CWE · MITRE source
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (4) AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-16 | Memory Protection | SI | Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution. |
| SI-4 | System Monitoring | SI | Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior. |
| SA-11 | Developer Testing and Evaluation | SA | Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release. |
| SC-27 | Platform-independent Applications | SC | Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2020-0796 KEV | 9.7 | 10.0 | 0.9441 | 2020-03-12 |
| CVE-2017-15944 KEV | 9.6 | 9.8 | 0.9391 | 2017-12-11 |
| CVE-2023-4966 KEV | 9.5 | 9.4 | 0.9435 | 2023-10-10 |
| CVE-2014-6332 KEV | 9.4 | 8.8 | 0.9409 | 2014-11-11 |
| CVE-2020-29557 KEV | 9.4 | 9.8 | 0.9103 | 2021-01-29 |
| CVE-2015-2426 KEV | 9.3 | 8.8 | 0.9175 | 2015-07-20 |
| CVE-2010-3765 KEV | 9.2 | 9.8 | 0.8662 | 2010-10-28 |
| CVE-2011-1889 KEV | 9.2 | 9.8 | 0.8814 | 2011-06-16 |
| CVE-2017-11882 KEV | 9.2 | 7.8 | 0.9435 | 2017-11-15 |
| CVE-2018-7445 KEV | 9.2 | 9.8 | 0.8756 | 2018-03-19 |
| CVE-2017-6736 KEV | 9.1 | 8.8 | 0.8947 | 2017-07-17 |
| CVE-2017-11826 KEV | 9.0 | 7.8 | 0.9087 | 2017-10-13 |
| CVE-2008-0015 KEV | 8.7 | 8.8 | 0.8158 | 2009-07-07 |
| CVE-2017-11774 KEV | 8.7 | 7.8 | 0.8557 | 2017-10-13 |
| CVE-2021-22991 KEV | 8.3 | 9.8 | 0.7309 | 2021-03-31 |
| CVE-2023-6549 KEV | 8.2 | 8.2 | 0.7651 | 2024-01-17 |
| CVE-2016-7193 KEV | 8.0 | 7.8 | 0.7380 | 2016-10-14 |
| CVE-2017-0101 KEV | 7.9 | 7.8 | 0.7226 | 2017-03-17 |
| CVE-2013-3660 KEV | 7.8 | 7.8 | 0.7063 | 2013-05-24 |
| CVE-2017-14492 | 7.5 | 9.8 | 0.9284 | 2017-10-03 |
| CVE-2016-1287 | 7.3 | 9.8 | 0.8978 | 2016-02-11 |
| CVE-2015-7547 | 7.3 | 8.1 | 0.9395 | 2016-02-18 |
| CVE-2018-6892 | 7.3 | 9.8 | 0.8967 | 2018-02-11 |
| CVE-2018-10088 | 7.3 | 9.8 | 0.8946 | 2018-06-08 |
| CVE-2018-4233 | 7.2 | 8.8 | 0.8990 | 2018-06-08 |