CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3866 vulnerabilities reference this CWE, most recent first.
GHSA-Q4R9-VXP8-26X5
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-06-16 15:33In the Linux kernel, the following vulnerability has been resolved:
slub: fix data loss and overflow in krealloc()
Commit 2cd8231796b5 ("mm/slub: allow to set node and align in k[v]realloc") introduced the ability to force a reallocation if the original object does not satisfy new alignment or NUMA node, even when the object is being shrunk.
This introduced two bugs in the reallocation fallback path:
-
Data loss during NUMA migration: The jump to 'alloc_new' happens before 'ks' and 'orig_size' are initialized. As a result, the memcpy() in the 'alloc_new' block would copy 0 bytes into the new allocation.
-
Buffer overflow during shrinking: When shrinking an object while forcing a new alignment, 'new_size' is smaller than the old size. However, the memcpy() used the old size ('orig_size ?: ks'), leading to an out-of-bounds write.
The same overflow bug exists in the kvrealloc() fallback path, where the old bucket size ksize(p) is copied into the new buffer without being bounded by the new size.
A simple reproducer:
// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW
while (1) {
void *p = kmalloc(128, GFP_KERNEL);
p = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);
kfree(p);
}
demonstrates the issue:
================================================================== BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130
Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47): memcpy_orig+0x68/0x130 krealloc_node_align_noprof+0x1c8/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ...
kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64
allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago): krealloc_node_align_noprof+0x19c/0x340 lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm] lkdtm_do_action+0x3a/0x60 [lkdtm] ... ==================================================================
Fix it by moving the old size calculation to the top of __do_krealloc() and bounding all copy lengths by the new allocation size.
{
"affected": [],
"aliases": [
"CVE-2026-45990"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:16Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nslub: fix data loss and overflow in krealloc()\n\nCommit 2cd8231796b5 (\"mm/slub: allow to set node and align in\nk[v]realloc\") introduced the ability to force a reallocation if the\noriginal object does not satisfy new alignment or NUMA node, even when\nthe object is being shrunk.\n\nThis introduced two bugs in the reallocation fallback path:\n\n1. Data loss during NUMA migration: The jump to \u0027alloc_new\u0027 happens\n before \u0027ks\u0027 and \u0027orig_size\u0027 are initialized. As a result, the\n memcpy() in the \u0027alloc_new\u0027 block would copy 0 bytes into the new\n allocation.\n\n2. Buffer overflow during shrinking: When shrinking an object while\n forcing a new alignment, \u0027new_size\u0027 is smaller than the old size.\n However, the memcpy() used the old size (\u0027orig_size ?: ks\u0027), leading\n to an out-of-bounds write.\n\nThe same overflow bug exists in the kvrealloc() fallback path, where the\nold bucket size ksize(p) is copied into the new buffer without being\nbounded by the new size.\n\nA simple reproducer:\n\n\t// e.g. add to lkdtm as KREALLOC_SHRINK_OVERFLOW\n\twhile (1) {\n\t\tvoid *p = kmalloc(128, GFP_KERNEL);\n\t\tp = krealloc_node_align(p, 64, 256, GFP_KERNEL, NUMA_NO_NODE);\n\t\tkfree(p);\n\t}\n\ndemonstrates the issue:\n\n ==================================================================\n BUG: KFENCE: out-of-bounds write in memcpy_orig+0x68/0x130\n\n Out-of-bounds write at 0xffff8883ad757038 (120B right of kfence-#47):\n memcpy_orig+0x68/0x130\n krealloc_node_align_noprof+0x1c8/0x340\n lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]\n lkdtm_do_action+0x3a/0x60 [lkdtm]\n ...\n\n kfence-#47: 0xffff8883ad756fc0-0xffff8883ad756fff, size=64, cache=kmalloc-64\n\n allocated by task 316 on cpu 7 at 97.680481s (0.021813s ago):\n krealloc_node_align_noprof+0x19c/0x340\n lkdtm_KREALLOC_SHRINK_OVERFLOW+0x8c/0xc0 [lkdtm]\n lkdtm_do_action+0x3a/0x60 [lkdtm]\n ...\n ==================================================================\n\nFix it by moving the old size calculation to the top of __do_krealloc()\nand bounding all copy lengths by the new allocation size.",
"id": "GHSA-q4r9-vxp8-26x5",
"modified": "2026-06-16T15:33:40Z",
"published": "2026-05-27T15:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45990"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/082a6d03a2d685a83a332666b500ad3966349588"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38387ccc0fbe38d14fb4c2ad7ee1d7404e5e59fd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/550fa6b5aabb096554536ac1e3ec96b76cbb35fd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q4XW-PVX9-6FRJ
