CWE-119: Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer

Status: Draft
Weakness ID: 119 (Weakness Class)
Description
Summary

The software may allow operations, such as reading or writing, to be performed at addresses not intended by the developer.

Extended Description

When software permits read or write operations on memory located outside of an allocated range, an attacker may be able to access/modify sensitive information, cause the system to crash, alter the intended control flow, or execute arbitrary code.
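
An added illustration of this weakness class, not part of the CWE entry: an unchecked write beside range-checked read and write helpers that reject a start before the buffer, an end past the allocation, and a length that would wrap around. The names `bounded_buf`, `BUF_CAP`, `range_ok`, `write_checked` and `read_checked` are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_CAP 16              /* constructed capacity for this example */

typedef struct {
    unsigned char data[BUF_CAP];
    size_t len;                 /* bytes written so far, always <= BUF_CAP */
} bounded_buf;

/* Unchecked form, kept only for contrast: any off and n are accepted, so the
 * copy can land before data[], past its end, or overrun it by n bytes. */
void write_unchecked(bounded_buf *b, ptrdiff_t off, const void *src, size_t n) {
    memcpy(b->data + off, src, n);
}

/* 1 if [off, off+n) fits in a region of `limit` bytes. Uses subtraction so
 * off + n is never computed: the naive `off + n <= limit` wraps around for
 * huge n and would accept the range. */
int range_ok(size_t off, size_t n, size_t limit) {
    return off <= limit && n <= limit - off;
}

/* Checked write: rejects a start before the buffer, an end past the
 * allocation, and a start past len (which would leave unwritten bytes
 * readable). */
int write_checked(bounded_buf *b, ptrdiff_t off, const void *src, size_t n) {
    if (off < 0 || (size_t)off > b->len || !range_ok((size_t)off, n, BUF_CAP))
        return -1;
    memcpy(b->data + off, src, n);
    if ((size_t)off + n > b->len)
        b->len = (size_t)off + n;
    return 0;
}

/* Checked read: bounded by len, not BUF_CAP, so only written bytes leave. */
int read_checked(const bounded_buf *b, size_t off, void *dst, size_t n) {
    if (!range_ok(off, n, b->len))
        return -1;
    memcpy(dst, b->data + off, n);
    return 0;
}
```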

Affected Resources
* Memory
Relationships

| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf | Weakness Class | 118 | Improper Access of Indexable Resource (aka 'Range Error') | Research Concepts (primary) 1000 |
| ChildOf | Weakness Class | 20 | Insufficient Input Validation | Development Concepts (primary) 699; Seven Pernicious Kingdoms (primary) 700 |
| ChildOf | Category | 726 | OWASP Top Ten 2004 Category A5 - Buffer Overflows | Weaknesses in OWASP Top Ten (2004) (primary) 711 |
| ChildOf | Category | 633 | Weaknesses that Affect Memory | Resource-specific Weaknesses (primary) 631 |
| MemberOf | View | 635 | Weaknesses Used by NVD | Weaknesses Used by NVD (primary) 635 |
| ParentOf | Weakness Base | 123 | Write-what-where Condition | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Base | 124 | Boundary Beginning Violation ('Buffer Underwrite') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Base | 125 | Out-of-bounds Read | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Base | 128 | Wrap-around Error | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| ParentOf | Weakness Base | 129 | Unchecked Array Indexing | Development Concepts (primary) 699; Research Concepts (primary) 1000 |
| CanFollow | Weakness Base | 131 | Incorrect Calculation of Buffer Size | Development Concepts 699; Research Concepts 1000 |
| CanFollow | Weakness Base | 193 | Off-by-one Error | Research Concepts 1000 |
| ParentOf | Weakness Base | 466 | Return of Pointer Value Outside of Expected Range | Research Concepts (primary) 1000 |
| ParentOf | Compound Element: Composite | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Development Concepts (primary) 699; Research Concepts (primary) 1000 |

Taxonomy Mappings

| Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name |
|---|---|---|---|
| OWASP Top Ten 2004 | A5 | Exact | Buffer Overflows |

Time of Introduction
* Architecture and Design
* Implementation
Related Attack Patterns

| CAPEC-ID (CAPEC Version 1.1) | Attack Pattern Name |
|---|---|
| 100 | Overflow Buffers |
| 10 | Buffer Overflow via Environment Variables |
| 14 | Client-side Injection-induced Buffer Overflow |
| 42 | MIME Conversion |
| 24 | Filter Failure through Buffer Overflow |
| 8 | Buffer Overflow in an API Call |
| 44 | Overflow Binary Resource File |
| 9 | Buffer Overflow in Local Command-Line Utilities |
| 45 | Buffer Overflow via Symbolic Links |
| 46 | Overflow Variables and Tags |
| 47 | Buffer Overflow via Parameter Expansion |

Content History
Modifications
Eric Dalci. Cigital. 2008-07-01. (External)
updated Time_of_Introduction
Veracode. 2008-08-15. (External)
Suggested OWASP Top Ten 2004 mapping
CWE Content Team. MITRE. 2008-09-08. (Internal)
updated Description, Relationships, Taxonomy_Mappings
CWE Content Team. MITRE. 2008-10-14. (Internal)
updated Relationships
Previous Entry Names
* Buffer Errors (changed 2008-04-11)
Page Last Updated: October 16, 2008