This weakness occurs when a program uses user-supplied input as an array index without checking whether that index is within the valid range of the array. An attacker can supply an out-of-bounds index to read or write memory outside the intended array, potentially exposing sensitive data, corrupting program state, or triggering a crash.
02 How It Happens
Arrays have fixed sizes and valid index ranges (typically 0 to length-1). When code accepts user input and uses it directly as an array index without validation, an attacker can supply a negative number, zero where the array is meant to be indexed from one, or a number larger than the array's size. The program then accesses memory at an unintended location. This is especially dangerous in languages like C and C++ where bounds checking is not automatic, but it can also occur in higher-level languages if developers assume input is safe or fail to validate it.
The root cause is a gap between the set of indices a programmer intended to allow and the set of indices the code actually permits. This gap is often created by missing or incomplete validation logic, or by assumptions about input that turn out to be false.
03 Real-World Impact
Out-of-bounds array access can lead to information disclosure (reading sensitive data from adjacent memory), memory corruption (writing to unintended locations), denial of service (triggering a segmentation fault or exception), or in some cases, code execution if the attacker can overwrite function pointers or other critical data structures. The severity depends on what data or code lies adjacent to the array in memory and whether the access is read or write.
04 Vulnerable & Fixed Patterns
Vulnerable pattern
def get_user_data(user_id):
    users = ["alice", "bob", "charlie"]
    # user_id comes directly from user input without validation
    return users[user_id]

# Attacker supplies user_id = 10 or user_id = -5
result = get_user_data(int(input("Enter user ID: ")))
Why it's vulnerable: The function does not check whether user_id is within the valid range [0, 2]. An index of 3 or more raises an IndexError (denial of service), while a negative index such as -1 does not raise at all in Python: it silently counts from the end of the list and returns "charlie", so the caller receives data it was never meant to see.
Fixed pattern
def get_user_data(user_id):
    users = ["alice", "bob", "charlie"]
    # Validate the index before use
    if not isinstance(user_id, int) or user_id < 0 or user_id >= len(users):
        raise ValueError("Invalid user ID")
    return users[user_id]

result = get_user_data(int(input("Enter user ID: ")))
Vulnerable pattern
<?php
$products = ["widget", "gadget", "tool"];
$product_id = $_GET["id"]; // No validation
// Direct array access with untrusted input
echo "Product: " . $products[$product_id];
?>
Why it's vulnerable: The $product_id from the query string is used directly as an array key without checking its type or range. An attacker can supply a negative index, a string, or an out-of-bounds integer.
Validate all user input before using it as an array index. Check that it is the correct type (integer, not string or float) and within the valid range [0, array_length - 1].
Use allowlisting where possible. If the index should only be one of a known set of values, compare against that set explicitly rather than relying on range checks alone.
Prefer named keys or dictionaries over numeric indices when the mapping is semantic (e.g., use user["name"] instead of user[0]), reducing the risk of off-by-one errors.
Use language features that enforce bounds checking. In Python, catch the IndexError that an out-of-range index raises (remembering that negative indices do not raise, so they still need an explicit check); in PHP, use isset() or array_key_exists() before access.
Log and alert on validation failures. If an out-of-bounds index is supplied, log it as a potential attack and reject the request.
Test with boundary values. Include test cases for negative indices, zero, the maximum valid index, and values beyond the array size.
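The prevention steps above (type and range validation, allowlisting, logging rejected input, and boundary-value testing) combined into one hardened lookup, as an added example that is not part of the original page. The USERS and PRODUCTS lists mirror the page's sample arrays; the PUBLIC_PRODUCT_IDS allowlist and the parse_index, get_user, get_product and boundary_table names are assumptions made for this example. Input is accepted as a string so the same validator covers a query-string value like PHP's $_GET["id"].

```python
import logging

logger = logging.getLogger("array_index")

# Constructed sample data standing in for the page's users and products arrays.
USERS = ["alice", "bob", "charlie"]
PRODUCTS = ["widget", "gadget", "tool"]
# Hypothetical allowlist: only some product slots are meant to be reachable.
PUBLIC_PRODUCT_IDS = frozenset({0, 2})


class InvalidIndexError(ValueError):
    """Raised when untrusted input is not a usable, in-range array index."""


def parse_index(raw, length):
    """Convert untrusted input into a validated index in [0, length - 1].

    Accepts an int or a string of ASCII digits (what a query string such as
    PHP's $_GET["id"] delivers). Rejects bool (a subclass of int in Python),
    float, negative values (Python would otherwise silently index from the
    end of the list) and anything >= length.
    """
    if isinstance(raw, bool):
        raise InvalidIndexError("boolean is not an index")
    if isinstance(raw, str):
        # isdigit() excludes "-", "+", spaces, "1.0" and "1e3"; it does accept
        # some non-ASCII digit characters, so require ASCII as well.
        if not (raw.isascii() and raw.isdigit()):
            raise InvalidIndexError(f"not a non-negative integer: {raw!r}")
        raw = int(raw)
    if not isinstance(raw, int):
        raise InvalidIndexError(f"unsupported index type {type(raw).__name__}")
    if raw < 0 or raw >= length:
        raise InvalidIndexError(f"index {raw} outside [0, {length - 1}]")
    return raw


def get_user(raw_id, users=USERS):
    """Hardened lookup: validate first, log the reject, then index."""
    try:
        idx = parse_index(raw_id, len(users))
    except InvalidIndexError as exc:
        # Validation failures are worth alerting on: they are often probes.
        logger.warning("rejected user index %r: %s", raw_id, exc)
        raise
    return users[idx]


def get_product(raw_id, products=PRODUCTS, allowed=PUBLIC_PRODUCT_IDS):
    """Allowlist variant: the index must also be one of a known set."""
    idx = parse_index(raw_id, len(products))
    if idx not in allowed:
        logger.warning("index %d is in range but not allowlisted", idx)
        raise InvalidIndexError(f"index {idx} not in allowlist")
    return products[idx]


def rejects(raw, lookup=get_user):
    """True if the lookup refuses the input instead of indexing with it."""
    try:
        lookup(raw)
    except InvalidIndexError:
        return True
    return False


def boundary_table(items=USERS):
    """Outcome for the boundary values the page says to test with."""
    cases = ["-1", "0", str(len(items) - 1), str(len(items)), "10",
             "1.0", "abc", True, 1.5]
    table = {}
    for case in cases:
        try:
            table[repr(case)] = get_user(case, items)
        except InvalidIndexError:
            table[repr(case)] = "rejected"
    return table


if __name__ == "__main__":
    for case, outcome in boundary_table().items():
        print(f"{case:>8} -> {outcome}")
```

The contrast worth noticing is "-1": the page's vulnerable pattern would return "charlie" for it without any error, while parse_index refuses it before the list is touched. The boolean case matters because isinstance(True, int) is True in Python, so a check that only tests for int would let True through as index 1.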
06 Signs You May Already Be Affected
Look for unexpected crashes or error logs containing "index out of bounds," "segmentation fault," or similar messages correlated with specific user input patterns. Check application logs for repeated attempts to access array indices with unusual values (very large numbers, negative numbers, or non-numeric strings where integers are expected). If you see memory corruption symptoms or unexplained data changes in adjacent data structures, an out-of-bounds write may be occurring.
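A small log scanner that applies the indicators above, as an added example rather than anything from the original page: it flags the error strings the page names and classifies id parameters as negative, non-numeric, out-of-range or very large, then counts both per source address. The log lines, the request format, the source addresses and the 10,000 "very large" threshold are all constructed for this example; the scan_log, classify_id and sources_to_alert names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from any real system) mixing normal
# traffic with the error and probe patterns the page says to look for.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO  GET /user?id=1 from 203.0.113.5 -> 200
2024-05-01T10:00:02Z ERROR GET /user?id=10 from 203.0.113.5 -> IndexError: list index out of range
2024-05-01T10:00:03Z ERROR GET /user?id=-5 from 203.0.113.5 -> IndexError: list index out of range
2024-05-01T10:00:04Z WARN  GET /product?id=abc from 203.0.113.5 -> Undefined array key "abc"
2024-05-01T10:00:05Z INFO  GET /user?id=2 from 198.51.100.7 -> 200
2024-05-01T10:00:06Z ERROR GET /user?id=99999999 from 203.0.113.5 -> IndexError: list index out of range
2024-05-01T10:00:07Z ERROR worker[3] Segmentation fault (core dumped) after request from 203.0.113.5
"""

# Error messages typical of out-of-bounds access across runtimes.
ERROR_PATTERNS = re.compile(
    r"index out of (?:range|bounds)|IndexError|Undefined array key|"
    r"Segmentation fault|ArrayIndexOutOfBoundsException",
    re.IGNORECASE,
)
# The index-carrying parameter and the request source, as used in SAMPLE_LOG.
ID_PARAM = re.compile(r"[?&]id=([^&\s]+)")
SOURCE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3})")


def classify_id(value, largest_valid=None, huge=10_000):
    """Label a supplied index as one of the page's unusual categories or 'normal'."""
    if not (value.isascii() and value.isdigit()):
        if value.startswith("-") and value[1:].isdigit():
            return "negative"
        return "non-numeric"
    n = int(value)
    if largest_valid is not None and n > largest_valid:
        return "out-of-range"
    if n > huge:
        return "very-large"
    return "normal"


def scan_log(text, largest_valid=None):
    """Count bounds errors and unusual index values per source address.

    largest_valid is the highest legitimate index when the array size is
    known; without it only the absolute 'very large' threshold applies.
    """
    findings = defaultdict(Counter)
    for line in text.splitlines():
        src_match = SOURCE.search(line)
        src = src_match.group(1) if src_match else "unknown"
        if ERROR_PATTERNS.search(line):
            findings[src]["bounds_error"] += 1
        id_match = ID_PARAM.search(line)
        if id_match:
            label = classify_id(id_match.group(1), largest_valid)
            if label != "normal":
                findings[src][label] += 1
    return {src: dict(counts) for src, counts in findings.items()}


def sources_to_alert(findings, min_events=3):
    """Sources whose combined error and unusual-index events reach the threshold."""
    return sorted(src for src, counts in findings.items()
                  if sum(counts.values()) >= min_events)


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG, largest_valid=2)
    for src, counts in report.items():
        print(src, counts)
    print("alert:", sources_to_alert(report))
```

Correlating the error strings with the supplied values is the point: a single IndexError in the logs is noise, but five bounds errors plus negative, non-numeric and out-of-range ids from one source within seconds is the "repeated attempts" pattern the section describes, and the segmentation fault line is the same source tripping a lower-level crash.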