CWE-681
AllowedIncorrect Conversion between Numeric Types
Abstraction: Base · Status: Draft
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
126 vulnerabilities reference this CWE, most recent first.
GHSA-X4XQ-7W28-Q486
Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-08 15:31Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.
{
"affected": [],
"aliases": [
"CVE-2026-4931"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T16:16:30Z",
"severity": "MODERATE"
},
"details": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.",
"id": "GHSA-x4xq-7w28-q486",
"modified": "2026-04-08T15:31:43Z",
"published": "2026-04-07T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4931"
},
{
"type": "WEB",
"url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types"
},
{
"type": "WEB",
"url": "https://github.com/MarginalProtocol"
},
{
"type": "WEB",
"url": "https://marginal.gitbook.io/docs"
},
{
"type": "WEB",
"url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db"
},
{
"type": "WEB",
"url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X7GM-RFGV-W973
Vulnerability from github – Published: 2020-09-28 19:05 – Updated: 2024-09-16 22:10Impact
Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents.
Patches
Version 2.4.0+ applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances.
In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation.
Workarounds
Users may manually apply an equivalent validator if they are not able to upgrade.
For more information
If you have any questions or comments about this advisory: * Open an issue in the django-filter repo
Thanks to Marcin Waraksa for the report.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "django-filter"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15225"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": true,
"github_reviewed_at": "2020-09-28T19:04:39Z",
"nvd_published_at": "2021-04-29T21:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAutomatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. \n\n### Patches\n\nVersion 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. \n\nIn addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. \n\n### Workarounds\n\nUsers may manually apply an equivalent validator if they are not able to upgrade. \n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the django-filter repo](https://github.com/carltongibson/django-filter)\n\nThanks to Marcin Waraksa for the report. \n",
"id": "GHSA-x7gm-rfgv-w973",
"modified": "2024-09-16T22:10:02Z",
"published": "2020-09-28T19:05:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15225"
},
{
"type": "WEB",
"url": "https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b"
},
{
"type": "PACKAGE",
"url": "https://github.com/carltongibson/django-filter"
},
{
"type": "WEB",
"url": "https://github.com/carltongibson/django-filter/releases/tag/2.4.0"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX"
},
{
"type": "WEB",
"url": "https://pypi.org/project/django-filter"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210604-0010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Potential DoS with NumberFilter conversion to integer values."
}
GHSA-XHJJ-JG7J-PQRX
Vulnerability from github – Published: 2022-05-01 18:29 – Updated: 2024-02-02 03:30Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2007-4988"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-681"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2007-09-24T22:17:00Z",
"severity": "MODERATE"
},
"details": "Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.",
"id": "GHSA-xhjj-jg7j-pqrx",
"modified": "2024-02-02T03:30:31Z",
"published": "2022-05-01T18:29:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4988"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36737"
},
{
"type": "WEB",
"url": "https://issues.rpath.com/browse/RPL-1743"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9656"
},
{
"type": "WEB",
"url": "http://bugs.gentoo.org/show_bug.cgi?id=186030"
},
{
"type": "WEB",
"url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/26926"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27048"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27309"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27364"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/27439"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/28721"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/29786"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/36260"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-200710-27.xml"
},
{
"type": "WEB",
"url": "http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2009/dsa-1858"
},
{
"type": "WEB",
"url": "http://www.imagemagick.org/script/changelog.php"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:035"
},
{
"type": "WEB",
"url": "http://www.novell.com/linux/security/advisories/2007_23_sr.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2008-0145.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/483572/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/25765"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1018729"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/usn-523-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2007/3245"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRQM-FPGR-6HHX
Vulnerability from github – Published: 2021-11-10 19:13 – Updated: 2024-11-13 21:48Impact
While calculating the size of the output within the tf.range kernel, there is a conditional statement of type int64 = condition ? int64 : double. Due to C++ implicit conversion rules, both branches of the condition will be cast to double and the result would be truncated before the assignment. This result in overflows:
import tensorflow as tf
tf.sparse.eye(num_rows=9223372036854775807, num_columns=None)
Similarly, tf.range would result in crashes due to overflows if the start or end point are too large.
import tensorflow as tf
tf.range(start=-1e+38, limit=1)
Patches
We have patched the issue in GitHub commits 6d94002a09711d297dbba90390d5482b76113899 (merging #51359) and 1b0e0ec27e7895b9985076eab32445026ae5ca94 (merging #51711).
The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.
For more information
Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.
Attribution
This vulnerability has been reported externally via GitHub issue, GitHub issue and GitHub issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-cpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "tensorflow-gpu"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-41202"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": true,
"github_reviewed_at": "2021-11-08T22:47:54Z",
"nvd_published_at": "2021-11-05T22:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\nWhile calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This result in overflows:\n\n```python\nimport tensorflow as tf\n\ntf.sparse.eye(num_rows=9223372036854775807, num_columns=None)\n```\n \nSimilarly, `tf.range` would result in crashes due to overflows if the start or end point are too large.\n\n```python\nimport tensorflow as tf\n\ntf.range(start=-1e+38, limit=1)\n```\n\n### Patches\nWe have patched the issue in GitHub commits [6d94002a09711d297dbba90390d5482b76113899](https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899) (merging [#51359](https://github.com/tensorflow/tensorflow/pull/51359)) and [1b0e0ec27e7895b9985076eab32445026ae5ca94](https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94) (merging [#51711](https://github.com/tensorflow/tensorflow/pull/51711)).\n\nThe fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported externally via [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46912), [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46899) and [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46889).\n",
"id": "GHSA-xrqm-fpgr-6hhx",
"modified": "2024-11-13T21:48:29Z",
"published": "2021-11-10T19:13:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41202"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/issues/46889"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/issues/46912"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94"
},
{
"type": "WEB",
"url": "https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-612.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-810.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-395.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/tensorflow/tensorflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Overflow/crash in `tf.range`"
}
GHSA-XV5G-H355-J9V9
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2022-12-01 00:30Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution.
{
"affected": [],
"aliases": [
"CVE-2019-14842"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-26T16:15:00Z",
"severity": "CRITICAL"
},
"details": "Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution.",
"id": "GHSA-xv5g-h355-j9v9",
"modified": "2022-12-01T00:30:42Z",
"published": "2022-05-24T17:02:07Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14842"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XXV6-GGG8-68MQ
Vulnerability from github – Published: 2022-05-24 22:33 – Updated: 2022-05-24 22:33An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.
{
"affected": [],
"aliases": [
"CVE-2020-28588"
],
"database_specific": {
"cwe_ids": [
"CWE-681"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-10T19:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.",
"id": "GHSA-xxv6-ggg8-68mq",
"modified": "2022-05-24T22:33:56Z",
"published": "2022-05-24T22:33:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28588"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Avoid making conversion between numeric types. Always check for the allowed ranges.
No CAPEC attack patterns related to this CWE.