Common Weakness Enumeration

CWE-190

Allowed

Integer Overflow or Wraparound

Abstraction: Base · Status: Stable

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

3870 vulnerabilities reference this CWE, most recent first.

GHSA-433F-RGXW-J2RJ

Vulnerability from github – Published: 2022-05-02 03:26 – Updated: 2025-04-09 04:16
VLAI
Details

Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-1570"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-11-13T15:30:00Z",
    "severity": "HIGH"
  },
  "details": "Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.",
  "id": "GHSA-433f-rgxw-j2rj",
  "modified": "2025-04-09T04:16:21Z",
  "published": "2022-05-02T03:26:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1570"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.gnome.org/show_bug.cgi?id=600484"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54254"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8290"
    },
    {
      "type": "WEB",
      "url": "http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6\u0026id=df2b0aca2e7cdb95ebfd3454c65aaba0a83e9bbe"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/37232"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/50737"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/secunia_research/2009-42"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-201209-23.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/59930"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0837.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0838.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/507813/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/37006"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/3228"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/3564"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2010/1021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-436C-96VR-9JCQ

Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27
VLAI
Details

Integer overflow in the plist_from_bin function in bplist.c in libimobiledevice/libplist before 2017-04-19 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-7982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-20T14:59:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer overflow in the plist_from_bin function in bplist.c in libimobiledevice/libplist before 2017-04-19 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.",
  "id": "GHSA-436c-96vr-9jcq",
  "modified": "2022-05-13T01:27:28Z",
  "published": "2022-05-13T01:27:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7982"
    },
    {
      "type": "WEB",
      "url": "https://github.com/libimobiledevice/libplist/issues/103"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00002.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43G7-CWR8-Q3JH

Vulnerability from github – Published: 2026-05-18 20:21 – Updated: 2026-06-09 10:58
VLAI
Summary
OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI
Details

Summary

A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek.

Details

The issue is in the memcached request parser at pkg/ebpf/common/memcached_detect_transform.go.

memcachedCommandBytesField parses the storage command <bytes> field with strconv.Atoi and only rejects negative values:

size, err := strconv.Atoi(string(fields[4]))
if err != nil || size < 0 {
    return 0, false
}

Because there is no upper bound check, values up to math.MaxInt are accepted.

memcachedConsumeStoragePayload then computes the payload length by adding the trailing \r\n delimiter length:

payloadLen := bytesField + len(memcachedDelimBytes)
payload, err := r.Peek(payloadLen)

If bytesField is math.MaxInt or math.MaxInt-1, this addition overflows the signed int and produces a negative payloadLen.

That negative length is passed into LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go. Peek checks whether n > Remaining() but does not reject negative values before slicing:

if r.rchunk < len(r.lb.chunks) && r.roff+n <= len(r.lb.chunks[r.rchunk]) {
    return r.lb.chunks[r.rchunk][r.roff : r.roff+n], nil
}

With a negative n, the slice expression uses a negative upper bound and causes a Go runtime panic. Since OBI runs as a privileged instrumentation process and parses observed memcached traffic, an attacker who can send crafted memcached storage commands to an instrumented service can crash OBI remotely.

Affected logic identified by the scan:

  • pkg/ebpf/common/memcached_detect_transform.go:322
  • pkg/ebpf/common/memcached_detect_transform.go:386
  • pkg/internal/largebuf/large_buffer.go:501

PoC

The repository already contains a runnable memcached fixture under internal/test/oats/memcached/. The steps below reproduce the crash using only files from this repository.

