Common Weakness Enumeration

CWE-682

Discouraged

Incorrect Calculation

Abstraction: Pillar · Status: Draft

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

159 vulnerabilities reference this CWE, most recent first.

GHSA-7H77-H852-J28H

Vulnerability from github – Published: 2023-02-16 21:30 – Updated: 2023-03-06 21:30
VLAI
Details

Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable information disclosure via local access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33972"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-02-16T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Incorrect calculation in microcode keying mechanism for some 3rd Generation Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable information disclosure via local access.",
  "id": "GHSA-7h77-h852-j28h",
  "modified": "2023-03-06T21:30:19Z",
  "published": "2023-02-16T21:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33972"
    },
    {
      "type": "WEB",
      "url": "http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00730.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-7R3Q-28JV-XMCR

Vulnerability from github – Published: 2022-05-24 17:33 – Updated: 2022-05-24 17:33
VLAI
Details

ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-27616"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-11-06T08:15:00Z",
    "severity": "MODERATE"
  },
  "details": "ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process.",
  "id": "GHSA-7r3q-28jv-xmcr",
  "modified": "2022-05-24T17:33:19Z",
  "published": "2022-05-24T17:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27616"
    },
    {
      "type": "WEB",
      "url": "https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg05018.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201202-0002"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/11/03/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-878M-3G6Q-594Q

Vulnerability from github – Published: 2023-03-03 20:02 – Updated: 2023-03-10 15:30
VLAI
Summary
OpenZeppelin Contracts contains Incorrect Calculation
Details

Impact

The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by balanceOf.

The issue exclusively presents with batches of size 1.

Patches

The issue has been patched in 4.8.2.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@openzeppelin/contracts"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "fixed": "4.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@openzeppelin/contracts-upgradeable"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.8.0"
            },
            {
              "fixed": "4.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26488"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-03T20:02:16Z",
    "nvd_published_at": "2023-03-03T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`.\n\nThe issue exclusively presents with batches of size 1.\n\n### Patches\n\nThe issue has been patched in 4.8.2.\n\n\u003c!-- ### References --\u003e\n\n",
  "id": "GHSA-878m-3g6q-594q",
  "modified": "2023-03-10T15:30:54Z",
  "published": "2023-03-03T20:02:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-878m-3g6q-594q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/commit/167bf67ed3907f4a674043496019fa346cee7705"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenZeppelin/openzeppelin-contracts/releases/tag/v4.8.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenZeppelin Contracts contains Incorrect Calculation"
}

GHSA-879Q-J3WM-R8J7

Vulnerability from github – Published: 2022-05-13 01:43 – Updated: 2022-05-13 01:43
VLAI
Details

A remote code execution vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-63874456.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13151"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-12-06T14:29:00Z",
    "severity": "HIGH"
  },
  "details": "A remote code execution vulnerability in the Android media framework (libmpeg2). Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-63874456.",
  "id": "GHSA-879q-j3wm-r8j7",
  "modified": "2022-05-13T01:43:04Z",
  "published": "2022-05-13T01:43:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13151"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2017-12-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/102126"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9GG6-CM3F-WF38

Vulnerability from github – Published: 2021-05-11 22:34 – Updated: 2021-12-14 18:12
VLAI
Summary
Incorrect Calculation and Use of Insufficiently Random Values in Python
Details

Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-14422"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-06-18T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.",
  "id": "GHSA-9gg6-cm3f-wf38",
  "modified": "2021-12-14T18:12:28Z",
  "published": "2021-05-11T22:34:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14422"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python/cpython/pull/20956"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4428-1"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200724-0004"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-01"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X36Y523UAZY5QFXZAAORNFY63HLBWX7N"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCCZTAYZATTNSNEAXWA7U3HCO2OVQKT5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00016.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "https://bugs.python.org/issue41004"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00006.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00041.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Calculation and Use of Insufficiently Random Values in Python"
}

GHSA-9QMM-4MFR-R3WJ

Vulnerability from github – Published: 2022-05-10 00:00 – Updated: 2022-05-24 21:59
VLAI
Summary
Incorrect Calculation in solana_rbpf
Details

