CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3870 vulnerabilities reference this CWE, most recent first.
GHSA-GP7H-5R24-JV2W
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) on a heap-allocated area, leading to heap corruption in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.
{
"affected": [],
"aliases": [
"CVE-2017-9282"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-21T22:29:00Z",
"severity": "CRITICAL"
},
"details": "An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) on a heap-allocated area, leading to heap corruption in Micro Focus VisiBroker 8.5. The feasibility of leveraging this vulnerability for further attacks was not assessed.",
"id": "GHSA-gp7h-5r24-jv2w",
"modified": "2022-05-13T01:36:08Z",
"published": "2022-05-13T01:36:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9282"
},
{
"type": "WEB",
"url": "https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPCR-P5WH-5X85
Vulnerability from github – Published: 2025-06-17 15:31 – Updated: 2025-12-10 00:30A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.
{
"affected": [],
"aliases": [
"CVE-2025-49180"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T15:15:46Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.",
"id": "GHSA-gpcr-p5wh-5x85",
"modified": "2025-12-10T00:30:21Z",
"published": "2025-06-17T15:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49180"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10258"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10376"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10377"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10410"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9303"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9304"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9305"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9306"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9392"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-49180"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369981"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/3c3a4b767b16174d3213055947ea7f4f88e10ec6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00028.html"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10343"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10344"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10346"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10348"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10349"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10350"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10351"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10352"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10355"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10356"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10360"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10370"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10374"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10375"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPHH-HMHF-JGCW
Vulnerability from github – Published: 2025-04-10 03:31 – Updated: 2025-04-10 03:31Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-22471"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-10T03:15:18Z",
"severity": "MODERATE"
},
"details": "Dell PowerScale OneFS, versions 9.4.0.0 through 9.10.0.1, contains an integer overflow or wraparound vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to denial of service.",
"id": "GHSA-gphh-hmhf-jgcw",
"modified": "2025-04-10T03:31:32Z",
"published": "2025-04-10T03:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22471"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000300860/dsa-2025-119-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPQ6-RRXF-V33X
Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-30 03:37In the Linux kernel, the following vulnerability has been resolved:
KVM: Reject wrapped offset in kvm_reset_dirty_gfn()
kvm_reset_dirty_gfn() guards the gfn range with
if (!memslot || (offset + __fls(mask)) >= memslot->npages)
return;
but offset is u64 and the addition is unchecked. The check can be silently bypassed by a u64 wrap.
The dirty ring backing those entries is MAP_SHARED at KVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the slot and offset fields of any entry between when the kernel pushes them and when KVM_RESET_DIRTY_RINGS consumes them. On reset, kvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds them straight back into this check; only the flags handshake is treated as the handover, the slot/offset payload is taken on trust.
Crafting two entries
entry[i].offset = 0xffffffffffffffc1
entry[i+1].offset = 0
makes the coalescing loop in kvm_dirty_ring_reset() compute
delta = (s64)(0 - 0xffffffffffffffc1) = 63
which falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the existing mask by setting bit 63. The trailing kvm_reset_dirty_gfn() call then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63; the sum is 0 in u64 and the bounds check passes.
That offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked() unchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() == true, i.e. shadow paging, any VM that has allocated shadow roots, or a write-tracked slot -- it reaches gfn_to_rmap(), which indexes slot->arch.rmap[0][] with a near-U64_MAX gfn. That is an out-of-bounds load of a kvm_rmap_head, followed by a conditional clear of PT_WRITABLE_MASK in whatever the loaded pointer points at. The path is reachable from any process holding /dev/kvm.
Range-check offset on its own first, so the addition cannot wrap. memslot->npages is bounded well below U64_MAX, so once offset < npages holds, offset + __fls(mask) (with __fls(mask) < BITS_PER_LONG) stays in range.
