CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3867 vulnerabilities reference this CWE, most recent first.
GHSA-RRF5-GRXG-Q8MM
Vulnerability from github – Published: 2026-06-30 15:30 – Updated: 2026-07-02 21:32fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic.
This issue was fixed in version 0.73.1.
{
"affected": [],
"aliases": [
"CVE-2026-53432"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T13:19:13Z",
"severity": "MODERATE"
},
"details": "fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\n\nThis issue was fixed in version 0.73.1.",
"id": "GHSA-rrf5-grxg-q8mm",
"modified": "2026-07-02T21:32:10Z",
"published": "2026-06-30T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53432"
},
{
"type": "WEB",
"url": "https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91"
},
{
"type": "WEB",
"url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432"
},
{
"type": "WEB",
"url": "https://github.com/junegunn/fzf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RRHP-C9RM-H79R
Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33u'Integer overflow to buffer overflow occurs while playback of ASF clip having unexpected number of codec entries' in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330
{
"affected": [],
"aliases": [
"CVE-2020-11196"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T10:15:00Z",
"severity": "CRITICAL"
},
"details": "u\u0027Integer overflow to buffer overflow occurs while playback of ASF clip having unexpected number of codec entries\u0027 in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables in APQ8009, APQ8009W, APQ8017, APQ8037, APQ8053, APQ8064AU, APQ8096, APQ8096AU, APQ8096SG, APQ8098, MDM9206, MDM9650, MSM8905, MSM8909, MSM8909W, MSM8917, MSM8920, MSM8937, MSM8940, MSM8953, MSM8996, MSM8996AU, MSM8996SG, MSM8998, QCM4290, QCM6125, QCS405, QCS410, QCS4290, QCS603, QCS605, QCS610, QCS6125, QM215, SA6145P, SA6150P, SA6155, SA6155P, SA8150P, SA8155, SA8155P, SA8195P, SDA429W, SDA640, SDA660, SDA670, SDA845, SDM429, SDM429W, SDM439, SDM450, SDM455, SDM630, SDM632, SDM636, SDM640, SDM660, SDM670, SDM710, SDM830, SDM845, SDW2500, SDX20, SDX20M, SDX50M, SDX55, SDX55M, SM4125, SM4250, SM4250P, SM6115, SM6115P, SM6125, SM6150, SM6150P, SM6250, SM6250P, SM6350, SM7125, SM7150, SM7150P, SM7225, SM7250, SM7250P, SM8150, SM8150P, SM8250, SXR1120, SXR1130, SXR2130, SXR2130P, WCD9330",
"id": "GHSA-rrhp-c9rm-h79r",
"modified": "2022-05-24T17:33:31Z",
"published": "2022-05-24T17:33:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11196"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/november-2020-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-RRX2-R989-2C43
Vulnerability from github – Published: 2022-02-09 23:39 – Updated: 2024-11-13 22:42Impact
The implementations of Sparse*Cwise* ops are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or CHECK-fails when building new TensorShape objects (so, assert failures based denial of service):
import tensorflow as tf
import numpy as np
tf.raw_ops.SparseDenseCwiseDiv(
sp_indices=np.array([[9]]),
sp_values=np.array([5]),
sp_shape=np.array([92233720368., 92233720368]),
dense=np.array([4]))
We are missing some validation on the shapes of the input tensors as well as directly constructing a large TensorShape with user-provided dimensions. The latter is an instance of TFSA-2021-198 (CVE-2021-41197) and is easily fixed by replacing a call to TensorShape constructor with a call to BuildTensorShape static helper factory.
Patches
We have patched the issue in GitHub commits 1b54cadd19391b60b6fcccd8d076426f7221d5e8 and e952a89b7026b98fe8cbe626514a93ed68b7c510.
