Quiz Entry - updated: 2026.07.05
What was the Cloudbleed vulnerability and what programming error caused it?
A buffer over-read in Cloudflare's HTML parser (2017) caused by a boundary check using == instead of >= — a skipped-past pointer leaked other customers' data.
It was a buffer over-read in Cloudflare's HTML parser (2017) that leaked memory from other customers' requests.
The bug: Boundary check used == instead of >=:
// pointer equals end?
if (++p == pe)
goto end;
If the pointer jumped past the end (++p > pe), the check failed and parsing continued into adjacent memory.
Trigger: Malformed HTML like <script type= at page end.
Impact:
- Leaked data from unrelated websites sharing the same server
- Passwords, API keys, cookies, POST body data
- Search engines cached some leaked content
Lesson: Boundary checks must use >= not ==. Always consider what happens if values skip past expected boundaries.
Go deeper:
Cloudbleed (Wikipedia) — the 2017 Cloudflare buffer over-read, the == vs >= pointer bug, and the cached-leak fallout.