CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3867 vulnerabilities reference this CWE, most recent first.
GHSA-MJHR-GJC9-XRP8
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27The mintToken function of a smart contract implementation for Carbon Exchange Coin Token (CEC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13075"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T01:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for Carbon Exchange Coin Token (CEC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-mjhr-gjc9-xrp8",
"modified": "2022-05-13T01:27:12Z",
"published": "2022-05-13T01:27:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13075"
},
{
"type": "WEB",
"url": "https://github.com/VenusADLab/EtherTokens/blob/master/CarbonExchangeCoinToken/CarbonExchangeCoinToken.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-MJMX-X24V-29C8
Vulnerability from github – Published: 2022-05-24 17:42 – Updated: 2022-05-24 17:42Integer overflow in some Intel(R) Graphics Drivers before version 26.20.100.8476 may allow a privileged user to potentially enable an escalation of privilege via local access.
{
"affected": [],
"aliases": [
"CVE-2020-12367"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-17T14:15:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in some Intel(R) Graphics Drivers before version 26.20.100.8476 may allow a privileged user to potentially enable an escalation of privilege via local access.",
"id": "GHSA-mjmx-x24v-29c8",
"modified": "2022-05-24T17:42:25Z",
"published": "2022-05-24T17:42:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-12367"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-MJVM-MHGC-Q4GP
Vulnerability from github – Published: 2022-08-18 19:18 – Updated: 2024-10-24 21:48Impact
A low severity security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic.
No action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this.
Patches
The issue is patched in https://github.com/paritytech/frontier/pull/820
Workarounds
None.
References
PR https://github.com/paritytech/frontier/pull/820
For more information
If you have any questions or comments about this advisory: * Email Wei Tang
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "fc-rpc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.0.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-36008"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2022-08-18T19:18:25Z",
"nvd_published_at": "2022-08-19T21:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA low severity security issue was discovered affecting parsing of the RPC result of the exit reason in case of EVM reversion. In release build, this would cause the exit reason being incorrectly parsed and returned by RPC. In debug build, this would cause an overflow panic.\n\nNo action is needed unless you have a bridge node that needs to distinguish different reversion exit reasons and you used RPC for this.\n\n### Patches\n\nThe issue is patched in https://github.com/paritytech/frontier/pull/820\n\n### Workarounds\n\nNone.\n\n### References\n\nPR https://github.com/paritytech/frontier/pull/820\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Email [Wei Tang](mailto:wei@that.world)",
"id": "GHSA-mjvm-mhgc-q4gp",
"modified": "2024-10-24T21:48:34Z",
"published": "2022-08-18T19:18:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/security/advisories/GHSA-mjvm-mhgc-q4gp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36008"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/pull/820"
},
{
"type": "WEB",
"url": "https://github.com/paritytech/frontier/commit/fff8cc43b7756ce3979a38fc473f38e6e24ac451"
},
{
"type": "PACKAGE",
"url": "https://github.com/paritytech/frontier"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Incorrect parsing of EVM reversion exit reason in RPC"
}
GHSA-MM68-R4MX-MGX4
Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2025-11-04 21:30Two heap-based buffer overflow vulnerabilities exist in the httpd manage_post functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.
{
"affected": [],
"aliases": [
"CVE-2023-35965"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-11T16:15:13Z",
"severity": "CRITICAL"
},
"details": "Two heap-based buffer overflow vulnerabilities exist in the httpd manage_post functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.",
"id": "GHSA-mm68-r4mx-mgx4",
"modified": "2025-11-04T21:30:44Z",
"published": "2023-10-11T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35965"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1787"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1787"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MM8J-7G3H-X2MJ
Vulnerability from github – Published: 2022-04-21 01:42 – Updated: 2024-02-28 00:50Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.
{
"affected": [],
"aliases": [
"CVE-2002-2439"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-23T18:15:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in the new[] operator in gcc before 4.8.0 allows attackers to have unspecified impacts.",
"id": "GHSA-mm8j-7g3h-x2mj",
"modified": "2024-02-28T00:50:48Z",
"published": "2022-04-21T01:42:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-2439"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2002-2439"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2002-2439"
},
{
"type": "WEB",
"url": "https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19351"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2002-2439"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMCM-G586-7F43
Vulnerability from github – Published: 2022-05-14 03:50 – Updated: 2022-05-14 03:50In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by causing an integer overflow, an authenticated client can crash the server.
{
"affected": [],
"aliases": [
"CVE-2017-7395"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-01T02:59:00Z",
"severity": "MODERATE"
},
"details": "In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by causing an integer overflow, an authenticated client can crash the server.",
"id": "GHSA-mmcm-g586-7f43",
"modified": "2022-05-14T03:50:14Z",
"published": "2022-05-14T03:50:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7395"
},
{
"type": "WEB",
"url": "https://github.com/TigerVNC/tigervnc/pull/436"
},
{
"type": "WEB",
"url": "https://github.com/TigerVNC/tigervnc/pull/436/commits/bf3bdac082978ca32895a4b6a123016094905689"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2000"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201801-13"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MMH9-QRX9-9X5H
Vulnerability from github – Published: 2025-09-23 15:31 – Updated: 2025-09-23 15:31In the Linux kernel, the following vulnerability has been resolved:
af_netlink: Fix shift out of bounds in group mask calculation
When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts.
Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups.
