CWE-680
DiscouragedInteger Overflow to Buffer Overflow
Abstraction: Compound · Status: Draft
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
145 vulnerabilities reference this CWE, most recent first.
GHSA-33R8-VRX9-RMCV
Vulnerability from github – Published: 2025-08-08 00:30 – Updated: 2025-08-08 17:00An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "executorch"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "0.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54952"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-08T17:00:01Z",
"nvd_published_at": "2025-08-08T00:15:26Z",
"severity": "MODERATE"
},
"details": "An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b.",
"id": "GHSA-33r8-vrx9-rmcv",
"modified": "2025-08-08T17:00:01Z",
"published": "2025-08-08T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54952"
},
{
"type": "WEB",
"url": "https://github.com/pytorch/executorch/commit/8f062d3f661e20bb19b24b767b9a9a46e8359f2b"
},
{
"type": "PACKAGE",
"url": "https://github.com/pytorch/executorch"
},
{
"type": "WEB",
"url": "https://www.facebook.com/security/advisories/cve-2025-54952"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "ExecuTorch integer overflow vulnerability leads to code execution"
}
GHSA-3QGC-VRVV-MV2R
Vulnerability from github – Published: 2024-11-04 12:32 – Updated: 2024-11-04 12:32Memory corruption while processing voice packet with arbitrary data received from ADSP.
{
"affected": [],
"aliases": [
"CVE-2024-38422"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-04T10:15:08Z",
"severity": "HIGH"
},
"details": "Memory corruption while processing voice packet with arbitrary data received from ADSP.",
"id": "GHSA-3qgc-vrvv-mv2r",
"modified": "2024-11-04T12:32:56Z",
"published": "2024-11-04T12:32:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38422"
},
{
"type": "WEB",
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R68-64PC-X636
Vulnerability from github – Published: 2022-08-06 00:00 – Updated: 2022-08-12 00:01An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. A specially-crafted OLE file can lead to a heap buffer overflow which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2022-32543"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-08-05T22:15:00Z",
"severity": "HIGH"
},
"details": "An integer overflow vulnerability exists in the way ESTsoft Alyac 2.5.8.544 parses OLE files. A specially-crafted OLE file can lead to a heap buffer overflow which can result in arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-3r68-64pc-x636",
"modified": "2022-08-12T00:01:24Z",
"published": "2022-08-06T00:00:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32543"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1527"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-434X-W66G-QW3R
Vulnerability from github – Published: 2026-02-03 19:17 – Updated: 2026-02-05 00:37Details
In the unique reclaim path of BytesMut::reserve, the condition
if v_capacity >= new_cap + offset
uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB.
This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.
PoC
use bytes::*;
fn main() {
let mut a = BytesMut::from(&b"hello world"[..]);
let mut b = a.split_off(5);
// Ensure b becomes the unique owner of the backing storage
drop(a);
// Trigger overflow in new_cap + offset inside reserve
b.reserve(usize::MAX - 6);
// This call relies on the corrupted cap and may cause UB & HBO
b.put_u8(b'h');
}
Workarounds
Users of BytesMut::reserve are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.
This vulnerability is also known as RUSTSEC-2026-0007.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "bytes"
},
"ranges": [
{
"events": [
{
"introduced": "1.2.1"
},
{
"fixed": "1.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25541"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-03T19:17:46Z",
"nvd_published_at": "2026-02-04T22:16:00Z",
"severity": "MODERATE"
},
"details": "# Details\n\nIn the unique reclaim path of `BytesMut::reserve`, the condition\n```rs\nif v_capacity \u003e= new_cap + offset\n```\nuses an unchecked addition. When `new_cap + offset` overflows `usize` in release builds, this condition may incorrectly pass, causing `self.cap` to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as `spare_capacity_mut()` then trust this corrupted `cap` value and may create out-of-bounds slices, leading to UB.\n\nThis behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks.\n\n## PoC\n\n```rs\nuse bytes::*;\n\nfn main() {\n let mut a = BytesMut::from(\u0026b\"hello world\"[..]);\n let mut b = a.split_off(5);\n\n // Ensure b becomes the unique owner of the backing storage\n drop(a);\n\n // Trigger overflow in new_cap + offset inside reserve\n b.reserve(usize::MAX - 6);\n\n // This call relies on the corrupted cap and may cause UB \u0026 HBO\n b.put_u8(b\u0027h\u0027);\n}\n```\n\n# Workarounds\n\nUsers of `BytesMut::reserve` are only affected if integer overflow checks are configured to wrap. When integer overflow is configured to panic, this issue does not apply.\n\nThis vulnerability is also known as [RUSTSEC-2026-0007](https://rustsec.org/advisories/RUSTSEC-2026-0007.html).",
"id": "GHSA-434x-w66g-qw3r",
"modified": "2026-02-05T00:37:18Z",
"published": "2026-02-03T19:17:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25541"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f"
},
{
"type": "PACKAGE",
"url": "https://github.com/tokio-rs/bytes"
},
{
"type": "WEB",
"url": "https://github.com/tokio-rs/bytes/releases/tag/v1.11.1"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2026-0007.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "bytes has integer overflow in BytesMut::reserve"
}
GHSA-43RQ-98QH-8HX4
Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-11-03 21:34A memory corruption vulnerability exists in the BMPv3 RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-52930"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T15:15:40Z",
