CWE-193: Off-by-one Error — known CVE vulnerabilities
CVEs classified under CWE-193 (Off-by-one Error), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-10442 — CVSS 10.0 (critical): Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066, 1.2.2-0353 and 1.3.0-0423…
CVE-2026-53309 — CVSS 9.8 (critical): In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The…
CVE-2024-38441 — CVSS 9.8 (critical): Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in…
CVE-2023-46853 — CVSS 9.8 (critical): In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used instead of \r\n.
CVE-2023-38429 — CVSS 9.8 (critical): An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in memory allocation…
CVE-2022-34970 — CVSS 9.8 (critical): Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h. On successful exploitation this…
CVE-2021-21938 — CVSS 9.8 (critical): A heap-based buffer overflow vulnerability exists in the Palette box parser functionality of Accusoft ImageGear 19.10. A specially-crafted…
CVE-2021-31875 — CVSS 9.8 (critical): In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSON string can trigger an off-by-one heap-based buffer overflow in…
CVE-2020-8443 — CVSS 9.8 (critical): In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for log analysis (ossec-analysisd) is vulnerable to an off-by-one…
CVE-2020-6835 — CVSS 9.8 (critical): An issue was discovered in Bftpd before 5.4. There is a heap-based off-by-one error during file-transfer error checking.
CVE-2019-14532 — CVSS 9.8 (critical): An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp…
CVE-2019-8272 — CVSS 9.8 (critical): UltraVNC revision 1211 has multiple off-by-one vulnerabilities in VNC server code, which can potentially result in code execution. This…
CVE-2019-8268 — CVSS 9.8 (critical): UltraVNC revision 1206 has multiple off-by-one vulnerabilities in VNC client code connected with improper usage of ClientConnection::ReadStr…
CVE-2018-14599 — CVSS 9.8 (critical): An issue was discovered in libX11 through 1.6.5. The function XListExtensions in ListExt.c is vulnerable to an off-by-one error caused by…
CVE-2018-8828 — CVSS 9.8 (critical): A Buffer Overflow issue was discovered in Kamailio before 4.4.7, 5.0.x before 5.0.6, and 5.1.x before 5.1.2. A specially crafted REGISTER…
CVE-2016-10160 — CVSS 9.8 (critical): Off-by-one error in the phar_parse_pharfile function in ext/phar/phar.c in PHP before 5.6.30 and 7.0.x before 7.0.15 allows remote…
CVE-2004-0005 — CVSS 9.8 (critical): Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1)…
CVE-2003-0466 — CVSS 9.8 (critical): Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary…
CVE-2003-0252 — CVSS 9.8 (critical): Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a…
CVE-2003-0356 — CVSS 9.8 (critical): Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute…
CVE-2002-1816 — CVSS 9.8 (critical): Off-by-one buffer overflow in the sock_gets function in sockhelp.c for ATPhttpd 0.4b and earlier allows remote attackers to execute…
CVE-2002-0083 — CVSS 9.8 (critical): Off-by-one error in the channel code of OpenSSH 2.0 through 3.0.2 allows local users or remote malicious servers to gain privileges.
CVE-2001-1496 — CVSS 9.8 (critical): Off-by-one buffer overflow in Basic Authentication in Acme Labs thttpd 1.95 through 2.20 allows remote attackers to cause a denial of…
CVE-2001-0609 — CVSS 9.8 (critical): Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed…
CVE-2010-3454 — CVSS 9.3 (critical): Multiple off-by-one errors in the WW8DopTypography::ReadFromMem function in oowriter in OpenOffice.org (OOo) 2.x and 3.x before 3.3 allow…
CVE-2024-51554 — CVSS 9.1 (critical): Default Credentail vulnerabilities in ASPECT on Linux allows access to the product using publicly available default credentials. Affected…
CVE-2021-46848 — CVSS 9.1 (critical): GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.
CVE-2020-10062 — CVSS 9.0 (critical): An off-by-one error in the Zephyr project MQTT packet length decoder can result in memory corruption and possible remote code execution…
CVE-2020-29040 — CVSS 8.8 (high): An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data…
CVE-2019-18423 — CVSS 8.8 (high): An issue was discovered in Xen through 4.12.x allowing ARM guest OS users to cause a denial of service via a XENMEM_add_to_physmap…
CVE-2018-14682 — CVSS 8.8 (high): An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM…
CVE-2010-1773 — CVSS 8.8 (high): Off-by-one error in the toAlphabetic function in rendering/RenderListMarker.cpp in WebCore in WebKit before r59950, as used in Google…
CVE-2026-54410 — CVSS 8.6 (high): nanoMODBUS through v1.23.0 contains an off-by-one buffer overflow in the recv_msg_header() function of the Modbus/TCP server that allows…
CVE-2026-49127 — CVSS 8.6 (high): Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in…
CVE-2025-43971 — CVSS 8.6 (high): An issue was discovered in GoBGP before 3.35.0. pkg/packet/bgp/bgp.go allows attackers to cause a panic via a zero value for…
CVE-2022-3872 — CVSS 8.6 (high): An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in…
CVE-2026-22593 — CVSS 8.4 (high): EVerest is an EV charging software stack. Prior to version 2026.02.0, an off-by-one check in IsoMux certificate filename handling causes a…
CVE-2026-28520 — CVSS 8.4 (high): arduino-TuyaOpen before version 1.2.1 contains a single-byte buffer overflow vulnerability in the WiFiMulti component. When the victim's…
CVE-2020-14508 — CVSS 8.1 (high): GateManager versions prior to 9.2c, The affected product is vulnerable to an off-by-one error, which may allow an attacker to remotely…
CVE-2026-8357 — CVSS 7.8 (high): LibreOffice Calc compiles cell formulas when opening a spreadsheet. A heap buffer overflow existed when compiling a very long formula made…
CVE-2024-57990 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix off by one in mt7925_load_clc() This comparison…
CVE-2024-49880 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: ext4: fix off by one issue in alloc_flex_gd() Wesley reported an issue…
CVE-2024-47682 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: scsi: sd: Fix off-by-one error in sd_read_block_characteristics() Ff…
CVE-2024-46852 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix off-by-one in CMA heap fault handler Until…
CVE-2024-43852 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: hwmon: (ltc2991) re-order conditions to fix off by one bug…
CVE-2022-48732 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking…
CVE-2022-48672 — CVSS 7.8 (high): In the Linux kernel, the following vulnerability has been resolved: of: fdt: fix off-by-one error in unflatten_dt_nodes() Commit…