← Back
CWE-131

205 CVEs • Abstraction: Base • Likelihood of Exploit: High

Incorrect Calculation of Buffer Size

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

JSON object

Loading...

CVEs (205)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1Juniper
2Junos
Junos Os Evolved
Jun 17, 2026
Jul 11, 2025
7.1 HIGH· v4
6.5 MEDIUM· v3
N/A· v2
An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause a memory corruption that l...Show more
An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause a memory corruption that leads to a rpd crash.  When the logical interface using a routing instance flaps continuously, specific updates are sent to the jflow/sflow modules. This results in memory corruption, leading to an rpd crash and restart.  Continued receipt of these specific updates will cause a sustained Denial of Service condition. This issue affects Junos OS: * All versions before 21.2R3-S9, * All versions of 21.4, * All versions of 22.2, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2. Junos OS Evolved:  * All versions of 21.2-EVO,  * All versions of 21.4-EVO,  * All versions of 22.2-EVO,  * from 22.4 before 22.4R3-S7-EVO,  * from 23.2 before 23.2R2-S3-EVO,  * from 23.4 before 23.4R2-S4-EVO,  * from 24.2 before 24.2R2-EVO.Show less
1Qualcomm
337215 Mobile Firmware
315 5g Iot Modem FirmwareAqt1000 Firmware+334 more
Jun 17, 2026
Jul 8, 2025
N/A· v4
7.8 HIGH· v3
N/A· v2
Memory corruption while processing video packets received from video firmware.
-
-
Jun 17, 2026
May 2, 2025
7.8 HIGH· v4
N/A· v3
N/A· v2
OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highes...Show more
OpenVM is a performant and modular zkVM framework built for customization and extensibility. In version 1.0.0, OpenVM is vulnerable to overflow through byte decomposition of pc in AUIPC chip. A typo results in the highest limb of pc being range checked to 8-bits instead of 6-bits. This results in the if statement never being triggered because the enumeration gives i=0,1,2, when instead the enumeration should give i=1,2,3, leaving pc_limbs[3] range checked to 8-bits instead of 6-bits. This leads to a vulnerability where the pc_limbs decomposition differs from the true pc, which means a malicious prover can make the destination register take a different value than the AUIPC instruction dictates, by making the decomposition overflow the BabyBear field. This issue has been patched in version 1.1.0.Show less
2Quickjs Ng
Quickjs Project
2Quickjs
Quickjs
Jun 17, 2026
Apr 27, 2025
N/A· v4
8.4 HIGH· v3
N/A· v2
quickjs-ng through 0.9.0 has an incorrect size calculation in JS_ReadBigInt for a BigInt, leading to a heap-based buffer overflow. QuickJS before 2025-04-26 is also affected.
1Imagemagick
1Imagemagick
Jun 17, 2026
Apr 23, 2025
N/A· v4
5.3 MEDIUM· v3
N/A· v2
In multispectral MIFF image processing in ImageMagick before 7.1.1-44, packet_size is mishandled (related to the rendering of all channels in an arbitrary order).
2Debian
Imagemagick
2Debian Linux
Imagemagick
Jun 17, 2026
Apr 23, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used.
2Netapp
Php
2Ontap
Php
Jun 17, 2026
Mar 30, 2025
6.3 MEDIUM· v4
9.8 CRITICAL· v3
N/A· v2
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value...Show more
In PHP from 8.1.* before 8.1.32, from 8.2.* before 8.2.28, from 8.3.* before 8.3.19, from 8.4.* before 8.4.5, when parsing HTTP redirect in the response to an HTTP request, there is currently limit on the location value size caused by limited size of the location buffer to 1024. However as per RFC9110, the limit is recommended to be 8000. This may lead to incorrect URL truncation and redirecting to a wrong location.Show less
1Openbsd
1Openbsd
Jun 17, 2026
Mar 20, 2025
7.1 HIGH· v4
6.5 MEDIUM· v3
N/A· v2
In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash.
-
-
Jun 17, 2026
Jan 22, 2025
N/A· v4
6.2 MEDIUM· v3
N/A· v2
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the mes...Show more
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.Show less
-
-
Jun 17, 2026
Jan 17, 2025
8.7 HIGH· v4
7.5 HIGH· v3
N/A· v2
CWE-131: Incorrect Calculation of Buffer Size vulnerability exists that could cause Denial-of-Service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.
-
-
Jun 17, 2026
Jan 7, 2025
N/A· v4
7.5 HIGH· v3
N/A· v2
In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is i...Show more
In SiWx91x devices, the SHA2/224 algorithm returns a hash of 256 bits instead of 224 bits. This incorrect hash length triggers a software assertion, which subsequently causes a Denial of Service (DoS). If a watchdog is implemented, device will restart after watch dog expires. If watchdog is not implemented, device can be recovered only after a hard resetShow less
1Google
1Android
Dec 18, 2024
Nov 19, 2024
N/A· v4
7.8 HIGH· v3
N/A· v2
In writeToParcel and createFromParcel of DcParamObject.java, there is a permission bypass due to a write size mismatch. This could lead to an elevation of privileges where the user can start an activity with system privi...Show more
