CWE-823: Use of Out-of-range Pointer Offset
Also known as: Untrusted pointer offset
The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Last updated
Overview
While a pointer can contain a reference to any arbitrary memory location, a program typically only intends to use the pointer to access limited portions of memory, such as contiguous memory used to access an individual array. Programs may use offsets in order to access fields or sub-elements stored within structured data. The offset might be out-of-range if it comes from an untrusted source, is the result of an incorrect calculation, or occurs because of another error. If an attacker can control or influence the offset so that it points outside of the intended boundaries of the structure, then the attacker may be able to read or write to memory locations that are used elsewhere in the product. As a result, the attack might change the state of the product as accessed through program variables, cause a crash or instable behavior, and possibly lead to code execution.
Real-world CVEs
93 recorded CVEs are caused by CWE-823 (Use of Out-of-range Pointer Offset), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 11 new CWE-823 CVEs have been recorded so far in 2026 (25 in 2025).
- CVE-2023-33106CISA KEV
Use of Out-of-range Pointer Offset in Graphics
High · CVSS 8.6 · EPSS 54th2023-12-05 - CVE-2024-42383
Use of Out-of-range Pointer Offset in Mongoose Web Server library
Critical · CVSS 9.8 · EPSS 18th2024-11-18 - CVE-2023-43553Critical · CVSS 9.8 · EPSS 28th2024-03-04
- CVE-2023-43534
Use of Out-of-range Pointer Offset in WLAN HOST
Critical · CVSS 9.8 · EPSS 18th2024-02-06 - CVE-2023-22388
Use of Out-of-range Pointer Offset in Multi-mode Call Processor
Critical · CVSS 9.8 · EPSS 28th2023-11-07 - CVE-2023-24855Critical · CVSS 9.8 · EPSS 42th2023-10-03
- CVE-2026-21732
GPU DDK - libusc OOB write at ConvertSwitchToArrayLookupBP during WebGPU shader compilation
Critical · CVSS 9.6 · EPSS 21th2026-03-20 - CVE-2020-8904Critical · CVSS 9.6 · EPSS 14th2020-08-12
- CVE-2026-46244
netfilter: nft_inner: Fix IPv6 inner_thoff desync
Critical · CVSS 9.1 · EPSS 24th2026-06-03 - CVE-2025-27059
Use of Out-of-range Pointer Offset in TZ Firmware
High · CVSS 8.8 · EPSS 0th2025-10-09 - CVE-2017-11076High · CVSS 8.8 · EPSS 26th2024-11-26
- CVE-2024-42416
Multiple issues in ctl(4) CAM Target Layer
High · CVSS 8.8 · EPSS 32th2024-09-05
Showing 12 of 93 recorded CWE-823 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-823 vulnerabilitiesCommon consequences
What can happen when CWE-823 is exploited.
Read Memory
Affects: Confidentiality
If the untrusted pointer is used in a read operation, an attacker might be able to read sensitive portions of memory.
DoS: Crash, Exit, or Restart
Affects: Availability
If the untrusted pointer references a memory location that is not accessible to the program, or points to a location that is "malformed" or larger than expected by a read or write operation, the application may terminate unexpectedly.
Execute Unauthorized Code or Commands, Modify Memory
Affects: Integrity, Confidentiality, Availability
If the untrusted pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Automated Dynamic Analysis
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiveness: Moderate
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2009-3129CISA KEV— Spreadsheet program processes a record with an invalid size field, which is later used as an offset.
- CVE-2010-2160 — Invalid offset in undocumented opcode leads to memory corruption.
- CVE-2010-1281 — Multimedia player uses untrusted value from a file when using file-pointer calculations.
- CVE-2009-2694 — Instant messaging library does not validate an offset value specified in a packet.
- CVE-2009-2687 — Language interpreter does not properly handle invalid offsets in JPEG image, leading to out-of-bounds memory access and crash.
- CVE-2009-0690 — negative offset leads to out-of-bounds read
- CVE-2008-4114 — untrusted offset in kernel
- CVE-2010-2873 — "blind trust" of an offset value while writing heap memory allows corruption of function pointer,leading to code execution
- CVE-2010-2866 — negative value (signed) causes pointer miscalculation
- CVE-2010-2872 — signed values cause incorrect pointer calculation
- CVE-2007-5657 — values used as pointer offsets
- CVE-2010-2867 — a return value from a function is sign-extended if the value is signed, then used as an offset for pointer arithmetic
- CVE-2009-1097 — portions of a GIF image used as offsets, causing corruption of an object pointer.
- CVE-2008-1807 — invalid numeric field leads to a free of arbitrary memory locations, then code execution.
- CVE-2007-2500 — large number of elements leads to a free of an arbitrary address
- CVE-2008-1686 — array index issue (CWE-129) with negative offset, used to dereference a function pointer
- CVE-2010-2878 — "buffer seek" value - basically an offset?
Terminology & mappings
Alternate terms
- Untrusted pointer offset
- This term is narrower than the concept of "out-of-range" offset, since the offset might be the result of a calculation or other error that does not depend on any externally-supplied values.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-823.
- What is CWE-823?
- The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
- What CVEs are caused by CWE-823?
- 93 recorded CVEs are attributed to CWE-823, including CVE-2023-33106, CVE-2024-42383, CVE-2023-43553. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-823 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-823?
- Exploiting CWE-823 can lead to: Read Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Modify Memory.
- Is CWE-823 actively exploited?
- Yes. 1 CWE-823 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 93 recorded CVEs.
References
- MITRE CWE definition (CWE-823) (opens in a new tab)
- CWE-823 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-823
Get alerted the moment a new CWE-823 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.