CWE-682
DiscouragedIncorrect Calculation
Abstraction: Pillar · Status: Draft
The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
159 vulnerabilities reference this CWE, most recent first.
GHSA-55V6-VVQW-J3QQ
Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2024-02-02 15:30In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715
{
"affected": [],
"aliases": [
"CVE-2020-0022"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-02-13T15:15:00Z",
"severity": "HIGH"
},
"details": "In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-143894715",
"id": "GHSA-55v6-vvqw-j3qq",
"modified": "2024-02-02T15:30:27Z",
"published": "2022-05-24T17:08:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-0022"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2020-02-01"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/156891/Android-Bluetooth-Remote-Denial-Of-Service.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/Feb/10"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200513-03-smartphone-en"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-59W5-J22F-H3RV
Vulnerability from github – Published: 2025-07-04 06:30 – Updated: 2026-06-15 03:30A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.
{
"affected": [],
"aliases": [
"CVE-2025-5372"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-04T06:15:24Z",
"severity": "MODERATE"
},
"details": "A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success\u2014the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions\u0027 confidentiality, integrity, and availability.",
"id": "GHSA-59w5-j22f-h3rv",
"modified": "2026-06-15T03:30:31Z",
"published": "2025-07-04T06:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5372"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:21977"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2025:23024"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:20610"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:24349"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25911"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-5372"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369388"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-5GQV-PHJ4-9RWG
Vulnerability from github – Published: 2022-05-14 02:59 – Updated: 2022-05-14 02:59espritblock eos4j, an unofficial SDK for EOS, through 2018-07-12 mishandles floating-point numbers with more than four digits after the decimal point, which might allow attackers to trigger currency transfers of unintended amounts.
{
"affected": [],
"aliases": [
"CVE-2018-14439"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-20T00:29:00Z",
"severity": "HIGH"
},
"details": "espritblock eos4j, an unofficial SDK for EOS, through 2018-07-12 mishandles floating-point numbers with more than four digits after the decimal point, which might allow attackers to trigger currency transfers of unintended amounts.",
"id": "GHSA-5gqv-phj4-9rwg",
"modified": "2022-05-14T02:59:17Z",
"published": "2022-05-14T02:59:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14439"
},
{
"type": "WEB",
"url": "https://github.com/espritblock/eos4j/issues/6"
},
{
"type": "WEB",
"url": "http://www.bishijie.com/kuaixun_80841"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5X79-WFVW-985R
Vulnerability from github – Published: 2022-05-13 01:08 – Updated: 2025-04-20 03:31NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."
{
"affected": [],
"aliases": [
"CVE-2016-7433"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-01-13T16:59:00Z",
"severity": "MODERATE"
},
"details": "NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a \"root distance that did not include the peer dispersion.\"",
"id": "GHSA-5x79-wfvw-985r",
"modified": "2025-04-20T03:31:11Z",
"published": "2022-05-13T01:08:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7433"
},
{
"type": "WEB",
"url": "https://bto.bluecoat.com/security-advisory/sa139"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf"
},
{
"type": "WEB",
"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbux03706en_us"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMSYVQMMF37MANYEO7KBHOPSC74EKGN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PABKEYX6ABBFJZGMXKH57X756EJUDS3C"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U5E3XBBCK5IXOLDAH2E4M3QKIYIHUMMP"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMSYVQMMF37MANYEO7KBHOPSC74EKGN"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PABKEYX6ABBFJZGMXKH57X756EJUDS3C"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5E3XBBCK5IXOLDAH2E4M3QKIYIHUMMP"
},
{
"type": "WEB",
"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11"
},
{
"type": "WEB",
"url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2017-227"
},
{
"type": "WEB",
"url": "https://www.kb.cert.org/vuls/id/633847"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2016-12/msg00153.html"
},
{
"type": "WEB",
"url": "http://nwtime.org/ntp428p9_release"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0252.html"
},
{
"type": "WEB",
"url": "http://support.ntp.org/bin/view/Main/NtpBug3067"
},
{
"type": "WEB",
"url": "http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities"
},
{
"type": "WEB",
"url": "http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20171129-01-ntpd-en"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/539955/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/540254/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/archive/1/539955/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/archive/1/540254/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94455"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1037354"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-3349-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-69V6-XC2J-R2JF
Vulnerability from github – Published: 2021-06-29 21:13 – Updated: 2025-01-30 14:37Impact
This is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain.
