CVEbaza.plCWE DictionaryCWE-823
Common Weakness Enumeration

CWE-823

Use of Out-of-range Pointer Offset

Category: BaseCVE: 100
Description

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

CVE vulnerabilities with CWE-823 (100)
9.8
CVSS
CRITICAL
CVE-2017-11076

On some hardware revisions where VP9 decoding is hardware-accelerated, the frame size is not programmed correctly into the decoder hardware which can lead to an invalid memory access by the decoder.

pub. 2024-11-26
9.8
CVSS
CRITICAL
CVE-2023-43553

Memory corruption while parsing beacon/probe response frame when AP sends more supported links in MLIE.

pub. 2024-03-04
9.8
CVSS
CRITICAL
CVE-2023-22388

Memory Corruption in Multi-mode Call Processor while processing bit mask API.

pub. 2023-11-07
9.8
CVSS
CRITICAL
CVE-2023-24855

Memory corruption in Modem while processing security related configuration before AS Security Exchange.

pub. 2023-10-03
9.6
CVSS
CRITICAL
CVE-2026-21732

A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger a write out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device. An edge case using a very large value in switch statements in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write access.

pub. 2026-03-20
9.1
CVSS
CRITICAL
CVE-2026-46244

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_inner: Fix IPv6 inner_thoff desync In nft_inner_parse_l2l3(), when processing inner IPv6 packets, ipv6_find_hdr() correctly computes the transport header offset traversing all extension headers, but the result is immediately overwritten with nhoff + sizeof(_ip6h) (40 bytes), which only accounts for the IPv6 base header. This creates a desync between inner_thoff (wrong — points to extension header start) and l4proto (correct — e.g., IPPROTO_TCP), enabling transport header forgery and potential firewall bypass. This issue affects stable versions from Linux 6.2. For comparison, the normal (non-inner) IPv6 path correctly preserves ipv6_find_hdr()'s result. Removing the incorrect overwrite ensures that ipv6_find_hdr()'s calculated transport header offset is preserved, thereby fixing the desynchronization.

pub. 2026-06-03
8.8
CVSS
HIGH
CVE-2025-27059

Memory corruption while performing SCM call.

pub. 2025-10-09
8.8
CVSS
HIGH
CVE-2024-42416

The ctl_report_supported_opcodes function did not sufficiently validate a field provided by userspace, allowing an arbitrary write to a limited amount of kernel help memory. Malicious software running in a guest VM that exposes virtio_scsi can exploit the vulnerabilities to achieve code execution on the host in the bhyve userspace process, which typically runs as root. Note that bhyve runs in a Capsicum sandbox, so malicious code is constrained by the capabilities available to the bhyve process. A malicious iSCSI initiator could achieve remote code execution on the iSCSI target host.

pub. 2024-09-05
8.8
CVSS
HIGH
CVE-2022-0729

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440.

pub. 2022-02-23
8.6
CVSS
HIGH
CVE-2017-20211

UCanCode E-XD++ Visualization Enterprise Suite contains an untrusted pointer dereference vulnerability via the TKDRAWCAD.TKDrawCADCtrl.1 ActiveX control. This is because it exposes a RotateShape method that dereferences a user-supplied pointer without sufficient validation. A crafted input may cause the control to dereference an attacker-controlled pointer, enabling remote code execution in the context of the hosting process. The vulnerability requires user interaction (instantiation of the ActiveX control via a web page or a file).

pub. 2025-11-12
8.6
CVSS
HIGH
CVE-2023-43534

Memory corruption while validating the TID to Link Mapping action request frame, when a station connects to an access point.

pub. 2024-02-06
8.6
CVSS
HIGH
CVE-2023-46724

Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.

pub. 2023-11-01
8.6
CVSS
HIGH
CVE-2023-20187

A vulnerability in the Multicast Leaf Recycle Elimination (mLRE) feature of Cisco IOS XE Software for Cisco ASR 1000 Series Aggregation Services Routers could allow an unauthenticated, remote attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect handling of certain IPv6 multicast packets when they are fanned out more than seven times on an affected device. An attacker could exploit this vulnerability by sending a specific IPv6 multicast or IPv6 multicast VPN (MVPNv6) packet through the affected device. A successful exploit could allow the attacker to cause a reload of the affected device, resulting in a DoS condition.

pub. 2023-09-27
8.4
CVSS
HIGH
CVE-2023-33066

Memory corruption in Audio while processing RT proxy port register driver.

pub. 2024-03-04
8.4
CVSS
HIGH
CVE-2023-33033

Memory corruption in Audio during playback with speaker protection.

pub. 2024-01-02
8.4
CVSS
HIGH
CVE-2023-33106

Memory corruption while submitting a large list of sync points in an AUX command to the IOCTL_KGSL_GPU_AUX_COMMAND.

pub. 2023-12-05🚩 CISA KEV⚡ EXPLOIT
8.4
CVSS
HIGH
CVE-2022-25694

Memory corruption in Modem due to usage of Out-of-range pointer offset in UIM

pub. 2023-03-10
8.4
CVSS
HIGH
CVE-2022-25709

Memory corruption in modem due to use of out of range pointer offset while processing qmi msg

pub. 2023-03-10
8.3
CVSS
HIGH
CVE-2026-42946

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to read the memory of the NGINX worker process or restart it.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

pub. 2026-05-13
8.2
CVSS
HIGH
CVE-2026-32829

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

pub. 2026-03-20
Showing 20 of 100 vulnerabilities
Information
ID: CWE-823
Type: Base
Vulnerabilities: 100
MITRE CWE ↗
← CWE Dictionary