CWE-193 (Off-by-one Error) — Vulnerability Class 58

58 vulnerabilities classified as CWE-193 (Off-by-one Error). AI Chinese analysis included.

CWE-193 represents an off-by-one error, a logic flaw where a product calculates or utilizes an incorrect maximum or minimum value that is exactly one unit greater or lesser than the correct limit. This weakness typically arises in boundary conditions during array indexing, loop iterations, or buffer allocation, leading to memory corruption or unexpected program termination. Attackers exploit these miscalculations to trigger buffer overflows, allowing them to overwrite adjacent memory structures with malicious payloads. By exceeding intended bounds, adversaries can execute arbitrary code, escalate privileges, or cause denial-of-service conditions. To prevent such vulnerabilities, developers must rigorously validate boundary conditions, employ static analysis tools to detect logic errors, and use high-level languages with automatic bounds checking. Additionally, thorough code reviews focusing on loop limits and array accesses ensure that integer arithmetic accurately reflects the intended data structure sizes, thereby eliminating the discrepancy that enables exploitation.

MITRE CWE Description
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
Common Consequences (3)
Scope: Availability. Impact: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Instability
This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Scope: Integrity. Impact: Modify Memory
If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Scope: Confidentiality, Availability, Access Control. Impact: Execute Unauthorized Code or Commands; Bypass Protection Mechanism
This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
Mitigations (1)
Phase: Implementation. When copying character arrays or using character manipulation methods, the correct size parameter must be used to account for the null terminator that needs to be added at the end of the array. Some examples of functions susceptible to this weakness in C include strcpy(), strncpy(), strcat(), strncat(), printf(), sprintf(), scanf() and sscanf().
Examples (2)
The following code allocates memory for a maximum number of widgets. It then gets a user-specified number of widgets, making sure that the user does not request too many. It then initializes the elements of the array using InitializeWidget(). Because the number of widgets can vary for each request, the code inserts a NULL pointer to signify the location of the last widget.

    int i;
    unsigned int numWidgets;
    Widget **WidgetList;

    numWidgets = GetUntrustedSizeValue();
    if ((numWidgets == 0) || (numWidgets > MAX_NUM_WIDGETS)) {
        ExitError("Incorrect number of widgets requested!");
    }
    /* Space for numWidgets pointers only: valid indices are 0 .. numWidgets-1 */
    WidgetList = (Widget **)malloc(numWidgets * sizeof(Widget *));
    printf("WidgetList ptr=%p\n", WidgetList);
    for (i = 0; i < numWidgets; i++) {
        WidgetList[i] = InitializeWidget();
    }
    /* Off-by-one: index numWidgets is one element past the end of the allocation */
    WidgetList[numWidgets] = NULL;
    showWidgets(WidgetList);

Bad · C
In this example, the code does not account for the terminating null character, and it writes one byte beyond the end of the buffer.

    char firstname[20];
    char lastname[20];
    char fullname[40];

    fullname[0] = '\0';

    strncat(fullname, firstname, 20);
    /* Appends up to 20 more characters plus a NUL: 41 bytes into a 40-byte buffer */
    strncat(fullname, lastname, 20);

Bad · C

    char firstname[20];
    char lastname[20];
    char fullname[40];

    fullname[0] = '\0';

    /* Limit each append to the space left in fullname, minus 1 for the NUL */
    strncat(fullname, firstname, sizeof(fullname)-strlen(fullname)-1);
    strncat(fullname, lastname, sizeof(fullname)-strlen(fullname)-1);

Good · C
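
The widget-list example above is shown only in its bad form. The following is an added example, not code from MITRE or from this page, of one way to write it so the NULL sentinel has a slot of its own. The value of MAX_NUM_WIDGETS, the Widget layout, the id argument to InitializeWidget(), and the helper names build_widget_list, count_widgets and free_widget_list are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_NUM_WIDGETS 8   /* assumed limit; the page does not give a value */
typedef struct { unsigned int id; } Widget;   /* hypothetical stand-in type */

/* Stand-in for the page's InitializeWidget(): allocates one widget. */
static Widget *InitializeWidget(unsigned int id) {
    Widget *w = malloc(sizeof *w);
    if (w != NULL) w->id = id;
    return w;
}

static void free_widget_list(Widget **list) {
    if (list == NULL) return;
    for (size_t i = 0; list[i] != NULL; i++) free(list[i]);
    free(list);
}

/* Returns a NULL-terminated list of n widgets, or NULL if n is out of range
 * or allocation fails. The list holds n + 1 pointers: n widgets plus the
 * terminating NULL that the bad version never reserved space for. */
Widget **build_widget_list(unsigned int n) {
    if (n == 0 || n > MAX_NUM_WIDGETS) return NULL;
    Widget **list = calloc((size_t)n + 1, sizeof *list);  /* +1 for sentinel */
    if (list == NULL) return NULL;
    for (unsigned int i = 0; i < n; i++) {      /* valid widget indices: 0 .. n-1 */
        list[i] = InitializeWidget(i);
        if (list[i] == NULL) { free_widget_list(list); return NULL; }
    }
    list[n] = NULL;   /* index n is now inside the allocation */
    return list;
}

/* Walks to the sentinel, as a consumer such as showWidgets() would. */
size_t count_widgets(Widget **list) {
    size_t n = 0;
    while (list[n] != NULL) n++;
    return n;
}

int main(void) {
    Widget **list = build_widget_list(MAX_NUM_WIDGETS);
    if (list == NULL) return 1;
    printf("widgets=%zu\n", count_widgets(list));
    free_widget_list(list);
    return 0;
}
```

The boundary request of exactly MAX_NUM_WIDGETS is the case to test, since that is where the bad version writes past the allocation.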

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-44603 | Tor <0.4.9.7 out-of-bounds read vulnerability — Tor | 3.7 | Low | 2026-05-07 |
| CVE-2026-7572 | Velociraptor EVTX Parser — Process Crash via Crafted .evtx File — velociraptor | 4.4 | Medium | 2026-05-06 |
| CVE-2026-43964 | Postfix multiple versions: buffer overflow leading to crash — Postfix | 3.7 | Low | 2026-05-04 |
| CVE-2026-43860 | mutt <2.3.2 hash truncation vulnerability — mutt | 3.7 | Low | 2026-05-04 |
| CVE-2026-40254 | FreeRDP: contains_dotdot() off-by-one allows drive channel path traversal via terminal .. — FreeRDP | 4.2 | Medium | 2026-04-24 |
| CVE-2026-6861 | Emacs: emacs: memory corruption vulnerability when processing svg css — Red Hat Enterprise Linux 10 | 6.1 | Medium | 2026-04-22 |
| CVE-2026-40312 | ImageMagick: Off-by-One in MSL decoder could result in crash — ImageMagick | 6.2 | Medium | 2026-04-13 |
| CVE-2026-33997 | Moby: Off-by-one error in plugin privilege validation — moby | 6.8 | Medium | 2026-03-31 |
| CVE-2026-5123 | osrg GoBGP bgp.go DecodeFromBytes off-by-one — GoBGP | 3.7 | Low | 2026-03-30 |
| CVE-2026-22593 | EVerest has off-by-one stack buffer overflow in IsoMux certificate filename parsing — everest-core | 8.4 | High | 2026-03-26 |
| CVE-2026-4887 | Gimp: gimp:memory disclosure and denial of service via specially crafted pcx image — Red Hat Enterprise Linux 6 | 6.1 | Medium | 2026-03-26 |
| CVE-2026-34085 | fontconfig security vulnerability — fontconfig | 5.9 | Medium | 2026-03-25 |
| CVE-2006-10003 | XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack — XML::Parser | 8.1 | - | 2026-03-19 |
| CVE-2026-28520 | arduino-TuyaOpen WiFiMulti Single-Byte Buffer Overflow Remote Code Execution — arduino-TuyaOpen | 8.4 | High | 2026-03-15 |
| CVE-2026-31988 | yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser — yauzl | 5.3 | Medium | 2026-03-11 |
| CVE-2026-26309 | Envoy has an off-by-one write in JsonEscaper::escapeString() — envoy | 5.3 | Medium | 2026-03-10 |
| CVE-2026-2703 | xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one — xlnt | 3.3 | Low | 2026-02-19 |
| CVE-2026-21870 | The BACnet Protocol Stack library has an Off-by-one Stack-based Buffer Overflow in tokenizer_string — bacnet-stack | 5.5 | Medium | 2026-02-13 |
| CVE-2025-11215 | Google Chrome security vulnerability — Chrome | 8.8 (AI) | High (AI) | 2025-11-06 |
| CVE-2025-54349 | iperf security vulnerability — iperf3 | 6.5 | Medium | 2025-08-03 |
| CVE-2025-52497 | Mbed TLS security vulnerability — mbedtls | 4.8 | Medium | 2025-07-04 |
| CVE-2025-47711 | Nbdkit: nbdkit-server: off-by-one error when processing block status may lead to a denial of service | 6.5 | Medium | 2025-06-09 |
| CVE-2025-43973 | GoBGP security vulnerability — GoBGP | 6.8 | Medium | 2025-04-21 |
| CVE-2025-43971 | GoBGP security vulnerability — GoBGP | 8.6 | High | 2025-04-21 |
| CVE-2025-30742 | ATOPHTTPD security vulnerability — atophttpd | 5.3 | Medium | 2025-03-26 |
| CVE-2024-10442 | Synology Replication Service security vulnerability — Unified Controller (DSMUC) | 10.0 | Critical | 2025-03-19 |
| CVE-2024-57259 | DENX Software Engineering Das U-Boot security vulnerability — U-Boot | 7.1 | High | 2025-02-18 |
| CVE-2024-48854 | Vulnerabilities in TIFF and PCX Image Codecs Impact QNX Software Development Platform — QNX Software Development Platform (SDP) | 5.3 | Medium | 2025-01-14 |
| CVE-2024-51554 | off-by-one-error — ASPECT-Enterprise | 9.1 | Critical | 2024-12-05 |
| CVE-2024-45796 | Suricata defrag: off by one can lead to policy bypass — suricata | 5.3 | Medium | 2024-10-16 |

Vulnerabilities classified as CWE-193 (Off-by-one Error) represent 58 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.