CWE-129 (Improper Validation of Array Index) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | C | — | Often | — |
| language | C++ | — | Often | — |
| language | — | Not Language-Specific | Undetermined | — |

These CVEs are mapped to this weakness in this database and kept for traceability and search.

| CVE | Published | Summary |
|---|---|---|
| CVE-2026-25276 | 2026-06-01 | Memory corruption while using Strongbox due to missing bounds check. |
| CVE-2026-45104 | 2026-05-27 | MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilt… |
| CVE-2026-46598 | 2026-05-22 | For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used. |
| CVE-2026-44310 | 2026-05-15 | Gitsign is a keyless Sigstore signing tool for Git commits with your GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereferences… |
| CVE-2023-31309 | 2026-05-15 | Improper validation in Power Management Firmware (PMFW) may allow an attacker with privileges to pass malformed workload arguments when exporting table data from SMU to DRAM potentially resulting in a… |
| CVE-2026-44222 | 2026-05-12 | vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a Token Injection vulnerability in vLLM’s multimodal processing. Unauthenticated, text… |
| CVE-2026-41643 | 2026-05-07 | GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malf… |
| CVE-2026-40251 | 2026-05-06 | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated user with access to the storage v… |
| CVE-2026-31776 | 2026-05-01 | In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix missing SPDIFI1 index handling SPDIF1 DAIO type isn't properly handled in daio_device_index() for hw20k2, and it … |
| CVE-2026-31764 | 2026-05-01 | In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: Set buffer sampling frequency for accelerometer only The st_lsm6dsx_hwfifo_odr_store() function, which is ca… |
| CVE-2026-31729 | 2026-05-01 | In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: validate connector number in ucsi_notify_common() The connector number extracted from CCI via UCSI_CCI_CONNECTOR… |
| CVE-2026-40886 | 2026-04-23 | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From 3.6.5 to 4.0.4, an unchecked array index in the pod informer's podGCFromPod() func… |
| CVE-2026-6840 | 2026-04-22 | Missing bounds validation for operator could allow out of range operator-code lookup during model loading. Affected version is prior to commit 1.30.0. |
| CVE-2026-40097 | 2026-04-10 | Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by… |
| CVE-2026-34942 | 2026-04-09 | Wasmtime is a runtime for WebAssembly. Prior to 24.0.7, 36.0.7, 42.0.2, and 43.0.1, Wasmtime's implementation of transcoding strings into the Component Model's utf16 or latin1+utf16 encodings improper… |
| CVE-2026-21413 | 2026-04-07 | A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer … |
| CVE-2026-23448 | 2026-04-03 | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP16 nframes bounds check cdc_ncm_rx_verify_ndp16() validates that the NDP header and its DPE… |
| CVE-2026-23447 | 2026-04-03 | In the Linux kernel, the following vulnerability has been resolved: net: usb: cdc_ncm: add ndpoffset to NDP32 nframes bounds check The same bounds-check bug fixed for NDP16 in the previous patch als… |
| CVE-2026-33762 | 2026-03-31 | go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applyin… |
| CVE-2026-32286 | 2026-03-26 | The DataRow.Decode function fails to properly validate field lengths. A malicious or compromised PostgreSQL server can send a DataRow message with a negative field length, causing a slice bounds out o… |

| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Sean Eidemiller | 1.0 | — | added/updated demonstrative examples |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Alternate_Terms, Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities |
| 2008-11-24 | CWE Content Team | 1.1 | — | updated Relationships, Taxonomy_Mappings |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Common_Consequences |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Description, Name, Relationships |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Applicable_Platforms, Common_Consequences, Observed_Examples, Other_Notes, Potential_Mitigations, Theoretical_Notes, Weakness_Ordinalities |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated Applicable_Platforms, Demonstrative_Examples, Detection_Factors, Likelihood_of_Exploit, Potential_Mitigations, References, Related_Attack_Patterns, Relationships |
| 2010-04-05 | CWE Content Team | 1.8.1 | — | updated Related_Attack_Patterns |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Common_Consequences, Potential_Mitigations, References |
| 2010-09-27 | CWE Content Team | 1.10 | — | updated Potential_Mitigations, Relationship_Notes, Relationships |
| 2010-12-13 | CWE Content Team | 1.11 | — | updated Demonstrative_Examples, Observed_Examples, Potential_Mitigations |
| 2011-03-29 | CWE Content Team | 1.12 | — | updated Common_Consequences, Demonstrative_Examples, Weakness_Ordinalities |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Relationships |
| 2011-09-13 | CWE Content Team | 2.1 | — | updated Relationships, Taxonomy_Mappings |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Demonstrative_Examples, Potential_Mitigations, References, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Potential_Mitigations |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Potential_Mitigations, References |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Causal_Nature, References, Relationships, Taxonomy_Mappings |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated References |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated References, Relationships, Taxonomy_Mappings |
| 2019-09-19 | CWE Content Team | 3.4 | — | updated Potential_Mitigations |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Potential_Mitigations, Relationships, Taxonomy_Mappings |
| 2020-06-25 | CWE Content Team | 4.1 | — | updated Demonstrative_Examples, Potential_Mitigations, Relationships, Type |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Potential_Mitigations, Relationships |
| 2020-12-10 | CWE Content Team | 4.3 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated References, Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated References, Relationships, Taxonomy_Mappings |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Potential_Mitigations, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated Demonstrative_Examples, Functional_Areas |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, References, Relationships |