Buffer over-read

In computer security and programming, a buffer over-read{{cite web |url=http://cwe.mitre.org/data/definitions/126.html |title=CWE – CWE-126: Buffer Over-read |date=February 18, 2014 |work=Common Weakness Enumeration (list version 4.15) |accessdate=July 24, 2024 |archive-date=February 8, 2018 |archive-url=https://web.archive.org/web/20180208124312/https://cwe.mitre.org/data/definitions/126.html |url-status=live }}{{Cite book|last1=Strackx|first1=Raoul|last2=Younan|first2=Yves|last3=Philippaerts|first3=Pieter|last4=Piessens|first4=Frank|last5=Lachmund|first5=Sven|last6=Walter|first6=Thomas|title=Proceedings of the Second European Workshop on System Security |chapter=Breaking the memory secrecy assumption |date=2009-01-01|series=EUROSEC '09|location=New York, NY, USA|publisher=ACM|pages=1–8|doi=10.1145/1519144.1519145|isbn=9781605584720|s2cid=17259394|chapter-url=https://lirias.kuleuven.be/handle/123456789/228745}} or out-of-bounds read{{cite web|url=https://cwe.mitre.org/data/definitions/125.html|title=CWE – CWE-125: Out-of-bounds Read|work=Common Weakness Enumeration (list version 4.15)|accessdate=July 24, 2024|archive-date=August 17, 2023|archive-url=https://web.archive.org/web/20230817173354/https://cwe.mitre.org/data/definitions/125.html|url-status=live}} is an anomaly where a program, while reading data from a buffer, overruns the buffer's boundary and reads (or tries to read) adjacent memory. It is a special case of a memory safety violation: the counterpart of a buffer overflow, which writes past the boundary.

Buffer over-reads can be triggered, as in the Heartbleed bug, by maliciously crafted inputs that exploit a missing bounds check to read parts of memory that were never intended to be accessible. They may also be caused by programming errors alone. Buffer over-reads can result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are therefore the basis of many software vulnerabilities and can be exploited to disclose data the program never meant to expose, such as cryptographic keys or other contents of process memory.{{citation needed|date=December 2022}}

Buffer over-reads that are not caused by malicious input can still crash a program if the read reaches an unmapped page and so triggers an invalid page fault. For example, the widespread IT outages of July 2024 were caused by an out-of-bounds memory read in the Falcon sensor, security software developed by CrowdStrike.{{Cite web |title=Falcon Content Update Remediation and Guidance Hub {{!}} CrowdStrike |url=https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ |access-date=2024-07-24 |website=crowdstrike.com |language=en |archive-date=2024-07-24 |archive-url=https://web.archive.org/web/20240724000443/https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/ |url-status=live }}

Programming languages commonly associated with buffer over-reads include C and C++, which provide no built-in protection against using pointers to access data in any part of virtual memory and do not automatically check that a read from a block of memory stays within its bounds. Typical causes are reading more elements than an array contains, or failing to append the terminating null byte to a string, so that routines such as strlen keep reading past its end until they happen upon a zero byte. Bounds checking can prevent buffer over-reads,{{cite web |url=http://www.fort-knox.org/files/younan_malloc.pdf |title=Efficient protection against heap-based buffer overflows without resorting to magic |date=2013-02-25 |accessdate=2014-04-24 |author1=Yves Younan |author2=Wouter Joosen |author3=Frank Piessens |publisher=Dept. of Computer Science, Katholieke Universiteit Leuven |archive-url=https://web.archive.org/web/20130905132446/http://fort-knox.org/files/younan_malloc.pdf |archive-date=2013-09-05 |url-status=dead }} while fuzz testing can help detect them.
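As an added illustration of the Heartbleed pattern described above and of the bounds check that prevents it (example code written for this article, not taken from OpenSSL or from any cited source): the three-byte record header, the 64-byte array that stands in for a slice of process memory, and the secret placed directly behind the received record are all constructed for the demonstration. The unchecked routine copies as many bytes as the record claims to carry; the checked one first compares that claim against the number of bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed record format, modelled on the TLS heartbeat message that
 * Heartbleed abused (layout is an assumption for this example):
 *     byte 0     : record type
 *     bytes 1..2 : payload length, big-endian, as claimed by the sender
 *     bytes 3..  : payload
 * The service is supposed to echo the payload back to the sender.
 */

#define ARENA_SIZE 64

/*
 * One 64-byte array stands in for process memory: the received record
 * occupies its first rec_len bytes and unrelated data (a secret) sits right
 * behind it. Keeping everything inside a single array makes the over-read
 * deterministic and keeps it away from unmapped memory.
 */
static unsigned char arena[ARENA_SIZE];

/* Write a record with the given claimed length into the arena, then place the
 * secret immediately after it. Returns the number of bytes really received. */
size_t setup_arena(uint16_t claimed_len, const char *payload, const char *secret)
{
    size_t payload_len = strlen(payload);
    memset(arena, 0, sizeof arena);
    arena[0] = 0x01;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, payload_len);
    memcpy(arena + 3 + payload_len, secret, strlen(secret)); /* adjacent memory */
    return 3 + payload_len;
}

static size_t claimed_length(const unsigned char *rec)
{
    return (size_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable echo (CWE-126): trusts the length field in the record and never
 * compares it with rec_len, the number of bytes actually received. The
 * destination is sized, so this is a pure over-read, not an overflow. */
size_t echo_unchecked(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    size_t n = claimed_length(rec);
    (void)rec_len;                  /* the bug: the real length is ignored */
    if (n > out_cap)
        n = out_cap;
    memcpy(out, rec + 3, n);        /* reads past the record when n > rec_len - 3 */
    return n;
}

/* Hardened echo: the claimed length is checked against the bytes received
 * before any read happens. Returns 0 on success, -1 if the record is rejected. */
int echo_checked(const unsigned char *rec, size_t rec_len,
                 unsigned char *out, size_t out_cap, size_t *out_len)
{
    size_t n;
    if (rec_len < 3)
        return -1;                  /* header itself is truncated */
    n = claimed_length(rec);
    if (n > rec_len - 3)
        return -1;                  /* claim exceeds what was received */
    if (n > out_cap)
        return -1;
    memcpy(out, rec + 3, n);
    *out_len = n;
    return 0;
}

/* 1 if echoing a record that claims 32 bytes but carries 2 leaks the secret. */
int unchecked_leaks_secret(void)
{
    unsigned char out[ARENA_SIZE];
    size_t rec_len = setup_arena(32, "hi", "SECRET");
    size_t n = echo_unchecked(arena, rec_len, out, sizeof out);
    return n >= 8 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* Result of the checked routine on the same malicious record (-1 expected). */
int checked_rejects_malicious(void)
{
    unsigned char out[ARENA_SIZE];
    size_t out_len = 0;
    size_t rec_len = setup_arena(32, "hi", "SECRET");
    return echo_checked(arena, rec_len, out, sizeof out, &out_len);
}

/* Echoed length for an honest record that claims exactly 2 bytes (2 expected). */
int checked_accepts_honest(void)
{
    unsigned char out[ARENA_SIZE];
    size_t out_len = 0;
    size_t rec_len = setup_arena(2, "hi", "SECRET");
    if (echo_checked(arena, rec_len, out, sizeof out, &out_len) != 0)
        return -1;
    return (int)out_len;
}

int main(void)
{
    printf("unchecked echo leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked echo rejects malicious record: %d\n", checked_rejects_malicious());
    printf("checked echo of honest record, length: %d\n", checked_accepts_honest());
    return 0;
}
```

The over-read stays inside the single backing array only so that the demonstration is repeatable. In a real process the unchecked copy walks into whatever the allocator placed after the record (Heartbleed returned up to 64 KiB of neighbouring heap per request), and if that memory is unmapped the program faults and crashes, as in the CrowdStrike case above. If the record were instead a heap allocation sized to rec_len, running the program under AddressSanitizer (-fsanitize=address) would report the unchecked read as a heap-buffer-overflow, which is the same check a fuzzer relies on to surface this class of bug.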

See also

{{Portal|Computer programming}}

References

{{Reflist}}