CWE-129: Improper Validation of Array Index

low-risk

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
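The difference between an incorrectly validated and a correctly validated index, shown as an added example that is not part of the CWE entry. The names `table`, `flawed_check`, `valid_index` and `lookup` and the sample inputs are hypothetical, constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define TABLE_LEN 4
static const int table[TABLE_LEN] = {10, 20, 30, 40}; /* constructed sample data */

/* Incorrect validation: only the upper bound is checked, so a negative
 * signed index is accepted. Returns 1 if the check would let idx through. */
int flawed_check(int idx)
{
    return idx < TABLE_LEN;
}

/* Correct validation: reject negatives first, then compare as unsigned. */
int valid_index(long idx, size_t len)
{
    return idx >= 0 && (unsigned long)idx < len;
}

/* Parse an untrusted decimal string and fetch table[idx].
 * Returns 0 on success, -1 if the text is not a valid in-range index. */
int lookup(const char *text, int *out)
{
    char *end;
    long idx;
    errno = 0;
    idx = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE)
        return -1;                 /* not a number, trailing junk, or overflow */
    if (!valid_index(idx, TABLE_LEN))
        return -1;                 /* outside [0, TABLE_LEN) */
    *out = table[idx];
    return 0;
}

int main(void)
{
    const char *inputs[] = {"2", "-1", "4", "99999999999999999999", "1x"};
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v;
        if (lookup(inputs[i], &v) == 0)
            printf("%s -> %d\n", inputs[i], v);
        else
            printf("%s -> rejected\n", inputs[i]);
    }
    return 0;
}
```

Building the program with `-fsanitize=address` adds the runtime check described under Detection Methods, so an index that slips past validation is reported instead of silently reading adjacent memory.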

Abstraction: Variant

Common Consequences

Scope            Impact
Integrity        DoS: Crash, Exit, or Restart
Integrity        Modify Memory
Confidentiality  Modify Memory
Integrity        Execute Unauthorized Code or Commands
Integrity        DoS: Crash, Exit, or Restart

Detection Methods

Automated Static Analysis

This weakness can often be detected using automated static analysis tools. Many modern tools use data flow analysis or constraint-based techniques to minimize the number of false positives. Automated static analysis generally does not account for environmental considerations when reporting out-of-bounds memory operations. This can make it difficult for users to determine which warnings should be investigated first. For example, an analysis tool might report array index errors that originate from command line arguments in a program that is not expected to run with setuid or other special privileges.

Automated Dynamic Analysis

This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Automated Dynamic Analysis

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Black Box

Black box methods might not get the needed code coverage within limited time constraints, and a dynamic test might not produce any noticeable side effects even if it is successful.

Real-World Examples (10)

CVE             CVSS  EPSS   KEV
CVE-2023-40477  7.8   92.8%
CVE-2022-35737  7.5   51.9%
CVE-2021-35598  6.3   39.3%
CVE-2021-35594  6.3   39.3%
CVE-2017-8797   7.5   30.4%
CVE-2021-35592  6.3   28.6%
CVE-2020-11881  7.5   21.2%
CVE-2020-10071  9.0   13.9%
CVE-2018-12018  7.5   12.2%
CVE-2022-21310  6.3   11.4%

2 / 100 · low-risk
Active Threat 2/50 · Minimal
Exploit Availability 0/50 · Minimal