Common Weakness Enumeration

CWE-191

Allowed

Integer Underflow (Wrap or Wraparound)

Abstraction: Base · Status: Draft

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

640 vulnerabilities reference this CWE, most recent first.

GHSA-WXVJ-HC4R-FQ45

Vulnerability from github – Published: 2026-06-28 03:33 – Updated: 2026-06-28 03:33
VLAI
Details

Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-58058"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-28T02:16:33Z",
    "severity": "MODERATE"
  },
  "details": "Nmap through 7.99 does not keep the IPv6 extension-header walk within the captured packet in ipv6_get_data_primitive (libnetutil/netutil.cc), so the pointer advances past the buffer and the remaining-length computation underflows to a large value. A scanned target or on-path attacker returning a crafted IPv6 response with a truncated extension header can trigger out-of-bounds reads and a crash during raw IPv6 scans.",
  "id": "GHSA-wxvj-hc4r-fq45",
  "modified": "2026-06-28T03:33:41Z",
  "published": "2026-06-28T03:33:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-58058"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nmap/nmap/commit/bb6754e76bb1686315008e1aa1c40202a513fb83"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bikini/exploitarium/tree/main/nmap-ipv6-extlen-wrap-poc"
    },
    {
      "type": "WEB",
      "url": "https://nmap.org/changelog.html"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/nmap-integer-underflow-in-ipv6-extension-header-parsing"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-X326-JQ76-33FR

Vulnerability from github – Published: 2022-05-14 01:50 – Updated: 2022-05-14 01:50
VLAI
Details

Improper input validation in Bluetooth Controller function can lead to possible memory corruption in Snapdragon Mobile in version QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, SDM630, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18170"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-10-23T13:29:00Z",
    "severity": "HIGH"
  },
  "details": "Improper input validation in Bluetooth Controller function can lead to possible memory corruption in Snapdragon Mobile in version QCA9379, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 820, SD 835, SD 845, SD 850, SDM630, SDM636, SDM660, SDM710, Snapdragon_High_Med_2016.",
  "id": "GHSA-x326-jq76-33fr",
  "modified": "2022-05-14T01:50:11Z",
  "published": "2022-05-14T01:50:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18170"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2018-07-01#qualcomm-closed-source-components"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X37P-5RXC-RC3H

Vulnerability from github – Published: 2024-12-12 03:33 – Updated: 2024-12-12 03:33
VLAI
Details

XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of XnSoft XnView Classic. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of RWZ files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22913.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-11950"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-12T01:40:21Z",
    "severity": "HIGH"
  },
  "details": "XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of XnSoft XnView Classic. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\n\nThe specific flaw exists within the parsing of RWZ files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22913.",
  "id": "GHSA-x37p-5rxc-rc3h",
  "modified": "2024-12-12T03:33:02Z",
  "published": "2024-12-12T03:33:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11950"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1640"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X62J-P92Q-X3QM

Vulnerability from github – Published: 2022-02-19 00:01 – Updated: 2022-03-08 00:00
VLAI
Details

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the anacapd daemon. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15828.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24046"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-18T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker prior to 3.4.1 (S2 systems) and 11.2.13 build 57923290 (S1 systems). Authentication is not required to exploit this vulnerability. The specific flaw exists within the anacapd daemon. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15828.",
  "id": "GHSA-x62j-p92q-x3qm",
  "modified": "2022-03-08T00:00:48Z",
  "published": "2022-02-19T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24046"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-22-260"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X83F-9M8F-428Q

Vulnerability from github – Published: 2024-01-24 00:30 – Updated: 2025-03-17 18:31
VLAI
Details

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-0808"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-24T00:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. (Chromium security severity: High)",
  "id": "GHSA-x83f-9m8f-428q",
  "modified": "2025-03-17T18:31:36Z",
  "published": "2024-01-24T00:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0808"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html"
    },
    {
      "type": "WEB",
      "url": "https://crbug.com/1504936"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMI6GXFONZV6HE3BPZO3AP6GUVQLG4JQ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXDSGAFQD4BDB4IB2O4ZUSHC3JCVQEKC"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCJ3-M9C5-2PRQ

Vulnerability from github – Published: 2026-01-02 18:30 – Updated: 2026-06-30 03:35
VLAI
Details

