CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
642 vulnerabilities reference this CWE, most recent first.
GHSA-3QRR-XCC2-M7CG
Vulnerability from github – Published: 2025-04-14 21:32 – Updated: 2025-04-14 21:32In the Linux kernel, the following vulnerability has been resolved:
NFSD: prevent underflow in nfssvc_decode_writeargs()
Smatch complains:
fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()
warn: no lower bound on 'args->len'
Change the type to unsigned to prevent this issue.
{
"affected": [],
"aliases": [
"CVE-2022-49280"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:04Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: prevent underflow in nfssvc_decode_writeargs()\n\nSmatch complains:\n\n\tfs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs()\n\twarn: no lower bound on \u0027args-\u003elen\u0027\n\nChange the type to unsigned to prevent this issue.",
"id": "GHSA-3qrr-xcc2-m7cg",
"modified": "2025-04-14T21:32:20Z",
"published": "2025-04-14T21:32:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49280"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/184416d4b98509fb4c3d8fc3d6dc1437896cc159"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1a33e0de60feda402d05ac8a6cf409c19ea3e0b3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2764af8ce0bf03cc43ee4a11897cab96bde6caae"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/413d8fefafe531a9442bb623e3fe292a38f88d65"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/438068f4912183a59fcb6b7496a06437f7fd4e2b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/614a61e1592051cc42d3c38f899c9f7bdaad8a1d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/65e21cc042f4c1518c8c55283f53bc725b78419d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/85259340fc9bd54e3d567b41b881ecb4d0055da1"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9f0f048c1bfa7867d565a95fd8c28f4484ba1043"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3QWJ-Q697-4PPR
Vulnerability from github – Published: 2026-07-08 18:31 – Updated: 2026-07-13 21:31U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.
{
"affected": [],
"aliases": [
"CVE-2026-29008"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-08T17:17:21Z",
"severity": "HIGH"
},
"details": "U-Boot through 2026.04-rc3 contains an integer underflow vulnerability in the tcp_rx_state_machine() function (net/tcp.c) that allows a network-adjacent attacker to crash the bootloader by sending a malformed TCP SYN+ACK packet with a manipulated data offset field causing payload_len to become negative. When the TCP_SYN_SENT handler calls tcp_rx_user_data() without invoking tcp_seg_in_wnd() validation, the negative payload_len is implicitly converted to a large unsigned integer (e.g., 0xFFFFFFD8) and passed to memcpy() in store_block(), causing an immediate crash that prevents device boot and may enable memory corruption when CONFIG_LMB is disabled.",
"id": "GHSA-3qwj-q697-4ppr",
"modified": "2026-07-13T21:31:14Z",
"published": "2026-07-08T18:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29008"
},
{
"type": "WEB",
"url": "https://lists.denx.de/pipermail/u-boot/2026-May/617853.html"
},
{
"type": "WEB",
"url": "https://u-boot.org"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/u-boot-rc3-integer-underflow-dos-via-tcp-rx-state-machine"
},
{
"type": "WEB",
"url": "https://y637f9qq2x.com/posts/u-boot-tcp-nfs-vulns"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3WPH-8799-87R7
Vulnerability from github – Published: 2022-10-17 19:00 – Updated: 2025-05-14 21:31An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
{
"affected": [],
"aliases": [
"CVE-2022-3165"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T16:15:00Z",
"severity": "MODERATE"
},
"details": "An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.",
"id": "GHSA-3wph-8799-87r7",
"modified": "2025-05-14T21:31:10Z",
"published": "2022-10-17T19:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3165"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/commit/d307040b18"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I36LKZA7Z65J3LJU2P37LVTWDFTXBMPU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I36LKZA7Z65J3LJU2P37LVTWDFTXBMPU"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTY7TVHX62OJWF6IOBCIGLR2N5K4QN3E"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20221223-0006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-428C-JVG5-R285
Vulnerability from github – Published: 2026-06-24 09:30 – Updated: 2026-06-28 09:31In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix tp_meter counter underflow during shutdown
batadv_tp_sender_shutdown() unconditionally decrements the "sending" atomic counter. If multiple paths (e.g. timeout, user cancel, and normal finish) call this function, the counter can underflow to -1.
Since the sender logic treats any non-zero value as "still sending", a negative value causes the sender kthread to loop indefinitely. This leads to a use-after-free when the interface is removed while the zombie thread is still active.
Fix this by using atomic_xchg() to ensure the counter only transitions from 1 to 0 once.
