LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What was the Cloudbleed vulnerability and what programming error caused it?

A buffer over-read in Cloudflare's HTML parser (2017) caused by a boundary check using == instead of >= — a skipped-past pointer leaked other customers' data.

It was a buffer over-read in Cloudflare's HTML parser (2017) that leaked memory from other customers' requests.

The bug: Boundary check used == instead of >=:

// pointer equals end?
if (++p == pe)
    goto end;

If the pointer jumped past the end (++p > pe), the check failed and parsing continued into adjacent memory.

Trigger: Malformed HTML like <script type= at page end.

Impact:

  • Leaked data from unrelated websites sharing the same server
  • Passwords, API keys, cookies, POST body data
  • Search engines cached some leaked content

Lesson: Boundary checks must use >= not ==. Always consider what happens if values skip past expected boundaries.

Go deeper:

  • doc Cloudbleed (Wikipedia) — the 2017 Cloudflare buffer over-read, the == vs >= pointer bug, and the cached-leak fallout.

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 05, 2026