Common Weakness Enumeration

CWE-190

Allowed

Integer Overflow or Wraparound

Abstraction: Base · Status: Stable

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

3867 vulnerabilities reference this CWE, most recent first.

GHSA-83QJ-G77R-3P2V

Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01
VLAI
Details

In ged, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05838808; Issue ID: ALPS05838808.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-20075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-11T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "In ged, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05838808; Issue ID: ALPS05838808.",
  "id": "GHSA-83qj-g77r-3p2v",
  "modified": "2022-04-19T00:01:22Z",
  "published": "2022-04-12T00:00:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20075"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83R8-F922-M96H

Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28
VLAI
Details

An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in setPrices() then the "amount * sellPrice" will cause an integer overflow in sell().

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-14086"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-16T02:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "An issue was discovered in a smart contract implementation for SingaporeCoinOrigin (SCO), an Ethereum token. The contract has an integer overflow. If the owner sets the value of sellPrice to a large number in setPrices() then the \"amount * sellPrice\" will cause an integer overflow in sell().",
  "id": "GHSA-83r8-f922-m96h",
  "modified": "2022-05-13T01:28:19Z",
  "published": "2022-05-13T01:28:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14086"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hellowuzekai/blockchains/blob/master/overflow1.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-83RC-G55P-8XJ2

Vulnerability from github – Published: 2025-09-29 18:33 – Updated: 2025-09-29 21:30
VLAI
Details

An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51495"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121",
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-29T17:15:31Z",
    "severity": "HIGH"
  },
  "details": "An integer overflow vulnerability exists in the WebSocket component of Mongoose 7.5 thru 7.17. By sending a specially crafted WebSocket request, an attacker can cause the application to crash. If downstream vendors integrate this component improperly, the issue may lead to a buffer overflow.",
  "id": "GHSA-83rc-g55p-8xj2",
  "modified": "2025-09-29T21:30:25Z",
  "published": "2025-09-29T18:33:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mongoose/pull/3131"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cainiao159357/CVE-2025-51495"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mongoose"
    },
    {
      "type": "WEB",
      "url": "http://mongoose.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-842M-39Q2-7225

Vulnerability from github – Published: 2022-05-14 03:03 – Updated: 2022-05-14 03:03
VLAI
Details

The mintToken function of a smart contract implementation for HRWtoken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13501"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-09T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "The mintToken function of a smart contract implementation for HRWtoken, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
  "id": "GHSA-842m-39q2-7225",
  "modified": "2022-05-14T03:03:36Z",
  "published": "2022-05-14T03:03:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13501"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/HRWtoken"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-849W-6CW8-9P7M

Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2022-05-24 17:24
VLAI
Details

There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn't verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-07-31T22:15:00Z",
    "severity": "LOW"
  },
  "details": "There is an issue on grub2 before version 2.06 at function read_section_as_string(). It expects a font name to be at max UINT32_MAX - 1 length in bytes but it doesn\u0027t verify it before proceed with buffer allocation to read the value from the font value. An attacker may leverage that by crafting a malicious font file which has a name with UINT32_MAX, leading to read_section_as_string() to an arithmetic overflow, zero-sized allocation and further heap-based buffer overflow.",
  "id": "GHSA-849w-6cw8-9p7m",
  "modified": "2022-05-24T17:24:50Z",
  "published": "2022-05-24T17:24:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14310"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14310"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202104-05"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4432-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-84GJ-XH42-WP59

Vulnerability from github – Published: 2023-04-19 21:30 – Updated: 2024-04-04 03:35
VLAI
Details

In PVRSRVBridgePhysmemNewRamBackedLockedPMR of the PowerVR kernel driver, a missing size check means there is a possible integer overflow that could allow out-of-bounds heap access. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-270400229

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-0876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-19T20:15:10Z",
    "severity": "HIGH"
  },
  "details": "In PVRSRVBridgePhysmemNewRamBackedLockedPMR of the PowerVR kernel driver, a missing size check means there is a possible integer overflow that could allow out-of-bounds heap access. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-270400229",
  "id": "GHSA-84gj-xh42-wp59",
  "modified": "2024-04-04T03:35:30Z",
  "published": "2023-04-19T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0876"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2023-04-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-84JC-3HJ2-HWC7

Vulnerability from github – Published: 2026-05-06 23:39 – Updated: 2026-05-06 23:39
VLAI
Summary
kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input
Details

Summary

The POST /v1/domain/_image and POST /v1/oauth2/{rs_name}/_image handlers call validate_image() on the uploaded body before the ACL check that restricts image upload to admins. Any bug in an image validator is therefore reachable by an unauthenticated remote client rather than being admin-gated.

