Common Weakness Enumeration

CWE-191

Allowed

Integer Underflow (Wrap or Wraparound)

Abstraction: Base · Status: Draft

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

643 vulnerabilities reference this CWE, most recent first.

GHSA-2J9J-P8F4-HWP3

Vulnerability from github – Published: 2026-06-24 18:32 – Updated: 2026-06-28 09:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

fs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START

omfs_fill_super() rejects oversized s_sys_blocksize values (> PAGE_SIZE), but it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).

Later, omfs_make_empty() uses

sbi->s_sys_blocksize - OMFS_DIR_START

as the length argument to memset(). Since s_sys_blocksize is u32, a crafted filesystem image with s_sys_blocksize < OMFS_DIR_START causes an unsigned underflow there, wrapping to a value near 2^32. That drives a ~4 GiB memset() from bh->b_data + OMFS_DIR_START and overwrites kernel memory far beyond the backing block buffer.

Add the corresponding lower-bound check alongside the existing upper-bound check in omfs_fill_super(), so that malformed images are rejected during superblock validation before any filesystem data is processed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-53130"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T17:17:28Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/omfs: reject s_sys_blocksize smaller than OMFS_DIR_START\n\nomfs_fill_super() rejects oversized s_sys_blocksize values (\u003e PAGE_SIZE),\nbut it does not reject values smaller than OMFS_DIR_START (0x1b8 = 440).\n\nLater, omfs_make_empty() uses\n\n    sbi-\u003es_sys_blocksize - OMFS_DIR_START\n\nas the length argument to memset().  Since s_sys_blocksize is u32,\na crafted filesystem image with s_sys_blocksize \u003c OMFS_DIR_START causes\nan unsigned underflow there, wrapping to a value near 2^32.  That drives\na ~4 GiB memset() from bh-\u003eb_data + OMFS_DIR_START and overwrites kernel\nmemory far beyond the backing block buffer.\n\nAdd the corresponding lower-bound check alongside the existing upper-bound\ncheck in omfs_fill_super(), so that malformed images are rejected during\nsuperblock validation before any filesystem data is processed.",
  "id": "GHSA-2j9j-p8f4-hwp3",
  "modified": "2026-06-28T09:31:42Z",
  "published": "2026-06-24T18:32:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53130"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0621c385fda1376e967f37ccd534c26c3e511d14"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/131ea3e57fc22936ed0e2c8330f2e36106172f51"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5822a05a841a10794ad818620dd2af490b0705d3"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6561afc38398e3518a29c5eebb975c30468f98a6"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/754ff1bea3819a90c6f33cccfc1a299ef7609f07"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/79f84af38c9fef9deb0e02c79eb969b5541c2644"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/817f16ed62bc58a168417bfb5e859c2a370bab03"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fbc72f5c645155dc2ed3573243ed20f9913e3a54"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2JVP-H4W4-2VXH

Vulnerability from github – Published: 2026-04-10 00:30 – Updated: 2026-04-29 15:30
VLAI
Details

Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-09T22:16:37Z",
    "severity": "LOW"
  },
  "details": "Integer underflow in wolfSSL packet sniffer \u003c= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.",
  "id": "GHSA-2jvp-h4w4-2vxh",
  "modified": "2026-04-29T15:30:34Z",
  "published": "2026-04-10T00:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5778"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/pull/10125"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2P6V-8334-H8V4

Vulnerability from github – Published: 2024-07-09 18:30 – Updated: 2024-07-09 18:30
VLAI
Details

Secure Boot Security Feature Bypass Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-07-09T17:15:25Z",
    "severity": "HIGH"
  },
  "details": "Secure Boot Security Feature Bypass Vulnerability",
  "id": "GHSA-2p6v-8334-h8v4",
  "modified": "2024-07-09T18:30:50Z",
  "published": "2024-07-09T18:30:50Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37986"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-37986"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2Q9G-Q8JJ-FR53

Vulnerability from github – Published: 2026-03-19 18:31 – Updated: 2026-04-29 21:31
VLAI
Details

Integer underflow in wolfSSL packet sniffer <= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1005"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-19T17:16:21Z",
    "severity": "LOW"
  },
  "details": "Integer underflow in wolfSSL packet sniffer \u003c= 5.8.4 allows an attacker to cause a buffer overflow in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing heap buffer overflow and a crash. An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.",
  "id": "GHSA-2q9g-q8jj-fr53",
  "modified": "2026-04-29T21:31:19Z",
  "published": "2026-03-19T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1005"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssl/pull/9571"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-2QHJ-XVHG-5RMF

