Common Weakness Enumeration

CWE-191

Allowed

Integer Underflow (Wrap or Wraparound)

Abstraction: Base · Status: Draft

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

640 vulnerabilities reference this CWE, most recent first.

GHSA-RRXC-FGQR-57WQ

Vulnerability from github – Published: 2022-05-24 19:13 – Updated: 2022-05-24 19:13
VLAI
Details

Integer underflow can occur when the RTCP length is lesser than than the actual blocks present in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice & Music, Snapdragon Wearables

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-1919"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-09-08T12:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Integer underflow can occur when the RTCP length is lesser than than the actual blocks present in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Voice \u0026 Music, Snapdragon Wearables",
  "id": "GHSA-rrxc-fgqr-57wq",
  "modified": "2022-05-24T19:13:52Z",
  "published": "2022-05-24T19:13:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-1919"
    },
    {
      "type": "WEB",
      "url": "https://www.qualcomm.com/company/product-security/bulletins/august-2021-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-RVV7-6W95-X7C7

Vulnerability from github – Published: 2022-05-17 01:16 – Updated: 2022-05-17 01:16
VLAI
Details

An integer underflow vulnerability exists in pixel-a.asm, the x86 assembly code for planeClipAndMax() in MulticoreWare x265 through 2.5, as used in libbpg and other products. A small height value can cause an integer underflow, which leads to a crash. This is a different vulnerability than CVE-2017-8906.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-13666"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-24T06:29:00Z",
    "severity": "MODERATE"
  },
  "details": "An integer underflow vulnerability exists in pixel-a.asm, the x86 assembly code for planeClipAndMax() in MulticoreWare x265 through 2.5, as used in libbpg and other products. A small height value can cause an integer underflow, which leads to a crash. This is a different vulnerability than CVE-2017-8906.",
  "id": "GHSA-rvv7-6w95-x7c7",
  "modified": "2022-05-17T01:16:31Z",
  "published": "2022-05-17T01:16:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-13666"
    },
    {
      "type": "WEB",
      "url": "https://bitbucket.org/multicoreware/x265/issues/364/integer-overflow-and-affect-top-level"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RVWG-GC58-2352

Vulnerability from github – Published: 2025-01-11 15:30 – Updated: 2025-09-24 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

virtio-net: fix overflow inside virtnet_rq_alloc

When the frag just got a page, then may lead to regression on VM. Specially if the sysctl net.core.high_order_alloc_disable value is 1, then the frag always get a page when do refill.

Which could see reliable crashes or scp failure (scp a file 100M in size to VM).

The issue is that the virtnet_rq_dma takes up 16 bytes at the beginning of a new frag. When the frag size is larger than PAGE_SIZE, everything is fine. However, if the frag is only one page and the total size of the buffer and virtnet_rq_dma is larger than one page, an overflow may occur.

The commit f9dac92ba908 ("virtio_ring: enable premapped mode whatever use_dma_api") introduced this problem. And we reverted some commits to fix this in last linux version. Now we try to enable it and fix this bug directly.

Here, when the frag size is not enough, we reduce the buffer len to fix this problem.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-57843"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-11T15:15:07Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio-net: fix overflow inside virtnet_rq_alloc\n\nWhen the frag just got a page, then may lead to regression on VM.\nSpecially if the sysctl net.core.high_order_alloc_disable value is 1,\nthen the frag always get a page when do refill.\n\nWhich could see reliable crashes or scp failure (scp a file 100M in size\nto VM).\n\nThe issue is that the virtnet_rq_dma takes up 16 bytes at the beginning\nof a new frag. When the frag size is larger than PAGE_SIZE,\neverything is fine. However, if the frag is only one page and the\ntotal size of the buffer and virtnet_rq_dma is larger than one page, an\noverflow may occur.\n\nThe commit f9dac92ba908 (\"virtio_ring: enable premapped mode whatever\nuse_dma_api\") introduced this problem. And we reverted some commits to\nfix this in last linux version. Now we try to enable it and fix this\nbug directly.\n\nHere, when the frag size is not enough, we reduce the buffer len to fix\nthis problem.",
  "id": "GHSA-rvwg-gc58-2352",
  "modified": "2025-09-24T21:30:31Z",
  "published": "2025-01-11T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-57843"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/67a11de8965c2ab19e215fb6651d44847e068614"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6aacd1484468361d1d04badfe75f264fa5314864"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8f7d6963768b114ec9644ff0148dde4c104e84b"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RWQ9-67RV-755X

Vulnerability from github – Published: 2024-05-21 18:31 – Updated: 2024-12-31 21:30
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix underflow in second superblock position calculations

Macro NILFS_SB2_OFFSET_BYTES, which computes the position of the second superblock, underflows when the argument device size is less than 4096 bytes. Therefore, when using this macro, it is necessary to check in advance that the device size is not less than a lower limit, or at least that underflow does not occur.

