CWE-682
DiscouragedIncorrect Calculation
Abstraction: Pillar · Status: Draft
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
159 vulnerabilities reference this CWE, most recent first.
GHSA-HX96-88F5-C8JV
Vulnerability from github – Published: 2023-06-12 21:30 – Updated: 2024-04-04 04:44A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font->width and font->height greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.
{
"affected": [],
"aliases": [
"CVE-2023-3161"
],
"database_specific": {
"cwe_ids": [
"CWE-1335",
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-12T20:15:12Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the Framebuffer Console (fbcon) in the Linux Kernel. When providing font-\u003ewidth and font-\u003eheight greater than 32 to fbcon_set_font, since there are no checks in place, a shift-out-of-bounds occurs leading to undefined behavior and possible denial of service.",
"id": "GHSA-hx96-88f5-c8jv",
"modified": "2024-04-04T04:44:25Z",
"published": "2023-06-12T21:30:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3161"
},
{
"type": "WEB",
"url": "https://github.com/torvalds/linux/commit/2b09d5d364986f724f17001ccfe4126b9b43a0be"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2213485"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J64F-PWH4-GJQV
Vulnerability from github – Published: 2022-01-26 00:00 – Updated: 2022-02-02 00:02On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
{
"affected": [],
"aliases": [
"CVE-2022-23028"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-01-25T20:15:00Z",
"severity": "MODERATE"
},
"details": "On BIG-IP AFM version 16.x before 16.1.0, 15.1.x before 15.1.5, 14.1.x before 14.1.4.5, and all versions of 13.1.x, when global AFM SYN cookie protection (TCP Half Open flood vector) is activated in the AFM Device Dos or DOS profile, certain types of TCP connections will fail. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.",
"id": "GHSA-j64f-pwh4-gjqv",
"modified": "2022-02-02T00:02:00Z",
"published": "2022-01-26T00:00:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23028"
},
{
"type": "WEB",
"url": "https://support.f5.com/csp/article/K16101409"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JQWC-C49R-4W2X
Vulnerability from github – Published: 2022-06-29 22:08 – Updated: 2025-05-02 12:49Impact
Wasmtime's implementation of the SIMD proposal for WebAssembly on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were presented in the i8x16.swizzle and select WebAssembly instructions. The select instruction is only affected when the inputs are of v128 type. The correspondingly affected Cranelift instructions were swizzle and select.
The swizzle instruction lowering in Cranelift erroneously overwrote the mask input register which could corrupt a constant value, for example. This means that future uses of the same constant may see a different value than the constant itself.
The select instruction lowering in Cranelift wasn't correctly implemented for vector types that are 128-bits wide. When the condition was 0 the wrong instruction was used to move the correct input to the output of the instruction meaning that only the low 32 bits were moved and the upper 96 bits of the result were left as whatever the register previously contained (instead of the input being moved from). The select instruction worked correctly if the condition was nonzero, however.
This bug in Wasmtime's implementation of these instructions on x86_64 represents an incorrect implementation of the specified semantics of these instructions according to the WebAssembly specification. The impact of this is benign for hosts running WebAssembly but represents possible vulnerabilities within the execution of a guest program. For example a WebAssembly program could take unintended branches or materialize incorrect values internally which runs the risk of exposing the program itself to other related vulnerabilities which can occur from miscompilations.
Patches
We have released Wasmtime 0.38.1 and cranelift-codegen (and other associated cranelift crates) 0.85.1 which contain the corrected implementations of these two instructions in Cranelift.
Workarounds
If upgrading is not an option for you at this time, you can avoid the vulnerability by disabling the Wasm simd proposal
config.wasm_simd(false);
Additionally the bug is only present on x86_64 hosts. Other aarch64 hosts are not affected. Note that s390x hosts don't yet implement the simd proposal and are not affected.
