Log inLog in

Base weakness

Draft

CWE-466: Return of Pointer Value Outside of Expected Range

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

Last updated May 1, 2026

7

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

CWE-466 (Return of Pointer Value Outside of Expected Range) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.

Real-world CVEs

7 recorded CVEs are caused by CWE-466 (Return of Pointer Value Outside of Expected Range). The highest-severity and most recent are shown first. 5 new CWE-466 CVEs have been recorded so far in 2026.

CVE-2018-25227

Valentina Studio 9.0.4 Denial of Service via Host Parameter

Medium · CVSS 6.9 · EPSS 6th

2026-03-30

CVE-2019-25599

Backup Key Recovery 2.2.4 Denial of Service via Name Field

Medium · CVSS 6.9 · EPSS 5th

2026-03-22

CVE-2019-25586

Deluge 1.3.15 Denial of Service via URL Field

Medium · CVSS 6.9 · EPSS 6th

2026-03-22

CVE-2019-25548

BlueStacks 4.80.0.1060 Denial of Service via Search Field

Medium · CVSS 6.9 · EPSS 5th

2026-03-21

Common consequences

What can happen when CWE-466 is exploited.

Read Memory, Modify Memory

Affects: Confidentiality, Integrity

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Implementation

Applies to

Languages

Memory-Unsafe

C

C++

How to detect it

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Automated Dynamic Analysis

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Effectiveness: Moderate

Terminology & mappings

Mapped taxonomies

7 Pernicious Kingdoms: Illegal Pointer Value
Software Fault Patterns: Glitch in computation (SFP1)

Frequently asked questions

Common questions about CWE-466.

What is CWE-466?

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

What CVEs are caused by CWE-466?

7 recorded CVEs are attributed to CWE-466, including CVE-2024-21849, CVE-2024-33602, CVE-2018-25234.

How is CWE-466 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-466?

Exploiting CWE-466 can lead to: Read Memory, Modify Memory.

Is CWE-466 actively exploited?

7 recorded CVEs are caused by CWE-466; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-466

Get alerted the moment a new CWE-466 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing