CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3869 vulnerabilities reference this CWE, most recent first.
GHSA-C8RR-9GXC-JPRV
Vulnerability from github – Published: 2026-03-18 13:01 – Updated: 2026-03-20 21:19Summary
ujson.dumps() crashes the Python interpreter (segmentation fault) when the product of the indent parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the indent is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.
(Note: A negative indent to ujson means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)
Exploitability
To be vulnerable, a service must call ujson.dump()/ujson.dumps()/ujson.encode() whilst giving untrusted users control over the indent parameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)
A service may also be vulnerable to the infinite loop if it uses a fixed negative indent. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.
Example
import ujson
def example(depth, indent):
a = [0]
for i in range(1000):
a = [a]
ujson.dumps(a, indent=indent)
example(1, 2**30) # segfault
example(1000, -200) # infinite loop
Patches
ujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the indent parameter.
Workarounds
Users who don't wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below 2**31 / max_recursion_depth_as_limited_by_stack_size).
References
The original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700
This issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.11.0"
},
"package": {
"ecosystem": "PyPI",
"name": "ujson"
},
"ranges": [
{
"events": [
{
"introduced": "5.1.0"
},
{
"fixed": "5.12.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32875"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-787",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-18T13:01:24Z",
"nvd_published_at": "2026-03-20T02:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`ujson.dumps()` crashes the Python interpreter (segmentation fault) when the product of the `indent` parameter and the nested depth of the input exceeds INT32_MAX. It can also get stuck in an infinite loop if the `indent` is a large negative number. Both are caused by an integer overflow/underflow whilst calculating how much memory to reserve for indentation. And both can be used to achieve denial of service.\n\n(Note: A negative indent to `ujson` means add spaces after colons but do not add line breaks or indentation. It is unclear to the current maintainers whether this was ever even an intended feature or just a byproduct of the way it was written.)\n\n### Exploitability\n\nTo be vulnerable, a service must call `ujson.dump()`/`ujson.dumps()`/`ujson.encode()` whilst giving untrusted users control over the `indent` parameter and not restrict that indentation to reasonably small non-negative values. (Even with the fix for this vulnerability, such usage is strongly advised against since even a bug-free JSON serialiser would be vulnerable to denial of service simply by the attacker requesting indents that have the server needlessly filling out gigabytes of whitespace.)\n\nA service may also be vulnerable to the infinite loop if it uses a fixed _negative_ `indent`. An underflow always occurs for any negative indent when the input data is at least one level nested but, for small negative indents, the underflow is usually accidentally rectified by another overflow. As far as the maintainers are aware, the infinite loop can not be reached for indentations from -1 to -65536 / max_recursion_depth_as_limited_by_stack_size but users of negative indents are encouraged to consider their service affected even if the infinite loop seems unreachable.\n\n### Example\n\n```python\nimport ujson\n\ndef example(depth, indent):\n a = [0]\n for i in range(1000):\n a = [a]\n ujson.dumps(a, indent=indent)\n\nexample(1, 2**30) # segfault\nexample(1000, -200) # infinite loop\n```\n\n### Patches\n\nujson 5.12.0, containing 486bd4553dc471a1de11613bc7347a6b318e37ea, promotes the integer types where the overflow occurred, skips the indentation code path for negative indent (which was supposed to be a no-op) and places an artificial cap of 1000 on the `indent` parameter.\n\n### Workarounds\n\nUsers who don\u0027t wish to upgrade can either use a fixed indentation, no indentation or ensure indentation is non-negative and not enormous (below `2**31 / max_recursion_depth_as_limited_by_stack_size`).\n\n### References\n\nThe original bug report can be found at https://github.com/ultrajson/ultrajson/issues/700\n\nThis issue was independently discovered by @coco1629, @EthanKim88 and @vmfunc.",
"id": "GHSA-c8rr-9gxc-jprv",
"modified": "2026-03-20T21:19:56Z",
"published": "2026-03-18T13:01:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/security/advisories/GHSA-c8rr-9gxc-jprv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32875"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/issues/700"
},
{
"type": "WEB",
"url": "https://github.com/ultrajson/ultrajson/commit/486bd4553dc471a1de11613bc7347a6b318e37ea"
},
{
"type": "PACKAGE",
"url": "https://github.com/ultrajson/ultrajson"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop"
}
GHSA-C8WG-RG36-89GM
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
{
"affected": [],
"aliases": [
"CVE-2021-29946"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "HIGH"
},
"details": "Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header. This vulnerability affects Firefox ESR \u003c 78.10, Thunderbird \u003c 78.10, and Firefox \u003c 88.",
"id": "GHSA-c8wg-rg36-89gm",
"modified": "2022-05-24T19:06:10Z",
"published": "2022-05-24T19:06:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29946"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1698503"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-15"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-16"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C8X3-XMJ9-WHGH
Vulnerability from github – Published: 2024-04-01 03:30 – Updated: 2024-07-03 18:34In battery, there is a possible escalation of privilege due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08485622; Issue ID: ALPS08485622.
