CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3870 vulnerabilities reference this CWE, most recent first.
GHSA-433F-RGXW-J2RJ
Vulnerability from github – Published: 2022-05-02 03:26 – Updated: 2025-04-09 04:16Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.
{
"affected": [],
"aliases": [
"CVE-2009-1570"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2009-11-13T15:30:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.",
"id": "GHSA-433f-rgxw-j2rj",
"modified": "2025-04-09T04:16:21Z",
"published": "2022-05-02T03:26:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2009-1570"
},
{
"type": "WEB",
"url": "https://bugzilla.gnome.org/show_bug.cgi?id=600484"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/54254"
},
{
"type": "WEB",
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8290"
},
{
"type": "WEB",
"url": "http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6\u0026id=df2b0aca2e7cdb95ebfd3454c65aaba0a83e9bbe"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/37232"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/50737"
},
{
"type": "WEB",
"url": "http://secunia.com/secunia_research/2009-42"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201209-23.xml"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/59930"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0837.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0838.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/507813/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/37006"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/3228"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2009/3564"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-436C-96VR-9JCQ
Vulnerability from github – Published: 2022-05-13 01:27 – Updated: 2022-05-13 01:27Integer overflow in the plist_from_bin function in bplist.c in libimobiledevice/libplist before 2017-04-19 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.
{
"affected": [],
"aliases": [
"CVE-2017-7982"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-04-20T14:59:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in the plist_from_bin function in bplist.c in libimobiledevice/libplist before 2017-04-19 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted plist file.",
"id": "GHSA-436c-96vr-9jcq",
"modified": "2022-05-13T01:27:28Z",
"published": "2022-05-13T01:27:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7982"
},
{
"type": "WEB",
"url": "https://github.com/libimobiledevice/libplist/issues/103"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/04/msg00002.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-43G7-CWR8-Q3JH
Vulnerability from github – Published: 2026-05-18 20:21 – Updated: 2026-06-09 10:58Summary
A remotely reachable integer overflow in OBI's memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as set, add, replace, append, prepend, or cas, OBI accepts extremely large <bytes> values and adds the payload delimiter length without checking for overflow. A crafted request with <bytes> set to math.MaxInt or math.MaxInt-1 causes the computed payload length to wrap negative and triggers a runtime panic in LargeBufferReader.Peek.
Details
The issue is in the memcached request parser at pkg/ebpf/common/memcached_detect_transform.go.
memcachedCommandBytesField parses the storage command <bytes> field with strconv.Atoi and only rejects negative values:
size, err := strconv.Atoi(string(fields[4]))
if err != nil || size < 0 {
return 0, false
}
Because there is no upper bound check, values up to math.MaxInt are accepted.
memcachedConsumeStoragePayload then computes the payload length by adding the trailing \r\n delimiter length:
payloadLen := bytesField + len(memcachedDelimBytes)
payload, err := r.Peek(payloadLen)
If bytesField is math.MaxInt or math.MaxInt-1, this addition overflows the signed int and produces a negative payloadLen.
That negative length is passed into LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go. Peek checks whether n > Remaining() but does not reject negative values before slicing:
if r.rchunk < len(r.lb.chunks) && r.roff+n <= len(r.lb.chunks[r.rchunk]) {
return r.lb.chunks[r.rchunk][r.roff : r.roff+n], nil
}
With a negative n, the slice expression uses a negative upper bound and causes a Go runtime panic. Since OBI runs as a privileged instrumentation process and parses observed memcached traffic, an attacker who can send crafted memcached storage commands to an instrumented service can crash OBI remotely.
Affected logic identified by the scan:
pkg/ebpf/common/memcached_detect_transform.go:322pkg/ebpf/common/memcached_detect_transform.go:386pkg/internal/largebuf/large_buffer.go:501
PoC
The repository already contains a runnable memcached fixture under internal/test/oats/memcached/. The steps below reproduce the crash using only files from this repository.
- From the repository root, start the checked-in memcached environment:
bash
docker compose \
-f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
up --build
This starts:
memcachedon port11211testserver, the Python app ininternal/test/integration/components/pythonmemcached/main.pyautoinstrumenter, the OBI process launched with--config=/configs/instrumenter-config-traces.yml
The relevant repo-local files are:
internal/test/oats/memcached/docker-compose-obi-python-memcached.yml-
internal/test/oats/memcached/configs/instrumenter-config-traces.yml -
In a second shell, confirm the environment is working:
bash
curl http://127.0.0.1:8080/memcached
- From the same repository root, send a crafted memcached storage command from inside the instrumented
testservercontainer. On 64-bit systems, use9223372036854775807(math.MaxInt):
bash
docker compose \
-f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
exec testserver \
python -c 'import socket; s=socket.create_connection(("memcached",11211), timeout=5); s.sendall(b"set crash 0 0 9223372036854775807\r\nvalue\r\n"); s.close()'
On 32-bit systems, replace 9223372036854775807 with 2147483647.
- OBI parses the request header, accepts the
<bytes>field as anint, and computes:
go
payloadLen = bytesField + len("\r\n")
-
That addition overflows negative and the negative
payloadLenis passed toLargeBufferReader.Peek, which slices with an invalid bound and panics. -
Confirm the crash by checking the
autoinstrumentercontainer status or logs:
bash
docker compose \
-f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
ps autoinstrumenter
bash
docker compose \
-f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
logs autoinstrumenter
The expected result is that the OBI process crashes with a panic originating from LargeBufferReader.Peek, with the call path including memcachedConsumeStoragePayload.