Vulnerability from github – Published: 2022-05-14 03:03 – Updated: 2022-05-14 03:03The mintToken function of a smart contract implementation for BetterThanAdrien, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13529"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for BetterThanAdrien, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-q4xw-pvx9-6frj",
"modified": "2022-05-14T03:03:56Z",
"published": "2022-05-14T03:03:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13529"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/BetterThanAdrien"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q52F-6M4P-V2QR
Vulnerability from github – Published: 2022-05-24 17:46 – Updated: 2022-05-24 17:46Unintended reads and writes by NS EL2 in access control driver due to lack of check of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2020-11245"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-07T08:15:00Z",
"severity": "HIGH"
},
"details": "Unintended reads and writes by NS EL2 in access control driver due to lack of check of input validation in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-q52f-6m4p-v2qr",
"modified": "2022-05-24T17:46:43Z",
"published": "2022-05-24T17:46:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11245"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/april-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q547-25X8-MX66
Vulnerability from github – Published: 2025-06-17 15:31 – Updated: 2025-12-11 18:30A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.
{
"affected": [],
"aliases": [
"CVE-2025-49179"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-17T15:15:46Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.",
"id": "GHSA-q547-25x8-mx66",
"modified": "2025-12-11T18:30:32Z",
"published": "2025-06-17T15:31:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49179"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10376"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10377"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10381"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10410"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9303"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9304"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9305"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9306"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9392"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:9964"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-49179"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369978"
},
{
"type": "WEB",
"url": "https://gitlab.freedesktop.org/xorg/xserver/-/commit/2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00028.html"
},
{
"type": "WEB",
"url": "https://www.x.org/wiki/Development/Security"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10258"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10342"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10343"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10344"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10346"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10347"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10348"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10349"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10350"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10351"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10352"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10355"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10356"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10360"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10370"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10374"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:10375"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q56W-M7H5-J43F
Vulnerability from github – Published: 2024-12-02 15:31 – Updated: 2024-12-11 21:31In the Linux kernel, the following vulnerability has been resolved:
mm/mremap: fix address wraparound in move_page_tables()
On 32-bit platforms, it is possible for the expression len + old_addr <
old_end to be false-positive if len + old_addr wraps around.
old_addr is the cursor in the old range up to which page table entries
have been moved; so if the operation succeeded, old_addr is the end of
the old region, and adding len to it can wrap.
The overflow causes mremap() to mistakenly believe that PTEs have been copied; the consequence is that mremap() bails out, but doesn't move the PTEs back before the new VMA is unmapped, causing anonymous pages in the region to be lost. So basically if userspace tries to mremap() a private-anon region and hits this bug, mremap() will return an error and the private-anon region's contents appear to have been zeroed.
The idea of this check is that old_end - len is the original start
address, and writing the check that way also makes it easier to read; so
fix the check by rearranging the comparison accordingly.
(An alternate fix would be to refactor this function by introducing an "orig_old_start" variable or such.)