  1. From the repository root, start the checked-in memcached environment:

bash docker compose \ -f internal/test/oats/memcached/docker-compose-include-base.yml \ -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \ up --build

This starts:

  • memcached on port 11211
  • testserver, the Python app in internal/test/integration/components/pythonmemcached/main.py
  • autoinstrumenter, the OBI process launched with --config=/configs/instrumenter-config-traces.yml

The relevant repo-local files are:

  • internal/test/oats/memcached/docker-compose-obi-python-memcached.yml
  • internal/test/oats/memcached/configs/instrumenter-config-traces.yml

  • In a second shell, confirm the environment is working:

bash curl http://127.0.0.1:8080/memcached

  1. From the same repository root, send a crafted memcached storage command from inside the instrumented testserver container. On 64-bit systems, use 9223372036854775807 (math.MaxInt):

bash docker compose \ -f internal/test/oats/memcached/docker-compose-include-base.yml \ -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \ exec testserver \ python -c 'import socket; s=socket.create_connection(("memcached",11211), timeout=5); s.sendall(b"set crash 0 0 9223372036854775807\r\nvalue\r\n"); s.close()'

On 32-bit systems, replace 9223372036854775807 with 2147483647.

  1. OBI parses the request header, accepts the <bytes> field as an int, and computes:

go payloadLen = bytesField + len("\r\n")

  1. That addition overflows negative and the negative payloadLen is passed to LargeBufferReader.Peek, which slices with an invalid bound and panics.

  2. Confirm the crash by checking the autoinstrumenter container status or logs:

bash docker compose \ -f internal/test/oats/memcached/docker-compose-include-base.yml \ -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \ ps autoinstrumenter

bash docker compose \ -f internal/test/oats/memcached/docker-compose-include-base.yml \ -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \ logs autoinstrumenter

The expected result is that the OBI process crashes with a panic originating from LargeBufferReader.Peek, with the call path including memcachedConsumeStoragePayload.

Impact

This is a remote denial-of-service vulnerability in OBI's memcached protocol parsing path.

Impacted deployments are those where:

  • OBI is running with the vulnerable memcached parser, and
  • OBI observes memcached text protocol traffic from applications or services that an attacker can reach or influence.