The current nilfs2 implementation lacks this check, causing out-of-bound block access when mounting devices smaller than 4096 bytes:

I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2 NILFS (loop0): unable to read secondary superblock (blocksize = 1024)

In addition, when trying to resize the filesystem to a size below 4096 bytes, this underflow occurs in nilfs_resize_fs(), passing a huge number of segments to nilfs_sufile_resize(), corrupting parameters such as the number of segments in superblocks. This causes excessive loop iterations in nilfs_sufile_resize() during a subsequent resize ioctl, causing semaphore ns_segctor_sem to block for a long time and hang the writer thread:

INFO: task segctord:5067 blocked for more than 143 seconds. Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:segctord state:D stack:23456 pid:5067 ppid:2 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5293 [inline] __schedule+0x1409/0x43f0 kernel/sched/core.c:6606 schedule+0xc3/0x190 kernel/sched/core.c:6682 rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190 nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline] nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570 kthread+0x270/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 ... Call Trace: folio_mark_accessed+0x51c/0xf00 mm/swap.c:515 __nilfs_get_page_block fs/nilfs2/page.c:42 [inline] nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61 nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121 nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176 nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251 nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline] nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline] nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777 nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422 nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline] nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301 ...

This fixes these issues by inserting appropriate minimum device size checks or anti-underflow checks, depending on where the macro is used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-52705"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T16:15:12Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position calculations\n\nMacro NILFS_SB2_OFFSET_BYTES, which computes the position of the second\nsuperblock, underflows when the argument device size is less than 4096\nbytes.  Therefore, when using this macro, it is necessary to check in\nadvance that the device size is not less than a lower limit, or at least\nthat underflow does not occur.\n\nThe current nilfs2 implementation lacks this check, causing out-of-bound\nblock access when mounting devices smaller than 4096 bytes:\n\n I/O error, dev loop0, sector 36028797018963960 op 0x0:(READ) flags 0x0\n phys_seg 1 prio class 2\n NILFS (loop0): unable to read secondary superblock (blocksize = 1024)\n\nIn addition, when trying to resize the filesystem to a size below 4096\nbytes, this underflow occurs in nilfs_resize_fs(), passing a huge number\nof segments to nilfs_sufile_resize(), corrupting parameters such as the\nnumber of segments in superblocks.  This causes excessive loop iterations\nin nilfs_sufile_resize() during a subsequent resize ioctl, causing\nsemaphore ns_segctor_sem to block for a long time and hang the writer\nthread:\n\n INFO: task segctord:5067 blocked for more than 143 seconds.\n      Not tainted 6.2.0-rc8-syzkaller-00015-gf6feea56f66d #0\n \"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\n task:segctord        state:D stack:23456 pid:5067  ppid:2\n flags:0x00004000\n Call Trace:\n  \u003cTASK\u003e\n  context_switch kernel/sched/core.c:5293 [inline]\n  __schedule+0x1409/0x43f0 kernel/sched/core.c:6606\n  schedule+0xc3/0x190 kernel/sched/core.c:6682\n  rwsem_down_write_slowpath+0xfcf/0x14a0 kernel/locking/rwsem.c:1190\n  nilfs_transaction_lock+0x25c/0x4f0 fs/nilfs2/segment.c:357\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2486 [inline]\n  nilfs_segctor_thread+0x52f/0x1140 fs/nilfs2/segment.c:2570\n  kthread+0x270/0x300 kernel/kthread.c:376\n  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308\n  \u003c/TASK\u003e\n ...\n Call Trace:\n  \u003cTASK\u003e\n  folio_mark_accessed+0x51c/0xf00 mm/swap.c:515\n  __nilfs_get_page_block fs/nilfs2/page.c:42 [inline]\n  nilfs_grab_buffer+0x3d3/0x540 fs/nilfs2/page.c:61\n  nilfs_mdt_submit_block+0xd7/0x8f0 fs/nilfs2/mdt.c:121\n  nilfs_mdt_read_block+0xeb/0x430 fs/nilfs2/mdt.c:176\n  nilfs_mdt_get_block+0x12d/0xbb0 fs/nilfs2/mdt.c:251\n  nilfs_sufile_get_segment_usage_block fs/nilfs2/sufile.c:92 [inline]\n  nilfs_sufile_truncate_range fs/nilfs2/sufile.c:679 [inline]\n  nilfs_sufile_resize+0x7a3/0x12b0 fs/nilfs2/sufile.c:777\n  nilfs_resize_fs+0x20c/0xed0 fs/nilfs2/super.c:422\n  nilfs_ioctl_resize fs/nilfs2/ioctl.c:1033 [inline]\n  nilfs_ioctl+0x137c/0x2440 fs/nilfs2/ioctl.c:1301\n  ...\n\nThis fixes these issues by inserting appropriate minimum device size\nchecks or anti-underflow checks, depending on where the macro is used.",
  "id": "GHSA-rwq9-67rv-755x",
  "modified": "2024-12-31T21:30:45Z",
  "published": "2024-05-21T18:31:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52705"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0ee5ed0126a2211f7174492da2ca2c29f43755c5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2f7a1135b202977b82457adde7db6c390056863b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/52844d8382cd9166d708032def8905ffc3ae550f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/99b9402a36f0799f25feee4465bfa4b8dfa74b4d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a158782b56b070485d54d25fc9aaf2c8f3752205"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a8ef5109f93cea9933bbac0455d8c18757b3fcb4"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b96591e2c35c8b47db0ec816b5fc6cb8868000ff"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RX9G-96R8-M5G4

