CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
Last updated
Overview
Isolated memory regions and access control (read/write) policies are used by hardware to protect privileged software. Software components are often allowed to change or remap memory region definitions in order to enable flexible and dynamically changeable memory management by system software. If a software component running at lower privilege can program a memory address region to overlap with other memory regions used by software running at higher privilege, privilege escalation may be available to attackers. The memory protection unit (MPU) logic can incorrectly handle such an address overlap and allow the lower-privilege software to read or write into the protected memory region, resulting in privilege escalation attack. An address overlap weakness can also be used to launch a denial of service attack on the higher-privilege software memory regions.
Real-world CVEs
15 recorded CVEs are caused by CWE-1260 (Improper Handling of Overlap Between Protected Memory Ranges). The highest-severity and most recent are shown first. 10 new CWE-1260 CVEs have been recorded so far in 2026 (2 in 2025).
- CVE-2024-4778Critical · CVSS 9.8 · EPSS 36th2024-05-14
- CVE-2022-27813High · CVSS 8.2 · EPSS 8th2023-10-19
- CVE-2019-1164High · CVSS 7.8 · EPSS 57th2019-08-14
- CVE-2025-1937
Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
High · CVSS 7.5 · EPSS 41th2025-03-04 - CVE-2025-22889High · CVSS 7.0 · EPSS 5th2025-08-12
- CVE-2018-25240
Watchr 1.1.0.0 Denial of Service via Search
Medium · CVSS 6.9 · EPSS 2th2026-04-04 - CVE-2018-25238
VSCO 1.1.1.0 Denial of Service via Search
Medium · CVSS 6.9 · EPSS 5th2026-04-04 - CVE-2019-25592
PHPRunner 10.1 Denial of Service via Dashboard Name Field
Medium · CVSS 6.9 · EPSS 6th2026-03-22 - CVE-2019-25585
Deluge 1.3.15 Denial of Service via Webseeds Field
Medium · CVSS 6.9 · EPSS 7th2026-03-22 - CVE-2019-25572
NordVPN 6.19.6 Denial of Service via Email Field Buffer Overflow
Medium · CVSS 6.9 · EPSS 5th2026-03-21 - CVE-2019-25602
GSearch 1.0.1.0 Denial of Service via Search Input
Medium · CVSS 6.8 · EPSS 2th2026-03-22 - CVE-2019-25570
RealTerm Serial Terminal 2.0.0.70 Denial of Service via Port Field
Medium · CVSS 6.8 · EPSS 12th2026-03-21
Showing 12 of 15 recorded CWE-1260 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1260 vulnerabilitiesCommon consequences
What can happen when CWE-1260 is exploited.
Modify Memory, Read Memory, DoS: Instability
Affects: Confidentiality, Integrity, Availability
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-1260, grouped by where in the lifecycle they apply.
Ensure that memory regions are isolated as intended and that access control (read/write) policies are used by hardware to protect privileged software.
For all of the programmable memory protection regions, the memory protection unit (MPU) design can define a priority scheme.
For example: if three memory regions can be programmed (Region_0, Region_1, and Region_2), the design can enforce a priority scheme, such that, if a system address is within multiple regions, then the region with the lowest ID takes priority and the access-control policy of that region will be applied. In some MPU designs, the priority scheme can also be programmed by trusted software.
Hardware logic or trusted firmware can also check for region definitions and block programming of memory regions with overlapping addresses.
The memory-access-control-check filter can also be designed to apply a policy filter to all of the overlapping ranges, i.e., if an address is within Region_0 and Region_1, then access to this address is only granted if both Region_0 and Region_1 policies allow the access.
Effectiveness: High
How to detect it
Manual Analysis
Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
For example, consider a design with a 16-bit address that has two software privilege levels: Privileged_SW and Non_privileged_SW. To isolate the system memory regions accessible by these two privilege levels, the design supports three memory regions: Region_0, Region_1, and Region_2.
Each region is defined by two 32 bit registers: its range and its access policy.
Certain bits of the access policy are defined symbolically as follows:
For any requests from software, an address-protection filter checks the address range and access policies for each of the three regions, and only allows software access if all three filters allow access.
Consider the following goals for access control as intended by the designer:
The intention is that Non_privileged_SW cannot modify memory region and policies defined by Privileged_SW in Region_0 and Region_1. Thus, it cannot read or write the memory regions that Privileged_SW is using.
This design could be improved in several ways.
The example code below is taken from the IOMMU controller module of the HACK@DAC'19 buggy CVA6 SoC [REF-1338]. The static memory map is composed of a set of Memory-Mapped Input/Output (MMIO) regions covering different IP agents within the SoC. Each region is defined by two 64-bit variables representing the base address and size of the memory region (XXXBase and XXXLength).
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2008-7096 — virtualization product allows compromise of hardware product by accessing certain remapping registers.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1260.
- What is CWE-1260?
- The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
- What CVEs are caused by CWE-1260?
- 15 recorded CVEs are attributed to CWE-1260, including CVE-2024-4778, CVE-2022-27813, CVE-2019-1164.
- How do you prevent CWE-1260?
- Ensure that memory regions are isolated as intended and that access control (read/write) policies are used by hardware to protect privileged software.
- How is CWE-1260 detected?
- Manual Analysis: Create a high privilege memory block of any arbitrary size. Attempt to create a lower privilege memory block with an overlap of the high privilege memory block. If the creation attempt works, fix the hardware. Repeat the test.
- What are the consequences of CWE-1260?
- Exploiting CWE-1260 can lead to: Modify Memory, Read Memory, DoS: Instability.
- Is CWE-1260 actively exploited?
- 15 recorded CVEs are caused by CWE-1260; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1260) (opens in a new tab)
- CWE-1260 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1260
Get alerted the moment a new CWE-1260 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.