To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/
The way to trigger this issue is e.g. through monitoring the BRVLAN group:
# bridge monitor vlan &
# ip link add name br type bridge
Which produces the following citation:
UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
shift exponent 32 is too large for 32-bit type 'int'
{
"affected": [],
"aliases": [
"CVE-2022-49197"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:00:56Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_netlink: Fix shift out of bounds in group mask calculation\n\nWhen a netlink message is received, netlink_recvmsg() fills in the address\nof the sender. One of the fields is the 32-bit bitfield nl_groups, which\ncarries the multicast group on which the message was received. The least\nsignificant bit corresponds to group 1, and therefore the highest group\nthat the field can represent is 32. Above that, the UB sanitizer flags the\nout-of-bounds shift attempts.\n\nWhich bits end up being set in such case is implementation defined, but\nit\u0027s either going to be a wrong non-zero value, or zero, which is at least\nnot misleading. Make the latter choice deterministic by always setting to 0\nfor higher-numbered multicast groups.\n\nTo get information about membership in groups \u003e= 32, userspace is expected\nto use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO\nsocket option.\n[0] https://lwn.net/Articles/147608/\n\nThe way to trigger this issue is e.g. through monitoring the BRVLAN group:\n\n\t# bridge monitor vlan \u0026\n\t# ip link add name br type bridge\n\nWhich produces the following citation:\n\n\tUBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19\n\tshift exponent 32 is too large for 32-bit type \u0027int\u0027",
"id": "GHSA-mmh9-qrx9-9x5h",
"modified": "2025-09-23T15:31:08Z",
"published": "2025-09-23T15:31:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49197"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435ee"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP83-3FXR-M45V
Vulnerability from github – Published: 2025-04-01 18:30 – Updated: 2025-11-03 21:33In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix integer overflow while processing acregmax mount option
User-provided mount parameter acregmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
{
"affected": [],
"aliases": [
"CVE-2025-21964"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-01T16:15:27Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing acregmax mount option\n\nUser-provided mount parameter acregmax of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE.",
"id": "GHSA-mp83-3fxr-m45v",
"modified": "2025-11-03T21:33:26Z",
"published": "2025-04-01T18:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21964"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0252c33cc943e9e48ddfafaa6b1eb72adb68a099"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f500874ab9b3cc8c169c2ab49f00b838520b9c5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7489161b1852390b4413d57f2457cd40b34da6cc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/833f2903eb8b70faca7967319e580e9ce69729fc"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a13351624a6af8d91398860b8c9d4cf6c8e63de5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/dd190168e60ac15408f074a1fe0ce36aff34027b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MP8H-4283-JR44
Vulnerability from github – Published: 2024-12-24 12:30 – Updated: 2025-11-03 21:31In the Linux kernel, the following vulnerability has been resolved:
EDAC/bluefield: Fix potential integer overflow
The 64-bit argument for the "get DIMM info" SMC call consists of mem_ctrl_idx left-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as 32-bits wide the left-shift operation truncates the upper 16 bits of information during the calculation of the SMC argument.
The mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any potential integer overflow, i.e. loss of data from upper 16 bits.
{
"affected": [],
"aliases": [
"CVE-2024-53161"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-24T12:15:24Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nEDAC/bluefield: Fix potential integer overflow\n\nThe 64-bit argument for the \"get DIMM info\" SMC call consists of mem_ctrl_idx\nleft-shifted 16 bits and OR-ed with DIMM index. With mem_ctrl_idx defined as\n32-bits wide the left-shift operation truncates the upper 16 bits of\ninformation during the calculation of the SMC argument.\n\nThe mem_ctrl_idx stack variable must be defined as 64-bits wide to prevent any\npotential integer overflow, i.e. loss of data from upper 16 bits.",
"id": "GHSA-mp8h-4283-jr44",
"modified": "2025-11-03T21:31:45Z",
"published": "2024-12-24T12:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53161"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/000930193fe5eb79ce5563ee2e9ddb0c6e4e1bb5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1fe774a93b46bb029b8f6fa9d1f25affa53f06c6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4ad7033de109d0fec99086f352f58a3412e378b8"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/578ca89b04680145d41011e7cec8806fefbb59e7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8cc31cfa36ff37aff399b72faa2ded58110112ae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ac6ebb9edcdb7077e841862c402697c4c48a7c0a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e0269ea7a628fdeddd65b92fe29c09655dbb80b9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/fdb90006184aa84c7b4e09144ed0936d4e1891a7"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MPF8-2M2F-QXJ6
Vulnerability from github – Published: 2022-05-24 16:46 – Updated: 2024-04-04 00:47Improper check before assigning value can lead to integer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4020, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5502, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SDX24, SM7150, Snapdragon_High_Med_2016, SXR1130
{
"affected": [],
"aliases": [
"CVE-2018-11968"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-24T17:29:00Z",
"severity": "HIGH"
},
"details": "Improper check before assigning value can lead to integer overflow in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wired Infrastructure and Networking in IPQ4019, IPQ8064, IPQ8074, MDM9206, MDM9607, MDM9640, MDM9650, MSM8996AU, QCA4020, QCA6174A, QCA6564, QCA6574, QCA6574AU, QCA6584, QCA6584AU, QCA8081, QCA9377, QCA9379, QCA9531, QCA9558, QCA9563, QCA9880, QCA9886, QCA9980, QCN5502, QCS605, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 600, SD 625, SD 636, SD 675, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, SDX20, SDX24, SM7150, Snapdragon_High_Med_2016, SXR1130",
"id": "GHSA-mpf8-2m2f-qxj6",
"modified": "2024-04-04T00:47:01Z",
"published": "2022-05-24T16:46:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11968"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins#_CVE-2018-11968"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.