{
"affected": [],
"aliases": [
"CVE-2026-52969"
],
"database_specific": {
"cwe_ids": [
"CWE-129",
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T17:17:07Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Reject wrapped offset in kvm_reset_dirty_gfn()\n\nkvm_reset_dirty_gfn() guards the gfn range with\n\n\tif (!memslot || (offset + __fls(mask)) \u003e= memslot-\u003enpages)\n\t\treturn;\n\nbut offset is u64 and the addition is unchecked. The check can be\nsilently bypassed by a u64 wrap.\n\nThe dirty ring backing those entries is MAP_SHARED at\nKVM_DIRTY_LOG_PAGE_OFFSET of the vcpu fd, so the VMM can rewrite the\nslot and offset fields of any entry between when the kernel pushes\nthem and when KVM_RESET_DIRTY_RINGS consumes them. On reset,\nkvm_dirty_ring_reset() re-reads the values via READ_ONCE() and feeds\nthem straight back into this check; only the flags handshake is\ntreated as the handover, the slot/offset payload is taken on trust.\n\nCrafting two entries\n\n\tentry[i].offset = 0xffffffffffffffc1\n\tentry[i+1].offset = 0\n\nmakes the coalescing loop in kvm_dirty_ring_reset() compute\n\n\tdelta = (s64)(0 - 0xffffffffffffffc1) = 63\n\nwhich falls in [0, BITS_PER_LONG), so it folds entry[i+1] into the\nexisting mask by setting bit 63. The trailing kvm_reset_dirty_gfn()\ncall then sees offset = 0xffffffffffffffc1 and __fls(mask) = 63;\nthe sum is 0 in u64 and the bounds check passes.\n\nThat offset propagates into kvm_arch_mmu_enable_log_dirty_pt_masked()\nunchanged. On the legacy MMU path -- kvm_memslots_have_rmaps() ==\ntrue, i.e. shadow paging, any VM that has allocated shadow roots, or\na write-tracked slot -- it reaches gfn_to_rmap(), which indexes\nslot-\u003earch.rmap[0][] with a near-U64_MAX gfn. That is an\nout-of-bounds load of a kvm_rmap_head, followed by a conditional\nclear of PT_WRITABLE_MASK in whatever the loaded pointer points at.\nThe path is reachable from any process holding /dev/kvm.\n\nRange-check offset on its own first, so the addition cannot wrap.\nmemslot-\u003enpages is bounded well below U64_MAX, so once offset \u003c\nnpages holds, offset + __fls(mask) (with __fls(mask) \u003c BITS_PER_LONG)\nstays in range.",
"id": "GHSA-gpq6-rrxf-v33x",
"modified": "2026-06-30T03:37:12Z",
"published": "2026-06-24T18:32:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52969"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-52969"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492434"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01b71b930f15728aa8599478a7ce90c19dcd9fc2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0d419c23bb11b5c9664de777c47c1f04a235882d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0eb281eb95b2d4eea4db1da5fe91023aecc97095"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/577a8d3bae0531f0e5ccfac919cd8192f920a804"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/74f1a22f7a80f03d28ad8551a2d25d563433addf"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b315b033a877b1ee6d827810b5d7bb4392ffcf8d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ecf9b3ea7847fe14f34b8c41f00de1eb95c747da"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-52969.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GPQ9-QCF2-PJ58
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2022-05-24 17:03A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server can trigger a Denial-of-Service condition by sending specifically crafted packets to port 5010/tcp. This vulnerability is independent from CVE-2019-18290, CVE-2019-18291, CVE-2019-18292, CVE-2019-18294, CVE-2019-18298, CVE-2019-18299, CVE-2019-18300, CVE-2019-18301, CVE-2019-18302, CVE-2019-18304, CVE-2019-18305, CVE-2019-18306, and CVE-2019-18307. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.
{
"affected": [],
"aliases": [
"CVE-2019-18303"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T19:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been identified in SPPA-T3000 MS3000 Migration Server (All versions). An attacker with network access to the MS3000 Server can trigger a Denial-of-Service condition by sending specifically crafted packets to port 5010/tcp. This vulnerability is independent from CVE-2019-18290, CVE-2019-18291, CVE-2019-18292, CVE-2019-18294, CVE-2019-18298, CVE-2019-18299, CVE-2019-18300, CVE-2019-18301, CVE-2019-18302, CVE-2019-18304, CVE-2019-18305, CVE-2019-18306, and CVE-2019-18307. Please note that an attacker needs to have network access to the MS3000 in order to exploit this vulnerability. At the time of advisory publication no public exploitation of this security vulnerability was known.",
"id": "GHSA-gpq9-qcf2-pj58",
"modified": "2022-05-24T17:03:25Z",
"published": "2022-05-24T17:03:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-18303"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/155665/Siemens-Security-Advisory-SPPA-T3000-Code-Execution.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-GPWW-PPH3-M8M9
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30Secure Boot Security Feature Bypass Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-26171"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T17:15:35Z",
"severity": "MODERATE"
},
"details": "Secure Boot Security Feature Bypass Vulnerability",
"id": "GHSA-gpww-pph3-m8m9",
"modified": "2024-04-09T18:30:25Z",
"published": "2024-04-09T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26171"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQ7Q-6P5C-GPCC
Vulnerability from github – Published: 2024-07-16 15:30 – Updated: 2024-07-18 18:31In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: rndis: prevent integer overflow in rndis_set_response()
If "BufOffset" is very large the "BufOffset + 8" operation can have an integer overflow.
