CWE · MITRE source
CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Last updated: 19 May 2026 14:18 UTC
NIST 800-53 r5 controls that address this weakness (4)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
SI-16 | Memory Protection | SI | Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution. |
SI-4 | System Monitoring | SI | Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior. |
SA-11 | Developer Testing and Evaluation | SA | Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release. |
SC-27 | Platform-independent Applications | SC | Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2020-0796 KEV | 9.7 | 10.0 | 0.9441 | 2020-03-12 |
CVE-2017-15944 KEV UPD | 9.6 | 9.8 | 0.9402 | 2017-12-11 |
CVE-2023-4966 KEV | 9.5 | 9.4 | 0.9435 | 2023-10-10 |
CVE-2014-6332 KEV UPD | 9.4 | 8.8 | 0.9409 | 2014-11-11 |
CVE-2020-29557 KEV | 9.4 | 9.8 | 0.9103 | 2021-01-29 |
CVE-2015-2426 KEV UPD | 9.3 | 8.8 | 0.9175 | 2015-07-20 |
CVE-2010-3765 KEV UPD | 9.2 | 9.8 | 0.8677 | 2010-10-28 |
CVE-2011-1889 KEV UPD | 9.2 | 9.8 | 0.8814 | 2011-06-16 |
CVE-2017-11882 KEV UPD | 9.2 | 7.8 | 0.9435 | 2017-11-15 |
CVE-2018-7445 KEV | 9.2 | 9.8 | 0.8756 | 2018-03-19 |
CVE-2017-6736 KEV UPD | 9.1 | 8.8 | 0.8947 | 2017-07-17 |
CVE-2017-11826 KEV UPD | 9.1 | 7.8 | 0.9169 | 2017-10-13 |
CVE-2008-0015 KEV UPD | 8.7 | 8.8 | 0.8158 | 2009-07-07 |
CVE-2017-11774 KEV UPD | 8.7 | 7.8 | 0.8557 | 2017-10-13 |
CVE-2023-6549 KEV | 8.4 | 8.2 | 0.7986 | 2024-01-17 |
CVE-2021-22991 KEV | 8.3 | 9.8 | 0.7309 | 2021-03-31 |
CVE-2016-7193 KEV UPD | 8.0 | 7.8 | 0.7380 | 2016-10-14 |
CVE-2017-0101 KEV UPD | 7.9 | 7.8 | 0.7226 | 2017-03-17 |
CVE-2013-3660 KEV UPD | 7.8 | 7.8 | 0.7063 | 2013-05-24 |
CVE-2017-14492 | 7.5 | 9.8 | 0.9284 | 2017-10-03 |
CVE-2016-1287 UPD | 7.3 | 9.8 | 0.8978 | 2016-02-11 |
CVE-2015-7547 UPD | 7.3 | 8.1 | 0.9395 | 2016-02-18 |
CVE-2018-6892 | 7.3 | 9.8 | 0.8967 | 2018-02-11 |
CVE-2018-10088 | 7.3 | 9.8 | 0.8946 | 2018-06-08 |
CVE-2018-4233 | 7.2 | 8.8 | 0.8990 | 2018-06-08 |