Out-of-Bounds Read
What is Out-of-Bounds Read?
A memory-safety bug (CWE-125) where software reads data before, after, or otherwise outside the intended buffer, leaking adjacent memory contents.
An out-of-bounds (OOB) read occurs when a program uses an attacker-influenced index, length or pointer to read past the end (or before the start) of a buffer. The leaked bytes can include cryptographic keys, session tokens, ASLR-defeating pointers, or other process secrets. The canonical example is Heartbleed (CVE-2014-0160) in OpenSSL, where a TLS heartbeat reply copied up to 64KB of memory because the responder trusted an attacker-supplied length. OOB reads are tracked as CWE-125 and frequently combine with separate write primitives to achieve full code execution. Mitigations include bounds-checked APIs, memory-safe languages (Rust, modern C++), sanitisers (ASan, KASAN), fuzzing, and hardware tagging (MTE).
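The Heartbleed defect described above comes down to one missing comparison between a claimed length and the number of bytes actually received. The following is an added illustration, not OpenSSL's code: a bounds-checked heartbeat responder using the RFC 6520 record layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding), with constructed sample records. Function and constant names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian payload_length,
 * payload bytes, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Build the heartbeat response for a received record.
 * rec/rec_len describe the bytes actually received; out/out_cap is the reply buffer.
 * Returns bytes written, or -1 if the record is malformed.
 * The Heartbleed bug omitted the check marked (*) and copied payload_len bytes
 * from the request buffer regardless of how many had been received, so the
 * reply carried whatever lay beyond the real request in process memory. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)  /* cannot hold header + padding */
        return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t need = (size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING;

    if (need > rec_len)  /* (*) claimed length must be backed by received bytes */
        return -1;
    if (need > out_cap)  /* reply must also fit the destination buffer */
        return -1;

    out[0] = 2;  /* heartbeat_response */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)payload_len;
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);  /* echo only real bytes */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);   /* padding (random in TLS) */
    return (int)need;
}

/* Constructed sample records for a stand-alone run. */
int main(void)
{
    uint8_t out[128];
    /* Honest record: claims 4 payload bytes ("ping") and carries them plus padding. */
    uint8_t good[3 + 4 + 16] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    /* Heartbleed-style record: claims 0xFFFF payload bytes but carries only 4. */
    uint8_t bogus[3 + 4 + 16] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    printf("good  -> %d\n", hb_build_response(good, sizeof good, out, sizeof out));
    printf("bogus -> %d\n", hb_build_response(bogus, sizeof bogus, out, sizeof out));
    return 0;
}
```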
● Examples
- Heartbleed (CVE-2014-0160): OpenSSL TLS heartbeat leaks up to 64KB of process memory.
- An image parser reading past a chunk-size field and returning attacker-readable pixels in API responses.
● Frequently asked questions
What is Out-of-Bounds Read?
A memory-safety bug (CWE-125) where software reads data before, after, or otherwise outside the intended buffer, leaking adjacent memory contents. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Out-of-Bounds Read?
Defences for Out-of-Bounds Read combine technical controls and operational practices: bounds-checked APIs, memory-safe languages (Rust, modern C++), sanitisers (ASan, KASAN) during testing, fuzzing, and hardware memory tagging (MTE), as described in the full definition above.
What are other names for Out-of-Bounds Read?
Common alternative names include: OOB read, CWE-125.
● Related terms
- Buffer Overflow (vulnerabilities): A memory-safety flaw where a program writes past the end of an allocated buffer, corrupting adjacent memory and often enabling code execution.
- Integer Underflow (attacks): An arithmetic flaw (CWE-191) in which subtracting from an unsigned value below zero wraps to a huge number, often enabling oversized allocations or buffer overruns.
- Memory Corruption (vulnerabilities): An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.
- Use-After-Free (vulnerabilities): A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.