← Back
CWE-131

205 CVEs • Abstraction: Base • Likelihood of Exploit: High

Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

JSON object

Loading...

CVEs (205)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Facebook
1Fizz
Jun 17, 2026
Apr 29, 2019
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
An improperly performed length calculation on a buffer in PlaintextRecordLayer could lead to an infinite loop and denial-of-service based on user input. This issue affected versions of fizz prior to v2019.03.04.00.
1Atlantiswordprocessor
1Atlantis Word Processor
Nov 21, 2024
Dec 1, 2018
N/A· v4
7.8 HIGH· v3
6.8 MEDIUM· v2
An exploitable arbitrary write vulnerability exists in the open document format parser of the Atlantis Word Processor, version 3.2.7.2, while trying to null-terminate a string. A specially crafted document can allow an a...Show more
An exploitable arbitrary write vulnerability exists in the open document format parser of the Atlantis Word Processor, version 3.2.7.2, while trying to null-terminate a string. A specially crafted document can allow an attacker to pass an untrusted value as a length to a constructor. This constructor will miscalculate a length and then use it to calculate the position to write a null byte. This can allow an attacker to corrupt memory, which can result in code execution under the context of the application. An attacker must convince a victim to open a specially crafted document in order to trigger this vulnerability.Show less
4Canonical
DebianHaxx+1 more
4Debian Linux
Enterprise LinuxLibcurl+1 more
Nov 21, 2024
Sep 5, 2018
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large tem...Show more
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. The internal function Curl_ntlm_core_mk_nt_hash multiplies the length of the password by two (SUM) to figure out how large temporary storage area to allocate from the heap. The length value is then subsequently used to iterate over the password and generate output into the allocated storage buffer. On systems with a 32 bit size_t, the math to calculate SUM triggers an integer overflow when the password length exceeds 2GB (2^31 bytes). This integer overflow usually causes a very small buffer to actually get allocated instead of the intended very huge one, making the use of that buffer end up in a heap buffer overflow. (This bug is almost identical to CVE-2017-8816.)Show less
1Godotengine
1Godot
Nov 21, 2024
Aug 20, 2018
N/A· v4
7.5 HIGH· v3
5.0 MEDIUM· v2
Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)S...Show more
Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death), possible leak of uninitialized memory. This attack appear to be exploitable via A malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). Could be triggered by multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.Show less
1Google
1Android
Nov 21, 2024
Apr 4, 2018
N/A· v4
7.8 HIGH· v3
7.2 HIGH· v2
In writeToParcel and createFromParcel of RttManager.java, there is a permission bypass due to a write size mismatch. This could lead to a local escalation of privileges where the user can start an activity with system pr...Show more
In writeToParcel and createFromParcel of RttManager.java, there is a permission bypass due to a write size mismatch. This could lead to a local escalation of privileges where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, 8.1. Android ID: A-70398564.Show less
1Gnu
1Binutils
May 13, 2026
Sep 30, 2017
N/A· v4
5.5 MEDIUM· v3
4.3 MEDIUM· v2
process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file tha...Show more
process_debug_info in dwarf.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, allows remote attackers to cause a denial of service (infinite loop) via a crafted ELF file that contains a negative size value in a CU structure.Show less
1Google
1Android
May 13, 2026
Aug 9, 2017
N/A· v4
7.8 HIGH· v3
9.3 HIGH· v2
A remote code execution vulnerability in the Android media framework (libavc). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36998372.
2Google
Linux
2Android
Linux Kernel
May 13, 2026
May 12, 2017
N/A· v4
7.0 HIGH· v3
7.6 HIGH· v2
An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High bec...Show more
An elevation of privilege vulnerability in the Qualcomm Secure Channel Manager driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-35401052. References: QC-CR#1081711.Show less
1Microsoft
8Windows 10
Windows 7Windows 8.1+5 more
May 13, 2026
Apr 12, 2017
N/A· v4
8.1 HIGH· v3
9.3 HIGH· v2
An elevation of privilege vulnerability exists in Windows when LDAP request buffer lengths are improperly calculated. In a remote attack scenario, an attacker could exploit this vulnerability by running a specially craft...Show more
An elevation of privilege vulnerability exists in Windows when LDAP request buffer lengths are improperly calculated. In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a Domain Controller, aka "LDAP Elevation of Privilege Vulnerability."Show less
1Linux
1Linux Kernel
May 13, 2026
Apr 7, 2017
N/A· v4
7.0 HIGH· v3
7.6 HIGH· v2
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first req...Show more
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34198729. References: B-RB#110666.Show less
5Debian
F5Gnu+2 more
15Arx Firmware
Debian LinuxEnterprise Linux Desktop+12 more
May 6, 2026
Jun 5, 2014
N/A· v4
N/A· v3
7.5 HIGH· v2
The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN....Show more
The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.Show less
4Apple
CanonicalFedoraproject+1 more
5Fedora
Mac Os XMac Os X Server+2 more
Apr 23, 2026
May 5, 2008
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbit...Show more
The init_request_info function in sapi/cgi/cgi_main.c in PHP before 5.2.6 does not properly consider operator precedence when calculating the length of PATH_TRANSLATED, which might allow remote attackers to execute arbitrary code via a crafted URI.Show less
2Debian
Invisible Island
2Debian Linux
Lynx
Apr 16, 2026
Oct 17, 2005
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escap...Show more
Stack-based buffer overflow in the HTrjis function in Lynx 2.8.6 and earlier allows remote NNTP servers to execute arbitrary code via certain article headers containing Asian characters that cause Lynx to add extra escape (ESC) characters.Show less
1Gaim Project
1Gaim
Apr 16, 2026
Aug 16, 2005
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM s...Show more
Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM substitution strings, such as %t or %n.Show less
1Haxx
2Curl
Libcurl
Apr 16, 2026
May 2, 2005
N/A· v4
8.8 HIGH· v3
5.1 MEDIUM· v2
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengt...Show more
Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.Show less
6Apache
HpOpenpkg+3 more
6Hp Ux
Http ServerOpenpkg+3 more
Apr 16, 2026
Feb 9, 2005
N/A· v4
7.8 HIGH· v3
6.9 MEDIUM· v2
Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a lengt...Show more
Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.Show less
1Apache
1Http Server
Apr 16, 2026
Oct 20, 2004
N/A· v4
7.8 HIGH· v3
4.6 MEDIUM· v2
Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.
1Oracle
7Application Server
Collaboration SuiteDatabase Server+4 more
Apr 16, 2026
Aug 4, 2004
N/A· v4
9.8 CRITICAL· v3
7.2 HIGH· v2
Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed.
2Debian
Heimdal Project
2Debian Linux
Heimdal
Apr 16, 2026
Jul 7, 2004
N/A· v4
9.8 CRITICAL· v3
10.0 HIGH· v2
k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow.
1Acme
1Thttpd
Apr 16, 2026
Nov 3, 2003
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expa...Show more
Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "&lt;" and "&gt;" sequences.Show less