The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.7.0"
]
}
],
"aliases": [
"CVE-2022-23567"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-03T21:08:01Z",
"nvd_published_at": "2022-02-03T12:15:00Z",
"severity": "HIGH"
},
"details": "### Impact \nThe [implementations of `Sparse*Cwise*` ops](https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc) are vulnerable to integer overflows. These can be used to trigger large allocations (so, OOM based denial of service) or `CHECK`-fails when building new `TensorShape` objects (so, assert failures based denial of service):\n\n```python\nimport tensorflow as tf\nimport numpy as np\n\ntf.raw_ops.SparseDenseCwiseDiv(\n sp_indices=np.array([[9]]),\n sp_values=np.array([5]),\n sp_shape=np.array([92233720368., 92233720368]),\n dense=np.array([4]))\n```\n\nWe are missing some validation on the shapes of the input tensors as well as directly constructing a large `TensorShape` with user-provided dimensions. The latter is an instance of [TFSA-2021-198](https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md) (CVE-2021-41197) and is easily fixed by replacing a call to `TensorShape` constructor with a call to `BuildTensorShape` static helper factory.\n\n### Patches\nWe have patched the issue in GitHub commits [1b54cadd19391b60b6fcccd8d076426f7221d5e8](https://github.com/tensorflow/tensorflow/commit/1b54cadd19391b60b6fcccd8d076426f7221d5e8) and [e952a89b7026b98fe8cbe626514a93ed68b7c510](https://github.com/tensorflow/tensorflow/commit/e952a89b7026b98fe8cbe626514a93ed68b7c510).\n\nThe fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported by Faysal Hossain Shezan from University of Virginia.",
"id": "GHSA-rrx2-r989-2c43",
"modified": "2024-11-13T22:42:07Z",
"published": "2022-02-09T23:39:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-rrx2-r989-2c43"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23567"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/1b54cadd19391b60b6fcccd8d076426f7221d5e8"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/e952a89b7026b98fe8cbe626514a93ed68b7c510"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-76.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-131.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/5100e359aef5c8021f2e71c7b986420b85ce7b3d/tensorflow/core/kernels/sparse_dense_binary_op_shared.cc"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2021-198.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Integer overflows in Tensorflow"
}
GHSA-RRXP-JC5M-RX5P
Vulnerability from github – Published: 2022-05-14 03:45 – Updated: 2022-05-14 03:45The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an integer overflow because of incorrect exponent validation.
{
"affected": [],
"aliases": [
"CVE-2018-6191"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-01-24T21:29:00Z",
"severity": "MODERATE"
},
"details": "The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an integer overflow because of incorrect exponent validation.",
"id": "GHSA-rrxp-jc5m-rx5p",
"modified": "2022-05-14T03:45:28Z",
"published": "2022-05-14T03:45:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6191"
},
{
"type": "WEB",
"url": "https://bugs.ghostscript.com/show_bug.cgi?id=698920"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/43903"
},
{
"type": "WEB",
"url": "http://git.ghostscript.com/?p=mujs.git;a=commit;h=25821e6d74fab5fcc200fe5e818362e03e114428"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/102840"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RRXV-Q8M4-WCH3
Vulnerability from github – Published: 2023-08-01 19:48 – Updated: 2023-08-10 22:10Description
According to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function.
The vulnerability resides in the following GitHub repository: https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171
The vulnerable line of code is:
require(
expiries[id] + duration + GRACE_PERIOD > duration + GRACE_PERIOD
); // Prevent future overflow
In this code snippet, the duration variable is user-supplied, making it possible to provide a value that would cause an overflow on both sides of the '>' expression, ultimately rendering the condition true. Specifically, when the duration is set to 2^256 - GRACE_PERIOD, the subsequent line expiries[id] += duration; also experiences an overflow, as expiries[id] is greater than GRACE_PERIOD. This results in the reduction of expiries[id] by GRACE_PERIOD. By repeatedly calling the renew function, an attacker could potentially force the expiration of an ENS record.
You can find the PoC included in the attached document. To execute the test, please use the following command:
forge test -vvv --match-contract RegistrarExploit --fork-url <alchemy_url>
Replace <alchemy_url> with your Alchemy API URL. This command will run the Foundry test file and demonstrate the potential vulnerability.
Impact
If successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves.
Currently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future.
An additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.
Patches
A mitigation is being developed.
Workarounds
As long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.0.21"
},
"package": {
"ecosystem": "npm",
"name": "@ensdomains/ens-contracts"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-38698"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-01T19:48:31Z",
"nvd_published_at": "2023-08-04T18:15:15Z",
"severity": "MODERATE"
},
"details": "### Description\nAccording to the documentation, controllers are allowed to register new domains and extend the expiry of existing domains, but they cannot change the ownership or reduce the expiration time of existing domains. However, a preliminary analysis suggests that an attacker-controlled controller may be able to reduce the expiration time of existing domains due to an integer overflow in the renew function.\n\nThe vulnerability resides in the following GitHub repository: https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171 \n\nThe vulnerable line of code is:\n```js\nrequire(\n expiries[id] + duration + GRACE_PERIOD \u003e duration + GRACE_PERIOD\n ); // Prevent future overflow\n```\n\nIn this code snippet, the `duration` variable is user-supplied, making it possible to provide a value that would cause an overflow on both sides of the \u0027\u003e\u0027 expression, ultimately rendering the condition true. Specifically, when the duration is set to `2^256 - GRACE_PERIOD`, the subsequent line `expiries[id] += duration;` also experiences an overflow, as `expiries[id]` is greater than `GRACE_PERIOD`. This results in the reduction of `expiries[id]` by `GRACE_PERIOD`. By repeatedly calling the renew function, an attacker could potentially force the expiration of an ENS record.