CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
640 vulnerabilities reference this CWE, most recent first.
GHSA-PQ8M-942F-68CV
Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.
{
"affected": [],
"aliases": [
"CVE-2026-32775"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-16T14:19:44Z",
"severity": "HIGH"
},
"details": "libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.",
"id": "GHSA-pq8m-942f-68cv",
"modified": "2026-03-16T15:30:43Z",
"published": "2026-03-16T15:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32775"
},
{
"type": "WEB",
"url": "https://github.com/libexif/libexif/issues/247"
},
{
"type": "WEB",
"url": "https://github.com/libexif/libexif/commit/7df372e9d31d7c993a22b913c813a5f7ec4f3692"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PRW9-FQ4W-JFRF
Vulnerability from github – Published: 2022-05-24 17:29 – Updated: 2022-10-07 18:15An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the move_desc function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could cause move_desc to get stuck in a 4,294,967,295-count iteration loop. Depending on how vhost_crypto is being used this could prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period.
{
"affected": [],
"aliases": [
"CVE-2020-14378"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-30T19:15:00Z",
"severity": "MODERATE"
},
"details": "An integer underflow in dpdk versions before 18.11.10 and before 19.11.5 in the `move_desc` function can lead to large amounts of CPU cycles being eaten up in a long running loop. An attacker could cause `move_desc` to get stuck in a 4,294,967,295-count iteration loop. Depending on how `vhost_crypto` is being used this could prevent other VMs or network tasks from being serviced by the busy DPDK lcore for an extended period.",
"id": "GHSA-prw9-fq4w-jfrf",
"modified": "2022-10-07T18:15:55Z",
"published": "2022-05-24T17:29:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14378"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1879473"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4550-1"
},
{
"type": "WEB",
"url": "https://www.openwall.com/lists/oss-security/2020/09/28/3"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00006.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/01/04/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/01/04/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2021/01/04/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-PVMQ-WGHP-3G56
Vulnerability from github – Published: 2022-05-24 16:51 – Updated: 2022-05-24 16:51An Integer underflow in VLC Media Player versions < 3.0.7 leads to an out-of-band read.
{
"affected": [],
"aliases": [
"CVE-2019-5459"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-30T21:15:00Z",
"severity": "HIGH"
},
"details": "An Integer underflow in VLC Media Player versions \u003c 3.0.7 leads to an out-of-band read.",
"id": "GHSA-pvmq-wghp-3g56",
"modified": "2022-05-24T16:51:48Z",
"published": "2022-05-24T16:51:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5459"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/502816"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00005.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00037.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00040.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00081.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PWH4-8CRG-2XVF
Vulnerability from github – Published: 2026-06-25 09:31 – Updated: 2026-07-06 18:30In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Reject zero-length property entries in validator
tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic:
property->value.text[property->length * 4 - 1] = '\0';
When property->length is 0 this writes to offset -1 relative to the allocation.
Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol.
{
"affected": [],
"aliases": [
"CVE-2026-53150"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T09:16:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Reject zero-length property entries in validator\n\ntb_property_entry_valid() accepts entries with length == 0 for\nDIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes\nvalidation but causes an underflow in the null-termination logic:\n\n property-\u003evalue.text[property-\u003elength * 4 - 1] = \u0027\\0\u0027;\n\nWhen property-\u003elength is 0 this writes to offset -1 relative to\nthe allocation.\n\nReject zero-length entries early in the validator since they have no\nvalid representation in the XDomain property protocol.",
"id": "GHSA-pwh4-8crg-2xvf",
"modified": "2026-07-06T18:30:36Z",
"published": "2026-06-25T09:31:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53150"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e0ddac549ebd713eb9f4a15b6496e3440a17d8b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/35d6c9252a152e756768a26dbf216b9dd9dd8e92"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3b6e68cb97f725385010264a873e14a3921b6b8a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/581c2053ab4dbe27e83c9e62deb4c73aa8dc0c3a"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f56bc6bddffe8710ba0ba8844023b5a44ca90e4"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/99d9dbad1463afb510d42c9714f846361d1b726d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca11e7da4fba4b394f69e16448f4463c44c84de6"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cff8eb65d1eafe7793e54b4d0cf6bf831644630b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWVR-7GM4-F533
Vulnerability from github – Published: 2025-07-09 00:30 – Updated: 2025-07-09 00:30Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-47128"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-08T23:15:25Z",
"severity": "HIGH"
},
"details": "Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-pwvr-7gm4-f533",
"modified": "2025-07-09T00:30:33Z",
"published": "2025-07-09T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47128"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb25-66.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PWX7-84P4-42QC
Vulnerability from github – Published: 2026-02-04 18:30 – Updated: 2026-03-13 21:31In the Linux kernel, the following vulnerability has been resolved:
vsock/virtio: fix potential underflow in virtio_transport_get_credit()
The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic:
ret = vvs->peer_buf_alloc - (vvs->tx_cnt - vvs->peer_fwd_cnt);
If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle.
Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that.
[Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message]
{
"affected": [],
"aliases": [
"CVE-2026-23069"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-04T17:16:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock/virtio: fix potential underflow in virtio_transport_get_credit()\n\nThe credit calculation in virtio_transport_get_credit() uses unsigned\narithmetic:\n\n ret = vvs-\u003epeer_buf_alloc - (vvs-\u003etx_cnt - vvs-\u003epeer_fwd_cnt);\n\nIf the peer shrinks its advertised buffer (peer_buf_alloc) while bytes\nare in flight, the subtraction can underflow and produce a large\npositive value, potentially allowing more data to be queued than the\npeer can handle.\n\nReuse virtio_transport_has_space() which already handles this case and\nadd a comment to make it clear why we are doing that.\n\n[Stefano: use virtio_transport_has_space() instead of duplicating the code]\n[Stefano: tweak the commit message]",
"id": "GHSA-pwx7-84p4-42qc",
"modified": "2026-03-13T21:31:40Z",
"published": "2026-02-04T18:30:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23069"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PXCF-WGW3-GWC6
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13Integer underflow can occur due to improper handling of incoming RTCP packets in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables
{
"affected": [],
"aliases": [
"CVE-2021-1920"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T12:15:00Z",
"severity": "CRITICAL"
},
"details": "Integer underflow can occur due to improper handling of incoming RTCP packets in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
"id": "GHSA-pxcf-wgw3-gwc6",
"modified": "2022-05-24T19:13:52Z",
"published": "2022-05-24T19:13:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1920"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/august-2021-bulletin"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-Q2Q4-VX5M-7XC9
Vulnerability from github – Published: 2025-02-11 18:31 – Updated: 2025-02-11 18:31InCopy versions 20.0, 19.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-21156"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-11T18:15:27Z",
"severity": "HIGH"
},
"details": "InCopy versions 20.0, 19.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-q2q4-vx5m-7xc9",
"modified": "2025-02-11T18:31:35Z",
"published": "2025-02-11T18:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21156"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/incopy/apsb25-10.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q3RR-XQPW-VV2X
Vulnerability from github – Published: 2024-02-20 18:30 – Updated: 2025-11-04 21:31An integer underflow vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to an out-of-bounds write which in turn can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2024-23313"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-20T16:15:09Z",
"severity": "CRITICAL"
},
"details": "An integer underflow vulnerability exists in the sopen_FAMOS_read functionality of The Biosig Project libbiosig 2.5.0 and Master Branch (ab0ee111). A specially crafted .famos file can lead to an out-of-bounds write which in turn can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-q3rr-xqpw-vv2x",
"modified": "2025-11-04T21:31:10Z",
"published": "2024-02-20T18:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23313"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRLGNQM33KAWVWP5RPMAPHWNP3IY5YW"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2024-1922"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1922"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-Q43W-G673-M6F4
Vulnerability from github – Published: 2024-04-17 12:32 – Updated: 2024-11-04 21:30In the Linux kernel, the following vulnerability has been resolved:
cifs: fix underflow in parse_server_interfaces()
In this loop, we step through the buffer and after each item we check if the size_left is greater than the minimum size we need. However, the problem is that "bytes_left" is type ssize_t while sizeof() is type size_t. That means that because of type promotion, the comparison is done as an unsigned and if we have negative bytes left the loop continues instead of ending.
{
"affected": [],
"aliases": [
"CVE-2024-26828"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-17T10:15:09Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix underflow in parse_server_interfaces()\n\nIn this loop, we step through the buffer and after each item we check\nif the size_left is greater than the minimum size we need. However,\nthe problem is that \"bytes_left\" is type ssize_t while sizeof() is type\nsize_t. That means that because of type promotion, the comparison is\ndone as an unsigned and if we have negative bytes left the loop\ncontinues instead of ending.",
"id": "GHSA-q43w-g673-m6f4",
"modified": "2024-11-04T21:30:26Z",
"published": "2024-04-17T12:32:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26828"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/7190353835b4a219abb70f90b06cdcae97f11512"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cffe487026be13eaf37ea28b783d9638ab147204"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/df2af9fdbc4ddde18a3371c4ca1a86596e8be301"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f7ff1c89fb6e9610d2b01c1821727729e6609308"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.