{
"affected": [],
"aliases": [
"CVE-2024-20046"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-01T03:15:08Z",
"severity": "MODERATE"
},
"details": "In battery, there is a possible escalation of privilege due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08485622; Issue ID: ALPS08485622.",
"id": "GHSA-c8x3-xmj9-whgh",
"modified": "2024-07-03T18:34:01Z",
"published": "2024-04-01T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20046"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2024"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C94W-C95P-PHF8
Vulnerability from github – Published: 2022-02-10 00:32 – Updated: 2024-11-13 22:48Impact
The implementation of OpLevelCostEstimator::CalculateTensorSize is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements:
int64_t OpLevelCostEstimator::CalculateTensorSize(
const OpInfo::TensorProperties& tensor, bool* found_unknown_shapes) {
int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes);
int size = DataTypeSize(BaseType(tensor.dtype()));
VLOG(2) << "Count: " << count << " DataTypeSize: " << size;
return count * size;
}
Here, count and size can be large enough to cause count * size to overflow.
Patches
We have patched the issue in GitHub commit fcd18ce3101f245b083b30655c27b239dc72221e.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23575"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-04T20:19:53Z",
"nvd_published_at": "2022-02-04T23:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nThe [implementation of `OpLevelCostEstimator::CalculateTensorSize`](https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L1552-L1558) is vulnerable to an integer overflow if an attacker can create an operation which would involve a tensor with large enough number of elements:\n```cc\nint64_t OpLevelCostEstimator::CalculateTensorSize(\n const OpInfo::TensorProperties\u0026 tensor, bool* found_unknown_shapes) {\n int64_t count = CalculateTensorElementCount(tensor, found_unknown_shapes);\n int size = DataTypeSize(BaseType(tensor.dtype()));\n VLOG(2) \u003c\u003c \"Count: \" \u003c\u003c count \u003c\u003c \" DataTypeSize: \" \u003c\u003c size;\n return count * size;\n}\n```\nHere, `count` and `size` can be large enough to cause `count * size` to overflow.\n\n### Patches\nWe have patched the issue in GitHub commit [fcd18ce3101f245b083b30655c27b239dc72221e](https://github.com/tensorflow/tensorflow/commit/fcd18ce3101f245b083b30655c27b239dc72221e).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.",
"id": "GHSA-c94w-c95p-phf8",
"modified": "2024-11-13T22:48:17Z",
"published": "2022-02-10T00:32:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-c94w-c95p-phf8"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23575"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/fcd18ce3101f245b083b30655c27b239dc72221e"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-84.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-139.yaml"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/grappler/costs/op_level_cost_estimator.cc#L1552-L1558"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Integer overflow in Tensorflow"
}
GHSA-C95C-FFHC-7PWP
Vulnerability from github – Published: 2022-05-14 03:04 – Updated: 2022-05-14 03:04The sell function of a smart contract implementation for EthereumLegit, an Ethereum token, has an integer overflow in which "amount * sellPrice" can be zero, consequently reducing a seller's assets.
