LIVE NEWSROOM · --:-- · May 25, 2026
A LIBRARY FOR SECURITY RESEARCHERS


CWE-131

Incorrect Calculation of Buffer Size

Abstraction: Base · Likelihood of exploit: High

What it is

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

Impact

Scope: Integrity, Availability, Confidentiality. Technical impact: DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands; Read Memory; Modify Memory.

Mitigations

  • [Implementation] When allocating a buffer for the purpose of transforming, converting, or encoding an input, allocate enough memory to handle the largest possible encoding. For example, in a routine that converts "&" characters to "&amp;" for HTML entity encoding, the output buffer needs to be at least 5 times as large as the input buffer.
  • [Implementation] Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-
  • [Implementation] Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
  • [Implementation] When processing structured incoming data containing a size field followed by raw data, identify and resolve any inconsistencies between the size field and the actual size of the data (CWE-130).
  • [Implementation] When allocating memory that uses sentinels to mark the end of a data structure - such as NUL bytes in strings - make sure you also include the sentinel in your calculation of the total amount of memory that must be allocated.
  • [Implementation] Replace unbounded copy functions with analogous functions that support length arguments, such as strcpy with strncpy. Create these if they are not available.
  • [Implementation] Use sizeof() on the appropriate data type to avoid CWE-467.
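The following C example is added here to illustrate the first, seventh and eighth mitigations together; it is not code from MITRE's CWE entry. It sizes the output buffer of an HTML entity encoder from the largest replacement the encoder can emit (a hypothetical constant HTML_ESCAPE_MAX_EXPANSION, 6 bytes for "&quot;"), checks the size_t arithmetic for wraparound before allocating, counts the NUL sentinel in the total, and uses sizeof on the element type. The naive_bufsize() function shows the undersized calculation the weakness describes, for comparison. The sample input in main() is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest replacement html_escape() can produce: "&quot;" is 6 bytes.
 * Sizing the output from this bound covers the worst-case input. */
#define HTML_ESCAPE_MAX_EXPANSION 6

/* Worst-case output size for escaping in_len input bytes, including the
 * terminating NUL sentinel. Returns false if in_len * 6 + 1 would wrap
 * around in size_t (CWE-190 feeding CWE-131). */
bool html_escape_bufsize(size_t in_len, size_t *out_size)
{
    if (in_len > (SIZE_MAX - 1) / HTML_ESCAPE_MAX_EXPANSION)
        return false;
    *out_size = in_len * HTML_ESCAPE_MAX_EXPANSION + 1;
    return true;
}

/* The mistaken calculation CWE-131 describes: sizing the output after the
 * input and ignoring that the transformation expands the data. */
size_t naive_bufsize(size_t in_len)
{
    return in_len + 1;
}

/* Escape &, <, >, " and ' into HTML entities. Returns a freshly allocated
 * NUL-terminated string, or NULL on size overflow or allocation failure.
 * If out_len is non-NULL it receives the byte count excluding the NUL. */
char *html_escape(const char *in, size_t in_len, size_t *out_len)
{
    size_t cap;
    if (!html_escape_bufsize(in_len, &cap))
        return NULL;
    char *out = malloc(cap * sizeof *out);  /* sizeof on the element type (CWE-467) */
    if (out == NULL)
        return NULL;

    size_t pos = 0;
    for (size_t i = 0; i < in_len; i++) {
        const char *rep;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        size_t n = rep ? strlen(rep) : 1;
        /* Defensive check: the bound above guarantees this never trips. */
        if (n > cap - 1 - pos) {
            free(out);
            return NULL;
        }
        if (rep)
            memcpy(out + pos, rep, n);
        else
            out[pos] = in[i];
        pos += n;
    }
    out[pos] = '\0';  /* the sentinel that html_escape_bufsize() counted */
    if (out_len)
        *out_len = pos;
    return out;
}

int main(void)
{
    const char sample[] = "a&b<c>\"d\"";  /* constructed sample input */
    size_t n;
    char *esc = html_escape(sample, strlen(sample), &n);
    if (esc != NULL) {
        printf("%s (%zu bytes written; naive buffer size would be %zu)\n",
               esc, n, naive_bufsize(strlen(sample)));
        free(esc);
    }
    return 0;
}
```

The overflow check compares against (SIZE_MAX - 1) / 6 before multiplying, so the guard itself cannot wrap; a check written as `in_len * 6 + 1 < in_len` after the fact is the pattern that fails on the very inputs it is meant to catch.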

Real-world CVE examples

  • CVE-2025-46687 — Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expecte
  • CVE-2025-27363 — Font rendering library does not properly handle assigning a signed short value to an unsigned long (CWE-195), leading to an integer wraparound (CWE-190), causin
  • CVE-2020-17087 — Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild p
  • CVE-2004-1363 — substitution overflow: buffer overflow using environment variables that are expanded after the length check is performed
  • CVE-2004-0747 — substitution overflow: buffer overflow using expansion of environment variables
  • CVE-2005-2103 — substitution overflow: buffer overflow using a large number of substitution strings
  • CVE-2005-3120 — transformation overflow: product adds extra escape characters to incoming data, but does not account for them in the buffer length
  • CVE-2003-0899 — transformation overflow: buffer overflow when expanding ">" to "&gt;", etc.
  • CVE-2001-0334 — expansion overflow: buffer overflow using wildcards
  • CVE-2001-0248 — expansion overflow: long pathname + glob = overflow
  • CVE-2001-0249 — expansion overflow: long pathname + glob = overflow
  • CVE-2002-0184 — special characters in argument are not properly expanded


Source: MITRE CWE. View on cwe.mitre.org →
