Bounds check vulnerabilities in CVE-Agent-Bench

Bounds check vulnerabilities occur when code accesses an array or buffer without verifying that the index is within valid limits. A program may allocate space for 10 items but attempt to access item 15, causing a read or write past the allocated boundary.

What makes bounds check vulnerabilities common

164 evaluations in CVE-Agent-Bench contain bounds check issues. This category represents the most formulaic fix pattern across the benchmark: add a size comparison before the access.

The vulnerability typically appears in loops where an iterator variable exceeds array bounds, pointer arithmetic where offsets are not validated, or external input used as an array index without range checking.

Projects with many bounds check samples include harfbuzz (font rendering), libarchive (archive handling), blosc (compression), and libjxl (image codec). These projects process untrusted input from files and network sources, making bounds validation critical.

The fix pattern

Bounds check vulnerabilities follow a consistent repair pattern. Before accessing array element at index i, add a check: "if i is greater than or equal to array length, skip the access" or "if i is less than zero, skip the access."

The fix often requires only one or two additional lines: an if-statement that compares the index against the array size, then branches to skip the dangerous access or return an error. Some fixes insert a bounds calculation earlier in the function to prevent the issue from arising in the first place.

Agent performance on bounds checks

Bounds check fixes are among the most reliably fixed by agents across the benchmark. The pattern is mechanical and does not require deep understanding of program semantics. Agents perform above the overall benchmark average on these samples because the fix is straightforward.

Agents that struggle on bounds checks tend to either skip the validation entirely (implementing the function without adding the guard) or add the validation in the wrong location (checking bounds after the dangerous access instead of before). Some agents correctly identify the issue but implement off-by-one errors in the boundary condition.

Comparison to other vulnerability types

Bounds checks represent the easiest category in the benchmark. They contrast sharply with logic fixes, where agents must reason about program correctness, or allocation fixes, where agents must understand memory management semantics.

The high pass rate on bounds checks demonstrates that agents excel at adding explicit safety checks. They struggle more with reasoning about whether code will execute correctly after applying a fix, or with understanding subtle semantic issues in program logic.

Explore more

• Agent leaderboard, See which agents handle bounds checks best
• Bug complexity analysis, Understand the difficulty distribution across all samples
• Agent strategies, How different agents approach these repairs
• Methodology, How bounds checks are scored and verified