CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
642 vulnerabilities reference this CWE, most recent first.
GHSA-63HQ-HRGX-PFWM
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-15 15:30In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix transaction abort on set received ioctl due to item overflow
If the set received ioctl fails due to an item overflow when attempting to add the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction since we did some metadata updates before.
This means that if a user calls this ioctl with the same received UUID field for a lot of subvolumes, we will hit the overflow, trigger the transaction abort and turn the filesystem into RO mode. A malicious user could exploit this, and this ioctl does not even requires that a user has admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.
Fix this by doing an early check for item overflow before starting a transaction. This is also race safe because we are holding the subvol_sem semaphore in exclusive (write) mode.
A test case for fstests will follow soon.
{
"affected": [],
"aliases": [
"CVE-2026-43359"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T15:16:46Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction abort on set received ioctl due to item overflow\n\nIf the set received ioctl fails due to an item overflow when attempting to\nadd the BTRFS_UUID_KEY_RECEIVED_SUBVOL we have to abort the transaction\nsince we did some metadata updates before.\n\nThis means that if a user calls this ioctl with the same received UUID\nfield for a lot of subvolumes, we will hit the overflow, trigger the\ntransaction abort and turn the filesystem into RO mode. A malicious user\ncould exploit this, and this ioctl does not even requires that a user\nhas admin privileges (CAP_SYS_ADMIN), only that he/she owns the subvolume.\n\nFix this by doing an early check for item overflow before starting a\ntransaction. This is also race safe because we are holding the subvol_sem\nsemaphore in exclusive (write) mode.\n\nA test case for fstests will follow soon.",
"id": "GHSA-63hq-hrgx-pfwm",
"modified": "2026-05-15T15:30:33Z",
"published": "2026-05-08T15:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43359"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2e57b8cac2ba0d38aac76c1ecdfd8b899e3581a5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/41fb97353ff58fa4f31904c343fc8e3df2f7517d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/87f2c46003fce4d739138aab4af1942b1afdadac"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b19c0465e4daad5aa8f60552ea0578cf31a11b1e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b9914db13ac15aca3b74544c0bb1a2e0dad1f174"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d11aefe654a04fc41996d254748d6a38b6b0a7be"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-65MG-FQ5M-QR37
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2011-2497"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-08-29T18:55:00Z",
"severity": "HIGH"
},
"details": "Integer underflow in the l2cap_config_req function in net/bluetooth/l2cap_core.c in the Linux kernel before 3.0 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a small command-size value within the command header of a Logical Link Control and Adaptation Protocol (L2CAP) configuration request, leading to a buffer overflow.",
"id": "GHSA-65mg-fq5m-qr37",
"modified": "2022-05-13T01:24:47Z",
"published": "2022-05-13T01:24:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2497"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2011:1189"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2011:1253"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2011-2497"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=716805"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=7ac28817536797fd40e9646452183606f9e17f71"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7ac28817536797fd40e9646452183606f9e17f71"
},
{
"type": "WEB",
"url": "http://marc.info/?l=linux-kernel\u0026m=130891911909436\u0026w=2"
},
{
"type": "WEB",
"url": "http://securityreason.com/securityalert/8359"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/06/24/9"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/3"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/74679"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/48472"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-68JF-XFPM-34W7
Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-03-10 21:31In the Linux kernel, the following vulnerability has been resolved:
crypto: qat - add param check for DH
Reject requests with a source buffer that is bigger than the size of the key. This is to prevent a possible integer underflow that might happen when copying the source scatterlist into a linear buffer.
{
"affected": [],
"aliases": [
"CVE-2022-49564"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:32Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: qat - add param check for DH\n\nReject requests with a source buffer that is bigger than the size of the\nkey. This is to prevent a possible integer underflow that might happen\nwhen copying the source scatterlist into a linear buffer.",
"id": "GHSA-68jf-xfpm-34w7",
"modified": "2025-03-10T21:31:10Z",
"published": "2025-03-10T21:31:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49564"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2acbb8771f6ac82422886e63832ee7a0f4b1635b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/76c9216833e7c20a67c987cf89719a3f01666aaa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e7f979ed51f96495328157df663c835b17db1e30"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-68RC-W788-2JR7
Vulnerability from github – Published: 2022-05-14 03:24 – Updated: 2025-04-20 03:46Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.
