Common Weakness Enumeration

CWE-681

Allowed

Incorrect Conversion between Numeric Types

Abstraction: Base · Status: Draft

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

126 vulnerabilities reference this CWE, most recent first.

GHSA-X4XQ-7W28-Q486

Vulnerability from github – Published: 2026-04-07 18:31 – Updated: 2026-04-08 15:31
VLAI
Details

Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4931"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-07T16:16:30Z",
    "severity": "MODERATE"
  },
  "details": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.",
  "id": "GHSA-x4xq-7w28-q486",
  "modified": "2026-04-08T15:31:43Z",
  "published": "2026-04-07T18:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4931"
    },
    {
      "type": "WEB",
      "url": "https://cvefeed.io/cwe/detail/cwe-681-incorrect-conversion-between-numeric-types"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MarginalProtocol"
    },
    {
      "type": "WEB",
      "url": "https://marginal.gitbook.io/docs"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@clarkcorrin/cve-2026-4931-how-spearbits-cantina-denied-a-critical-vulnerability-using-verifiably-false-0a27b92ac2db"
    },
    {
      "type": "WEB",
      "url": "https://scs.owasp.org/SCWE/SCSVS-CODE/SCWE-041"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X7GM-RFGV-W973

Vulnerability from github – Published: 2020-09-28 19:05 – Updated: 2024-09-16 22:10
VLAI
Summary
Potential DoS with NumberFilter conversion to integer values.
Details

Impact

Automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents.

Patches

Version 2.4.0+ applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances.

In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation.

Workarounds

Users may manually apply an equivalent validator if they are not able to upgrade.

For more information

If you have any questions or comments about this advisory: * Open an issue in the django-filter repo

Thanks to Marcin Waraksa for the report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "django-filter"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15225"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-28T19:04:39Z",
    "nvd_published_at": "2021-04-29T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAutomatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. \n\n### Patches\n\nVersion 2.4.0+ applies a `MaxValueValidator` with a a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. \n\nIn addition, `NumberFilter` implements the new `get_max_validator()` which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. \n\n### Workarounds\n\nUsers may manually apply an equivalent validator if they are not able to upgrade.  \n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [the django-filter repo](https://github.com/carltongibson/django-filter)\n\nThanks to Marcin Waraksa for the report. \n",
  "id": "GHSA-x7gm-rfgv-w973",
  "modified": "2024-09-16T22:10:02Z",
  "published": "2020-09-28T19:05:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15225"
    },
    {
      "type": "WEB",
      "url": "https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/carltongibson/django-filter"
    },
    {
      "type": "WEB",
      "url": "https://github.com/carltongibson/django-filter/releases/tag/2.4.0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django-filter/PYSEC-2021-64.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DPHENTRHRAYFXYPPBT7JRHZRWILRY44S"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAT2ZAEF6DM3VFSOHKB7X3ASSHGQHJAK"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SVJ7AYU6FUSU3F653YCGW5LFD3IULRSX"
    },
    {
      "type": "WEB",
      "url": "https://pypi.org/project/django-filter"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210604-0010"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Potential DoS with NumberFilter conversion to integer values."
}

GHSA-XHJJ-JG7J-PQRX

Vulnerability from github – Published: 2022-05-01 18:29 – Updated: 2024-02-02 03:30
VLAI
Details

Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-4988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-681"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-24T22:17:00Z",
    "severity": "MODERATE"
  },
  "details": "Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.",
  "id": "GHSA-xhjj-jg7j-pqrx",
  "modified": "2024-02-02T03:30:31Z",
  "published": "2022-05-01T18:29:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-4988"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/36737"
    },
    {
      "type": "WEB",
      "url": "https://issues.rpath.com/browse/RPL-1743"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9656"
    },
    {
      "type": "WEB",
      "url": "http://bugs.gentoo.org/show_bug.cgi?id=186030"
    },
    {
      "type": "WEB",
      "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=597"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26926"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27048"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27309"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27364"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27439"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/28721"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29786"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/36260"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200710-27.xml"
    },
    {
      "type": "WEB",
      "url": "http://studio.imagemagick.org/pipermail/magick-announce/2007-September/000037.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2009/dsa-1858"
    },
    {
      "type": "WEB",
      "url": "http://www.imagemagick.org/script/changelog.php"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:035"
    },
    {
      "type": "WEB",
      "url": "http://www.novell.com/linux/security/advisories/2007_23_sr.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0145.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/483572/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25765"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018729"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/usn-523-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3245"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XRQM-FPGR-6HHX

Vulnerability from github – Published: 2021-11-10 19:13 – Updated: 2024-11-13 21:48
VLAI
Summary
Overflow/crash in `tf.range`
Details