In writeToParcel and createFromParcel of DcParamObject.java, there is a permission bypass due to a write size mismatch. This could lead to an elevation of privileges where the user can start an activity with system privileges, with no additional execution privileges needed. User interaction is not needed for exploitation.Show less
1Justdan96
1Tsmuxer
Jun 17, 2026
Nov 14, 2024
N/A· v4
6.5 MEDIUM· v3
N/A· v2
A negative-size-param in tsMuxer version nightly-2024-04-05-01-53-02 allows attackers to cause Denial of Service (DoS) via a crafted TS video file.
1Level1
1Wbr 6012 Firmware
Jun 17, 2026
Oct 30, 2024
N/A· v4
7.5 HIGH· v3
N/A· v2
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access...Show more
The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure and operate. In addition to providing a WiFi access point, the device serves as a 4-port wired router and implements a variety of common SOHO router capabilities such as port forwarding, quality-of-service, web-based administration, a DHCP server, a basic DMZ, and UPnP capabilities.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Sep 18, 2024
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix incorrect size calculation for loop [WHY] fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is lager than the...Show more
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix incorrect size calculation for loop [WHY] fe_clk_en has size of 5 but sizeof(fe_clk_en) has byte size 20 which is lager than the array size. [HOW] Divide byte size 20 by its element size. This fixes 2 OVERRUN issues reported by Coverity.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Sep 13, 2024
N/A· v4
5.5 MEDIUM· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined create_elf_fdpic_tables() does not correctly account the space for the AUX vect...Show more
In the Linux kernel, the following vulnerability has been resolved: binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. Prior to the commit 10e29251be0e ("binfmt_elf_fdpic: fix /proc/<pid>/auxv") it resulted in the last entry of the AUX vector being set to zero, but with that change it results in a kernel BUG. Fix that by adding one to the number of AUXV entries (nitems) when ELF_HWCAP2 is defined.Show less
-
-
Jun 17, 2026
Sep 11, 2024
N/A· v4
4.6 MEDIUM· v3
N/A· v2
Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading to a denial of s...Show more
Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading to a denial of service. This issue affects: Controller 6000 and Controller 7000 9.10 prior to vCR9.10.240816a (distributed in 9.10.1530 (MR2)), 9.00 prior to vCR9.00.240816a (distributed in 9.00.2168 (MR4)), 8.90 prior to vCR8.90.240816a (distributed in 8.90.2155 (MR5)), 8.80 prior to vCR8.80.240816b (distributed in 8.80.1938 (MR6)), all versions of 8.70 and prior.Show less
1Freebsd
1Freebsd
Jun 17, 2026
Sep 5, 2024
N/A· v4
7.5 HIGH· v3
N/A· v2
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.
1Linux
1Linux Kernel
Jun 17, 2026
Aug 21, 2024
N/A· v4
5.5 MEDIUM· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof-nau8825: fix module alias overflow The maximum name length for a platform_device_id entry is 20 characters including the trailing NUL...Show more
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof-nau8825: fix module alias overflow The maximum name length for a platform_device_id entry is 20 characters including the trailing NUL byte. The sof_nau8825.c file exceeds that, which causes an obscure error message: sound/soc/intel/boards/snd-soc-sof_nau8825.mod.c:35:45: error: illegal character encoding in string literal [-Werror,-Winvalid-source-encoding] MODULE_ALIAS("platform:adl_max98373_nau8825<U+0018><AA>"); ^~~~ include/linux/module.h:168:49: note: expanded from macro 'MODULE_ALIAS' ^~~~~~ include/linux/module.h:165:56: note: expanded from macro 'MODULE_INFO' ^~~~ include/linux/moduleparam.h:26:47: note: expanded from macro '__MODULE_INFO' = __MODULE_INFO_PREFIX __stringify(tag) "=" info I could not figure out how to make the module handling robust enough to handle this better, but as a quick fix, using slightly shorter names that are still unique avoids the build issue.Show less
1Linux
1Linux Kernel
Jun 17, 2026
Aug 17, 2024
N/A· v4
7.8 HIGH· v3
N/A· v2
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix out-of-bounds issue when preparing trampoline image We get the size of the trampoline image during the dry run phase and allocate memo...Show more
In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix out-of-bounds issue when preparing trampoline image We get the size of the trampoline image during the dry run phase and allocate memory based on that size. The allocated image will then be populated with instructions during the real patch phase. But after commit 26ef208c209a ("bpf: Use arch_bpf_trampoline_size"), the `im` argument is inconsistent in the dry run and real patch phase. This may cause emit_imm in RV64 to generate a different number of instructions when generating the 'im' address, potentially causing out-of-bounds issues. Let's emit the maximum number of instructions for the "im" address during dry run to fix this problem.Show less