Vulnerabilities > Incorrect Calculation of Buffer Size
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-11-19 | CVE-2017-13315 | Incorrect Calculation of Buffer Size vulnerability in Google Android In writeToParcel and createFromParcel of DcParamObject.java, there is a permission bypass due to a write size mismatch. | 7.8 |
2024-09-13 | CVE-2024-46684 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: binfmt_elf_fdpic: fix AUXV size calculation when ELF_HWCAP2 is defined create_elf_fdpic_tables() does not correctly account the space for the AUX vector when an architecture has ELF_HWCAP2 defined. | 5.5 |
2024-08-21 | CVE-2022-48889 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof-nau8825: fix module alias overflow The maximum name length for a platform_device_id entry is 20 characters including the trailing NUL byte. | 5.5 |
2024-08-17 | CVE-2024-43843 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: riscv, bpf: Fix out-of-bounds issue when preparing trampoline image We get the size of the trampoline image during the dry run phase and allocate memory based on that size. | 7.8 |
2024-08-14 | CVE-2024-42259 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Fix Virtual Memory mapping boundaries calculation Calculating the size of the mapped area as the lesser value between the requested size and the actual size does not consider the partial mapping offset. | 5.5 |
2024-04-03 | CVE-2024-26752 | Incorrect Calculation of Buffer Size vulnerability in multiple products In the Linux kernel, the following vulnerability has been resolved: l2tp: pass correct message length to ip6_append_data l2tp_ip6_sendmsg needs to avoid accounting for the transport header twice when splicing more data into an already partially-occupied skbuff. To manage this, we check whether the skbuff contains data using skb_queue_empty when deciding how much data to append using ip6_append_data. However, the code which performed the calculation was incorrect: ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0; ...due to C operator precedence, this ends up setting ulen to transhdrlen for messages with a non-zero length, which results in corrupted packets on the wire. Add parentheses to correct the calculation in line with the original intent. | 5.5 |
2024-04-03 | CVE-2024-26721 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: drm/i915/dsc: Fix the macro that calculates DSCC_/DSCA_ PPS reg address Commit bd077259d0a9 ("drm/i915/vdsc: Add function to read any PPS register") defines a new macro to calculate the DSC PPS register addresses with PPS number as an input. | 5.5 |
2024-03-11 | CVE-2024-27237 | Incorrect Calculation of Buffer Size vulnerability in Google Android In wipe_ns_memory of nsmemwipe.c, there is a possible incorrect size calculation due to a logic error in the code. | 5.5 |
2024-02-27 | CVE-2021-46943 | Incorrect Calculation of Buffer Size vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: media: staging/intel-ipu3: Fix set_fmt error handling If there in an error during a set_fmt, do not overwrite the previous sizes with the invalid config. Without this patch, v4l2-compliance ends up allocating 4GiB of RAM and causing the following OOPs [ 38.662975] ipu3-imgu 0000:00:05.0: swiotlb buffer is full (sz: 4096 bytes) [ 38.662980] DMA: Out of SW-IOMMU space for 4096 bytes at device 0000:00:05.0 [ 38.663010] general protection fault: 0000 [#1] PREEMPT SMP | 7.8 |
2024-02-14 | CVE-2024-23805 | Incorrect Calculation of Buffer Size vulnerability in F5 products Undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. | 7.5 |