Impact

While calculating the size of the output within the tf.range kernel, there is a conditional statement of type int64 = condition ? int64 : double. Due to C++ implicit conversion rules, both branches of the condition will be cast to double and the result would be truncated before the assignment. This result in overflows:

import tensorflow as tf

tf.sparse.eye(num_rows=9223372036854775807, num_columns=None)

Similarly, tf.range would result in crashes due to overflows if the start or end point are too large.

import tensorflow as tf

tf.range(start=-1e+38, limit=1)

Patches

We have patched the issue in GitHub commits 6d94002a09711d297dbba90390d5482b76113899 (merging #51359) and 1b0e0ec27e7895b9985076eab32445026ae5ca94 (merging #51711).

The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

For more information

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

Attribution

This vulnerability has been reported externally via GitHub issue, GitHub issue and GitHub issue.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-cpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "tensorflow-gpu"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41202"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-08T22:47:54Z",
    "nvd_published_at": "2021-11-05T22:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nWhile calculating the size of the output within the `tf.range` kernel, there is a conditional statement of type `int64 = condition ? int64 : double`. Due to C++ implicit conversion rules, both branches of the condition will be cast to `double` and the result would be truncated before the assignment. This result in overflows:\n\n```python\nimport tensorflow as tf\n\ntf.sparse.eye(num_rows=9223372036854775807, num_columns=None)\n```\n  \nSimilarly, `tf.range` would result in crashes due to overflows if the start or end point are too large.\n\n```python\nimport tensorflow as tf\n\ntf.range(start=-1e+38, limit=1)\n```\n\n### Patches\nWe have patched the issue in GitHub commits [6d94002a09711d297dbba90390d5482b76113899](https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899) (merging [#51359](https://github.com/tensorflow/tensorflow/pull/51359)) and [1b0e0ec27e7895b9985076eab32445026ae5ca94](https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94) (merging [#51711](https://github.com/tensorflow/tensorflow/pull/51711)).\n\nThe fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.\n\n### For more information\nPlease consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.\n\n### Attribution\nThis vulnerability has been reported externally via [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46912), [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46899) and [GitHub issue](https://github.com/tensorflow/tensorflow/issues/46889).\n",
  "id": "GHSA-xrqm-fpgr-6hhx",
  "modified": "2024-11-13T21:48:29Z",
  "published": "2021-11-10T19:13:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/security/advisories/GHSA-xrqm-fpgr-6hhx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41202"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/issues/46889"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/issues/46912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/1b0e0ec27e7895b9985076eab32445026ae5ca94"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tensorflow/tensorflow/commit/6d94002a09711d297dbba90390d5482b76113899"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2021-612.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2021-810.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow/PYSEC-2021-395.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/tensorflow/tensorflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Overflow/crash in `tf.range`"
}

GHSA-XV5G-H355-J9V9

Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2022-12-01 00:30
VLAI
Details

Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-14842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-11-26T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Structured reply is a feature of the newstyle NBD protocol allowing the server to send a reply in chunks. A bounds check which was supposed to test for chunk offsets smaller than the beginning of the request did not work because of signed/unsigned confusion. If one of these chunks contains a negative offset then data under control of the server is written to memory before the read buffer supplied by the client. If the read buffer is located on the stack then this allows the stack return address from nbd_pread() to be trivially modified, allowing arbitrary code execution under the control of the server. If the buffer is located on the heap then other memory objects before the buffer can be overwritten, which again would usually lead to arbitrary code execution.",
  "id": "GHSA-xv5g-h355-j9v9",
  "modified": "2022-12-01T00:30:42Z",
  "published": "2022-05-24T17:02:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14842"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14842"
    },
    {
      "type": "WEB",
      "url": "https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-XXV6-GGG8-68MQ

Vulnerability from github – Published: 2022-05-24 22:33 – Updated: 2022-05-24 22:33
VLAI
Details

An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it’s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-28588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-681"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-05-10T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure vulnerability exists in the /proc/pid/syscall functionality of Linux Kernel 5.1 Stable and 5.4.66. More specifically, this issue has been introduced in v5.1-rc4 (commit 631b7abacd02b88f4b0795c08b54ad4fc3e7c7c0) and is still present in v5.10-rc4, so it\u2019s likely that all versions in between are affected. An attacker can read /proc/pid/syscall to trigger this vulnerability, which leads to the kernel leaking memory contents.",
  "id": "GHSA-xxv6-ggg8-68mq",
  "modified": "2022-05-24T22:33:56Z",
  "published": "2022-05-24T22:33:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28588"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Implementation

Avoid making conversion between numeric types. Always check for the allowed ranges.

No CAPEC attack patterns related to this CWE.