A successful attack does not require code execution or authentication against OBI itself. An attacker only needs to cause a vulnerable instrumented service to emit or receive a crafted memcached storage command. The result is a panic in OBI and loss of telemetry collection until the process is restarted.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/obi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45686"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:21:52Z",
    "nvd_published_at": "2026-06-02T16:16:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nA remotely reachable integer overflow in OBI\u0027s memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as `set`, `add`, `replace`, `append`, `prepend`, or `cas`, OBI accepts extremely large `\u003cbytes\u003e` values and adds the payload delimiter length without checking for overflow. A crafted request with `\u003cbytes\u003e` set to `math.MaxInt` or `math.MaxInt-1` causes the computed payload length to wrap negative and triggers a runtime panic in `LargeBufferReader.Peek`.\n\n### Details\n\nThe issue is in the memcached request parser at `pkg/ebpf/common/memcached_detect_transform.go`.\n\n`memcachedCommandBytesField` parses the storage command `\u003cbytes\u003e` field with `strconv.Atoi` and only rejects negative values:\n\n```go\nsize, err := strconv.Atoi(string(fields[4]))\nif err != nil || size \u003c 0 {\n\treturn 0, false\n}\n```\n\nBecause there is no upper bound check, values up to `math.MaxInt` are accepted.\n\n`memcachedConsumeStoragePayload` then computes the payload length by adding the trailing `\\r\\n` delimiter length:\n\n```go\npayloadLen := bytesField + len(memcachedDelimBytes)\npayload, err := r.Peek(payloadLen)\n```\n\nIf `bytesField` is `math.MaxInt` or `math.MaxInt-1`, this addition overflows the signed `int` and produces a negative `payloadLen`.\n\nThat negative length is passed into `LargeBufferReader.Peek` in `pkg/internal/largebuf/large_buffer.go`. `Peek` checks whether `n \u003e Remaining()` but does not reject negative values before slicing:\n\n```go\nif r.rchunk \u003c len(r.lb.chunks) \u0026\u0026 r.roff+n \u003c= len(r.lb.chunks[r.rchunk]) {\n\treturn r.lb.chunks[r.rchunk][r.roff : r.roff+n], nil\n}\n```\n\nWith a negative `n`, the slice expression uses a negative upper bound and causes a Go runtime panic. Since OBI runs as a privileged instrumentation process and parses observed memcached traffic, an attacker who can send crafted memcached storage commands to an instrumented service can crash OBI remotely.\n\nAffected logic identified by the scan:\n\n- `pkg/ebpf/common/memcached_detect_transform.go:322`\n- `pkg/ebpf/common/memcached_detect_transform.go:386`\n- `pkg/internal/largebuf/large_buffer.go:501`\n\n### PoC\n\nThe repository already contains a runnable memcached fixture under `internal/test/oats/memcached/`. The steps below reproduce the crash using only files from this repository.\n\n1. From the repository root, start the checked-in memcached environment:\n\n   ```bash\n   docker compose \\\n     -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n     -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n     up --build\n   ```\n\n   This starts:\n\n   - `memcached` on port `11211`\n   - `testserver`, the Python app in `internal/test/integration/components/pythonmemcached/main.py`\n   - `autoinstrumenter`, the OBI process launched with `--config=/configs/instrumenter-config-traces.yml`\n\n   The relevant repo-local files are:\n\n   - `internal/test/oats/memcached/docker-compose-obi-python-memcached.yml`\n   - `internal/test/oats/memcached/configs/instrumenter-config-traces.yml`\n\n2. In a second shell, confirm the environment is working:\n\n   ```bash\n   curl http://127.0.0.1:8080/memcached\n   ```\n\n3. From the same repository root, send a crafted memcached storage command from inside the instrumented `testserver` container. On 64-bit systems, use `9223372036854775807` (`math.MaxInt`):\n\n   ```bash\n   docker compose \\\n     -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n     -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n     exec testserver \\\n     python -c \u0027import socket; s=socket.create_connection((\"memcached\",11211), timeout=5); s.sendall(b\"set crash 0 0 9223372036854775807\\r\\nvalue\\r\\n\"); s.close()\u0027\n   ```\n\n   On 32-bit systems, replace `9223372036854775807` with `2147483647`.\n\n4. OBI parses the request header, accepts the `\u003cbytes\u003e` field as an `int`, and computes:\n\n   ```go\n   payloadLen = bytesField + len(\"\\r\\n\")\n   ```\n\n5. That addition overflows negative and the negative `payloadLen` is passed to `LargeBufferReader.Peek`, which slices with an invalid bound and panics.\n\n6. Confirm the crash by checking the `autoinstrumenter` container status or logs:\n\n   ```bash\n   docker compose \\\n     -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n     -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n     ps autoinstrumenter\n   ```\n\n   ```bash\n   docker compose \\\n     -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n     -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n     logs autoinstrumenter\n   ```\n\n   The expected result is that the OBI process crashes with a panic originating from `LargeBufferReader.Peek`, with the call path including `memcachedConsumeStoragePayload`.\n\n### Impact\n\nThis is a remote denial-of-service vulnerability in OBI\u0027s memcached protocol parsing path.\n\nImpacted deployments are those where:\n\n- OBI is running with the vulnerable memcached parser, and\n- OBI observes memcached text protocol traffic from applications or services that an attacker can reach or influence.\n\nA successful attack does not require code execution or authentication against OBI itself. An attacker only needs to cause a vulnerable instrumented service to emit or receive a crafted memcached storage command. The result is a panic in OBI and loss of telemetry collection until the process is restarted.",
  "id": "GHSA-43g7-cwr8-q3jh",
  "modified": "2026-06-09T10:58:58Z",
  "published": "2026-05-18T20:21:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-43g7-cwr8-q3jh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45686"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI"
}

GHSA-43MW-6W68-5PVW

Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2025-04-12 12:39
VLAI
Details

Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allows attackers to execute arbitrary code via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2014-0569"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-10-15T10:55:00Z",
    "severity": "HIGH"
  },
  "details": "Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK \u0026 Compiler before 15.0.0.302 allows attackers to execute arbitrary code via unspecified vectors.",
  "id": "GHSA-43mw-6w68-5pvw",
  "modified": "2025-04-12T12:39:38Z",
  "published": "2022-05-13T01:05:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0569"
    },
    {
      "type": "WEB",
      "url": "http://helpx.adobe.com/security/products/flash-player/apsb14-22.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2014-10/msg00033.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1648.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/61980"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/70441"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1031019"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-14-365"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-43QX-5G4Q-QV73

Vulnerability from github – Published: 2022-05-14 03:03 – Updated: 2022-05-14 03:03
VLAI
Details

The mintToken function of a smart contract implementation for ETHERCASH (ETC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-13482"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-09T06:29:00Z",
    "severity": "HIGH"
  },
  "details": "The mintToken function of a smart contract implementation for ETHERCASH (ETC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
  "id": "GHSA-43qx-5g4q-qv73",
  "modified": "2022-05-14T03:03:34Z",
  "published": "2022-05-14T03:03:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13482"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ETHERCASH"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43W4-9CV8-5G98

Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07
VLAI
Details

Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-22874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-13T15:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to execute arbitrary code.",
  "id": "GHSA-43w4-9cv8-5g98",
  "modified": "2022-05-24T19:07:35Z",
  "published": "2022-05-24T19:07:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22874"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pcmacdon/jsish/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pcmacdon/jsish/commit/858da537bde4de9d8c92466d5a866505310bc328"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-444W-XM89-R2P5

Vulnerability from github – Published: 2022-05-07 00:01 – Updated: 2022-05-07 00:01
VLAI
Details

In versions of mruby up to and including 1.4.0, an integer overflow exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-04-17T21:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "In versions of mruby up to and including 1.4.0, an integer overflow exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code.",
  "id": "GHSA-444w-xm89-r2p5",
  "modified": "2022-05-07T00:01:25Z",
  "published": "2022-05-07T00:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/issues/3995"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00006.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4463-879Q-57JX

Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00
VLAI
Details

An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-23215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190",
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-06-08T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.",
  "id": "GHSA-4463-879q-57jx",
  "modified": "2022-10-26T12:00:32Z",
  "published": "2022-05-24T19:04:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23215"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947586"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5299"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-446W-Q44C-4XJ9

Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23
VLAI
Details

Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-3067"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2010-09-21T18:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.",
  "id": "GHSA-446w-q44c-4xj9",
  "modified": "2022-05-13T01:23:37Z",
  "published": "2022-05-13T01:23:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3067"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=629441"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61884"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=75e1c70fc31490ef8a373ea2a4bea2524099b478"
    },
    {
      "type": "WEB",
      "url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75e1c70fc31490ef8a373ea2a4bea2524099b478"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42778"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42801"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/42890"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/43291"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/46397"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2010/dsa-2126"
    },
    {
      "type": "WEB",
      "url": "http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.36-rc4-next-20100915.bz2"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:257"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:029"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0758.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0779.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2010-0839.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1000-1"
    },
    {
      "type": "WEB",
      "url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0012"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0298"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2011/0375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-448H-8RG5-XXVG

Vulnerability from github – Published: 2022-05-17 00:36 – Updated: 2022-05-17 00:36
VLAI
Details

The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-14745"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-09-26T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
  "id": "GHSA-448h-8rg5-xxvg",
  "modified": "2022-05-17T00:36:06Z",
  "published": "2022-05-17T00:36:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
    },
    {
      "type": "WEB",
      "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22148"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.

Mitigation MIT-3
Requirements

Strategy: Language Selection

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
  • Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
  • Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Implementation

Strategy: Input Validation

  • Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
  • Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
Implementation
  • Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
  • Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
Architecture and Design

For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Mitigation MIT-26
Implementation

Strategy: Compilation or Build Hardening

Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.

CAPEC-92: Forced Integer Overflow

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.