Tested in a VM with a 32-bit X86 kernel; without the patch:
user@horn:~/big_mremap$ cat test.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <err.h>
#include <sys/mman.h>
#define ADDR1 ((void*)0x60000000)
#define ADDR2 ((void*)0x10000000)
#define SIZE 0x50000000uL
int main(void) {
unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
if (p1 == MAP_FAILED)
err(1, "mmap 1");
unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,
MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);
if (p2 == MAP_FAILED)
err(1, "mmap 2");
*p1 = 0x41;
printf("first char is 0x%02hhx\n", *p1);
unsigned char *p3 = mremap(p1, SIZE, SIZE,
MREMAP_MAYMOVE|MREMAP_FIXED, p2);
if (p3 == MAP_FAILED) {
printf("mremap() failed; first char is 0x%02hhx\n", *p1);
} else {
printf("mremap() succeeded; first char is 0x%02hhx\n", *p3);
}
}
user@horn:~/big_mremap$ gcc -static -o test test.c
user@horn:~/big_mremap$ setarch -R ./test
first char is 0x41
mremap() failed; first char is 0x00
With the patch:
user@horn:~/big_mremap$ setarch -R ./test
first char is 0x41
mremap() succeeded; first char is 0x41
{
"affected": [],
"aliases": [
"CVE-2024-53111"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-02T14:15:11Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tables()\n\nOn 32-bit platforms, it is possible for the expression `len + old_addr \u003c\nold_end` to be false-positive if `len + old_addr` wraps around. \n`old_addr` is the cursor in the old range up to which page table entries\nhave been moved; so if the operation succeeded, `old_addr` is the *end* of\nthe old region, and adding `len` to it can wrap.\n\nThe overflow causes mremap() to mistakenly believe that PTEs have been\ncopied; the consequence is that mremap() bails out, but doesn\u0027t move the\nPTEs back before the new VMA is unmapped, causing anonymous pages in the\nregion to be lost. So basically if userspace tries to mremap() a\nprivate-anon region and hits this bug, mremap() will return an error and\nthe private-anon region\u0027s contents appear to have been zeroed.\n\nThe idea of this check is that `old_end - len` is the original start\naddress, and writing the check that way also makes it easier to read; so\nfix the check by rearranging the comparison accordingly.\n\n(An alternate fix would be to refactor this function by introducing an\n\"orig_old_start\" variable or such.)\n\n\nTested in a VM with a 32-bit X86 kernel; without the patch:\n\n```\nuser@horn:~/big_mremap$ cat test.c\n#define _GNU_SOURCE\n#include \u003cstdlib.h\u003e\n#include \u003cstdio.h\u003e\n#include \u003cerr.h\u003e\n#include \u003csys/mman.h\u003e\n\n#define ADDR1 ((void*)0x60000000)\n#define ADDR2 ((void*)0x10000000)\n#define SIZE 0x50000000uL\n\nint main(void) {\n unsigned char *p1 = mmap(ADDR1, SIZE, PROT_READ|PROT_WRITE,\n MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n if (p1 == MAP_FAILED)\n err(1, \"mmap 1\");\n unsigned char *p2 = mmap(ADDR2, SIZE, PROT_NONE,\n MAP_ANONYMOUS|MAP_PRIVATE|MAP_FIXED_NOREPLACE, -1, 0);\n if (p2 == MAP_FAILED)\n err(1, \"mmap 2\");\n *p1 = 0x41;\n printf(\"first char is 0x%02hhx\\n\", *p1);\n unsigned char *p3 = mremap(p1, SIZE, SIZE,\n MREMAP_MAYMOVE|MREMAP_FIXED, p2);\n if (p3 == MAP_FAILED) {\n printf(\"mremap() failed; first char is 0x%02hhx\\n\", *p1);\n } else {\n printf(\"mremap() succeeded; first char is 0x%02hhx\\n\", *p3);\n }\n}\nuser@horn:~/big_mremap$ gcc -static -o test test.c\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() failed; first char is 0x00\n```\n\nWith the patch:\n\n```\nuser@horn:~/big_mremap$ setarch -R ./test\nfirst char is 0x41\nmremap() succeeded; first char is 0x41\n```",
"id": "GHSA-q56w-m7h5-j43f",
"modified": "2024-12-11T21:31:57Z",
"published": "2024-12-02T15:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53111"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/909543dc279a91122fb08e4653a72b82f0ad28f4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a4a282daf1a190f03790bf163458ea3c8d28d217"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q58R-WXW5-2G3G
Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2024-05-03 03:31GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22096.
