What CVEs are caused by CWE-135?

1 recorded CVEs are attributed to CWE-135, including CVE-2026-0810.

How do you prevent CWE-135?

Always verify the length of the string unit character.

How is CWE-135 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-135?

Exploiting CWE-135 can lead to: Execute Unauthorized Code or Commands, Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory).

Is CWE-135 actively exploited?

1 recorded CVEs are caused by CWE-135; none are currently in CISA's KEV catalog of actively exploited flaws.

Base weakness

Draft

CWE-135: Incorrect Calculation of Multi-Byte String Length

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

Last updated May 1, 2026

Recorded CVEs

With this primary weakness

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-135 (Incorrect Calculation of Multi-Byte String Length) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

1 recorded CVEs are caused by CWE-135 (Incorrect Calculation of Multi-Byte String Length). The highest-severity and most recent are shown first. 1 new CWE-135 CVE has been recorded so far in 2026.

CVE-2026-0810
Gix-date: gix-date: undefined behavior due to invalid string generation
High · CVSS 7.1 · EPSS 9th
2026-01-26

Common consequences

What can happen when CWE-135 is exploited.

Execute Unauthorized Code or Commands

Affects: Integrity, Confidentiality, Availability

This weakness may lead to a buffer overflow. Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. This can often be used to subvert any other security service.

Read Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Affects: Availability, Confidentiality

Out of bounds memory access will very likely result in the corruption of relevant memory, and perhaps instructions, possibly leading to a crash. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

CWE-135: Incorrect Calculation of Multi-Byte String Length

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-135?

What CVEs are caused by CWE-135?

How do you prevent CWE-135?

How is CWE-135 detected?

What are the consequences of CWE-135?

Is CWE-135 actively exploited?

References

Stay ahead of CWE-135

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-135?

What CVEs are caused by CWE-135?

How do you prevent CWE-135?

How is CWE-135 detected?

What are the consequences of CWE-135?

Is CWE-135 actively exploited?

References

Stay ahead of CWE-135