One such bug exists today: png_has_trailer() panics on inputs shorter than 8 bytes, or whose first chunk-length field is near u32::MAX.

On a default build this has no server-wide impact. The panic unwinds only the requester's own tokio task; the server process survives, no shared state is poisoned, and other connections are unaffected. This was reported privately rather than as a public issue because (a) the project previously treated an admin-triggered thread crash of identical impact as security-relevant (e51d0dee4), and this is reachable by a broader population; and (b) a downstream build with panic = "abort" would upgrade it to an unauthenticated process-crash DoS.

Details

Validate-before-authorize ordering

Both handlers parse and validate attacker-controlled bytes before checking whether the caller is permitted to upload at all:

  • server/core/src/https/v1_domain.rs:118image.validate_image() runs; handle_image_update(client_auth_info, …) (the ACL check) is at line 129.
  • server/core/src/https/v1_oauth2.rs:550 — same ordering.

The VerifiedClientInformation extractor (server/core/src/https/extractors/mod.rs:18-90) always returns Ok — it builds a ClientAuthInfo from whatever credentials are present (including none) and does not reject anonymous callers. Authorization is deferred to handle_image_update(), which is never reached if the validator panics or errors first.

PNG validator panic (demonstrator)

validate_image() (server/lib/src/valueset/image/mod.rs:98) checks only a 256 KiB maximum size, not a minimum, before dispatching to the format-specific validator.

Short inputserver/lib/src/valueset/image/png.rs:73-76:

pub fn png_has_trailer(contents: &Vec<u8>) -> Result<bool, ImageValidationError> {
    let buf = contents.as_slice();
    let (magic, buf) = buf.split_at(PNG_PRELUDE.len()); // 8; panics if len < 8

Chunk-length overflowserver/lib/src/valueset/image/png.rs:46,53:

if buf.len() < (length + 4) as usize {   // length: u32; wraps before the usize cast
    ...
}
let (_, buf) = buf.split_at(length as usize);   // panics for length ≈ u32::MAX

In a release build 0xFFFF_FFFC + 4 wraps to 0, the guard passes, and split_at panics.

PoC

printf '\x89PNG' > /tmp/short.png
curl -sk https://$KANIDM_HOST/v1/domain/_image \
     -F 'image=@/tmp/short.png;type=image/png;filename=x.png'
# → connection reset / empty reply; server process remains up

Unit-test confirmation (cargo test -p kanidmd_lib --lib):

#[test]
fn audit_png_short_input_panics() {
    let short = vec![0x89u8, 0x50, 0x4e, 0x47];
    assert!(std::panic::catch_unwind(|| png_has_trailer(&short)).is_err());
}

#[test]
fn audit_png_chunk_length_overflow_panics() {
    let mut data = vec![0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
    data.extend_from_slice(&[0xFF, 0xFF, 0xFF, 0xFD]);
    data.extend_from_slice(b"IHDR");
    data.extend_from_slice(&[0u8; 8]);
    assert!(std::panic::catch_unwind(|| png_has_trailer(&data)).is_err());
}

Both tests pass (i.e. both inputs panic).

Impact

The only party affected is the requester, whose own connection is dropped. Repeating the request has no cumulative effect beyond ordinary request load.

On the upstream build:

  • Each connection runs in its own tokio::task::spawn (server/core/src/https/mod.rs:481); the accept loop continues after a task panic.
  • No panic = "abort" in any workspace [profile.*].
  • No Mutex/RwLock held across the call site; nothing is poisoned.
  • The panic occurs before any write actor is messaged; no DB or replication state is touched.

Residual risk: a downstream packager that sets panic = "abort" (or links code that installs an abort handler) would see a full unauthenticated process crash. (No such packager is known)

