CWE-135 – Incorrect Calculation of Multi-Byte String Length | Common Weakness Enumeration (CWE)

Overview

CWE-135 (Incorrect Calculation of Multi-Byte String Length) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact: Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

Applicable platforms

Kind	Name	Class	Prevalence	OS / CPE
language	C	—	Undetermined	—
language	C++	—	Undetermined	—

Related CVEs in this database

These CVEs are mapped to this weakness in this database and kept for traceability and search.

CVE	Published	Summary
CVE-2026-34831	2026-04-02	Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When th…
CVE-2026-0810	2026-01-26	A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `Ti…

Previous names

Improper String Length Checking (2008-04-11)

Content submission

Name: CLASP
Date: 2006-07-19
Version: Draft 3

Content modifications

Date	Name	Version	Importance	Comment
2008-07-01	Eric Dalci	1.0	—	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	1.0	—	updated Applicable_Platforms, Relationships, Other_Notes, Taxonomy_Mappings
2008-11-24	CWE Content Team	1.1	—	updated Relationships, Taxonomy_Mappings
2009-05-27	CWE Content Team	1.4	—	updated Description
2010-02-16	CWE Content Team	1.8	—	updated Demonstrative_Examples, References
2011-06-01	CWE Content Team	1.13	—	updated Common_Consequences, Relationships, Taxonomy_Mappings
2011-06-27	CWE Content Team	2.0	—	updated Common_Consequences
2012-05-11	CWE Content Team	2.2	—	updated Common_Consequences, Demonstrative_Examples, Relationships, Taxonomy_Mappings
2012-10-30	CWE Content Team	2.3	—	updated Potential_Mitigations
2014-06-23	CWE Content Team	2.7	—	updated Enabling_Factors_for_Exploitation, Other_Notes
2014-07-30	CWE Content Team	2.8	—	updated Relationships, Taxonomy_Mappings
2017-11-08	CWE Content Team	3.0	—	updated Enabling_Factors_for_Exploitation, Modes_of_Introduction, References, Taxonomy_Mappings
2018-03-27	CWE Content Team	3.1	—	updated References
2019-01-03	CWE Content Team	3.2	—	updated Taxonomy_Mappings
2021-03-15	CWE Content Team	4.4	—	updated References
2023-01-31	CWE Content Team	4.10	—	updated Description
2023-04-27	CWE Content Team	4.11	—	updated Detection_Factors, Relationships
2023-06-29	CWE Content Team	4.12	—	updated Mapping_Notes
2024-07-16	CWE Content Team	4.15	—	updated Common_Consequences
2025-12-11	CWE Content Team	4.19	—	updated Weakness_Ordinalities

Contributions

Type	Name	Date	Comment
Feedback	Gregory Padgett	2010-01-11	correction to Demonstrative_Example