The product reads or writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

What CVEs are caused by CWE-786?

8 recorded CVEs are attributed to CWE-786, including CVE-2022-0351, CVE-2024-27831, CVE-2024-27840.

How is CWE-786 detected?

Fuzzing: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.

What are the consequences of CWE-786?

Exploiting CWE-786 can lead to: Read Memory, Modify Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands.

Is CWE-786 actively exploited?

8 recorded CVEs are caused by CWE-786; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-786: Access of Memory Location Before Start of Buffer

CVE-2024-27808

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In the following C/C++ example, a utility function is used to trim trailing whitespace from a character string. The function copies the input string to a local character string and uses a while statement to remove the trailing whitespace by moving backward through the string and overwriting whitespace with a NUL character.

Vulnerable example

char* trimTrailingWhitespace(char *strMessage, int length) {

However, this function can cause a buffer underwrite if the input character string contains all whitespace. On some systems the while statement will move backwards past the beginning of a character string and will call the isspace() function on an address outside of the bounds of the local buffer.

The following example asks a user for an offset into an array to select an item.

The programmer allows the user to specify which element in the list to select, however an attacker can provide an out-of-bounds offset, resulting in a buffer over-read (CWE-126).

The following is an example of code that may result in a buffer underwrite. This code is attempting to replace the substring "Replace Me" in destBuf with the string stored in srcBuf. It does so by using the function strstr(), which returns a pointer to the found substring in destBuf. Using pointer arithmetic, the starting index of the substring is found.

Vulnerable example

int main() {

In the case where the substring is not found in destBuf, strstr() will return NULL, causing the pointer arithmetic to be undefined, potentially setting the value of idx to a negative number. If idx is negative, this will result in a buffer underwrite of destBuf.

CWE-786: Access of Memory Location Before Start of Buffer

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Fuzzing

Automated Dynamic Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-786?

What CVEs are caused by CWE-786?

How is CWE-786 detected?

What are the consequences of CWE-786?

Is CWE-786 actively exploited?

References

Stay ahead of CWE-786

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to detect it

Fuzzing

Automated Dynamic Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-786?

What CVEs are caused by CWE-786?

How is CWE-786 detected?

What are the consequences of CWE-786?

Is CWE-786 actively exploited?

References

Stay ahead of CWE-786