Affected: v1.1.0-rc.15 (introduced in e7f594a1c, #2112) through master @ edf50b9da.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "kanidmd_lib"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-20",
      "CWE-696"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:39:14Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe `POST /v1/domain/_image` and `POST /v1/oauth2/{rs_name}/_image` handlers call `validate_image()` on the uploaded body **before** the ACL check that restricts image upload to admins. Any bug in an image validator is therefore reachable by an unauthenticated remote client rather than being admin-gated.\n\nOne such bug exists today: `png_has_trailer()` panics on inputs shorter than 8 bytes, or whose first chunk-length field is near `u32::MAX`.\n\n**On a default build this has no server-wide impact.** The panic unwinds only the requester\u0027s own tokio task; the server process survives, no shared state is poisoned, and other connections are unaffected. This was reported privately rather than as a public issue because (a) the project previously treated an admin-triggered thread crash of identical impact as security-relevant (e51d0dee4), and this is reachable by a broader population; and (b) a downstream build with `panic = \"abort\"` would upgrade it to an unauthenticated process-crash DoS.\n\n### Details\n\n#### Validate-before-authorize ordering\n\nBoth handlers parse and validate attacker-controlled bytes before checking whether the caller is permitted to upload at all:\n\n- `server/core/src/https/v1_domain.rs:118` \u2014 `image.validate_image()` runs; `handle_image_update(client_auth_info, \u2026)` (the ACL check) is at line 129.\n- `server/core/src/https/v1_oauth2.rs:550` \u2014 same ordering.\n\nThe `VerifiedClientInformation` extractor (`server/core/src/https/extractors/mod.rs:18-90`) always returns `Ok` \u2014 it builds a `ClientAuthInfo` from whatever credentials are present (including none) and does not reject anonymous callers. Authorization is deferred to `handle_image_update()`, which is never reached if the validator panics or errors first.\n\n#### PNG validator panic (demonstrator)\n\n`validate_image()` (`server/lib/src/valueset/image/mod.rs:98`) checks only a 256 KiB maximum size, not a minimum, before dispatching to the format-specific validator.\n\n**Short input** \u2014 `server/lib/src/valueset/image/png.rs:73-76`:\n\n```rust\npub fn png_has_trailer(contents: \u0026Vec\u003cu8\u003e) -\u003e Result\u003cbool, ImageValidationError\u003e {\n    let buf = contents.as_slice();\n    let (magic, buf) = buf.split_at(PNG_PRELUDE.len()); // 8; panics if len \u003c 8\n```\n\n**Chunk-length overflow** \u2014 `server/lib/src/valueset/image/png.rs:46,53`:\n\n```rust\nif buf.len() \u003c (length + 4) as usize {   // length: u32; wraps before the usize cast\n    ...\n}\nlet (_, buf) = buf.split_at(length as usize);   // panics for length \u2248 u32::MAX\n```\n\nIn a release build `0xFFFF_FFFC + 4` wraps to `0`, the guard passes, and `split_at` panics.\n\n### PoC\n\n```sh\nprintf \u0027\\x89PNG\u0027 \u003e /tmp/short.png\ncurl -sk https://$KANIDM_HOST/v1/domain/_image \\\n     -F \u0027image=@/tmp/short.png;type=image/png;filename=x.png\u0027\n# \u2192 connection reset / empty reply; server process remains up\n```\n\nUnit-test confirmation (`cargo test -p kanidmd_lib --lib`):\n\n```rust\n#[test]\nfn audit_png_short_input_panics() {\n    let short = vec![0x89u8, 0x50, 0x4e, 0x47];\n    assert!(std::panic::catch_unwind(|| png_has_trailer(\u0026short)).is_err());\n}\n\n#[test]\nfn audit_png_chunk_length_overflow_panics() {\n    let mut data = vec![0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];\n    data.extend_from_slice(\u0026[0xFF, 0xFF, 0xFF, 0xFD]);\n    data.extend_from_slice(b\"IHDR\");\n    data.extend_from_slice(\u0026[0u8; 8]);\n    assert!(std::panic::catch_unwind(|| png_has_trailer(\u0026data)).is_err());\n}\n```\n\nBoth tests pass (i.e. both inputs panic).\n\n### Impact\n\nThe only party affected is the requester, whose own connection is dropped. Repeating the request has no cumulative effect beyond ordinary request load.\n\nOn the upstream build:\n\n- Each connection runs in its own `tokio::task::spawn` (`server/core/src/https/mod.rs:481`); the accept loop continues after a task panic.\n- No `panic = \"abort\"` in any workspace `[profile.*]`.\n- No `Mutex`/`RwLock` held across the call site; nothing is poisoned.\n- The panic occurs before any write actor is messaged; no DB or replication state is touched.\n\n**Residual risk:** a downstream packager that sets `panic = \"abort\"` (or links code that installs an abort handler) would see a full unauthenticated process crash. (No such packager is known)\n\n**Affected:** v1.1.0-rc.15 (introduced in e7f594a1c, #2112) through `master` @ edf50b9da.",
  "id": "GHSA-84jc-3hj2-hwc7",
  "modified": "2026-05-06T23:39:14Z",
  "published": "2026-05-06T23:39:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kanidm/kanidm/security/advisories/GHSA-84jc-3hj2-hwc7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kanidm/kanidm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "kanidmd_lib: Image upload validators run before authorization; PNG validator panics on malformed input"
}

