CVEbaza.plSłownik CWECWE-626
Common Weakness Enumeration

CWE-626

Null Byte Interaction Error (Poison Null Byte)

Kategoria: VariantCVE: 6
Opis

Produkt nie obsługuje prawidłowo bajtów zerowych lub znaków NUL podczas przekazywania danych między różnymi reprezentacjami lub komponentami. Brak poprawnego przetwarzania tych znaków może prowadzić do nieprzewidywalnego zachowania systemu lub luk w zabezpieczeniach.

Description (EN)

The product does not properly handle null bytes or NUL characters when passing data between different representations or components.

Podatności CVE z CWE-626 (6)
9.8
CVSS
CRITICAL
CVE-2019-11936

Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1.

pub. 2019-12-04
9.4
CVSS
CRITICAL
CVE-2019-17137

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR AC1200 R6220 Firmware version 1.1.0.86 Smart WiFi Router. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of path strings. By inserting a null byte into the path, the user can skip most authentication checks. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-8616.

pub. 2020-02-10
7.5
CVSS
HIGH
CVE-2026-42579

Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

pub. 2026-05-13
7.1
CVSS
HIGH
CVE-2026-42010

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

pub. 2026-05-07
4.4
CVSS
MEDIUM
CVE-2020-10773

A stack information leak flaw was found in s390/s390x in the Linux kernel’s memory manager functionality, where it incorrectly writes to the /proc/sys/vm/cmm_timeout file. This flaw allows a local user to see the kernel data.

pub. 2020-09-10
3.7
CVSS
LOW
CVE-2026-42040

Axios to oparta na Promise'ach biblioteka HTTP dla przeglądarki i Node.js. W wersjach przed 1.15.1 i 0.31.1 funkcja encode() w lib/helpers/AxiosURLSearchParams.js zawiera mapowanie znaków (charMap) w linii 21, które odwraca bezpieczne kodowanie procentowe bajtów null. Po tym, jak encodeURIComponent('\x00') poprawnie produkuje bezpieczną sekwencję %00, wpis charMap '%00': '\x00' konwertuje ją z powrotem do surowego bajtu null. Wpływ pierwotny jest ograniczony, ponieważ standardowy przepływ żądań axios nie jest dotknięty. Podatność została naprawiona w wersjach 1.15.1 i 0.31.1.

pub. 2026-04-24
Informacje
ID: CWE-626
Typ: Variant
Podatności: 6
MITRE CWE ↗
← Słownik CWE