An integer underflow vulnerability exists in the nextstate() function in gpsd/packet.c of gpsd versions prior to commit ffa1d6f40bca0b035fc7f5e563160ebb67199da7. When parsing a NAVCOM packet, the payload length is calculated using lexer->length = (size_t)c - 4 without checking if the input byte c is less than 4. This results in an unsigned integer underflow, setting lexer->length to a very large value (near SIZE_MAX). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-67269"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-02T16:17:01Z",
    "severity": "HIGH"
  },
  "details": "An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer-\u003elength = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer-\u003elength` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition.",
  "id": "GHSA-xcj3-m9c5-2prq",
  "modified": "2026-06-30T03:35:23Z",
  "published": "2026-01-02T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67269"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0770"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2026:0771"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-67269"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426810"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Jaenact/gspd_cve/blob/main/CVE-2025-67269/README.md"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gpsd/gpsd"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gpsd/gpsd/-/commit/ffa1d6f40bca0b035fc7f5e563160ebb67199da7"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-67269.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCRG-GX97-7FJ9

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2024-04-04 00:31
VLAI
Details

An integer underflow may occur due to lack of check when received data length from font_mgr_qsee_request_service is bigger than the minimal value of the segment header, which may result in a buffer overflow, in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-18278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-06T23:29:00Z",
    "severity": "HIGH"
  },
  "details": "An integer underflow may occur due to lack of check when received data length from font_mgr_qsee_request_service is bigger than the minimal value of the segment header, which may result in a buffer overflow, in Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear in MDM9206, MDM9607, MDM9650, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 820, SD 820A, SD 835, SD 845, SD 850.",
  "id": "GHSA-xcrg-gx97-7fj9",
  "modified": "2024-04-04T00:31:45Z",
  "published": "2022-05-24T16:45:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18278"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XCWV-GJ8Q-63VM

Vulnerability from github – Published: 2025-03-18 21:31 – Updated: 2025-03-18 21:31
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

RDMA/irdma: Prevent some integer underflows

My static checker complains that:

drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init()
warn: can subtract underflow 'info->dev->hmc_fpm_misc.max_ceqs'?

It appears that "info->dev->hmc_fpm_misc.max_ceqs" comes from the firmware in irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could be zero. Even if we trust the firmware, it's easy enough to change the condition just as a hardenning measure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-49208"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:00:57Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/irdma: Prevent some integer underflows\n\nMy static checker complains that:\n\n    drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init()\n    warn: can subtract underflow \u0027info-\u003edev-\u003ehmc_fpm_misc.max_ceqs\u0027?\n\nIt appears that \"info-\u003edev-\u003ehmc_fpm_misc.max_ceqs\" comes from the firmware\nin irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could\nbe zero.  Even if we trust the firmware, it\u0027s easy enough to change the\ncondition just as a hardenning measure.",
  "id": "GHSA-xcwv-gj8q-63vm",
  "modified": "2025-03-18T21:31:59Z",
  "published": "2025-03-18T21:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49208"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6f6dbb819dfc1a35bcb8b709b5c83a3ea8beff75"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7340c3675d7ac946f4019b84cd7c64ed542dfe4c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d52dab6e03550f9c97121b0c11c0a3ed78ee76a4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f21056f15bbeacab7b4b87af232f5599d1f2bff1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XHP4-6G9V-4XVJ

Vulnerability from github – Published: 2025-06-02 06:30 – Updated: 2025-06-02 06:30
VLAI
Details

setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-49112"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-02T05:15:21Z",
    "severity": "LOW"
  },
  "details": "setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev-\u003esize - prev-\u003eused.",
  "id": "GHSA-xhp4-6g9v-4xvj",
  "modified": "2025-06-02T06:30:32Z",
  "published": "2025-06-02T06:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49112"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valkey-io/valkey/pull/2101"
    },
    {
      "type": "WEB",
      "url": "https://github.com/redis/redis/blob/994bc96bb1744cb153392fc96bdba43eae56e17f/src/networking.c#L783"
    },
    {
      "type": "WEB",
      "url": "https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XJPV-2H98-WPC7

Vulnerability from github – Published: 2022-05-13 00:00 – Updated: 2022-05-22 00:00
VLAI
Details

Allowing long password leads to denial of service in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1698"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-05-12T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Allowing long password leads to denial of service in GitHub repository causefx/organizr prior to 2.1.2000. This vulnerability can be abused by doing a DDoS attack for which genuine users will not able to access resources/applications.",
  "id": "GHSA-xjpv-2h98-wpc7",
  "modified": "2022-05-22T00:00:32Z",
  "published": "2022-05-13T00:00:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1698"
    },
    {
      "type": "WEB",
      "url": "https://github.com/causefx/organizr/commit/e4b4cff66c526f7b5bbaef0073c92c315c29bd56"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/f4ab747b-e89a-4514-9432-ac1ea56639f3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.