GHSA-84M3-F99P-CQX5

Vulnerability from github – Published: 2025-08-08 00:30 – Updated: 2026-05-07 13:24
VLAI
Summary
ExecuTorch integer overflow vulnerability
Details

An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "executorch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.pytorch:executorch-android"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "SwiftURL",
        "name": "github.com/pytorch/executorch"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30405"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T18:49:11Z",
    "nvd_published_at": "2025-08-07T23:15:26Z",
    "severity": "CRITICAL"
  },
  "details": "An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73.",
  "id": "GHSA-84m3-f99p-cqx5",
  "modified": "2026-05-07T13:24:36Z",
  "published": "2025-08-08T00:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pytorch/executorch/commit/0830af8207240df8d7f35b984cdf8bc35d74fa73"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pytorch/executorch"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2025-30405"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ExecuTorch integer overflow vulnerability"
}

GHSA-84M6-5M72-45FP

Vulnerability from github – Published: 2025-04-07 18:59 – Updated: 2025-04-08 17:50
VLAI
Summary
Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow
Details

Impact

Summary

A vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow.

Details

The operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments.

Fix/Mitigation

Logic was updated to ensure counter overflow is handled correctly and does not wrap around to 0.

Patches

This has been remediated in apollo-router versions 1.61.2 and 2.1.1.

Workarounds

The only known workaround is "Safelisting" or "Safelisting with IDs only" per Safelisting with Persisted Queries - Apollo GraphQL Docs.

Acknowledgements

We appreciate the efforts of the security community in identifying and improving the performance and security of operation limiting mechanisms.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "apollo-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.61.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "apollo-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0-alpha.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-07T18:59:21Z",
    "nvd_published_at": "2025-04-07T21:15:43Z",
    "severity": "HIGH"
  },
  "details": "# Impact\n\n## Summary\n\nA vulnerability in Apollo Router allowed certain queries to bypass configured operation limits, specifically due to integer overflow.\n\n## Details\n\nThe operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query\u0027s height). If a counter exceeded the maximum value for this data type (4,294,967,295), it wrapped around to 0, unintentionally allowing queries to bypass configured thresholds. This could occur for large queries if the payload limit were sufficiently increased, but could also occur for small queries with deeply nested and reused named fragments.\n\n## Fix/Mitigation\n\nLogic was updated to ensure counter overflow is handled correctly and does not wrap around to 0.\n\n# Patches\n\nThis has been remediated in `apollo-router` versions 1.61.2 and 2.1.1.\n\n# Workarounds\n\nThe only known workaround is \"Safelisting\" or \"Safelisting with IDs only\" per [Safelisting with Persisted Queries - Apollo GraphQL Docs](https://www.apollographql.com/docs/graphos/routing/security/persisted-queries#router-security-levels).\n\n## Acknowledgements\n\nWe appreciate the efforts of the security community in identifying and improving the performance and security of operation limiting mechanisms.",
  "id": "GHSA-84m6-5m72-45fp",
  "modified": "2025-04-08T17:50:40Z",
  "published": "2025-04-07T18:59:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/security/advisories/GHSA-84m6-5m72-45fp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/commit/ab6675a63174715ea6ff50881fc957831d4e9564"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apollographql/router/commit/bba032e183b861348a466d3123c7137a1ae18952"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apollographql/router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo Router Operation Limits Vulnerable to Bypass via Integer Overflow"
}

GHSA-84M9-RVCG-7JV7

Vulnerability from github – Published: 2024-09-02 12:30 – Updated: 2024-09-02 12:30
VLAI
Details

Memory corruption while calculating total metadata size when a very high reserved size is requested by gralloc clients.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33035"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-02T12:15:16Z",
    "severity": "HIGH"
  },
  "details": "Memory corruption while calculating total metadata size when a very high reserved size is requested by gralloc clients.",
  "id": "GHSA-84m9-rvcg-7jv7",
  "modified": "2024-09-02T12:30:45Z",
  "published": "2024-09-02T12:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33035"
    },
    {
      "type": "WEB",
      "url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
  • Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Implementation

Strategy: Input Validation

  • Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
  • Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
Implementation
  • Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
  • Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-26
Implementation

Strategy: Compilation or Build Hardening

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.