CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
642 vulnerabilities reference this CWE, most recent first.
GHSA-G5RF-95RX-Q3M2
Vulnerability from github – Published: 2022-05-17 03:45 – Updated: 2022-05-17 03:45Integer overflow in drivers/char/diag/diag_dci.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28769912 and Qualcomm internal bug CR565160.
{
"affected": [],
"aliases": [
"CVE-2014-9883"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-08-06T10:59:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in drivers/char/diag/diag_dci.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 and 7 (2013) devices allows attackers to gain privileges or obtain sensitive information via a crafted application, aka Android internal bug 28769912 and Qualcomm internal bug CR565160.",
"id": "GHSA-g5rf-95rx-q3m2",
"modified": "2022-05-17T03:45:21Z",
"published": "2022-05-17T03:45:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9883"
},
{
"type": "WEB",
"url": "https://source.codeaurora.org/quic/la/kernel/msm/commit/?id=cbf79a67348e48557c0d0bb9bc58391b3f84bc46"
},
{
"type": "WEB",
"url": "http://source.android.com/security/bulletin/2016-08-01.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/92219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G6HR-H94M-W92X
Vulnerability from github – Published: 2022-05-13 01:26 – Updated: 2022-05-13 01:26An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow.
{
"affected": [],
"aliases": [
"CVE-2018-14353"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-17T17:29:00Z",
"severity": "CRITICAL"
},
"details": "An issue was discovered in Mutt before 1.10.1 and NeoMutt before 2018-07-16. imap_quote_string in imap/util.c has an integer underflow.",
"id": "GHSA-g6hr-h94m-w92x",
"modified": "2022-05-13T01:26:29Z",
"published": "2022-05-13T01:26:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14353"
},
{
"type": "WEB",
"url": "https://github.com/neomutt/neomutt/commit/65d64a5b60a4a3883f2cd799d92c6091d8854f23"
},
{
"type": "WEB",
"url": "https://gitlab.com/muttmua/mutt/commit/e0131852c6059107939893016c8ff56b6e42865d"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/08/msg00001.html"
},
{
"type": "WEB",
"url": "https://neomutt.org/2018/07/16/release"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201810-07"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3719-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3719-3"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4277"
},
{
"type": "WEB",
"url": "http://www.mutt.org/news.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G77G-V33M-X9RH
Vulnerability from github – Published: 2026-05-08 15:31 – Updated: 2026-05-15 15:30In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix PM runtime usage count underflow
Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the remove path to properly pair with pm_runtime_use_autosuspend() from probe. This allows pm_runtime_disable() to handle reference count cleanup correctly regardless of current suspend state.
The driver calls pm_runtime_put_sync() unconditionally in remove, but the device may already be suspended due to autosuspend configured in probe. When autosuspend has already suspended the device, the usage count is 0, and pm_runtime_put_sync() decrements it to -1.
This causes the following warning on module unload:
------------[ cut here ]------------ WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 ... vdec 30210000.video-codec: Runtime PM usage count underflow!
{
"affected": [],
"aliases": [
"CVE-2026-43301"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T14:16:37Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix PM runtime usage count underflow\n\nReplace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in\nthe remove path to properly pair with pm_runtime_use_autosuspend() from\nprobe. This allows pm_runtime_disable() to handle reference count cleanup\ncorrectly regardless of current suspend state.\n\nThe driver calls pm_runtime_put_sync() unconditionally in remove, but the\ndevice may already be suspended due to autosuspend configured in probe.\nWhen autosuspend has already suspended the device, the usage count is 0,\nand pm_runtime_put_sync() decrements it to -1.\n\nThis causes the following warning on module unload:\n\n ------------[ cut here ]------------\n WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430\n kthread_destroy_worker+0x84/0x98\n ...\n vdec 30210000.video-codec: Runtime PM usage count underflow!",
"id": "GHSA-g77g-v33m-x9rh",
"modified": "2026-05-15T15:30:33Z",
"published": "2026-05-08T15:31:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43301"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0bffda02317989f8d5cdc2d4462a4110b1290cf0"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a278a55ead50db2444c8f01410c7f5a68723990"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/9cf4452e824c1e2d41c9c0b13cc8a32a0a7dec38"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8CQ-PWCV-27G6
Vulnerability from github – Published: 2025-05-13 18:30 – Updated: 2025-05-13 18:30Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2025-30324"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-13T18:15:38Z",
"severity": "HIGH"
},
"details": "Photoshop Desktop versions 26.5, 25.12.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
"id": "GHSA-g8cq-pwcv-27g6",
"modified": "2025-05-13T18:30:58Z",
"published": "2025-05-13T18:30:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30324"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/photoshop/apsb25-40.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8JP-JV8P-3QR4
Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2023-03-03 18:30An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c.
{
"affected": [],
"aliases": [
"CVE-2019-14523"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-08-02T12:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Schism Tracker through 20190722. There is an integer underflow via a large plen in fmt_okt_load_song in the Amiga Oktalyzer parser in fmt/okt.c.",
"id": "GHSA-g8jp-jv8p-3qr4",
"modified": "2023-03-03T18:30:25Z",
"published": "2022-05-24T16:52:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14523"
},
{
"type": "WEB",
"url": "https://github.com/schismtracker/schismtracker/issues/202"
},
{
"type": "WEB",
"url": "https://github.com/schismtracker/schismtracker/releases/tag/20190805"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-12"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00072.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00083.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-G8PH-56PG-H88P
Vulnerability from github – Published: 2022-05-24 19:01 – Updated: 2022-05-24 19:01Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a negative number passed to the memcpy function via a crafted lldp packet.