References
- The WebAssembly simd proposal
- Original test case showing the erroneous behavior
- Fix for the
swizzleinstruction - Fix for the
selectinstruction
For more information
If you have any questions or comments about this advisory:
- Reach out to us on the Bytecode Alliance Zulip chat
- Open an issue in the bytecodealliance/wasmtime repository
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.38.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cranelift-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.85.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31104"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-29T22:08:25Z",
"nvd_published_at": "2022-06-28T00:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWasmtime\u0027s implementation of the [SIMD proposal for WebAssembly](https://github.com/webassembly/simd) on x86_64 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bugs were presented in the `i8x16.swizzle` and `select` WebAssembly instructions. The `select` instruction is only affected when the inputs are of `v128` type. The correspondingly affected Cranelift instructions were `swizzle` and `select`.\n\nThe `swizzle` instruction lowering in Cranelift erroneously overwrote the mask input register which could corrupt a constant value, for example. This means that future uses of the same constant may see a different value than the constant itself.\n\nThe `select` instruction lowering in Cranelift wasn\u0027t correctly implemented for vector types that are 128-bits wide. When the condition was 0 the wrong instruction was used to move the correct input to the output of the instruction meaning that only the low 32 bits were moved and the upper 96 bits of the result were left as whatever the register previously contained (instead of the input being moved from). The `select` instruction worked correctly if the condition was nonzero, however.\n\nThis bug in Wasmtime\u0027s implementation of these instructions on x86_64 represents an incorrect implementation of the specified semantics of these instructions according to the [WebAssembly specification](https://webassembly.github.io/spec/). The impact of this is benign for hosts running WebAssembly but represents possible vulnerabilities within the execution of a guest program. For example a WebAssembly program could take unintended branches or materialize incorrect values internally which runs the risk of exposing the program itself to other related vulnerabilities which can occur from miscompilations.\n\n### Patches\n\nWe have released Wasmtime 0.38.1 and cranelift-codegen (and other associated cranelift crates) 0.85.1 which contain the corrected implementations of these two instructions in Cranelift.\n\n### Workarounds\n\nIf upgrading is not an option for you at this time, you can avoid the vulnerability by [disabling the Wasm simd proposal](https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd)\n\n```rust\nconfig.wasm_simd(false);\n```\n\nAdditionally the bug is only present on x86_64 hosts. Other aarch64 hosts are not affected. Note that s390x hosts don\u0027t yet implement the simd proposal and are not affected.\n\n### References\n\n* [The WebAssembly simd proposal](https://github.com/webassembly/simd)\n* [Original test case showing the erroneous behavior](https://github.com/bytecodealliance/wasmtime/issues/4315)\n* [Fix for the `swizzle` instruction](https://github.com/bytecodealliance/wasmtime/pull/4318)\n* [Fix for the `select` instruction](https://github.com/bytecodealliance/wasmtime/pull/4317)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the bytecodealliance/wasmtime repository](https://github.com/bytecodealliance/wasmtime/)",
"id": "GHSA-jqwc-c49r-4w2x",
"modified": "2025-05-02T12:49:13Z",
"published": "2022-06-29T22:08:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-jqwc-c49r-4w2x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31104"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/pull/4317"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/pull/4318"
},
{
"type": "WEB",
"url": "https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.wasm_simd"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://github.com/webassembly/simd"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0095.html"
},
{
"type": "WEB",
"url": "https://webassembly.github.io/spec"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "Miscompilation of `i8x16.swizzle` and `select` with v128 inputs"
}
GHSA-JQWH-75JW-FM6M
Vulnerability from github – Published: 2022-04-16 00:00 – Updated: 2022-04-23 00:03An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). Using crafted input, an attacker can cause a size variable, stored as an signed int, to equal an extremely large value, which is interpreted as a negative value during a check. This value is then used in a memcpy call on the stack, causing a memory segmentation fault.
{
"affected": [],
"aliases": [
"CVE-2021-44504"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-15T18:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in FIS GT.M through V7.0-000 (related to the YottaDB code base). Using crafted input, an attacker can cause a size variable, stored as an signed int, to equal an extremely large value, which is interpreted as a negative value during a check. This value is then used in a memcpy call on the stack, causing a memory segmentation fault.",
"id": "GHSA-jqwh-75jw-fm6m",
"modified": "2022-04-23T00:03:13Z",
"published": "2022-04-16T00:00:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44504"
},
{
"type": "WEB",
"url": "https://gitlab.com/YottaDB/DB/YDB/-/issues/828"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/fis-gtm/files"
},
{
"type": "WEB",
"url": "http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JV4H-J224-23CC
Vulnerability from github – Published: 2026-05-07 20:54 – Updated: 2026-05-13 13:28Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while zcashd nodes do not.
Two distinct undercounts:
A: Coinbase Hidden Legacy Sigops
zcashd's GetLegacySigOpCount() includes the coinbase input's scriptSig. Zebra's Sigops impl skipped the coinbase input entirely, so up to ~98 sigops (the 100-byte coinbase script length cap, less the height prefix) could be hidden inside the coinbase scriptSig without being charged against the block limit.
B: Aggregate P2SH Sigops.
zcashd's GetP2SHSigOpCount() parses each P2SH input's redeem script with accurate=true and sums those sigops into the block-wide total via ConnectBlock. The check is per-block, not per-transaction, and the limit applies regardless of who mines the offending block — a miner just needs to include enough P2SH-spending transactions whose redeem scripts together exceed 20000 sigops. Zebra computed P2SH sigops only on the mempool-acceptance path (used for ZIP-317 weighting) and never accumulated them during block validation. A block whose aggregate redeem-script sigops exceed 20000 (e.g. 1334 P2SH spends × 15 sigops = 20010) would be accepted by Zebra and rejected by zcashd.
Patches
Fixed in this release: https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0.
Workarounds
None. Operators relying on Zebra for consensus should upgrade.
Resources
MAX_BLOCK_SIGOPSconstant inherited from Bitcoin via the Zcash protocol spec's §7.6 catch-all "Other rules inherited from Bitcoin", tracked for explicit documentation in zcash/zips#568.zcashdGetLegacySigOpCount: https://github.com/zcash/zcash/blob/v6.11.0/src/main.cpp#L826-L836zcashdGetP2SHSigOpCount: https://github.com/zcash/zcash/blob/v6.11.0/src/main.cpp#L840-L852zcashdConnectBlockaggregates per-tx sigops and compares againstMAX_BLOCK_SIGOPS.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "zebrad"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44498"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-07T20:54:33Z",
"nvd_published_at": "2026-05-08T15:17:01Z",
"severity": "CRITICAL"
},
"details": "Zebra\u0027s block validator undercounts transparent signature operations against the 20000-sigop block limit (`MAX_BLOCK_SIGOPS`), allowing it to accept blocks that `zcashd` rejects with `bad-blk-sigops`. A miner who produces such a block can split the network: Zebra nodes follow the offending chain while `zcashd` nodes do not.\n\nTwo distinct undercounts:\n\n#### A: Coinbase Hidden Legacy Sigops\n\n`zcashd`\u0027s `GetLegacySigOpCount()` includes the coinbase input\u0027s `scriptSig`. Zebra\u0027s `Sigops` impl skipped the coinbase input entirely, so up to ~98 sigops (the 100-byte coinbase script length cap, less the height prefix) could be hidden inside the coinbase `scriptSig` without being charged against the block limit.\n\n#### B: Aggregate P2SH Sigops.\n\n`zcashd`\u0027s `GetP2SHSigOpCount()` parses each P2SH input\u0027s redeem script with `accurate=true` and sums those sigops into the block-wide total via `ConnectBlock`. The check is per-block, not per-transaction, and the limit applies regardless of who mines the offending block \u2014 a miner just needs to include enough P2SH-spending transactions whose redeem scripts together exceed 20000 sigops. Zebra computed P2SH sigops only on the mempool-acceptance path (used for ZIP-317 weighting) and never accumulated them during block validation. A block whose aggregate redeem-script sigops exceed 20000 (e.g. 1334 P2SH spends \u00d7 15 sigops = 20010) would be accepted by Zebra and rejected by `zcashd`.\n\n### Patches\n\nFixed in this release: https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0.\n\n### Workarounds\n\nNone. Operators relying on Zebra for consensus should upgrade.\n\n### Resources\n\n- `MAX_BLOCK_SIGOPS` constant inherited from Bitcoin via the Zcash protocol spec\u0027s \u00a77.6 catch-all \"Other rules inherited from Bitcoin\", tracked for explicit documentation in [zcash/zips#568](https://github.com/zcash/zips/issues/568).\n- `zcashd` `GetLegacySigOpCount`: \u003chttps://github.com/zcash/zcash/blob/v6.11.0/src/main.cpp#L826-L836\u003e\n- `zcashd` `GetP2SHSigOpCount`: \u003chttps://github.com/zcash/zcash/blob/v6.11.0/src/main.cpp#L840-L852\u003e\n- `zcashd` `ConnectBlock` aggregates per-tx sigops and compares against `MAX_BLOCK_SIGOPS`.",
"id": "GHSA-jv4h-j224-23cc",
"modified": "2026-05-13T13:28:47Z",
"published": "2026-05-07T20:54:33Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-jv4h-j224-23cc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44498"
},
{
"type": "PACKAGE",
"url": "https://github.com/ZcashFoundation/zebra"
},
{
"type": "WEB",
"url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.4.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Zebra\u0027s Block Validator Undercounts Coinbase and P2SH Sigops"
}
GHSA-JV89-HCW9-2WWR
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defect occurs. In this case OpenOffice runs into an Arithmetic Overflow at a string length calculation.
{
"affected": [],
"aliases": [
"CVE-2018-11790"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-01-31T16:29:00Z",
"severity": "HIGH"
},
"details": "When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defect occurs. In this case OpenOffice runs into an Arithmetic Overflow at a string length calculation.",
"id": "GHSA-jv89-hcw9-2wwr",
"modified": "2022-05-13T01:31:05Z",
"published": "2022-05-13T01:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11790"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b@%3Ccommits.openoffice.apache.org%3E"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3883-1"
},
{
"type": "WEB",
"url": "https://www.openoffice.org/security/cves/CVE-2018-11790.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/106803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JX3C-V4XF-JMPC
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2025-04-20 03:37libimageworsener.a in ImageWorsener before 1.3.1 has "left shift cannot be represented in type int" undefined behavior issues, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image, related to imagew-bmp.c and imagew-util.c.
{
"affected": [],
"aliases": [
"CVE-2017-8326"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-29T20:59:00Z",
"severity": "HIGH"
},
"details": "libimageworsener.a in ImageWorsener before 1.3.1 has \"left shift cannot be represented in type int\" undefined behavior issues, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted image, related to imagew-bmp.c and imagew-util.c.",
"id": "GHSA-jx3c-v4xf-jmpc",
"modified": "2025-04-20T03:37:03Z",
"published": "2022-05-13T01:47:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-8326"
},
{
"type": "WEB",
"url": "https://github.com/jsummers/imageworsener/commit/a00183107d4b84bc8a714290e824ca9c68dac738"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/04/27/imageworsener-two-left-shift"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201706-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M265-HW72-834Q
Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was addressed in epan/dissectors/packet-coap.c by ensuring that the piv length is correctly computed.
{
"affected": [],
"aliases": [
"CVE-2018-18225"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-10-12T06:29:00Z",
"severity": "HIGH"
},
"details": "In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was addressed in epan/dissectors/packet-coap.c by ensuring that the piv length is correctly computed.",
"id": "GHSA-m265-hw72-834q",
"modified": "2022-05-13T01:14:36Z",
"published": "2022-05-13T01:14:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-18225"
},
{
"type": "WEB",
"url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172"
},
{
"type": "WEB",
"url": "https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b2bbd9fdf209911d94b23cc33f4daccbceb7fa8a"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4359"
},
{
"type": "WEB",
"url": "https://www.wireshark.org/security/wnpa-sec-2018-49.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00027.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/105583"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1041909"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M466-GRMG-W82Q
Vulnerability from github – Published: 2022-05-13 01:24 – Updated: 2022-05-13 01:24net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.
{
"affected": [],
"aliases": [
"CVE-2011-1573"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2012-02-02T04:09:00Z",
"severity": "MODERATE"
},
"details": "net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.",
"id": "GHSA-m466-grmg-w82q",
"modified": "2022-05-13T01:24:34Z",
"published": "2022-05-13T01:24:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1573"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=695383"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=a8170c35e738d62e9919ce5b109cf4ed66e95bde"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a8170c35e738d62e9919ce5b109cf4ed66e95bde"
},
{
"type": "WEB",
"url": "http://mirror.anl.gov/pub/linux/kernel/v2.6/ChangeLog-2.6.34"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/11/12"
},
{
"type": "WEB",
"url": "http://openwall.com/lists/oss-security/2011/04/11/4"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2011-0927.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M96M-QC9M-GFXJ
Vulnerability from github – Published: 2022-05-13 01:48 – Updated: 2022-05-13 01:48In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should fail.
{
"affected": [],
"aliases": [
"CVE-2017-9725"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-21T15:29:00Z",
"severity": "HIGH"
},
"details": "In all Qualcomm products with Android releases from CAF using the Linux kernel, during DMA allocation, due to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should fail.",
"id": "GHSA-m96m-qc9m-gfxj",
"modified": "2022-05-13T01:48:06Z",
"published": "2022-05-13T01:48:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9725"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:0676"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1062"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1130"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1170"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-09-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/100658"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.
Mitigation MIT-8
Strategy: Input Validation
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Mitigation
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.
Mitigation
Strategy: Language Selection
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation
Strategy: Libraries or Frameworks
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-128: Integer Attacks
An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.
CAPEC-129: Pointer Manipulation
This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.