CWE-131 (Incorrect Calculation of Buffer Size) — Vulnerability Class 82

82 vulnerabilities classified as CWE-131 (Incorrect Calculation of Buffer Size). AI Chinese analysis included.

CWE-131 represents a critical logic error where software fails to accurately determine the necessary memory allocation size for a buffer. This miscalculation typically stems from using incorrect data types, ignoring header overhead, or neglecting null terminators during size computations. Attackers exploit this vulnerability by crafting inputs that exceed the allocated memory space, triggering a buffer overflow. This overflow allows malicious actors to overwrite adjacent memory, potentially executing arbitrary code, crashing the application, or gaining unauthorized system access. To prevent such exploits, developers must rigorously validate input lengths and employ safe, bounds-checking functions like strncpy or snprintf instead of unsafe alternatives. Additionally, utilizing static analysis tools and conducting thorough code reviews can help identify arithmetic errors in memory allocation logic before deployment, ensuring that buffer sizes accurately reflect the actual data requirements.

MITRE CWE Description
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Common Consequences (1)
Integrity, Availability, Confidentiality: DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Read Memory; Modify Memory
If the incorrect calculation is used in the context of memory allocation, then the software may create a buffer that is smaller or larger than expected. If the allocated buffer is smaller than expected, this could lead to an out-of-bounds read or write (CWE-119), possibly causing a crash, allowing a…
Mitigations (5)
Implementation: When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
Implementation: Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]…
Implementation: Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Implementation: When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
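The worst-case sizing rule from the first mitigation, as an added example that is not part of the MITRE entry or this page. It goes beyond the "&" case to three more characters, so the growth factor is derived from the entity table (6 for "&quot;") instead of being hard-coded as 5; the table and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Entity table constructed for this example. */
struct entity { char ch; const char *rep; };
static const struct entity ENTITIES[] = {
    { '&', "&amp;" }, { '<', "&lt;" }, { '>', "&gt;" }, { '"', "&quot;" },
};
#define N_ENTITIES (sizeof ENTITIES / sizeof ENTITIES[0])

/* Worst-case growth per input byte: length of the longest replacement. */
static size_t max_expansion(void) {
    size_t max = 1;
    for (size_t i = 0; i < N_ENTITIES; i++)
        if (strlen(ENTITIES[i].rep) > max) max = strlen(ENTITIES[i].rep);
    return max;
}

/* Returns a malloc'd escaped copy of `in`, or NULL on overflow or OOM. */
char *html_escape(const char *in) {
    size_t len = strlen(in), factor = max_expansion(), o = 0;
    /* Refuse lengths where len * factor + 1 would wrap past SIZE_MAX. */
    if (len > (SIZE_MAX - 1) / factor) return NULL;
    char *out = malloc(len * factor + 1);    /* +1 for the terminating NUL */
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        for (size_t e = 0; e < N_ENTITIES; e++)
            if (ENTITIES[e].ch == in[i]) rep = ENTITIES[e].rep;
        if (rep != NULL) {                   /* expand into the reserved space */
            memcpy(out + o, rep, strlen(rep));
            o += strlen(rep);
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    char *s = html_escape("Tom & \"Jerry\" <3");
    if (s != NULL) puts(s);
    free(s);
    return 0;
}
```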
Examples (2)
The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.
    int i;
    unsigned int numWidgets;
    Widget **WidgetList;

    numWidgets = GetUntrustedSizeValue();
    if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
        ExitError("Incorrect number of widgets requested!");
    }
    WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
    printf("WidgetList ptr=%p\n", WidgetList);
    for(i=0; i<numWidgets; i++) {
        WidgetList[i] = InitializeWidget();
    }
    WidgetList[numWidgets] = NULL;
    showWidgets(WidgetList);
Bad · C
The following image processing code allocates a table for images.
    img_t *table_ptr; /* table of structs containing img data, 10kB each */
    int num_imgs;
    ...
    num_imgs = get_num_imgs(); /* no range check before the multiplication below */
    table_ptr = (img_t *)malloc(sizeof(img_t) * num_imgs);
    ...
Bad · C
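Corrected size calculations for the two snippets above, as an added example that is not part of the MITRE entry or this page. The first snippet allocates numWidgets pointers but writes the NULL terminator at index numWidgets, one slot past the end; the second multiplies an unchecked count by a 10kB element size. The value of MAX_NUM_WIDGETS, the stand-in types and the helper names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_NUM_WIDGETS 100                   /* assumed limit */
typedef struct { int id; } Widget;            /* stand-in type */
typedef struct { unsigned char data[10 * 1024]; } img_t;   /* 10kB each */

static Widget pool[MAX_NUM_WIDGETS];          /* stands in for InitializeWidget() */

/* count * size without wraparound; returns 0 if the product does not fit. */
static int checked_mul(size_t count, size_t size, size_t *out) {
    if (size != 0 && count > SIZE_MAX / size) return 0;
    *out = count * size;
    return 1;
}

/* numWidgets pointers plus one extra slot for the NULL terminator. */
Widget **alloc_widget_list(unsigned int numWidgets) {
    size_t bytes;
    if (numWidgets == 0 || numWidgets > MAX_NUM_WIDGETS) return NULL;
    if (!checked_mul((size_t)numWidgets + 1, sizeof(Widget *), &bytes)) return NULL;
    Widget **list = malloc(bytes);
    if (list == NULL) return NULL;
    for (unsigned int i = 0; i < numWidgets; i++) list[i] = &pool[i];
    list[numWidgets] = NULL;                  /* now inside the allocation */
    return list;
}

/* Image table: reject non-positive counts, then check the multiplication. */
img_t *alloc_img_table(int num_imgs) {
    size_t bytes;
    if (num_imgs <= 0) return NULL;
    if (!checked_mul((size_t)num_imgs, sizeof(img_t), &bytes)) return NULL;
    return malloc(bytes);
}

int main(void) {
    Widget **w = alloc_widget_list(3);
    img_t *t = alloc_img_table(-1);           /* rejected: returns NULL */
    printf("list=%s table=%s\n", w ? "allocated" : "NULL", t ? "allocated" : "NULL");
    free(w);
    free(t);
    return 0;
}
```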
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-1949 | Incorrect calculation of buffer size on the stack in AS320T — AS320T | 9.8 | Critical | 2026-04-24 |
| CVE-2026-41197 | Brillig: Heap corruption in foreign call results with nested tuple arrays — noir | 9.8 (AI) | Critical (AI) | 2026-04-23 |
| CVE-2026-40918 | Gimp: gimp: denial of service via crafted pvr image file — Red Hat Enterprise Linux 6 | 5.5 | Medium | 2026-04-15 |
| CVE-2026-20911 | Libraw security vulnerability — LibRaw | 9.8 | Critical | 2026-04-07 |
| CVE-2025-33216 | NVIDIA SNAP-4 Container security vulnerability — SNAP-4 Container | 6.8 | Medium | 2026-03-24 |
| CVE-2019-25555 | TwistedBrush Pro Studio 24.06 Script Recorder Denial of Service — TwistedBrush Pro Studio | 6.2 | Medium | 2026-03-21 |
| CVE-2026-20049 | Cisco Secure Firewall Adaptive Security Appliance and Cisco Secure Firewall Threat Defense security vulnerability — Cisco Secure Firewall Adaptive Security Appliance (ASA) Software | 7.7 | High | 2026-03-04 |
| CVE-2026-2738 | OpenVPN ovpn-dco-win security vulnerability — ovpn-dco-win | 5.5 (AI) | Medium (AI) | 2026-02-19 |
| CVE-2025-33124 | Fixes to common vulnerabilities found in IBM Db2 Merge Backup for Linux, UNIX and Windows — DB2 Merge Backup for Linux, UNIX and Windows | 6.5 | Medium | 2026-02-17 |
| CVE-2026-1188 | Eclipse OMR security vulnerability — Eclipse OMR | 9.8 (AI) | Critical (AI) | 2026-01-29 |
| CVE-2026-22791 | openCryptoki incorrectly calculates the buffer size in C_WrapKey with CKM_ECDH_AES_KEY_WRAP — opencryptoki | 6.6 | Medium | 2026-01-13 |
| CVE-2025-66216 | AIS-catcher has a Buffer Overflow vulnerability in `AIS::Message` leading to DoS/RCE — AIS-catcher | 9.8 | - | 2025-11-29 |
| CVE-2025-61661 | Grub2: grub2: out-of-bounds write via malicious usb device — grub2 | 4.8 | Medium | 2025-11-18 |
| CVE-2025-27074 | Incorrect Calculation of Buffer Size in SCE-Mink — Snapdragon | 8.8 | High | 2025-11-04 |
| CVE-2025-33126 | Fixes to common vulnerabilities found in IBM Db2 High Performance Unload — DB2 High Performance Unload | 6.5 | Medium | 2025-10-27 |
| CVE-2025-27053 | Incorrect Calculation of Buffer Size in HLOS — Snapdragon | 7.8 | High | 2025-10-09 |
| CVE-2025-52955 | Junos OS and Junos OS Evolved: When jflow/sflow is configured continuous logical interface flaps causes rpd crash and restart — Junos OS | 6.5 | Medium | 2025-07-11 |
| CVE-2025-27042 | Incorrect Calculation of Buffer Size in Video — Snapdragon | 7.8 | High | 2025-07-08 |
| CVE-2025-46723 | OpenVM byte decomposition of pc in AUIPC chip can overflow — openvm | 9.8 (AI) | Critical (AI) | 2025-05-02 |
| CVE-2025-46688 | QuickJS security vulnerability — QuickJS | 5.6 | Medium | 2025-04-27 |
| CVE-2025-43965 | ImageMagick security vulnerability — ImageMagick | 2.9 | Low | 2025-04-23 |
| CVE-2025-46393 | ImageMagick security vulnerability — ImageMagick | 2.9 | Low | 2025-04-23 |
| CVE-2025-1861 | Stream HTTP wrapper truncates redirect location to 1024 bytes — PHP | 6.5 | - | 2025-03-30 |
| CVE-2025-30334 | OpenBSD wg(4) kernel crash — OpenBSD | 6.5 | Medium | 2025-03-20 |
| CVE-2025-0395 | GNU C Library security vulnerability — glibc | 9.8 | - | 2025-01-22 |
| CVE-2024-11425 | Schneider Electric Modicon M580 security vulnerability — Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety) | 7.5 | High | 2025-01-17 |
| CVE-2024-8361 | DoS caused due to wrong hash length returned for SHA2/224 algorithm — WiSeConnect SDK | 7.5 | High | 2025-01-07 |
| CVE-2024-28052 | LevelOne WBR-6012 security vulnerability — WBR-6012 | 5.3 | Medium | 2024-10-30 |
| CVE-2024-39808 | Controller 6000 and Controller 7000 security vulnerability — Controller 6000 and Controller 7000 | 4.6 | Medium | 2024-09-11 |
| CVE-2024-45287 | Multiple vulnerabilities in libnv — FreeBSD | 7.5 (AI) | High (AI) | 2024-09-05 |

Vulnerabilities classified as CWE-131 (Incorrect Calculation of Buffer Size) represent 82 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.