Vulnerability from github – Published: 2025-04-08 21:31 – Updated: 2025-04-08 21:31
VLAI
Details

Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-30296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-08T19:15:49Z",
    "severity": "HIGH"
  },
  "details": "Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
  "id": "GHSA-2qhj-xvhg-5rmf",
  "modified": "2025-04-08T21:31:39Z",
  "published": "2025-04-08T21:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30296"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/framemaker/apsb25-33.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2QW2-MF8F-R46G

Vulnerability from github – Published: 2024-04-17 18:31 – Updated: 2024-04-29 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue

[why] odm calculation is missing for pipe split policy determination and cause Underflow/Corruption issue.

[how] Add the odm calculation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-26913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-17T16:15:08Z",
    "severity": "HIGH"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix dcn35 8k30 Underflow/Corruption Issue\n\n[why]\nodm calculation is missing for pipe split policy determination\nand cause Underflow/Corruption issue.\n\n[how]\nAdd the odm calculation.",
  "id": "GHSA-2qw2-mf8f-r46g",
  "modified": "2024-04-29T21:30:34Z",
  "published": "2024-04-17T18:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26913"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cdbe0be8874c63bca85b8c38e5b1eecbdd18df31"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/faf51b201bc42adf500945732abb6220c707d6f3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RVR-836W-4QQV

Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42
VLAI
Details

Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client encryption-key exchange. The issue results from an integer underflow that leads to a zero-byte allocation. The _srvLnaConnectMP1 function is affected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-11757"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-07-31T14:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code via crafted traffic to TCP port 1583. The overflow occurs after Server-Client encryption-key exchange. The issue results from an integer underflow that leads to a zero-byte allocation. The _srvLnaConnectMP1 function is affected.",
  "id": "GHSA-2rvr-836w-4qqv",
  "modified": "2022-05-13T01:42:31Z",
  "published": "2022-05-13T01:42:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11757"
    },
    {
      "type": "WEB",
      "url": "https://blogs.securiteam.com/index.php/archives/2924"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/SecuriTeam_SSD/status/815567538318954496"
    },
    {
      "type": "WEB",
      "url": "http://supportservices.actian.com/support-services/security-center#announcements"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2RXJ-VWP2-V63V

Vulnerability from github – Published: 2023-07-20 03:30 – Updated: 2024-04-04 06:17
VLAI
Details

Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm->total_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-28733"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-20T01:15:10Z",
    "severity": "HIGH"
  },
  "details": "Integer underflow in grub_net_recv_ip4_packets; A malicious crafted IP packet can lead to an integer underflow in grub_net_recv_ip4_packets() function on rsm-\u003etotal_len value. Under certain circumstances the total_len value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.",
  "id": "GHSA-2rxj-vwp2-v63v",
  "modified": "2024-04-04T06:17:28Z",
  "published": "2023-07-20T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28733"
    },
    {
      "type": "WEB",
      "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28733"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230825-0002"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/06/07/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2VQ7-8VVF-W66V

Vulnerability from github – Published: 2024-05-03 03:31 – Updated: 2025-03-28 12:31
VLAI
Details

Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17578.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-42118"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-03T03:15:50Z",
    "severity": "HIGH"
  },
  "details": "Exim libspf2 Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Exim libspf2. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within the parsing of SPF macros. When parsing SPF macros, the process does not properly validate user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-17578.",
  "id": "GHSA-2vq7-8vvf-w66v",
  "modified": "2025-03-28T12:31:34Z",
  "published": "2024-05-03T03:31:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42118"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-1472"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/03/28/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2WM2-CFR8-8VW9

Vulnerability from github – Published: 2022-04-29 02:58 – Updated: 2025-04-03 04:08
VLAI
Details

Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-1002"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-03-01T05:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.",
  "id": "GHSA-2wm2-cfr8-8vw9",
  "modified": "2025-04-03T04:08:21Z",
  "published": "2022-04-29T02:58:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-1002"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17874"
    },
    {
      "type": "WEB",
      "url": "https://www.ubuntu.com/usn/usn-12-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/379450"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.