{
"affected": [],
"aliases": [
"CVE-2018-13212"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-05T02:29:00Z",
"severity": "HIGH"
},
"details": "The sell function of a smart contract implementation for EthereumLegit, an Ethereum token, has an integer overflow in which \"amount * sellPrice\" can be zero, consequently reducing a seller\u0027s assets.",
"id": "GHSA-c95c-ffhc-7pwp",
"modified": "2022-05-14T03:04:49Z",
"published": "2022-05-14T03:04:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13212"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/ETHEREUMBLACK/sell%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/EthereumLegit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C96M-4X43-Q999
Vulnerability from github – Published: 2022-05-14 01:37 – Updated: 2025-07-25 18:30Integer overflow in Trihedral Engineering VTScada (formerly VTS) 6.5 through 9.x before 9.1.20, 10.x before 10.2.22, and 11.x before 11.1.07 allows remote attackers to cause a denial of service (server crash) via a crafted request, which triggers a large memory allocation.
{
"affected": [],
"aliases": [
"CVE-2014-9192"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-12-11T15:59:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in Trihedral Engineering VTScada (formerly VTS) 6.5 through 9.x before 9.1.20, 10.x before 10.2.22, and 11.x before 11.1.07 allows remote attackers to cause a denial of service (server crash) via a crafted request, which triggers a large memory allocation.",
"id": "GHSA-c96m-4x43-q999",
"modified": "2025-07-25T18:30:32Z",
"published": "2022-05-14T01:37:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9192"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov//advisories/ICSA-14-343-02"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-343-02"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/71591"
},
{
"type": "WEB",
"url": "http://www.trihedral.com/help/#Op_Welcome/Wel_UpgradeNotes.htm"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C98F-Q8WC-VQXW
Vulnerability from github – Published: 2023-06-26 18:30 – Updated: 2024-04-04 05:10Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagParseAndStoreData integer overflow and resultant buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2022-48336"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-26T17:15:12Z",
"severity": "CRITICAL"
},
"details": "Widevine Trusted Application (TA) 5.0.0 through 7.1.1 has a PRDiagParseAndStoreData integer overflow and resultant buffer overflow.",
"id": "GHSA-c98f-q8wc-vqxw",
"modified": "2024-04-04T05:10:34Z",
"published": "2023-06-26T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48336"
},
{
"type": "WEB",
"url": "https://cyberintel.es/cve/CVE-2022-48336_Buffer_Overflow_in_Widevine_PRDiagParseAndStoreData_0x5cc8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-C99V-P88G-44F5
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01An integer overflow exists in the APIs of the host MCU while trying to connect to a WIFI network may lead to issues such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior).
{
"affected": [],
"aliases": [
"CVE-2021-22677"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-07T16:15:00Z",
"severity": "HIGH"
},
"details": "An integer overflow exists in the APIs of the host MCU while trying to connect to a WIFI network may lead to issues such as a denial-of-service condition or code execution on the SimpleLink Wi-Fi (MSP432E4 SDK: v4.20.00.12 and prior, CC32XX SDK v4.30.00.06 and prior, CC13X0 SDK versions prior to v4.10.03, CC13X2 and CC26XX SDK versions prior to v4.40.00, CC3200 SDK v1.5.0 and prior, CC3100 SDK v1.3.0 and prior).",
"id": "GHSA-c99v-p88g-44f5",
"modified": "2022-05-24T19:01:46Z",
"published": "2022-05-24T19:01:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-22677"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-119-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-C9H5-C8WM-8M25
Vulnerability from github – Published: 2025-04-07 15:31 – Updated: 2025-04-07 15:31in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through integer overflow.
{
"affected": [],
"aliases": [
"CVE-2025-22851"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-07T03:15:20Z",
"severity": "MODERATE"
},
"details": "in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through integer overflow.",
"id": "GHSA-c9h5-c8wm-8m25",
"modified": "2025-04-07T15:31:15Z",
"published": "2025-04-07T15:31:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22851"
},
{
"type": "WEB",
"url": "https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-04.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-C9JH-PP3M-MQR9
Vulnerability from github – Published: 2024-02-26 18:30 – Updated: 2025-11-04 21:31A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-23605"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-26T16:27:57Z",
"severity": "HIGH"
},
"details": "A heap-based buffer overflow vulnerability exists in the GGUF library header.n_kv functionality of llama.cpp Commit 18c2e17. A specially crafted .gguf file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-c9jh-pp3m-mqr9",
"modified": "2025-11-04T21:31:13Z",
"published": "2024-02-26T18:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23605"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1916"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1916"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.