"severity": "HIGH"
},
"details": "A memory corruption vulnerability exists in the BMPv3 RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.",
"id": "GHSA-43rq-98qh-8hx4",
"modified": "2025-11-03T21:34:24Z",
"published": "2025-08-26T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52930"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2221"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2221"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-44WM-F244-XHP3
Vulnerability from github – Published: 2024-04-03 03:30 – Updated: 2025-10-15 15:46In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "pillow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28219"
],
"database_specific": {
"cwe_ids": [
"CWE-120",
"CWE-676",
"CWE-680"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-03T14:53:39Z",
"nvd_published_at": "2024-04-03T03:15:09Z",
"severity": "HIGH"
},
"details": "In _imagingcms.c in Pillow before 10.3.0, a buffer overflow exists because strcpy is used instead of strncpy.",
"id": "GHSA-44wm-f244-xhp3",
"modified": "2025-10-15T15:46:18Z",
"published": "2024-04-03T03:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28219"
},
{
"type": "WEB",
"url": "https://github.com/python-pillow/Pillow/commit/2a93aba5cfcf6e241ab4f9392c13e3b74032c061"
},
{
"type": "PACKAGE",
"url": "https://github.com/python-pillow/Pillow"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4XLPUT3VK4GQ6EVY525TT2QNUIXNRU5M"
},
{
"type": "WEB",
"url": "https://pillow.readthedocs.io/en/stable/releasenotes/10.3.0.html#security"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Pillow buffer overflow vulnerability"
}
GHSA-48VM-FQ56-767F
Vulnerability from github – Published: 2023-12-05 03:30 – Updated: 2023-12-05 03:30Memory corruption in HLOS while invoking IOCTL calls from user-space.
{
"affected": [],
"aliases": [
"CVE-2023-33022"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T03:15:10Z",
"severity": "HIGH"
},
"details": "Memory corruption in HLOS while invoking IOCTL calls from user-space.",
"id": "GHSA-48vm-fq56-767f",
"modified": "2023-12-05T03:30:22Z",
"published": "2023-12-05T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-33022"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/december-2023-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4WX3-GV33-FJG8
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2023-05-27 06:30Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at “stss” decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21852"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T13:15:00Z",
"severity": "HIGH"
},
"details": "Multiple exploitable integer overflow vulnerabilities exist within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input at \u201cstss\u201d decoder can cause an integer overflow due to unchecked arithmetic resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.",
"id": "GHSA-4wx3-gv33-fjg8",
"modified": "2023-05-27T06:30:36Z",
"published": "2022-05-24T22:28:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21852"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1297"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2023/dsa-5411"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1297"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-58RJ-GW3P-387M
Vulnerability from github – Published: 2025-08-26 00:31 – Updated: 2025-11-03 21:34A memory corruption vulnerability exists in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2025-32468"
],
"database_specific": {
"cwe_ids": [
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-25T15:15:38Z",
"severity": "HIGH"
},
"details": "A memory corruption vulnerability exists in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability.",
"id": "GHSA-58rj-gw3p-387m",
"modified": "2025-11-03T21:34:23Z",
"published": "2025-08-26T00:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32468"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2216"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2216"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-5R37-FX4G-5C7H
Vulnerability from github – Published: 2023-11-14 21:31 – Updated: 2023-11-14 21:31Integer overflow in some Intel(R) Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.
{
"affected": [],
"aliases": [
"CVE-2023-22305"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-680"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-14T19:15:16Z",
"severity": "MODERATE"
},
"details": "Integer overflow in some Intel(R) Aptio* V UEFI Firmware Integrator Tools may allow an authenticated user to potentially enable denial of service via local access.",
"id": "GHSA-5r37-fx4g-5c7h",
"modified": "2023-11-14T21:31:01Z",
"published": "2023-11-14T21:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22305"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00908.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-10: Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
CAPEC-100: Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.
CAPEC-14: Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.
CAPEC-24: Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
CAPEC-45: Buffer Overflow via Symbolic Links
This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
CAPEC-46: Overflow Variables and Tags
This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
CAPEC-47: Buffer Overflow via Parameter Expansion
In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
CAPEC-67: String Format Overflow in syslog()
This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.
CAPEC-8: Buffer Overflow in an API Call
This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
CAPEC-9: Buffer Overflow in Local Command-Line Utilities
This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.