{
"affected": [],
"aliases": [
"CVE-2021-25846"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-10T11:15:00Z",
"severity": "HIGH"
},
"details": "Improper validation of the ChassisID TLV in userdisk/vport_lldpd in Moxa Camera VPort 06EC-2V Series, version 1.1, allows attackers to cause a denial of service due to a negative number passed to the memcpy function via a crafted lldp packet.",
"id": "GHSA-g8ph-56pg-h88p",
"modified": "2022-05-24T19:01:56Z",
"published": "2022-05-24T19:01:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25846"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en"
},
{
"type": "WEB",
"url": "https://www.moxa.com/en/support/product-support/security-advisory/vport-06ec-2v-series-ip-cameras-vulnerabilities"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-G8RQ-RJVV-4HCC
Vulnerability from github – Published: 2025-10-16 18:30 – Updated: 2025-10-29 21:30An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.
-
The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\text{size}_\text{t}$ (an unsigned type, typically 64-bit) for its size member.
-
However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\text{size}_\text{t}$ value into a signed int (typically 32-bit).
-
When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).
-
This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.
-
This negative offset is then incorrectly added to the buffer pointer (s->byte_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:
put_u32(s->byte_code.buf + pos, len);
{
"affected": [],
"aliases": [
"CVE-2025-62495"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-16T16:15:40Z",
"severity": "HIGH"
},
"details": "An integer overflow vulnerability exists in the QuickJS regular expression engine (libregexp) due to an inconsistent representation of the bytecode buffer size.\n\n * The regular expression bytecode is stored in a DynBuf structure, which correctly uses a $\\text{size}\\_\\text{t}$ (an unsigned type, typically 64-bit) for its size member.\n\n\n * However, several functions, such as re_emit_op_u32 and other internal parsing routines, incorrectly cast or store this DynBuf $\\text{size}\\_\\text{t}$ value into a signed int (typically 32-bit).\n\n\n * When a large or complex regular expression (such as those generated by a recursive pattern in a Proof-of-Concept) causes the bytecode size to exceed $2^{31}$ bytes (the maximum positive value for a signed 32-bit integer), the size value wraps around, resulting in a negative integer when stored in the int variable (Integer Overflow).\n\n\n * This negative value is subsequently used in offset calculations. For example, within functions like re_parse_disjunction, the negative size is used to compute an offset (pos) for patching a jump instruction.\n\n\n * This negative offset is then incorrectly added to the buffer pointer (s-\u003ebyte\\_code.buf + pos), leading to an out-of-bounds write on the first line of the snippet below:\n\nput_u32(s-\u003ebyte_code.buf + pos, len);",
"id": "GHSA-g8rq-rjvv-4hcc",
"modified": "2025-10-29T21:30:32Z",
"published": "2025-10-16T18:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62495"
},
{
"type": "WEB",
"url": "https://bellard.org/quickjs/Changelog"
},
{
"type": "WEB",
"url": "https://issuetracker.google.com/434196926"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-GCVV-7WHM-PV7C
Vulnerability from github – Published: 2022-05-24 17:24 – Updated: 2024-04-04 02:55napi_get_value_string_*() allows various kinds of memory corruption in node < 10.21.0, 12.18.0, and < 14.4.0.
{
"affected": [],
"aliases": [
"CVE-2020-8174"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-07-24T22:15:00Z",
"severity": "HIGH"
},
"details": "napi_get_value_string_*() allows various kinds of memory corruption in node \u003c 10.21.0, 12.18.0, and \u003c 14.4.0.",
"id": "GHSA-gcvv-7whm-pv7c",
"modified": "2024-04-04T02:55:10Z",
"published": "2022-05-24T17:24:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8174"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/784186"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202101-07"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201023-0003"
},
{
"type": "WEB",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-GFR4-C37G-MM3V
Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2024-09-09 15:30ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).
{
"affected": [],
"aliases": [
"CVE-2020-24370"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-08-17T17:15:00Z",
"severity": "MODERATE"
},
"details": "ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).",
"id": "GHSA-gfr4-c37g-mm3v",
"modified": "2024-09-09T15:30:37Z",
"published": "2022-05-24T17:26:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-24370"
},
{
"type": "WEB",
"url": "https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00019.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00031.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6KONNG6UEI3FMEOY67NDZC32NBGBI44"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXYMCIUNGK26VHAYHGP5LPW56G2KWOHQ"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E6KONNG6UEI3FMEOY67NDZC32NBGBI44"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXYMCIUNGK26VHAYHGP5LPW56G2KWOHQ"
},
{
"type": "WEB",
"url": "http://lua-users.org/lists/lua-l/2020-07/msg00324.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-GHGG-V38H-7V7M
Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2021-21897"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-08T16:15:00Z",
"severity": "HIGH"
},
"details": "A code execution vulnerability exists in the DL_Dxf::handleLWPolylineData functionality of Ribbonsoft dxflib 3.17.0. A specially-crafted .dxf file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.",
"id": "GHSA-ghgg-v38h-7v7m",
"modified": "2022-05-24T19:13:21Z",
"published": "2022-05-24T19:13:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21897"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5BUOTYU3KKIYE4BEBUFA4MRS462P3OWM"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DA4C4X5GMM65VYLUW7Q7YL6P5NDB633A"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IMGMEPTYL7WTQ333J6SMC6MUHDMMWT3O"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L2H36XRMAPQBIOVIIFX6KUT5YOG2ETM6"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.