CWE-190
Integer Overflow or Wraparound
Description
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-92
CVEs mapped to this weakness (1,551)
page 62 of 78| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-9082 | Med | 0.36 | 5.5 | 0.02 | Feb 3, 2017 | Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file. | ||
| CVE-2016-4352 | Med | 0.36 | 5.5 | 0.01 | Feb 3, 2017 | Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. | ||
| CVE-2016-9189 | Med | 0.36 | 5.5 | 0.02 | Nov 4, 2016 | Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component. | ||
| CVE-2015-8933 | Med | 0.36 | 5.5 | 0.02 | Sep 20, 2016 | Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file. | ||
| CVE-2016-3895 | Med | 0.36 | 5.5 | 0.00 | Sep 11, 2016 | Integer overflow in the Region::unflatten function in libs/ui/Region.cpp in mediaserver in Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 29983260. | ||
| CVE-2016-3712 | Med | 0.36 | 5.5 | 0.01 | May 11, 2016 | Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. | ||
| CVE-2026-6045 | Med | 0.35 | — | 0.00 | Jun 15, 2026 | LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could… | ||
| CVE-2026-47223 | — | Med | 0.35 | 5.4 | 0.00 | Jun 12, 2026 | NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit… | |
| CVE-2026-28532 | Med | 0.35 | 6.5 | 0.00 | Apr 30, 2026 | FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition… | ||
| CVE-2026-33611 | Med | 0.35 | 6.5 | 0.00 | Apr 22, 2026 | An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. | ||
| CVE-2026-28214 | Med | 0.35 | 6.5 | 0.01 | Apr 17, 2026 | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user… | ||
| CVE-2026-34378 | Med | 0.35 | 6.5 | 0.00 | Apr 6, 2026 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a… | ||
| CVE-2026-33983 | Med | 0.35 | 6.5 | 0.00 | Mar 30, 2026 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift… | ||
| CVE-2025-66168 | Med | 0.35 | 5.4 | 0.01 | Mar 4, 2026 | WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 … | ||
| CVE-2025-48515 | Med | 0.35 | — | 0.00 | Feb 10, 2026 | Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution. | ||
| CVE-2025-14512 | Med | 0.35 | 6.5 | 0.01 | Dec 11, 2025 | A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values. | ||
| CVE-2025-48964 | Med | 0.35 | 6.5 | 0.00 | Jul 22, 2025 | ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared… | ||
| CVE-2023-28908 | — | Med | 0.35 | 5.4 | 0.00 | Jun 28, 2025 | A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow when receiving non-fragmented HCI packets on a channel. The vulnerability was… | |
| CVE-2025-47268 | Med | 0.35 | 6.5 | 0.01 | May 5, 2025 | ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication. | ||
| CVE-2024-22396 | Med | 0.35 | 5.3 | 0.01 | Mar 14, 2024 | An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload. |
- risk 0.36cvss 5.5epss 0.02
Integer overflow in the write_png function in cairo 1.14.6 allows remote attackers to cause a denial of service (invalid pointer dereference) via a large svg file.
- risk 0.36cvss 5.5epss 0.01
Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file.
- risk 0.36cvss 5.5epss 0.02
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.
- risk 0.36cvss 5.5epss 0.02
Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file.
- risk 0.36cvss 5.5epss 0.00
Integer overflow in the Region::unflatten function in libs/ui/Region.cpp in mediaserver in Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 29983260.
- risk 0.36cvss 5.5epss 0.01
Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode.
- risk 0.35cvss —epss 0.00
LibreOffice can import EMF+ graphics, which may be embedded in documents. A heap buffer overflow existed when importing an EMF+ gradient brush. The number of gradient blend points was read from the file and used to compute an allocation size, but that multiplication could…
- risk 0.35cvss 5.4epss 0.00
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit…
- risk 0.35cvss 6.5epss 0.00
FRRouting before 10.5.3 contains an integer overflow vulnerability in seven OSPF Traffic Engineering and Segment Routing TLV parser functions where a uint16_t accumulator variable truncates uint32_t values returned by the TLV_SIZE() macro, causing the loop termination condition…
- risk 0.35cvss 6.5epss 0.00
An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
- risk 0.35cvss 6.5epss 0.01
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the ClumpletReader::getClumpletSize() function can overflow the totalLength value when parsing a Wide type clumplet, causing an infinite loop. An authenticated user…
- risk 0.35cvss 6.5epss 0.00
OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a…
- risk 0.35cvss 6.5epss 0.00
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.24.2, progressive_decompress_tile_upgrade() detects a mismatch via progressive_rfx_quant_cmp_equal() but only emits WLog_WARN, execution continues. The wrapped value (247) is used as a shift…
- risk 0.35cvss 5.4epss 0.01
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 …
- risk 0.35cvss —epss 0.00
Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution.
- risk 0.35cvss 6.5epss 0.01
A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.
- risk 0.35cvss 6.5epss 0.00
ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared…
- risk 0.35cvss 5.4epss 0.00
A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow when receiving non-fragmented HCI packets on a channel. The vulnerability was…
- risk 0.35cvss 6.5epss 0.01
ping in iputils before 20250602 allows a denial of service (application error or incorrect data collection) via a crafted ICMP Echo Reply packet, because of a signed 64-bit integer overflow in timestamp multiplication.
- risk 0.35cvss 5.3epss 0.01
An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload.