CWE-127: Buffer Under-read
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
Last updated
Overview
CWE-127 (Buffer Under-read) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Real-world CVEs
8 recorded CVEs are caused by CWE-127 (Buffer Under-read). The highest-severity and most recent are shown first. 2 new CWE-127 CVEs have been recorded so far in 2026 (3 in 2025).
- CVE-2024-10395High · CVSS 8.6 · EPSS 22th2025-02-03
- CVE-2026-5928
Potential buffer under-read in ungetwc
High · CVSS 7.5 · EPSS 29th2026-04-20 - CVE-2020-1918High · CVSS 7.5 · EPSS 65th2021-03-10
- CVE-2020-5360High · CVSS 7.5 · EPSS 81th2020-12-16
- CVE-2025-20359
Multiple Cisco Products Snort 3 MIME Information Disclosure or Denial of Service Vulnerability
Medium · CVSS 6.5 · EPSS 31th2025-10-15 - CVE-2025-32050
Libsoup: integer overflow in append_param_quoted
Medium · CVSS 5.9 · EPSS 50th2025-04-03 - CVE-2024-25629Medium · CVSS 5.5 · EPSS 27th2024-02-23
- CVE-2026-45683
OpenTelemetry eBPF Instrumentation: Java TLS ioctl kprobe allows kernel memory disclosure
Low · CVSS 3.8 · EPSS 7th2026-06-02
Common consequences
What can happen when CWE-127 is exploited.
Read Memory
Affects: Confidentiality
Bypass Protection Mechanism
Affects: Confidentiality
By reading out-of-bounds memory, an attacker might be able to get secret values, such as memory addresses, which can bypass protection mechanisms such as ASLR in order to improve the reliability and likelihood of exploiting a separate weakness to achieve code execution instead of just denial of service.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Automated Dynamic Analysis
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiveness: Moderate
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
In the following code, the method retrieves a value from an array at a specific array index location that is given as an input parameter to the method
Vulnerable example
int getValueFromArray(int *array, int len, int index) {However, this method only verifies that the given array index is less than the maximum length of the array but does not check for the minimum value (CWE-839). This will allow a negative value to be accepted as the input array index, which will result in reading data before the beginning of the buffer (CWE-127) and may allow access to sensitive memory. The input array index should be checked to verify that is within the maximum and minimum range required for the array (CWE-129). In this example the if statement should be modified to include a minimum range check, as shown below.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2021-40985 — HTML conversion package has a buffer under-read, allowing a crash
Terminology & mappings
Mapped taxonomies
- PLOVER: Buffer under-read
- Software Fault Patterns: Faulty Buffer Access (SFP8)
Frequently asked questions
Common questions about CWE-127.
- What is CWE-127?
- The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
- What CVEs are caused by CWE-127?
- 8 recorded CVEs are attributed to CWE-127, including CVE-2024-10395, CVE-2026-5928, CVE-2020-1918.
- How is CWE-127 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-127?
- Exploiting CWE-127 can lead to: Read Memory, Bypass Protection Mechanism.
- Is CWE-127 actively exploited?
- 8 recorded CVEs are caused by CWE-127; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-127) (opens in a new tab)
- CWE-127 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-127
Get alerted the moment a new CWE-127 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.