CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3868 vulnerabilities reference this CWE, most recent first.
GHSA-VC29-CVHX-V56X
Vulnerability from github – Published: 2026-05-01 18:31 – Updated: 2026-05-01 18:31OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.
{
"affected": [],
"aliases": [
"CVE-2026-37540"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T17:16:23Z",
"severity": "HIGH"
},
"details": "OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.",
"id": "GHSA-vc29-cvhx-v56x",
"modified": "2026-05-01T18:31:25Z",
"published": "2026-05-01T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37540"
},
{
"type": "WEB",
"url": "https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381"
},
{
"type": "WEB",
"url": "https://github.com/OpenAMP/open-amp"
},
{
"type": "WEB",
"url": "https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VC3X-GX6C-G99F
Vulnerability from github – Published: 2022-02-15 01:57 – Updated: 2023-02-07 22:07In the client in Bytom before 1.0.6, checkTopicRegister in p2p/discover/net.go does not prevent negative idx values, leading to a crash.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/bytom/bytom"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-18206"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-20T18:55:02Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "In the client in Bytom before 1.0.6, checkTopicRegister in p2p/discover/net.go does not prevent negative idx values, leading to a crash.",
"id": "GHSA-vc3x-gx6c-g99f",
"modified": "2023-02-07T22:07:35Z",
"published": "2022-02-15T01:57:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18206"
},
{
"type": "WEB",
"url": "https://github.com/Bytom/bytom/pull/1307"
},
{
"type": "WEB",
"url": "https://github.com/Bytom/bytom/commit/1ac3c8ac4f2b1e1df9675228290bda6b9586ba42"
},
{
"type": "PACKAGE",
"url": "https://github.com/Bytom/bytom"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0079"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of Service in Bytom"
}
GHSA-VC72-G5GR-JP4W
Vulnerability from github – Published: 2024-07-30 09:32 – Updated: 2025-11-04 00:31In the Linux kernel, the following vulnerability has been resolved:
mm: avoid overflows in dirty throttling logic
The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX.
This is root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB.
{
"affected": [],
"aliases": [
"CVE-2024-42131"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-30T08:15:05Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: avoid overflows in dirty throttling logic\n\nThe dirty throttling logic is interspersed with assumptions that dirty\nlimits in PAGE_SIZE units fit into 32-bit (so that various multiplications\nfit into 64-bits). If limits end up being larger, we will hit overflows,\npossible divisions by 0 etc. Fix these problems by never allowing so\nlarge dirty limits as they have dubious practical value anyway. For\ndirty_bytes / dirty_background_bytes interfaces we can just refuse to set\nso large limits. For dirty_ratio / dirty_background_ratio it isn\u0027t so\nsimple as the dirty limit is computed from the amount of available memory\nwhich can change due to memory hotplug etc. So when converting dirty\nlimits from ratios to numbers of pages, we just don\u0027t allow the result to\nexceed UINT_MAX.\n\nThis is root-only triggerable problem which occurs when the operator\nsets dirty limits to \u003e16 TB.",
"id": "GHSA-vc72-g5gr-jp4w",
"modified": "2025-11-04T00:31:07Z",
"published": "2024-07-30T09:32:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42131"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2b2d2b8766db028bd827af34075f221ae9e9efff"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/385d838df280eba6c8680f9777bfa0d0bfe7e8b2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4d3817b64eda07491bdd86a234629fe0764fb42a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7a49389771ae7666f4dc3426e2a4594bf23ae290"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e0b5e7f2895eccef5c2a0018b589266f90c4805"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a25e8536184516b55ef89ab91dd2eea429de28d2"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/bd16a7ee339aef3ee4c90cb23902afb6af379ea0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c83ed422c24f0d4b264f89291d4fabe285f80dbc"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VC8P-8PXG-RFWG
Vulnerability from github – Published: 2026-06-12 21:02 – Updated: 2026-07-08 17:35Summary
The DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to Int values or allocating arrays.
A malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught OutOfMemoryError, potentially terminating the application process.
Details
The issue was in DerReader.readLength() and primitive readers such as readInteger().
readLength() previously accepted up to 127 length octets and accumulated them into an Int:
length = (length shl 8) or nextByte
This permitted integer overflow. For example:
0x1_0000_0001wrapped to1.0x8000_0000wrapped toInt.MIN_VALUE.
Primitive readers then allocated memory based on the resulting value without first checking it against the remaining input:
val bytes = ByteArray(length)
data.get(bytes)
A six-byte DER value declaring a 1 GiB INTEGER caused an immediate OutOfMemoryError when tested with a constrained JVM heap. Because OutOfMemoryError is not an Exception, it is not caught by the public-key authentication error handling and may terminate the application process.
A zero-length DER INTEGER is also invalid, but it does not produce BigInteger.ZERO: Java throws NumberFormatException when constructing a BigInteger from an empty byte array. No weakened or usable cryptographic key has been demonstrated through this issue.