Geth’s pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could deploy a contract that
- writes
Xto an EVM memory regionR, - calls
0x00..04withRas an argument, - overwrites
RtoY, - and finally invokes the
RETURNDATACOPYopcode.
When this contract is invoked, a consensus-compliant node would push X on the EVM stack, whereas Geth would push Y.
Patches
No standalone patches have been made.
Workarounds
Upgrade to 1.9.17 or higher.
References
https://blog.ethereum.org/2020/11/12/geth_security_release/
For more information
If you have any questions or comments about this advisory: * Open an issue in go-ethereum * Email us at security@ethereum.org
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ethereum/go-ethereum"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.7"
},
{
"fixed": "1.9.17"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26241"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T21:51:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nThis is a Consensus vulnerability, which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. \n\nGeth\u2019s pre-compiled `dataCopy` (at `0x00...04`) contract did a shallow copy on invocation. An attacker could deploy a contract that \n\n- writes `X` to an EVM memory region `R`,\n- calls `0x00..04` with `R` as an argument,\n- overwrites `R` to `Y`,\n- and finally invokes the `RETURNDATACOPY` opcode.\n\nWhen this contract is invoked, a consensus-compliant node would push `X` on the EVM stack, whereas Geth would push `Y`.\n\n\n### Patches\n\nNo standalone patches have been made. \n\n### Workarounds\n\nUpgrade to `1.9.17` or higher.\n\n### References\n\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n",
"id": "GHSA-69v6-xc2j-r2jf",
"modified": "2025-01-30T14:37:49Z",
"published": "2021-06-29T21:13:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-69v6-xc2j-r2jf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26241"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/commit/295693759e5ded05fec0b2fb39359965b60da785"
},
{
"type": "WEB",
"url": "https://blog.ethereum.org/2020/11/12/geth_security_release"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethereum/go-ethereum"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Shallow copy bug in geth"
}
GHSA-6FVR-R66P-5W4V
Vulnerability from github – Published: 2026-01-15 21:31 – Updated: 2026-01-15 21:31An Incorrect Calculation vulnerability in the Layer 2 Control
Protocol
Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a flood of logs, resulting in high CPU usage.
When the issue is seen, the following log message will be generated:
op:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP,
This issue affects Junos OS Evolved:
- all versions before 21.4R3-S7-EVO,
- from 22.2 before 22.2R3-S4-EVO,
- from 22.3 before 22.3R3-S3-EVO,
- from 22.4 before 22.4R3-S2-EVO,
- from 23.2 before 23.2R2-S1-EVO,
- from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.
