The product does not properly handle null bytes or NUL characters when passing data between different representations or components.
A null byte (NUL character) can have different meanings across representations or languages. For example, it is a string terminator in standard C libraries, but Perl and PHP strings do not treat it as a terminator. When two representations are crossed - such as when Perl or PHP invokes underlying C functionality - this can produce an interaction error with unexpected results. Similar issues have been reported for ASP. Other interpreters written in C might also be affected.
The poison null byte is frequently useful in path traversal attacks by terminating hard-coded extensions that are added to a filename. It can play a role in regular expression processing in PHP.
Current usage of "poison null byte" is typically related to this
C/Perl/PHP interaction error, but the original term in 1998 was applied to
an off-by-one buffer overflow involving a null byte.
There are not many CVE examples, because the poison NULL byte is a design
limitation, which typically is not included in CVE by itself. It is
typically used as a facilitator manipulation to widen the scope of potential
attacks against other vulnerabilities.