\n\nYou can find the PoC included in the attached document. To execute the test, please use the following command:\n```\nforge test -vvv --match-contract RegistrarExploit --fork-url \u003calchemy_url\u003e\n```\n\nReplace `\u003calchemy_url\u003e` with your Alchemy API URL. This command will run the Foundry test file and demonstrate the potential vulnerability.\n\n### Impact\nIf successfully exploited, this vulnerability would enable attackers to force the expiration of any ENS record, ultimately allowing them to claim the affected domains for themselves.\n\nCurrently, it would require a malicious DAO to exploit it. Nevertheless, any vulnerability present in the controllers could potentially render this issue exploitable in the future.\n\nAn additional concern is the possibility of renewal discounts. Should ENS decide to implement a system that offers unlimited .eth domains for a fixed fee in the future, the vulnerability could become exploitable by any user due to the reduced attack cost.\n\n### Patches\nA mitigation is being developed.\n\n### Workarounds\nAs long as registration cost remains linear or superlinear based on registration duration, or limited to a reasonable maximum (eg, 1 million years), this vulnerability could only be exploited by a malicious DAO. The interim workaround is thus to take no action.\n",
"id": "GHSA-rrxv-q8m4-wch3",
"modified": "2023-08-10T22:10:22Z",
"published": "2023-08-01T19:48:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/security/advisories/GHSA-rrxv-q8m4-wch3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38698"
},
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/commit/e6b136e979084de3761c125142620304173990ca"
},
{
"type": "PACKAGE",
"url": "https://github.com/ensdomains/ens-contracts"
},
{
"type": "WEB",
"url": "https://github.com/ensdomains/ens-contracts/blob/master/contracts/ethregistrar/BaseRegistrarImplementation.sol#L171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": ".eth registrar controller can shorten the duration of registered names"
}
GHSA-RV3M-28Q9-FC3R
Vulnerability from github – Published: 2022-05-14 03:02 – Updated: 2022-05-14 03:02The mintToken function of a smart contract implementation for GalacticX, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13601"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for GalacticX, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-rv3m-28q9-fc3r",
"modified": "2022-05-14T03:02:38Z",
"published": "2022-05-14T03:02:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13601"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/GalacticX"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RV46-GC6R-8FFX
Vulnerability from github – Published: 2022-05-17 00:22 – Updated: 2022-05-17 00:22The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate message size metadata, allowing a compromised secondary process to trigger an integer overflow and subsequent buffer overflow in the UI process. This vulnerability does not affect Apple products.
{
"affected": [],
"aliases": [
"CVE-2017-1000121"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-11-01T21:29:00Z",
"severity": "CRITICAL"
},
"details": "The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, does not properly validate message size metadata, allowing a compromised secondary process to trigger an integer overflow and subsequent buffer overflow in the UI process. This vulnerability does not affect Apple products.",
"id": "GHSA-rv46-gc6r-8ffx",
"modified": "2022-05-17T00:22:27Z",
"published": "2022-05-17T00:22:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000121"
},
{
"type": "WEB",
"url": "https://webkitgtk.org/security/WSA-2017-0007.html"
},
{
"type": "WEB",
"url": "http://trac.webkit.org/changeset/217126/webkit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RV4P-RHHC-PXCX
Vulnerability from github – Published: 2025-09-09 18:31 – Updated: 2025-09-09 18:31Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally.
{
"affected": [],
"aliases": [
"CVE-2025-54895"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-09T17:16:00Z",
"severity": "HIGH"
},
"details": "Integer overflow or wraparound in Windows SPNEGO Extended Negotiation allows an authorized attacker to elevate privileges locally.",
"id": "GHSA-rv4p-rhhc-pxcx",
"modified": "2025-09-09T18:31:22Z",
"published": "2025-09-09T18:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54895"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-54895"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RV9J-MW3Q-QPPG
Vulnerability from github – Published: 2025-11-24 21:30 – Updated: 2025-11-24 21:30Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service.
{
"affected": [],
"aliases": [
"CVE-2025-0005"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-24T20:15:47Z",
"severity": "HIGH"
},
"details": "Improper input validation within the XOCL driver may allow a local attacker to generate an integer overflow condition, potentially resulting in crash or denial of service.",
"id": "GHSA-rv9j-mw3q-qppg",
"modified": "2025-11-24T21:30:59Z",
"published": "2025-11-24T21:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0005"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-8014.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RVG3-9F28-P29Q
Vulnerability from github – Published: 2026-07-13 06:31 – Updated: 2026-07-13 06:31Successful exploitation of the integer overflow vulnerability could allow an attacker to achieve system-level access to the affected software.
{
"affected": [],
"aliases": [
"CVE-2026-7162"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T04:16:29Z",
"severity": "HIGH"
},
"details": "Successful\nexploitation of the integer overflow vulnerability could allow an attacker to\nachieve system-level access to the affected software.",
"id": "GHSA-rvg3-9f28-p29q",
"modified": "2026-07-13T06:31:32Z",
"published": "2026-07-13T06:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7162"
},
{
"type": "WEB",
"url": "https://github.com/winfsp/winfsp/releases/tag/v2.2B2"
},
{
"type": "WEB",
"url": "https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2026-086"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.