{
"affected": [],
"aliases": [
"CVE-2026-21911"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-15T21:16:07Z",
"severity": "HIGH"
},
"details": "An Incorrect Calculation vulnerability in the Layer 2 Control\n\nProtocol \n\n Daemon (l2cpd) of Juniper Networks Junos OS Evolved allows an unauthenticated network-adjacent attacker flapping the management interface to cause the learning of new MACs over label-switched interfaces (LSI) to stop while generating a\u00a0flood of logs, resulting in high CPU usage.\n\nWhen the issue is seen, the following log message will be generated:\n\nop:1 flag:0x6 mac:xx:xx:xx:xx:xx:xx bd:2 ifl:13302 reason:0(REASON_NONE) i-op:6(INTRNL_OP_HW_FORCE_DELETE) status:10 lstatus:10 err:26(GETIFBD_VALIDATE_FAILED) err-reason 4(IFBD_VALIDATE_FAIL_EPOCH_MISMATCH) hw_wr:0x4 ctxsync:0 fwdsync:0 rtt-id:51 p_ifl:0 fwd_nh:0 svlbnh:0 event:- smask:0x100000000 dmask:0x0 mplsmask 0x1 act:0x5800 extf:0x0 pfe-id 0 hw-notif-ifl 13302 programmed-ifl 4294967295 pseudo-vtep underlay-ifl-idx 0 stack:GET_MAC, ALLOCATE_MAC, GET_IFL, GET_IFF, GET_IFBD, STOP, \n\n\nThis issue affects Junos OS Evolved:\u00a0\n\n * all versions before 21.4R3-S7-EVO,\u00a0\n * from 22.2 before 22.2R3-S4-EVO,\u00a0\n * from 22.3 before 22.3R3-S3-EVO,\u00a0\n * from 22.4 before 22.4R3-S2-EVO,\u00a0\n * from 23.2 before 23.2R2-S1-EVO,\u00a0\n * from 23.4 before 23.4R1-S2-EVO, 23.4R2-EVO.",
"id": "GHSA-6fvr-r66p-5w4v",
"modified": "2026-01-15T21:31:48Z",
"published": "2026-01-15T21:31:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21911"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA106010"
},
{
"type": "WEB",
"url": "https://supportportal.juniper.net/JSA106010"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-7258-PH5H-MHXM
Vulnerability from github – Published: 2022-05-13 01:40 – Updated: 2022-05-13 01:40An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32591350.
{
"affected": [],
"aliases": [
"CVE-2017-0545"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-07T22:59:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-32591350.",
"id": "GHSA-7258-ph5h-mhxm",
"modified": "2022-05-13T01:40:14Z",
"published": "2022-05-13T01:40:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0545"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-04-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97346"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038201"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-766C-RR8X-XJVP
Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input.
{
"affected": [],
"aliases": [
"CVE-2026-7836"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-21T08:16:23Z",
"severity": "LOW"
},
"details": "An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input.",
"id": "GHSA-766c-rr8x-xjvp",
"modified": "2026-05-21T09:32:11Z",
"published": "2026-05-21T09:32:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7836"
},
{
"type": "WEB",
"url": "https://netatalk.io/security/CVE-2026-7836"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-79CG-JG39-89HQ
Vulnerability from github – Published: 2022-05-24 19:06 – Updated: 2022-05-24 19:06The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. Note: This issue only affected x86-32 platforms. Other platforms are unaffected.. This vulnerability affects Firefox ESR < 78.10, Thunderbird < 78.10, and Firefox < 88.
{
"affected": [],
"aliases": [
"CVE-2021-29945"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-24T14:15:00Z",
"severity": "MODERATE"
},
"details": "The WebAssembly JIT could miscalculate the size of a return type, which could lead to a null read and result in a crash. *Note: This issue only affected x86-32 platforms. Other platforms are unaffected.*. This vulnerability affects Firefox ESR \u003c 78.10, Thunderbird \u003c 78.10, and Firefox \u003c 88.",
"id": "GHSA-79cg-jg39-89hq",
"modified": "2022-05-24T19:06:10Z",
"published": "2022-05-24T19:06:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29945"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1700690"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-14"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-15"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2021-16"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-7F6X-JWH5-M9R4
Vulnerability from github – Published: 2022-07-21 22:34 – Updated: 2025-05-02 12:49Impact
There was a bug in Wasmtime's code generator, Cranelift, for AArch64 targets where constant divisors could result in incorrect division results at runtime. The translation rules for constants did not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. For example, a constant 32-bit unsigned divisor of 0xfffffffe would be incorrectly sign-extended to 64-bits to 0xfffffffffffffffe. Any kind of division of operands smaller than 64 bits is implemented with a 64-bit division instruction which would then result in an incorrect result because the divisor was larger than expected.
The impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly, but does affect the correctness of guest programs.