Attack Requirements
The affected DER parser processes private-key material explicitly supplied by the application through APIs such as:
SshClient.authenticatePublicKey()SshKeys.decodePemPrivateKey()SshSigning.sign()SshSigning.getPublicKey()
The DER input is not populated from SSH server host keys or agent-forwarding requests. Exploitation therefore requires a user or application to load an attacker-provided private-key file. The issue is not remotely exploitable by an SSH server.
Impact
Successful exploitation can cause:
- Incorrect DER length interpretation due to integer wraparound
- Excessive memory allocation
- An uncaught
OutOfMemoryError - Loss of availability of the affected application process
There is no demonstrated confidentiality or integrity impact.
Remediation
The DER parser now:
- Rejects indefinite lengths
- Explicitly limits long-form lengths to
Int.SIZE_BYTES(four octets) and rejects values aboveInt.MAX_VALUE - Accumulates long-form lengths in a
Longbefore converting toInt - Rejects truncated and non-minimal length encodings
- Checks declared lengths against the remaining input before allocation or advancing the input position
- Rejects zero-length DER INTEGER, BIT STRING, and OBJECT IDENTIFIER values where an empty encoding is invalid
- Rejects non-canonical DER INTEGER encodings with redundant sign octets
The bounds checks are implemented in shared DER reader helpers and apply to INTEGER, OCTET STRING, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, context-specific values, and skipped values. PKCS#1 RSA and SEC1 EC private keys pass application-supplied DER directly through these helpers. PKCS#8 input is parsed by the JCA provider, and OpenSSH private keys use a separate wire-format parser rather than DerReader.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.connectbot.sshlib:sshlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54697"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-12T21:02:15Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe DER parser used for application-supplied private keys did not safely validate encoded length values before converting them to `Int` values or allocating arrays.\n\nA malformed private-key file could encode a length that overflowed or wrapped around, or request an allocation much larger than the available input. This could cause parsing errors or an uncaught `OutOfMemoryError`, potentially terminating the application process.\n\n## Details\n\nThe issue was in `DerReader.readLength()` and primitive readers such as `readInteger()`.\n\n`readLength()` previously accepted up to 127 length octets and accumulated them into an `Int`:\n\n```kotlin\nlength = (length shl 8) or nextByte\n```\n\nThis permitted integer overflow. For example:\n\n- `0x1_0000_0001` wrapped to `1`.\n- `0x8000_0000` wrapped to `Int.MIN_VALUE`.\n\nPrimitive readers then allocated memory based on the resulting value without first checking it against the remaining input:\n\n```kotlin\nval bytes = ByteArray(length)\ndata.get(bytes)\n```\n\nA six-byte DER value declaring a 1 GiB INTEGER caused an immediate `OutOfMemoryError` when tested with a constrained JVM heap. Because `OutOfMemoryError` is not an `Exception`, it is not caught by the public-key authentication error handling and may terminate the application process.\n\nA zero-length DER INTEGER is also invalid, but it does not produce `BigInteger.ZERO`: Java throws `NumberFormatException` when constructing a `BigInteger` from an empty byte array. No weakened or usable cryptographic key has been demonstrated through this issue.\n\n## Attack Requirements\n\nThe affected DER parser processes private-key material explicitly supplied by the application through APIs such as:\n\n- `SshClient.authenticatePublicKey()`\n- `SshKeys.decodePemPrivateKey()`\n- `SshSigning.sign()`\n- `SshSigning.getPublicKey()`\n\nThe DER input is not populated from SSH server host keys or agent-forwarding requests. Exploitation therefore requires a user or application to load an attacker-provided private-key file. The issue is not remotely exploitable by an SSH server.\n\n## Impact\n\nSuccessful exploitation can cause:\n\n- Incorrect DER length interpretation due to integer wraparound\n- Excessive memory allocation\n- An uncaught `OutOfMemoryError`\n- Loss of availability of the affected application process\n\nThere is no demonstrated confidentiality or integrity impact.\n\n## Remediation\n\nThe DER parser now:\n\n- Rejects indefinite lengths\n- Explicitly limits long-form lengths to `Int.SIZE_BYTES` (four octets) and rejects values above `Int.MAX_VALUE`\n- Accumulates long-form lengths in a `Long` before converting to `Int`\n- Rejects truncated and non-minimal length encodings\n- Checks declared lengths against the remaining input before allocation or advancing the input position\n- Rejects zero-length DER INTEGER, BIT STRING, and OBJECT IDENTIFIER values where an empty encoding is invalid\n- Rejects non-canonical DER INTEGER encodings with redundant sign octets\n\nThe bounds checks are implemented in shared DER reader helpers and apply to INTEGER, OCTET STRING, BIT STRING, OBJECT IDENTIFIER, SEQUENCE, context-specific values, and skipped values. PKCS#1 RSA and SEC1 EC private keys pass application-supplied DER directly through these helpers. PKCS#8 input is parsed by the JCA provider, and OpenSSH private keys use a separate wire-format parser rather than `DerReader`.",
"id": "GHSA-vc8p-8pxg-rfwg",
"modified": "2026-07-08T17:35:52Z",
"published": "2026-06-12T21:02:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/connectbot/cbssh/security/advisories/GHSA-vc8p-8pxg-rfwg"
},
{
"type": "PACKAGE",
"url": "https://github.com/connectbot/cbssh"
},
{
"type": "WEB",
"url": "https://github.com/connectbot/cbssh/releases/tag/v0.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "ConnectBot SSH Client Library: Excessive allocation and integer overflow in DER private-key parsing"
}
GHSA-VC9M-4W2W-692J
Vulnerability from github – Published: 2022-05-17 02:50 – Updated: 2022-05-17 02:50In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC can result in copying unexpectedly large data into secure memory because of integer overflows. This affects certain cases involving execution of both AArch64 Generic Trusted Firmware (TF) BL1 code and other firmware update code.
