CWE-158 27 個 CVE MITRE 定義 ↗

CWE-158:Improper Neutralization of Null Byte or NUL Character

概覽

CWE-158(Improper Neutralization of Null Byte or NUL Character)描述一種在漏洞資料庫與安全評估中使用的弱點類型;定義、背景與對應 CVE 見下方各節。

安全影響
安全影響:因產品與情境而異;請結合 CVE 紀錄、嚴重度評分與 MITRE 說明進行優先級判斷。

描述

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

適用平台

類型 名稱 普遍性 OS / CPE
language Not Language-Specific Undetermined
language C Undetermined
language C++ Undetermined
technology Not Technology-Specific Undetermined

本庫相關 CVE

下列 CVE 在本庫中對應到該弱點,並保留以便追溯與檢索。

CVE 公開時間 摘要
CVE-2026-47778 2026-06-26 Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySub…
CVE-2026-43895 2026-05-11 jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during mod…
CVE-2026-41256 2026-05-11 jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file…
CVE-2026-43861 2026-05-04 mutt before 2.3.2 does not check for '\0' in url_pct_decode.
CVE-2026-43859 2026-05-04 mutt before 2.3.2 sometimes uses strfcpy instead of memcpy for the IMAP auth_cram MD5 digest.
CVE-2026-23863 2026-05-01 An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the ap…
CVE-2026-33191 2026-03-20 Free5GC is an open-source Linux Foundation project for 5th generation (5G) mobile core networks. Versions prior to 1.4.2 are vulnerable to null byte injection in URL path parameters. A remote attacker…
CVE-2026-4359 2026-03-17 A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.
CVE-2026-28540 2026-03-05 Out-of-bounds character read vulnerability in Bluetooth. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-14388 2025-12-23 The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the ext…
CVE-2025-66263 2025-11-25 Unauthenticated Arbitrary File Read via Null Byte Injection in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows a…
CVE-2025-61985 2025-10-06 ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.
CVE-2025-9648 2025-09-29 A vulnerability in the CivetWeb library's function mg_handle_form_request allows remote attackers to trigger a denial of service (DoS) condition. By sending a specially crafted HTTP POST request conta…
CVE-2025-55113 2025-09-16 If the Access Control List is enforced by the Control-M/Agent and the C router is in use (default in Out-of-support Control-M/Agent versions 9.0.18 to 9.0.20 and potentially earlier unsupported versio…
CVE-2025-47812 2025-07-10 In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitr…
CVE-2025-1936 2025-03-04 jar: URLs retrieve local file content packaged in a ZIP archive. The null and everything after it was ignored when retrieving the content from the archive, but the fake extension after the null was us…
CVE-2024-10921 2024-11-14 An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. This iss…
CVE-2024-9026 2024-10-08 In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it is configured to catch workers output through catch_workers_output = yes, it may be possib…
CVE-2024-0408 2024-01-18 A flaw was found in the X.Org server. The GLX PBuffer code does not call the XACE hook when creating the buffer, leaving it unlabeled. When the client issues another request to access that resource (a…
CVE-2023-5719 2023-11-06 The Crimson 3.2 Windows-based configuration tool allows users with administrative access to define new passwords for users and to download the resulting security configuration to a device. If such a …

曾用名

  • Null Character / Null Byte (2008-01-30)
  • Failure to Remove Null Character / Null Byte (2008-04-11)
  • Failure to Sanitize Null Byte or NUL Character (2010-04-05)

內容提交

名稱
PLOVER
日期
2006-07-19
版本
Draft 3

內容修訂

日期 名稱 版本 重要性 評論
2008-07-01 Eric Dalci 1.0 updated Potential_Mitigations
2008-09-08 CWE Content Team 1.0 updated Relationships, Relationship_Notes, Taxonomy_Mappings
2008-10-14 CWE Content Team 1.0.1 updated Description
2008-11-24 CWE Content Team 1.1 updated Observed_Examples
2009-07-27 CWE Content Team 1.5 updated Potential_Mitigations
2010-02-16 CWE Content Team 1.8 updated Taxonomy_Mappings
2010-04-05 CWE Content Team 1.8.1 updated Description, Name
2011-03-29 CWE Content Team 1.12 updated Potential_Mitigations
2011-06-01 CWE Content Team 1.13 updated Common_Consequences
2011-06-27 CWE Content Team 2.0 updated Common_Consequences
2012-05-11 CWE Content Team 2.2 updated Observed_Examples, References, Relationships
2012-10-30 CWE Content Team 2.3 updated Potential_Mitigations
2014-07-30 CWE Content Team 2.8 updated Relationships, Taxonomy_Mappings
2017-05-03 CWE Content Team 2.11 updated Potential_Mitigations
2017-11-08 CWE Content Team 3.0 updated Applicable_Platforms
2020-02-24 CWE Content Team 4.0 updated Potential_Mitigations, Relationships
2020-06-25 CWE Content Team 4.1 updated Observed_Examples, Potential_Mitigations
2023-01-31 CWE Content Team 4.10 updated Description, Potential_Mitigations
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, References, Weakness_Ordinalities
cvelogic Threat Intelligence