Vulnerability from github – Published: 2024-01-09 18:30 – Updated: 2024-01-09 18:30
VLAI
Details

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-21309"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-09T18:15:54Z",
    "severity": "HIGH"
  },
  "details": "Windows Kernel-Mode Driver Elevation of Privilege Vulnerability",
  "id": "GHSA-rx9g-96r8-m5g4",
  "modified": "2024-01-09T18:30:29Z",
  "published": "2024-01-09T18:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21309"
    },
    {
      "type": "WEB",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21309"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V24G-WPQ8-CWQX

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-06-30 03:36
VLAI
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()

The block_len read from the host-supplied NTB header is checked against ntb_max but has no lower bound. When block_len is smaller than opts->ndp_size, the bounds check of: ndp_index > (block_len - opts->ndp_size) will underflow producing a huge unsigned value that ndp_index can never exceed, defeating the check entirely.

The same underflow occurs in the datagram index checks against block_len - opts->dpe_size. With those checks neutered, a malicious USB host can choose ndp_index and datagram offsets that point past the actual transfer, and the skb_put_data() copies adjacent kernel memory into the network skb.

Fix this by rejecting block lengths that cannot hold at least the NTB header plus one NDP. This will make block_len - opts->ndp_size and block_len - opts->dpe_size both well-defined.

Commit 8d2b1a1ec9f5 ("CDC-NCM: avoid overflow in sanity checking") fixed a related class of issues on the host side of NCM.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-31617"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:40Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_ncm: validate minimum block_len in ncm_unwrap_ntb()\n\nThe block_len read from the host-supplied NTB header is checked against\nntb_max but has no lower bound. When block_len is smaller than\nopts-\u003endp_size, the bounds check of:\n\tndp_index \u003e (block_len - opts-\u003endp_size)\nwill underflow producing a huge unsigned value that ndp_index can never\nexceed, defeating the check entirely.\n\nThe same underflow occurs in the datagram index checks against block_len\n- opts-\u003edpe_size.  With those checks neutered, a malicious USB host can\nchoose ndp_index and datagram offsets that point past the actual\ntransfer, and the skb_put_data() copies adjacent kernel memory into the\nnetwork skb.\n\nFix this by rejecting block lengths that cannot hold at least the NTB\nheader plus one NDP.  This will make block_len - opts-\u003endp_size and\nblock_len - opts-\u003edpe_size both well-defined.\n\nCommit 8d2b1a1ec9f5 (\"CDC-NCM: avoid overflow in sanity checking\") fixed\na related class of issues on the host side of NCM.",
  "id": "GHSA-v24g-wpq8-cwqx",
  "modified": "2026-06-30T03:36:23Z",
  "published": "2026-04-24T15:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31617"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2026-31617"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461448"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/068a7f2749fff6462a0a908ec415b885fe430f50"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0f156bb5334e588034ca68ac2ee92b23f66e56e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1425655c2870054c3ab4712e2b6dbdd331597ada"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6762f8a95772265dd0c2ffe7f400493f3115b135"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74908b0318d1df1188457040b8714ff4d4b68126"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8757a2593631443648218244b9788e193ae0fdc1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8b3b7bd3c02f98634baaf36c7fc7ac915f6517ca"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8f993d30b95dc9557a8a96ceca11abed674c8acb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d58ba8f6546232f8414f396c189297dbee03f1a7"
    },
    {
      "type": "WEB",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-31617.json"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VC34-39Q2-M6Q3

Vulnerability from github – Published: 2026-04-22 19:18 – Updated: 2026-04-27 16:22
VLAI
Summary
nimiq-account: Vesting insufficient funds error can panic
Details

Impact

VestingContract::can_change_balance returns AccountError::InsufficientFunds when new_balance < min_cap, but it constructs the error using balance: self.balance - min_cap. Coin::sub panics on underflow, so if an attacker can reach a state where min_cap > balance, the node crashes while trying to return an error.

