bounds Read
Also known as: OOB read
The product reads data past the end, or before the beginning, of the intended buffer.
Last updated
Overview
CWE-125 (Out-of-bounds Read) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
4,151 recorded CVEs are caused by CWE-125 (Out-of-bounds Read), including 18 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 674 new CWE-125 CVEs have been recorded so far in 2026 (687 in 2025).
- CVE-2026-3055CISA KEV
Insufficient input validation leading to memory overread
Critical · CVSS 9.3 · EPSS 100th2026-03-23 - CVE-2025-5777CISA KEV
NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread
Critical · CVSS 9.3 · EPSS 100th2025-06-17 - CVE-2026-11645CISA KEVHigh · CVSS 8.8 · EPSS 74th2026-06-08
- CVE-2024-0519CISA KEVHigh · CVSS 8.7 · EPSS 89th2024-01-16
- CVE-2017-5030CISA KEVHigh · CVSS 8.7 · EPSS 99th2017-04-24
- CVE-2016-4523CISA KEVHigh · CVSS 8.7 · EPSS 98th2016-06-09
- CVE-2016-1646CISA KEVHigh · CVSS 8.7 · EPSS 99th2016-03-29
- CVE-2023-36424CISA KEV
Windows Common Log File System Driver Elevation of Privilege Vulnerability
High · CVSS 8.5 · EPSS 96th2023-11-14 - CVE-2021-25487CISA KEVHigh · CVSS 8.5 · EPSS 45th2021-10-06
- CVE-2025-5419CISA KEVHigh · CVSS 7.7 · EPSS 93th2025-06-02
- CVE-2014-0160CISA KEVHigh · CVSS 7.5 · EPSS 100th2014-04-07
- CVE-2023-42916CISA KEVHigh · CVSS 7.1 · EPSS 97th2023-11-30
Showing 12 of 4,151 recorded CWE-125 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-125 vulnerabilitiesCommon consequences
What can happen when CWE-125 is exploited.
Read Memory
Affects: Confidentiality
An attacker could get secret values such as cryptographic keys, PII, memory addresses, or other information that could be used in additional attacks.
Bypass Protection Mechanism
Affects: Confidentiality
Out-of-bounds memory could contain memory addresses or other information that can be used to bypass ASLR and other protection mechanisms in order to improve the reliability of exploiting a separate weakness for code execution.
DoS: Crash, Exit, or Restart
Affects: Availability
An attacker could cause a segmentation fault or crash by causing memory to be read outside of the bounds of the buffer. This is especially likely when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string.
Varies by Context
Affects: Other
The read operation could produce other undefined or unexpected results.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
Technologies
How to prevent it
Practical mitigations for CWE-125, grouped by where in the lifecycle they apply.
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.
Use a language that provides appropriate memory abstractions.
How to detect it
Fuzzing
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiveness: High
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Automated Dynamic Analysis
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiveness: Moderate
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method
Vulnerable example
int getValueFromArray(int *array, int len, int index) {However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.
In the following C/C++ example the method processMessageFromSocket() will get a message from a socket, placed into a buffer, and will parse the contents of the buffer into a structure that contains the message length and the message body. A for loop is used to copy the message body into a local character string which will be passed to another method for processing.
Vulnerable example
int processMessageFromSocket(int socket) {However, the message length variable (msgLength) from the structure is used as the condition for ending the for loop without validating that msgLength accurately reflects the actual length of the message body (CWE-606). If msgLength indicates a length that is longer than the size of a message body (CWE-130), then this can result in a buffer over-read by reading past the end of the buffer (CWE-126).
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-11899CISA KEV— Out-of-bounds read in IP stack used in embedded systems, as exploited in the wild per CISA KEV.
- CVE-2014-0160CISA KEV— Chain: "Heartbleed" bug receives an inconsistent length parameter (CWE-130) enabling an out-of-bounds read (CWE-126), returning memory that could include private cryptographic keys and other sensitive data.
- CVE-2023-1018 — The reference implementation code for a Trusted Platform Module does not implement length checks on data, allowing for an attacker to read 2 bytes past the end of a buffer.
- CVE-2021-40985 — HTML conversion package has a buffer under-read, allowing a crash
- CVE-2018-10887 — Chain: unexpected sign extension (CWE-194) leads to integer overflow (CWE-190), causing an out-of-bounds read (CWE-125)
- CVE-2009-2523 — Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
- CVE-2018-16069 — Chain: series of floating-point precision errors (CWE-1339) in a web browser rendering engine causes out-of-bounds read (CWE-125), giving access to cross-origin data
- CVE-2004-0112 — out-of-bounds read due to improper length check
- CVE-2004-0183 — packet with large number of specified elements cause out-of-bounds read.
- CVE-2004-0221 — packet with large number of specified elements cause out-of-bounds read.
- CVE-2004-0184 — out-of-bounds read, resultant from integer underflow
- CVE-2004-1940 — large length value causes out-of-bounds read
- CVE-2004-0421 — malformed image causes out-of-bounds read
- CVE-2008-4113 — OS kernel trusts userland-supplied length value, allowing reading of sensitive information
Terminology & mappings
Alternate terms
- OOB read
- Shorthand for "Out of bounds" read
Mapped taxonomies
- PLOVER: Out-of-bounds Read
- CERT C Secure Coding: Do not form or use out-of-bounds pointers or array subscripts (ARR30-C) — Imprecise fit
- CERT C Secure Coding: Guarantee that library functions do not form invalid pointers (ARR38-C) — Imprecise fit
- CERT C Secure Coding: Do not access a variable through a pointer of an incompatible type (EXP39-C) — Imprecise fit
- CERT C Secure Coding: Guarantee that storage for strings has sufficient space for character data and the null terminator (STR31-C) — Imprecise fit
- CERT C Secure Coding: Do not pass a non-null-terminated character sequence to a library function that expects a string (STR32-C) — CWE More Abstract fit
- Software Fault Patterns: Faulty Buffer Access (SFP8)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-125.
- What is CWE-125?
- The product reads data past the end, or before the beginning, of the intended buffer.
- What CVEs are caused by CWE-125?
- 4,151 recorded CVEs are attributed to CWE-125, including CVE-2026-3055, CVE-2025-5777, CVE-2026-11645. 18 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-125?
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- How is CWE-125 detected?
- Fuzzing: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
- What are the consequences of CWE-125?
- Exploiting CWE-125 can lead to: Read Memory, Bypass Protection Mechanism, DoS: Crash, Exit, or Restart, Varies by Context.
- Is CWE-125 actively exploited?
- Yes. 18 CWE-125 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 4,151 recorded CVEs.
References
- MITRE CWE definition (CWE-125) (opens in a new tab)
- CWE-125 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-125
Get alerted the moment a new CWE-125 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.