{
"affected": [],
"aliases": [
"CVE-2023-44443"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-03T03:16:00Z",
"severity": "HIGH"
},
"details": "GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22096.",
"id": "GHSA-q58r-wxw5-2g3g",
"modified": "2024-05-03T03:31:05Z",
"published": "2024-05-03T03:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44443"
},
{
"type": "WEB",
"url": "https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q59M-F65P-JCQ3
Vulnerability from github – Published: 2022-05-13 01:28 – Updated: 2022-05-13 01:28The mintToken function of a smart contract implementation for GZS Token (GZS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13081"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T01:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for GZS Token (GZS), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-q59m-f65p-jcq3",
"modified": "2022-05-13T01:28:16Z",
"published": "2022-05-13T01:28:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13081"
},
{
"type": "WEB",
"url": "https://github.com/VenusADLab/EtherTokens/blob/master/GZSToken/GZSToken.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5FF-63C8-HCX3
Vulnerability from github – Published: 2024-10-25 12:31 – Updated: 2024-10-25 18:30In ffu_flash_pack of ffu.c, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2024-47028"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-25T11:15:17Z",
"severity": "MODERATE"
},
"details": "In ffu_flash_pack of ffu.c, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-q5ff-63c8-hcx3",
"modified": "2024-10-25T18:30:48Z",
"published": "2024-10-25T12:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47028"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2024-10-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-Q5FM-55C2-V6J9
Vulnerability from github – Published: 2024-07-16 19:32 – Updated: 2024-08-21 22:30Summary
Vulnerability scan of fiona shows CVE-2023-45853. The vulnerability is in GDAL, a dependency of fiona.
Details
Fiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. The GDAL project has addressed the CVE in version 3.8.0. See https://lists.osgeo.org/pipermail/gdal-dev/2023-November/057881.html.
The Fiona version 1.9.6 wheels on PyPI include GDAL version 3.6.4 and thus could be vulnerable. All of the Fiona 1.10 pre-release wheels in PyPI include GDAL version 3.8.4 and are not vulnerable.
Impact
Systems which use GDAL versions prior to 3.8.0 to open unchecked zip files, whether in combination with fiona or not, could be susceptible to buffer overflows.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fiona"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.10b1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2024-07-16T19:32:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nVulnerability scan of fiona shows [CVE-2023-45853](https://nvd.nist.gov/vuln/detail/CVE-2023-45853). The vulnerability is in GDAL, a dependency of fiona.\n\n### Details\nFiona depends on GDAL and GDAL has a port of minizip. MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. The GDAL project has addressed the CVE in version 3.8.0. See https://lists.osgeo.org/pipermail/gdal-dev/2023-November/057881.html.\n\nThe Fiona version 1.9.6 wheels on PyPI include GDAL version 3.6.4 and thus could be vulnerable. All of the Fiona 1.10 pre-release wheels in PyPI include GDAL version 3.8.4 and are not vulnerable.\n\n### Impact\nSystems which use GDAL versions prior to 3.8.0 to open unchecked zip files, whether in combination with fiona or not, could be susceptible to buffer overflows.",
"id": "GHSA-q5fm-55c2-v6j9",
"modified": "2024-08-21T22:30:04Z",
"published": "2024-07-16T19:32:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/Toblerity/Fiona/security/advisories/GHSA-q5fm-55c2-v6j9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45853"
},
{
"type": "WEB",
"url": "https://github.com/OSGeo/gdal/commit/4aa7ca61c1d2191baf1eea2a97d0dec33a41691f"
},
{
"type": "WEB",
"url": "https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c"
},
{
"type": "PACKAGE",
"url": "https://github.com/Toblerity/Fiona"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fiona affected by CVE-2023-45853 related to MiniZip madler-zlib"
}
GHSA-Q5G5-FC84-93H4
Vulnerability from github – Published: 2022-05-24 17:49 – Updated: 2022-05-24 17:49An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2021-31870"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-04-30T06:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in klibc before 2.0.9. Multiplication in the calloc() function may result in an integer overflow and a subsequent heap buffer overflow.",
"id": "GHSA-q5g5-fc84-93h4",
"modified": "2022-05-24T17:49:19Z",
"published": "2022-05-24T17:49:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31870"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2"
},
{
"type": "WEB",
"url": "https://kernel.org/pub/linux/libs/klibc/2.0"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00025.html"
},
{
"type": "WEB",
"url": "https://lists.zytor.com/archives/klibc/2021-April/004593.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/04/30/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.