The min_cap > balance precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding total_amount without validating total_amount <= transaction.value (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.

Patches

The patch for this vulnerability is included as part of v1.3.0.

Workarounds

No known workarounds.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "nimiq-account"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34064"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T19:18:55Z",
    "nvd_published_at": "2026-04-22T20:16:40Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n`VestingContract::can_change_balance` returns `AccountError::InsufficientFunds` when `new_balance \u003c min_cap`, but it constructs the error using `balance: self.balance - min_cap`. `Coin::sub` panics on underflow, so if an attacker can reach a state where `min_cap \u003e balance`, the node crashes while trying to return an error.\n\nThe `min_cap \u003e balance` precondition is attacker-reachable because the vesting contract creation data (32-byte format) allows encoding `total_amount` without validating `total_amount \u003c= transaction.value` (the real contract balance). After creating such a vesting contract, the attacker can broadcast an outgoing transaction to trigger the panic during mempool admission and block processing.\n\n### Patches\n[The patch for this vulnerability](https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0) is included as part of [v1.3.0](https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0).\n\n### Workarounds\nNo known workarounds.",
  "id": "GHSA-vc34-39q2-m6q3",
  "modified": "2026-04-27T16:22:14Z",
  "published": "2026-04-22T19:18:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-vc34-39q2-m6q3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34064"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/pull/3658"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/commit/4d01946f0b3d6c6e31786f91cdfb3eb902908da0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nimiq/core-rs-albatross"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nimiq-account: Vesting insufficient funds error can panic"
}

GHSA-VCG5-3355-6JF2

Vulnerability from github – Published: 2022-02-25 00:00 – Updated: 2022-06-30 00:00
VLAI
Details

An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-0544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An integer underflow in the DDS loader of Blender leads to an out-of-bounds read, possibly allowing an attacker to read sensitive data using a crafted DDS image file. This flaw affects Blender versions prior to 2.83.19, 2.93.8 and 3.1.",
  "id": "GHSA-vcg5-3355-6jf2",
  "modified": "2022-06-30T00:00:42Z",
  "published": "2022-02-25T00:00:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0544"
    },
    {
      "type": "WEB",
      "url": "https://developer.blender.org/T94661"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/06/msg00021.html"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5176"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFHX-W4XW-3MWG

Vulnerability from github – Published: 2022-05-14 02:04 – Updated: 2022-05-14 02:04
VLAI
Details

Multiple Integer underflows in the geonet_print function in tcpdump 4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-8768"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-11-20T17:50:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple Integer underflows in the geonet_print function in tcpdump 4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame.",
  "id": "GHSA-vfhx-w4xw-3mwg",
  "modified": "2022-05-14T02:04:38Z",
  "published": "2022-05-14T02:04:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8768"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98766"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-02/msg00062.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/129156/tcpdump-4.6.2-Geonet-Denial-Of-Service.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2014/Nov/48"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/35359"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/534010/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/71155"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2433-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-VG32-CM75-RJR5

Vulnerability from github – Published: 2025-05-06 21:30 – Updated: 2025-05-06 21:30
VLAI
Details

Libxmp through 4.6.2 has a stack-based buffer overflow in depack_pha in loaders/prowizard/pha.c via a malformed Pha format tracker module in a .mod file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-191"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-05-06T20:15:27Z",
    "severity": "MODERATE"
  },
  "details": "Libxmp through 4.6.2 has a stack-based buffer overflow in depack_pha in loaders/prowizard/pha.c via a malformed Pha format tracker module in a .mod file.",
  "id": "GHSA-vg32-cm75-rjr5",
  "modified": "2025-05-06T21:30:48Z",
  "published": "2025-05-06T21:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libxmp/libxmp/issues/847"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GCatt-AS/CVE-2025-47256"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libxmp/libxmp/blob/ec22d1c7b93c8f681f8504a6c61c6f8a52458a10/src/loaders/prowizard/pha.c#L35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.