CWE-190
Integer Overflow or Wraparound
Description
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-92
CVEs mapped to this weakness (1,551)
page 53 of 78| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47288 | Hig | 0.46 | 7.1 | 0.01 | Jun 9, 2026 | Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network. | ||
| CVE-2026-48690 | Hig | 0.46 | 7.1 | 0.00 | May 26, 2026 | FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size +… | ||
| CVE-2026-43618 | Hig | 0.46 | 8.1 | 0.01 | May 20, 2026 | Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from… | ||
| CVE-2026-44637 | Hig | 0.46 | 7.1 | 0.00 | May 14, 2026 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on… | ||
| CVE-2026-32316 | Hig | 0.46 | 8.2 | 0.00 | Apr 13, 2026 | jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer… | ||
| CVE-2026-25208 | Hig | 0.46 | 8.1 | 0.00 | Apr 13, 2026 | Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335. | ||
| CVE-2024-36320 | Hig | 0.46 | — | 0.00 | Feb 11, 2026 | Integer Overflow within atihdwt6.sys can allow a local attacker to cause out of bound read/write potentially leading to loss of confidentiality, integrity and availability | ||
| CVE-2025-55067 | — | Hig | 0.46 | 7.1 | 0.00 | Oct 23, 2025 | The TLS4B ATG system is vulnerable to improper handling of Unix time values that exceed the 2038 epoch rollover. When the system clock reaches January 19, 2038, it resets to December 13, 1901, causing authentication failures and disrupting core system functionalities such as… | |
| CVE-2024-57258 | Hig | 0.46 | 7.1 | 0.00 | Feb 18, 2025 | Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64. | ||
| CVE-2024-57256 | Hig | 0.46 | 7.1 | 0.00 | Feb 18, 2025 | An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite. | ||
| CVE-2024-37305 | Hig | 0.46 | 8.2 | 0.00 | Jun 17, 2024 | oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at… | ||
| CVE-2024-32655 | Hig | 0.46 | 8.1 | 0.02 | May 14, 2024 | Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths… | ||
| CVE-2021-23840 | Hig | 0.46 | 7.5 | 0.51 | Feb 16, 2021 | Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will… | ||
| CVE-2014-2885 | Hig | 0.46 | 7.1 | 0.00 | Mar 19, 2018 | Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors… | ||
| CVE-2017-4950 | Hig | 0.46 | 7.0 | 0.00 | Jan 11, 2018 | VMware Workstation and Fusion contain an integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled. This issue may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues. Note: IPv6 mode for VMNAT is… | ||
| CVE-2017-9607 | Hig | 0.46 | 7.0 | 0.01 | Sep 20, 2017 | The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might allow attackers to write arbitrary data to secure memory, bypass the bl1_plat_mem_check protection mechanism, cause a denial of service, or possibly have unspecified other impact via a crafted AArch32 image,… | ||
| CVE-2017-8267 | Hig | 0.46 | 7.0 | 0.00 | Aug 18, 2017 | In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in an IOCTL handler potentially leading to an integer overflow and then an out-of-bounds write. | ||
| CVE-2014-0143 | Hig | 0.46 | 7.0 | 0.00 | Aug 10, 2017 | Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in… | ||
| CVE-2017-0611 | Hig | 0.46 | 7.0 | 0.01 | May 12, 2017 | An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android.… | ||
| CVE-2017-7976 | Hig | 0.46 | 7.1 | 0.01 | Apr 19, 2017 | Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information… |
- risk 0.46cvss 7.1epss 0.01
Integer overflow or wraparound in Windows Kerberos allows an authorized attacker to execute code over an adjacent network.
- risk 0.46cvss 7.1epss 0.00
FastNetMon Community Edition through 1.2.9 contains an integer overflow vulnerability in the packet capture buffer allocation. In src/packet_storage.hpp, the allocate_buffer() function computes memory_size_in_bytes as 'buffer_size_in_packets * (max_captured_packet_size +…
- risk 0.46cvss 8.1epss 0.01
Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from…
- risk 0.46cvss 7.1epss 0.00
libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. From to 1.8.7-r1, a signed integer overflow in the SIXEL parser's image-buffer doubling loop can lead to an out-of-bounds heap write in sixel_decode_raw_impl. context->pos_x grows by repeat_count on…
- risk 0.46cvss 8.2epss 0.00
jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer…
- risk 0.46cvss 8.1epss 0.00
Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.
- risk 0.46cvss —epss 0.00
Integer Overflow within atihdwt6.sys can allow a local attacker to cause out of bound read/write potentially leading to loss of confidentiality, integrity and availability
- risk 0.46cvss 7.1epss 0.00
The TLS4B ATG system is vulnerable to improper handling of Unix time values that exceed the 2038 epoch rollover. When the system clock reaches January 19, 2038, it resets to December 13, 1901, causing authentication failures and disrupting core system functionalities such as…
- risk 0.46cvss 7.1epss 0.00
Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
- risk 0.46cvss 7.1epss 0.00
An integer overflow in ext4fs_read_symlink in Das U-Boot before 2025.01-rc1 occurs for zalloc (adding one to an le32 variable) via a crafted ext4 filesystem with an inode size of 0xffffffff, resulting in a malloc of zero and resultant memory overwrite.
- risk 0.46cvss 8.2epss 0.00
oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at…
- risk 0.46cvss 8.1epss 0.02
Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths…
- risk 0.46cvss 7.5epss 0.51
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will…
- risk 0.46cvss 7.1epss 0.00
Multiple integer overflows in TrueCrypt 7.1a allow local users to (1) obtain sensitive information via vectors involving a crafted item->OriginalLength value in the MainThreadProc function in EncryptedIoQueue.c or (2) cause a denial of service (memory consumption) via vectors…
- risk 0.46cvss 7.0epss 0.00
VMware Workstation and Fusion contain an integer overflow vulnerability in VMware NAT service when IPv6 mode is enabled. This issue may lead to an out-of-bound read which can then be used to execute code on the host in conjunction with other issues. Note: IPv6 mode for VMNAT is…
- risk 0.46cvss 7.0epss 0.01
The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might allow attackers to write arbitrary data to secure memory, bypass the bl1_plat_mem_check protection mechanism, cause a denial of service, or possibly have unspecified other impact via a crafted AArch32 image,…
- risk 0.46cvss 7.0epss 0.00
In all Qualcomm products with Android releases from CAF using the Linux kernel, a race condition exists in an IOCTL handler potentially leading to an integer overflow and then an out-of-bounds write.
- risk 0.46cvss 7.0epss 0.00
Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in…
- risk 0.46cvss 7.0epss 0.01
An elevation of privilege vulnerability in the Qualcomm sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android.…
- risk 0.46cvss 7.1epss 0.01
Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of an integer overflow in the jbig2_image_compose function in jbig2_image.c during operations on a crafted .jb2 file, leading to a denial of service (application crash) or disclosure of sensitive information…