{
"affected": [],
"aliases": [
"CVE-2022-48837"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T13:15:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: rndis: prevent integer overflow in rndis_set_response()\n\nIf \"BufOffset\" is very large the \"BufOffset + 8\" operation can have an\ninteger overflow.",
"id": "GHSA-gq7q-6p5c-gpcc",
"modified": "2024-07-18T18:31:42Z",
"published": "2024-07-16T15:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48837"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/138d4f739b35dfb40438a0d5d7054965763bfbe7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/21829376268397f9fd2c35cfa9135937b6aa3a1e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/28bc0267399f42f987916a7174e2e32f0833cc65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/56b38e3ca4064041d93c1ca18828c8cedad2e16c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65f3324f4b6fed78b8761c3b74615ecf0ffa81fa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8b3e4d26bc9cd0f6373d0095b9ffd99e7da8006b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c7953cf03a26876d676145ce5d2ae6d8c9630b90"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df7e088d51cdf78b1a0bf1f3d405c2593295c7b0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQ8X-7GG9-322P
Vulnerability from github – Published: 2022-05-14 03:13 – Updated: 2022-05-14 03:13The mintToken function of a smart contract implementation for NetkillerAdvancedTokenAirDrop, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13761"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for NetkillerAdvancedTokenAirDrop, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-gq8x-7gg9-322p",
"modified": "2022-05-14T03:13:48Z",
"published": "2022-05-14T03:13:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13761"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/NetkillerAdvancedTokenAirDrop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-GQ96-59XW-28WJ
Vulnerability from github – Published: 2024-11-29 21:31 – Updated: 2024-12-02 18:31FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.
{
"affected": [],
"aliases": [
"CVE-2024-35366"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-29T20:15:19Z",
"severity": "CRITICAL"
},
"details": "FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the parse_options function of sbgdec.c within the libavformat module. When parsing certain options, the software does not adequately validate the input. This allows for negative duration values to be accepted without proper bounds checking.",
"id": "GHSA-gq96-59xw-28wj",
"modified": "2024-12-02T18:31:55Z",
"published": "2024-11-29T21:31:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35366"
},
{
"type": "WEB",
"url": "https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6"
},
{
"type": "WEB",
"url": "https://gist.github.com/1047524396/1e72f170d58c2547ebd4db4cdf6cfabf"
},
{
"type": "WEB",
"url": "https://github.com/FFmpeg/FFmpeg/blob/n6.1.1/libavformat/sbgdec.c#L389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GQ9F-9XMR-RC2Q
Vulnerability from github – Published: 2022-05-04 00:27 – Updated: 2022-05-04 00:27Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.
{
"affected": [],
"aliases": [
"CVE-2012-0044"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-05-17T11:00:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in the drm_mode_dirtyfb_ioctl function in drivers/gpu/drm/drm_crtc.c in the Direct Rendering Manager (DRM) subsystem in the Linux kernel before 3.1.5 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted ioctl call.",
"id": "GHSA-gq9f-9xmr-rc2q",
"modified": "2022-05-04T00:27:46Z",
"published": "2022-05-04T00:27:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0044"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/a5cd335165e31db9dbab636fd29895d41da55dd2"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2012:0333"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2012:0743"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2012:1042"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2012-0044"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=772894"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=a5cd335165e31db9dbab636fd29895d41da55dd2"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a5cd335165e31db9dbab636fd29895d41da55dd2"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2012-0743.html"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1.5"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/01/12/1"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/51371"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1555-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1556-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.