{
"affected": [],
"aliases": [
"CVE-2016-10319"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-06T15:59:00Z",
"severity": "MODERATE"
},
"details": "In ARM Trusted Firmware 1.2 and 1.3, a malformed firmware update SMC can result in copying unexpectedly large data into secure memory because of integer overflows. This affects certain cases involving execution of both AArch64 Generic Trusted Firmware (TF) BL1 code and other firmware update code.",
"id": "GHSA-vc9m-4w2w-692j",
"modified": "2022-05-17T02:50:37Z",
"published": "2022-05-17T02:50:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10319"
},
{
"type": "WEB",
"url": "https://github.com/ARM-software/arm-trusted-firmware/wiki/ARM-Trusted-Firmware-Security-Advisory-TFV-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VCFG-VCQ2-8XC9
Vulnerability from github – Published: 2022-07-05 00:00 – Updated: 2022-07-05 00:00NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and information disclosure. The scope of impact can extend to other components.
{
"affected": [],
"aliases": [
"CVE-2022-31600"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-04T18:15:00Z",
"severity": "HIGH"
},
"details": "NVIDIA DGX A100 contains a vulnerability in SBIOS in the SmmCore, where a user with high privileges can chain another vulnerability to this vulnerability, causing an integer overflow, possibly leading to code execution, escalation of privileges, denial of service, compromised integrity, and information disclosure. The scope of impact can extend to other components.",
"id": "GHSA-vcfg-vcq2-8xc9",
"modified": "2022-07-05T00:00:53Z",
"published": "2022-07-05T00:00:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31600"
},
{
"type": "WEB",
"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5367"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VCJ3-2X94-HVHP
Vulnerability from github – Published: 2022-05-14 03:05 – Updated: 2022-05-14 03:05The mintToken function of a smart contract implementation for Betcash (BC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13076"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-03T01:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for Betcash (BC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-vcj3-2x94-hvhp",
"modified": "2022-05-14T03:05:39Z",
"published": "2022-05-14T03:05:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13076"
},
{
"type": "WEB",
"url": "https://github.com/VenusADLab/EtherTokens/blob/master/Betcash/Betcash.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VCQG-3P29-XW73
Vulnerability from github – Published: 2021-11-03 18:04 – Updated: 2024-10-08 13:03libImaging/TiffDecode.c in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5310"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-03T17:23:34Z",
"nvd_published_at": "2020-01-03T01:15:00Z",
"severity": "CRITICAL"
},
"details": "`libImaging/TiffDecode.c` in Pillow before 6.2.2 has a TIFF decoding integer overflow, related to realloc.",
"id": "GHSA-vcqg-3p29-xw73",
"modified": "2024-10-08T13:03:45Z",
"published": "2021-11-03T18:04:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5310"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/commit/4e2def2539ec13e53a82e06c4b3daf00454100c4"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-vcqg-3p29-xw73"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/pillow/PYSEC-2020-81.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-db/blob/7872b0a91b4d980f749e6d75a81f8cc1af32829f/vulns/pillow/PYSEC-2020-81.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2MMU3WT2X64GS5WHDPKKC2WZA7UIIQ3A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3DUMIBUYGJRAVJCTFUWBRLVQKOUTVX5P"
},
{
"type": "WEB",
"url": "https://pillow.readthedocs.io/en/stable/releasenotes/6.2.2.html"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4272-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Integer overflow in Pillow"
}
GHSA-VF2H-7FG9-FHFJ
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-14 18:30A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via
{
"affected": [],
"aliases": [
"CVE-2026-39811"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T16:16:45Z",
"severity": "MODERATE"
},
"details": "A integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow attacker to denial of service via \u003cinsert attack vector here\u003e",
"id": "GHSA-vf2h-7fg9-fhfj",
"modified": "2026-04-14T18:30:36Z",
"published": "2026-04-14T18:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39811"
},
{
"type": "WEB",
"url": "https://fortiguard.fortinet.com/psirt/FG-IR-26-108"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VF32-JFM3-G5GW
Vulnerability from github – Published: 2024-05-14 18:31 – Updated: 2024-05-14 18:31Windows Mobile Broadband Driver Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30004"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-14T17:16:32Z",
"severity": "MODERATE"
},
"details": "Windows Mobile Broadband Driver Remote Code Execution Vulnerability",
"id": "GHSA-vf32-jfm3-g5gw",
"modified": "2024-05-14T18:31:03Z",
"published": "2024-05-14T18:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30004"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30004"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.