{
"affected": [],
"aliases": [
"CVE-2017-14496"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-10-03T01:29:00Z",
"severity": "HIGH"
},
"details": "Integer underflow in the add_pseudoheader function in dnsmasq before 2.78 , when the --add-mac, --add-cpe-id or --add-subnet option is specified, allows remote attackers to cause a denial of service via a crafted DNS request.",
"id": "GHSA-68rc-w788-2jr7",
"modified": "2025-04-20T03:46:12Z",
"published": "2022-05-14T03:24:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14496"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2836"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/vulnerabilities/3199382"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-689071.pdf"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201710-27"
},
{
"type": "WEB",
"url": "https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-10-01"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/42946"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/973527"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11664.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/dnsmasq-discuss%40lists.thekelleys.org.uk/msg11665.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11664.html"
},
{
"type": "WEB",
"url": "https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg11665.html"
},
{
"type": "WEB",
"url": "https://www.synology.com/support/security/Synology_SA_17_59_Dnsmasq"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00006.html"
},
{
"type": "WEB",
"url": "http://nvidia.custhelp.com/app/answers/detail/a_id/4561"
},
{
"type": "WEB",
"url": "http://thekelleys.org.uk/dnsmasq/CHANGELOG"
},
{
"type": "WEB",
"url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git%3Ba=commit%3Bh=897c113fda0886a28a986cc6ba17bb93bd6cb1c7"
},
{
"type": "WEB",
"url": "http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7"
},
{
"type": "WEB",
"url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-005.txt"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2017/dsa-3989"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101085"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/101977"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1039474"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3430-1"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3430-2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6973-4PP3-GVJ6
Vulnerability from github – Published: 2022-12-20 18:30 – Updated: 2022-12-20 18:30In rw_t3t_act_handle_check_ndef_rsp of rw_t3t.cc, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224002331
{
"affected": [],
"aliases": [
"CVE-2022-20516"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-16T16:15:00Z",
"severity": "HIGH"
},
"details": "In rw_t3t_act_handle_check_ndef_rsp of rw_t3t.cc, there is a possible out of bounds read due to an integer overflow. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-224002331",
"id": "GHSA-6973-4pp3-gvj6",
"modified": "2022-12-20T18:30:20Z",
"published": "2022-12-20T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20516"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2022-12-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-69FJ-7Q6W-CCG6
Vulnerability from github – Published: 2026-07-15 21:31 – Updated: 2026-07-16 03:32CVE-2026-40955 is an integer underflow vulnerability in the traffic parsing function of Secure Access clients prior to 14.55. Attackers with intimate knowledge of and total control over the tunnel protocol can create a non-persistent DoS against their client.
{
"affected": [],
"aliases": [
"CVE-2026-40955"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T20:16:59Z",
"severity": "LOW"
},
"details": "CVE-2026-40955 is an integer underflow\nvulnerability in the traffic parsing function of Secure Access clients prior to\n14.55. Attackers with intimate knowledge of and total control over the tunnel\nprotocol can create a non-persistent DoS against their client.",
"id": "GHSA-69fj-7q6w-ccg6",
"modified": "2026-07-16T03:32:43Z",
"published": "2026-07-15T21:31:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40955"
},
{
"type": "WEB",
"url": "https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-40955"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-69PM-F5WG-2W72
Vulnerability from github – Published: 2023-04-12 21:30 – Updated: 2023-04-12 21:30Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Integer Underflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2023-26421"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-04-12T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat Reader versions 23.001.20093 (and earlier) and 20.005.30441 (and earlier) are affected by an Integer Underflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-69pm-f5wg-2w72",
"modified": "2023-04-12T21:30:18Z",
"published": "2023-04-12T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26421"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb23-24.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6C7X-Q2RF-G6CC
Vulnerability from github – Published: 2022-05-24 17:00 – Updated: 2024-04-04 02:38An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2019-5099"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-06T20:15:00Z",
"severity": "HIGH"
},
"details": "An exploitable integer underflow vulnerability exists in the CMP-parsing functionality of LEADTOOLS 20. A specially crafted CMP image file can cause an integer underflow, potentially resulting in code execution. An attacker can specially craft a CMP image to trigger this vulnerability.",
"id": "GHSA-6c7x-q2rf-g6cc",
"modified": "2024-04-04T02:38:29Z",
"published": "2022-05-24T17:00:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5099"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2019-0891"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6HG8-2CXF-7P6V
Vulnerability from github – Published: 2026-04-15 00:31 – Updated: 2026-04-15 00:31Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2026-27296"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-14T23:16:26Z",
"severity": "HIGH"
},
"details": "Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-6hg8-2cxf-7p6v",
"modified": "2026-04-15T00:31:35Z",
"published": "2026-04-15T00:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27296"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MX7-79GG-F646
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2022-05-24 16:52An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp while using a bogus hash table.
{
"affected": [],
"aliases": [
"CVE-2019-14532"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-193"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-02T15:15:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off-by-one overwrite due to an underflow on tools/hashtools/hfind.cpp while using a bogus hash table.",
"id": "GHSA-6mx7-79gg-f646",
"modified": "2022-05-24T16:52:21Z",
"published": "2022-05-24T16:52:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14532"
},
{
"type": "WEB",
"url": "https://github.com/sleuthkit/sleuthkit/issues/1575"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EY53OYU7UZLAJWNIVVNR3EX2RNCCFTB"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AQR2QY3IAF2IG6HGBSKGL66VUDOTC3OA"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFQKIE5U3LS5U7POPGS7YHLUSW2URWGJ"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.