CWE-682
Incorrect Calculation
Description
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-128 · CAPEC-129
CVEs mapped to this weakness (64)
Page 3 of 4

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-26622 | 0.00 | — | 0.00 | Feb 21, 2025 | Vyper is a Pythonic Smart Contract Language for the EVM. Vyper `sqrt()` builtin uses the Babylonian method to calculate square roots of decimals. Unfortunately, improper handling of the oscillating final states may lead to sqrt incorrectly returning rounded up results. This… |
| CVE-2024-32873 | 0.00 | — | 0.00 | Jun 6, 2024 | Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0. |
| CVE-2023-42460 | 0.00 | — | 0.01 | Sep 26, 2023 | Vyper is a Pythonic Smart Contract Language for the EVM. The `_abi_decode()` function does not validate input when it is nested in an expression. Uses of `_abi_decode()` can be constructed which allow for bounds checking to be bypassed resulting in incorrect results. This issue… |
| CVE-2023-28431 | 0.00 | — | 0.01 | Mar 22, 2023 | Frontier is an Ethereum compatibility layer for Substrate. Frontier's `modexp` precompile uses `num-bigint` crate under the hood. In the implementation prior to pull request 1017, the cases for modulus being even and modulus being odd are treated separately. Odd modulus uses the… |
| CVE-2023-24533 | 0.00 | — | 0.01 | Mar 8, 2023 | Multiplication of certain unreduced P-256 scalars produces incorrect results. There are no protocols known at this time that can be attacked due to this. |
| CVE-2023-26488 | 0.00 | — | 0.01 | Mar 3, 2023 | OpenZeppelin Contracts is a library for secure smart contract development. The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token… |
| CVE-2022-39242 | 0.00 | — | 0.01 | Sep 24, 2022 | Frontier is an Ethereum compatibility layer for Substrate. Prior to commit d3beddc6911a559a3ecc9b3f08e153dbe37a8658, the worst case weight was always accounted as the block weight for all cases. In case of large EVM gas refunds, this can lead to block spamming attacks -- the… |
| CVE-2022-31198 | 0.00 | — | 0.01 | Aug 1, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected… |
| CVE-2022-31169 | 0.00 | — | 0.01 | Jul 21, 2022 | Wasmtime is a standalone runtime for WebAssembly. There is a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors can result in incorrect division results at runtime. This affects Wasmtime prior to version 0.38.2 and Cranelift prior to 0.85.2.… |
| CVE-2022-31104 | 0.00 | — | 0.02 | Jun 27, 2022 | Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is… |
| CVE-2022-22138 | 0.00 | — | 0.01 | Jun 17, 2022 | All versions of package fast-string-search are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause the V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation. |
| CVE-2022-30600 | 0.00 | — | 0.05 | May 18, 2022 | A flaw was found in moodle where logic used to count failed login attempts could result in the account lockout threshold being bypassed. |
| CVE-2022-23066 | 0.00 | — | 0.02 | May 9, 2022 | Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of the sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may… |
| CVE-2022-23628 | 0.00 | — | 0.01 | Feb 9, 2022 | OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree (AST) that contains synthetic nodes could change the logic of some statements by reordering array literals. Example of policies impacted are those that parse… |
| CVE-2021-41222 | 0.00 | — | 0.00 | Nov 5, 2021 | TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trigger a segfault if an attacker supplies negative arguments. This occurs whenever `size_splits` contains more than one value and at least one value is negative.… |
| CVE-2021-41122 | 0.00 | — | 0.01 | Oct 5, 2021 | Vyper is a Pythonic Smart Contract Language for the EVM. In affected versions external functions did not properly validate the bounds of decimal arguments. This can lead to logic errors. This issue has been resolved in version 0.3.0. |
| CVE-2021-38194 | 0.00 | — | 0.01 | Aug 8, 2021 | An issue was discovered in the ark-r1cs-std crate before 0.3.1 for Rust. It does not enforce any constraints in the FieldVar::mul_by_inverse method. Thus, a prover can produce a proof that is unsound but is nonetheless verified. |
| CVE-2020-26265 | 0.00 | — | 0.01 | Dec 11, 2020 | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included… |
| CVE-2020-26240 | 0.00 | — | 0.02 | Nov 25, 2020 | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the… |
| CVE-2020-26241 | 0.00 | — | 0.01 | Nov 25, 2020 | Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at… |