This bug was found with differential fuzzing of Wasmtime against other engines on the AArch64 platform. Fuzzing on AArch64 is not regularly performed at this time and the Wasmtime team is investigating how best to continuously fuzz AArch64 in the same manner as x86_64.
Patches
This bug has been patched and users should upgrade to Wasmtime version 0.38.2.
Workarounds
If upgrading is not an option at this time, direct users of Cranelift that control the exact Cranelift instructions being compiled can avoid the vulnerability by explicitly extending constant divisors to 64 bits using either the sextend.i64 or the uextend.i64 operation.
Note, though, that this issue only affects the AArch64 targets. Other platforms are not affected.
For more information
If you have any questions or comments about this advisory:
- Reach out to us on the Bytecode Alliance Zulip chat
- Open an issue in the bytecodealliance/wasmtime repository
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "wasmtime"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.38.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "cranelift-codegen"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.85.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31169"
],
"database_specific": {
"cwe_ids": [
"CWE-682"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-21T22:34:38Z",
"nvd_published_at": "2022-07-22T04:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nThere was a bug in Wasmtime\u0027s code generator, Cranelift, for AArch64 targets where constant divisors could result in incorrect division results at runtime. The translation rules for constants did not take into account whether sign- or zero-extension should happen, which resulted in an incorrect value being placed into a register when a division was encountered. For example, a constant 32-bit unsigned divisor of `0xfffffffe` would be incorrectly sign-extended to 64-bits to `0xfffffffffffffffe`. Any kind of division of operands smaller than 64 bits is implemented with a 64-bit division instruction which would then result in an incorrect result because the divisor was larger than expected.\n\nThe impact of this bug is that programs executing within the WebAssembly sandbox would not behave according to the WebAssembly specification. This means that it is hypothetically possible for execution within the sandbox to go awry and WebAssembly programs could produce unexpected results. This should not impact hosts executing WebAssembly, but does affect the correctness of guest programs.\n\nThis bug was found with differential fuzzing of Wasmtime against other engines on the AArch64 platform. Fuzzing on AArch64 is not regularly performed at this time and the Wasmtime team is investigating how best to continuously fuzz AArch64 in the same manner as x86_64.\n\n### Patches\n\nThis bug has been patched and users should upgrade to Wasmtime version 0.38.2.\n\n### Workarounds\n\nIf upgrading is not an option at this time, direct users of Cranelift that control the exact Cranelift instructions being compiled can avoid the vulnerability by explicitly extending constant divisors to 64 bits using either the `sextend.i64` or the `uextend.i64` operation.\n\nNote, though, that this issue only affects the AArch64 targets. Other platforms are not affected.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Reach out to us on [the Bytecode Alliance Zulip chat](https://bytecodealliance.zulipchat.com/#narrow/stream/217126-wasmtime)\n* Open an issue in [the bytecodealliance/wasmtime repository](https://github.com/bytecodealliance/wasmtime/)",
"id": "GHSA-7f6x-jwh5-m9r4",
"modified": "2025-05-02T12:49:25Z",
"published": "2022-07-21T22:34:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-7f6x-jwh5-m9r4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31169"
},
{
"type": "WEB",
"url": "https://github.com/bytecodealliance/wasmtime/commit/2ba4bce5cc719e5a74e571a534424614e62ecc41"
},
{
"type": "PACKAGE",
"url": "https://github.com/bytecodealliance/wasmtime"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2022-0101.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Cranelift vulnerable to miscompilation of constant values in division on AArch64"
}
Mitigation
Understand your programming language's underlying representation and how it interacts with numeric calculation. Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how your language handles numbers that are too large or too small for its underlying representation.
Mitigation MIT-8
Strategy: Input Validation
Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
Mitigation
Use the appropriate type for the desired action. For example, in C/C++, only use unsigned types for values that could never be negative, such as height, width, or other numbers related to quantity.
Mitigation
Strategy: Language Selection
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation
Strategy: Libraries or Frameworks
- Use languages, libraries, or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++).
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-128: Integer Attacks
An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.
CAPEC-129: Pointer Manipulation
This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.