[sven: added missing change in batadv_tp_send]
{
"affected": [],
"aliases": [
"CVE-2026-52919"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-24T08:16:21Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbatman-adv: fix tp_meter counter underflow during shutdown\n\nbatadv_tp_sender_shutdown() unconditionally decrements the \"sending\"\natomic counter. If multiple paths (e.g. timeout, user cancel, and\nnormal finish) call this function, the counter can underflow to -1.\n\nSince the sender logic treats any non-zero value as \"still sending\",\na negative value causes the sender kthread to loop indefinitely.\nThis leads to a use-after-free when the interface is removed while\nthe zombie thread is still active.\n\nFix this by using atomic_xchg() to ensure the counter only transitions\nfrom 1 to 0 once.\n\n[sven: added missing change in batadv_tp_send]",
"id": "GHSA-428c-jvg5-r285",
"modified": "2026-06-28T09:31:36Z",
"published": "2026-06-24T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-52919"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/01cefc5923889e29dbb5f281c3d457714ceb9c00"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/90ae3eae06b7b8ab9f6250b9497c860915b4c17b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/94f3b133168d1c49895e7cc6afbcf1cc0b354602"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/abae88fa254f2981d39ac003a7b302528a22af64"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/aeae11c5dad9cd0d50723890bdd866f8e6db2e7d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c1bac194733aabd731aafa6a01350c229e187dba"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/c66d20a3ff095e3f000551d208ec2606616db15c"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e75e2ab463b5b34df6b98f94d740aff327ce9f6b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-454G-4QQQ-2J4G
Vulnerability from github – Published: 2024-04-09 18:30 – Updated: 2024-04-09 18:30Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-28930"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T17:15:53Z",
"severity": "HIGH"
},
"details": "Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability",
"id": "GHSA-454g-4qqq-2j4g",
"modified": "2024-04-09T18:30:27Z",
"published": "2024-04-09T18:30:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28930"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-28930"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-45CF-Q4MP-FGVX
Vulnerability from github – Published: 2022-03-11 00:02 – Updated: 2022-03-17 00:01There is an integer underflow vulnerability in the atcmdserver module. Successful exploitation of this vulnerability may affect integrity.
{
"affected": [],
"aliases": [
"CVE-2021-40054"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-10T17:43:00Z",
"severity": "HIGH"
},
"details": "There is an integer underflow vulnerability in the atcmdserver module. Successful exploitation of this vulnerability may affect integrity.",
"id": "GHSA-45cf-q4mp-fgvx",
"modified": "2022-03-17T00:01:53Z",
"published": "2022-03-11T00:02:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40054"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2022/3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-45W8-HP4W-6FR6
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2022-05-13 01:04Integer underflow in the base64-decoding implementation in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3, RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) before 4.0.4 and 4.1, and RSA BSAFE SSL-C 2.8.9 and earlier allows remote attackers to cause a denial of service (memory corruption or segmentation fault) or possibly have unspecified other impact via crafted base64 data, a similar issue to CVE-2015-0292.
{
"affected": [],
"aliases": [
"CVE-2015-0537"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-08-20T10:59:00Z",
"severity": "CRITICAL"
},
"details": "Integer underflow in the base64-decoding implementation in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3, RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) before 4.0.4 and 4.1, and RSA BSAFE SSL-C 2.8.9 and earlier allows remote attackers to cause a denial of service (memory corruption or segmentation fault) or possibly have unspecified other impact via crafted base64 data, a similar issue to CVE-2015-0292.",
"id": "GHSA-45w8-hp4w-6fr6",
"modified": "2022-05-13T01:04:38Z",
"published": "2022-05-13T01:04:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0537"
},
{
"type": "WEB",
"url": "http://seclists.org/bugtraq/2015/Aug/84"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/76377"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1033299"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-46GP-CXCX-7C88
Vulnerability from github – Published: 2022-05-24 17:40 – Updated: 2022-05-24 17:40An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.
{
"affected": [],
"aliases": [
"CVE-2020-36228"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "An integer underflow was discovered in OpenLDAP before 2.4.57 leading to a slapd crash in the Certificate List Exact Assertion processing, resulting in denial of service.",
"id": "GHSA-46gp-cxcx-7c88",
"modified": "2022-05-24T17:40:18Z",
"published": "2022-05-24T17:40:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36228"
},
{
"type": "WEB",
"url": "https://bugs.openldap.org/show_bug.cgi?id=9427"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/commit/91dccd25c347733b365adc74cb07d074512ed5ad"
},
{
"type": "WEB",
"url": "https://git.openldap.org/openldap/openldap/-/tags/OPENLDAP_REL_ENG_2_4_57"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00005.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210226-0002"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212529"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212530"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT212531"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4845"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/64"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/65"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2021/May/70"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-483F-26R4-2FVR
Vulnerability from github – Published: 2022-05-24 17:28 – Updated: 2025-08-29 15:30A flaw was found in xorg-x11-server before 1.20.9. An integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
{
"affected": [],
"aliases": [
"CVE-2020-14346"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-09-15T19:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in xorg-x11-server before 1.20.9. An integer underflow in the X input extension protocol decoding in the X server may lead to arbitrary access of memory contents. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
"id": "GHSA-483f-26r4-2fvr",
"modified": "2025-08-29T15:30:36Z",
"published": "2022-05-24T17:28:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14346"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1862246"
},
{
"type": "WEB",
"url": "https://lists.x.org/archives/xorg-announce/2020-August/003058.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202012-01"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4488-2"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1417"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-48V9-672P-CVJR
Vulnerability from github – Published: 2022-05-17 02:34 – Updated: 2022-05-17 02:34In all Android releases from CAF using the Linux kernel, an integer underflow vulnerability exists while processing the boot image.
{
"affected": [],
"aliases": [
"CVE-2017-7367"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-13T20:29:00Z",
"severity": "HIGH"
},
"details": "In all Android releases from CAF using the Linux kernel, an integer underflow vulnerability exists while processing the boot image.",
"id": "GHSA-48v9-672p-cvjr",
"modified": "2022-05-17T02:34:17Z",
"published": "2022-05-17T02:34:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7367"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2017-06-01"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1038623"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.