In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "solana_rbpf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.26"
            },
            {
              "fixed": "0.2.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-23066"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T21:59:55Z",
    "nvd_published_at": "2022-05-09T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems.",
  "id": "GHSA-9qmm-4mfr-r3wj",
  "modified": "2022-05-24T21:59:55Z",
  "published": "2022-05-10T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23066"
    },
    {
      "type": "WEB",
      "url": "https://github.com/solana-labs/rbpf/commit/e61e045f8c244de978401d186dcfd50838817297"
    },
    {
      "type": "WEB",
      "url": "https://blocksecteam.medium.com/how-a-critical-bug-in-solana-network-was-detected-and-timely-patched-a701870e1324"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/solana-labs/rbpf"
    },
    {
      "type": "WEB",
      "url": "https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-23066"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Calculation in solana_rbpf"
}

GHSA-9R3M-MHFM-39CM

Vulnerability from github – Published: 2020-09-11 21:10 – Updated: 2020-08-31 18:42
VLAI
Summary
Incorrect Calculation in bigint-money
Details

Versions of bigint-money prior to 0.6.2 are vulnerable to an Incorrect Calculation. The package incorrectly rounded certain numbers, which could have drastic consequences due to its usage in financial systems.

Recommendation

Upgrade to version 0.6.2 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "bigint-money"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-08-31T18:42:08Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Versions of `bigint-money` prior to 0.6.2 are vulnerable to an Incorrect Calculation. The package incorrectly rounded certain numbers, which could have drastic consequences due to its usage in financial systems.\n\n\n## Recommendation\n\nUpgrade to version 0.6.2 or later.",
  "id": "GHSA-9r3m-mhfm-39cm",
  "modified": "2020-08-31T18:42:08Z",
  "published": "2020-09-11T21:10:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/962"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Incorrect Calculation in bigint-money"
}

GHSA-9X9J-836W-8F55

Vulnerability from github – Published: 2022-01-06 19:44 – Updated: 2021-10-20 22:19
VLAI
Summary
Incorrect Calculation in the MSR JavaScript Cryptography Library
Details

A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library's Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server's private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "msrcrypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.5.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-1026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-25T19:19:10Z",
    "nvd_published_at": "2020-04-15T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A Security Feature Bypass vulnerability exists in the MSR JavaScript Cryptography Library that is caused by multiple bugs in the library\u0027s Elliptic Curve Cryptography (ECC) implementation.An attacker could potentially abuse these bugs to learn information about a server\u0027s private ECC key (a key leakage attack) or craft an invalid ECDSA signature that nevertheless passes as valid.The security update addresses the vulnerability by fixing the bugs disclosed in the ECC implementation, aka `MSR JavaScript Cryptography Library Security Feature Bypass Vulnerability`.",
  "id": "GHSA-9x9j-836w-8f55",
  "modified": "2021-10-20T22:19:13Z",
  "published": "2022-01-06T19:44:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1026"
    },
    {
      "type": "WEB",
      "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1026"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Calculation in the MSR JavaScript Cryptography Library"
}

GHSA-C25V-4W9P-QQHX

Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40
VLAI
Details

A vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63045918.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-0819"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-10-04T01:29:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the Android media framework (n/a). Product: Android. Versions: 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-63045918.",
  "id": "GHSA-c25v-4w9p-qqhx",
  "modified": "2022-05-13T01:40:46Z",
  "published": "2022-05-13T01:40:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0819"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/external/libhevc/+/87fb7909c49e6a4510ba86ace1ffc83459c7e1b9"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/pixel/2017-10-01"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101151"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2RP-G99G-J6GV

Vulnerability from github – Published: 2023-09-11 15:31 – Updated: 2024-04-04 07:35
VLAI
Details

An issue in Ethereum Blockchain v0.1.1+commit.6ff4cd6 cause the balance to be zeroed out when the value of betsize+casino.balance exceeds the threshold.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-36980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-682"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-11T14:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue in Ethereum Blockchain v0.1.1+commit.6ff4cd6 cause the balance to be zeroed out when the value of betsize+casino.balance exceeds the threshold.",
  "id": "GHSA-c2rp-g99g-j6gv",
  "modified": "2024-04-04T07:35:19Z",
  "published": "2023-09-11T15:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36980"
    },
    {
      "type": "WEB",
      "url": "https://etherscan.io"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WayneLi12/CVEs/tree/master/CVE-2023-36980"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.

Mitigation MIT-8
Implementation

Strategy: Input Validation

Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.

Mitigation
Implementation

Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.

Mitigation
Architecture and Design

Strategy: Language Selection

  • Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
  • Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

  • Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
  • Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation MIT-26
Implementation

Strategy: Compilation or Build Hardening

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

CAPEC-128: Integer Attacks

An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.

CAPEC-129: Pointer Manipulation

This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.