CWE-190
Integer Overflow or Wraparound
Description
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-92
CVEs mapped to this weakness (689)
page 24 of 35

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-7353 | Med | 0.42 | 6.5 | 0.00 | | May 6, 2014 | Integer overflow in the png_set_unknown_chunks function in libpng/pngset.c in libpng before 1.5.14beta08 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a crafted image, which triggers a heap-based buffer overflow. |
| CVE-2024-38805 | Med | 0.41 | 6.3 | 0.00 | | Aug 12, 2025 | EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service. |
| CVE-2016-5221 | Med | 0.41 | 6.3 | 0.00 | | Jan 19, 2017 | Type confusion in libGLESv2 in ANGLE in Google Chrome prior to 55.0.2883.75 for Mac, Windows and Linux, and 55.0.2883.84 for Android possibly allowed a remote attacker to bypass buffer validation via a crafted HTML page. |
| CVE-2026-34680 | Med | 0.40 | 6.2 | 0.00 | | May 12, 2026 | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. |
| CVE-2026-34671 | Med | 0.40 | 6.2 | 0.00 | | May 12, 2026 | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. |
| CVE-2026-43894 | Med | 0.40 | 6.2 | 0.00 | | May 11, 2026 | jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the function to use a 30-byte stack buffer, and then writes ≈715 million 16-bit units (≈1.4 GiB) at an offset 1.43 GiB below the stack frame. The written content is fully attacker-controlled (the parsed decimal digits, packed 3-per-unit). |
| CVE-2026-42144 | Med | 0.40 | 6.1 | 0.00 | | May 4, 2026 | CImg Library is a C++ library for image processing. Prior to commit 4ca26bc, there is an integer overflow vulnerability in the W*H*D size computation inside _load_pnm() that can bypass the memory allocation guard. A crafted PNM/PGM/PPM file with large dimension values causes the overflow to wrap around, allocating an undersized buffer and potentially triggering a heap buffer overflow. Any application using CImg to load untrusted image files is affected. This issue has been patched via commit 4ca26bc. |
| CVE-2026-7598 | High | 0.40 | 7.3 | 0.00 | | May 1, 2026 | A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. |
| CVE-2026-41665 | Med | 0.40 | 6.1 | 0.00 | | Apr 22, 2026 | Integer overflow in scratch buffer initialization size calculation in Samsung Open Source ONE cause incorrect memory initialization for large intermediate tensors. Affected version is prior to commit 1.30.0. |
| CVE-2025-43238 | Med | 0.40 | 6.2 | 0.00 | | Apr 2, 2026 | An integer overflow was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause unexpected system termination. |
| CVE-2026-34545 | High | 0.40 | 7.3 | 0.00 | | Apr 1, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.7, an attacker providing a crafted .exr file with HTJ2K compression and a channel width of 32768 can write controlled data beyond the output heap buffer in any application that decodes EXR images. The write primitive is 2 bytes per overflow iteration or 4 bytes (by another path), repeating for each additional pixel past the overflow point. In this context, a heap write overflow can lead to remote code execution on systems. This issue has been patched in version 3.4.7. |
| CVE-2026-34544 | High | 0.40 | 7.3 | 0.00 | | Apr 1, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From version 3.4.0 to before version 3.4.8, a crafted B44 or B44A EXR file can cause an out-of-bounds write in any application that decodes it via exr_decoding_run(). Consequences range from immediate crash (most likely) to corruption of adjacent heap allocations (layout-dependent). This issue has been patched in version 3.4.8. |
| CVE-2025-49179 | High | 0.40 | 7.3 | 0.00 | | Jun 17, 2025 | A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks. |
| CVE-2025-49176 | High | 0.40 | 7.3 | 0.00 | | Jun 17, 2025 | A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. |
| CVE-2026-0619 | Med | 0.39 | — | 0.00 | | Feb 12, 2026 | A reachable infinite loop via an integer wraparound is present in Silicon Labs' Matter SDK which allows an attacker to trigger a denial of service. A hard reset is required to recover the device. |
| CVE-2025-24528 | High | 0.39 | 7.1 | 0.00 | | Jan 16, 2026 | In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash. |
| CVE-2024-57262 | High | 0.39 | 7.1 | 0.00 | | Feb 19, 2025 | In barebox before 2025.01.0, ext4fs_read_symlink has an integer overflow for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite, a related issue to CVE-2024-57256. |
| CVE-2024-57261 | High | 0.39 | 7.1 | 0.00 | | Feb 19, 2025 | In barebox before 2025.01.0, request2size in common/dlmalloc.c has an integer overflow, a related issue to CVE-2024-57258. |
| CVE-2024-51737 | High | 0.39 | 7.0 | 0.02 | | Jan 8, 2025 | RediSearch is a Redis module that provides querying, secondary indexing, and full-text search for Redis. An authenticated redis user executing FT.SEARCH or FT.AGGREGATE with a specially crafted LIMIT command argument, or FT.SEARCH with a specially crafted KNN command argument, can trigger an integer overflow, leading to heap overflow and potential remote code execution. This vulnerability is fixed in 2.6.24, 2.8.21, and 2.10.10. Avoid setting value of -1 or large values for configuration parameters MAXSEARCHRESULTS and MAXAGGREGATERESULTS, to avoid exploiting large LIMIT arguments. |
| CVE-2024-51480 | High | 0.39 | 7.0 | 0.01 | | Jan 8, 2025 | RedisTimeSeries is a time-series database (TSDB) module for Redis, by Redis. Executing one of these commands TS.QUERYINDEX, TS.MGET, TS.MRAGE, TS.MREVRANGE by an authenticated user, using specially crafted command arguments may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This vulnerability is fixed in 1.6.20, 1.8.15, 1.10.15, and 1.12.3. |