Impact
This is a remote denial-of-service vulnerability in OBI's memcached protocol parsing path.
Impacted deployments are those where:
- OBI is running with the vulnerable memcached parser, and
- OBI observes memcached text protocol traffic from applications or services that an attacker can reach or influence.
A successful attack does not require code execution or authentication against OBI itself. An attacker only needs to cause a vulnerable instrumented service to emit or receive a crafted memcached storage command. The result is a panic in OBI and loss of telemetry collection until the process is restarted.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.opentelemetry.io/obi"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.0"
},
{
"fixed": "0.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-45686"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:21:52Z",
"nvd_published_at": "2026-06-02T16:16:43Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA remotely reachable integer overflow in OBI\u0027s memcached text protocol parser can crash the OBI process and cause denial of service. When parsing memcached storage commands such as `set`, `add`, `replace`, `append`, `prepend`, or `cas`, OBI accepts extremely large `\u003cbytes\u003e` values and adds the payload delimiter length without checking for overflow. A crafted request with `\u003cbytes\u003e` set to `math.MaxInt` or `math.MaxInt-1` causes the computed payload length to wrap negative and triggers a runtime panic in `LargeBufferReader.Peek`.\n\n### Details\n\nThe issue is in the memcached request parser at `pkg/ebpf/common/memcached_detect_transform.go`.\n\n`memcachedCommandBytesField` parses the storage command `\u003cbytes\u003e` field with `strconv.Atoi` and only rejects negative values:\n\n```go\nsize, err := strconv.Atoi(string(fields[4]))\nif err != nil || size \u003c 0 {\n\treturn 0, false\n}\n```\n\nBecause there is no upper bound check, values up to `math.MaxInt` are accepted.\n\n`memcachedConsumeStoragePayload` then computes the payload length by adding the trailing `\\r\\n` delimiter length:\n\n```go\npayloadLen := bytesField + len(memcachedDelimBytes)\npayload, err := r.Peek(payloadLen)\n```\n\nIf `bytesField` is `math.MaxInt` or `math.MaxInt-1`, this addition overflows the signed `int` and produces a negative `payloadLen`.\n\nThat negative length is passed into `LargeBufferReader.Peek` in `pkg/internal/largebuf/large_buffer.go`. `Peek` checks whether `n \u003e Remaining()` but does not reject negative values before slicing:\n\n```go\nif r.rchunk \u003c len(r.lb.chunks) \u0026\u0026 r.roff+n \u003c= len(r.lb.chunks[r.rchunk]) {\n\treturn r.lb.chunks[r.rchunk][r.roff : r.roff+n], nil\n}\n```\n\nWith a negative `n`, the slice expression uses a negative upper bound and causes a Go runtime panic. Since OBI runs as a privileged instrumentation process and parses observed memcached traffic, an attacker who can send crafted memcached storage commands to an instrumented service can crash OBI remotely.\n\nAffected logic identified by the scan:\n\n- `pkg/ebpf/common/memcached_detect_transform.go:322`\n- `pkg/ebpf/common/memcached_detect_transform.go:386`\n- `pkg/internal/largebuf/large_buffer.go:501`\n\n### PoC\n\nThe repository already contains a runnable memcached fixture under `internal/test/oats/memcached/`. The steps below reproduce the crash using only files from this repository.\n\n1. From the repository root, start the checked-in memcached environment:\n\n ```bash\n docker compose \\\n -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n up --build\n ```\n\n This starts:\n\n - `memcached` on port `11211`\n - `testserver`, the Python app in `internal/test/integration/components/pythonmemcached/main.py`\n - `autoinstrumenter`, the OBI process launched with `--config=/configs/instrumenter-config-traces.yml`\n\n The relevant repo-local files are:\n\n - `internal/test/oats/memcached/docker-compose-obi-python-memcached.yml`\n - `internal/test/oats/memcached/configs/instrumenter-config-traces.yml`\n\n2. In a second shell, confirm the environment is working:\n\n ```bash\n curl http://127.0.0.1:8080/memcached\n ```\n\n3. From the same repository root, send a crafted memcached storage command from inside the instrumented `testserver` container. On 64-bit systems, use `9223372036854775807` (`math.MaxInt`):\n\n ```bash\n docker compose \\\n -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n exec testserver \\\n python -c \u0027import socket; s=socket.create_connection((\"memcached\",11211), timeout=5); s.sendall(b\"set crash 0 0 9223372036854775807\\r\\nvalue\\r\\n\"); s.close()\u0027\n ```\n\n On 32-bit systems, replace `9223372036854775807` with `2147483647`.\n\n4. OBI parses the request header, accepts the `\u003cbytes\u003e` field as an `int`, and computes:\n\n ```go\n payloadLen = bytesField + len(\"\\r\\n\")\n ```\n\n5. That addition overflows negative and the negative `payloadLen` is passed to `LargeBufferReader.Peek`, which slices with an invalid bound and panics.\n\n6. Confirm the crash by checking the `autoinstrumenter` container status or logs:\n\n ```bash\n docker compose \\\n -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n ps autoinstrumenter\n ```\n\n ```bash\n docker compose \\\n -f internal/test/oats/memcached/docker-compose-include-base.yml \\\n -f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \\\n logs autoinstrumenter\n ```\n\n The expected result is that the OBI process crashes with a panic originating from `LargeBufferReader.Peek`, with the call path including `memcachedConsumeStoragePayload`.\n\n### Impact\n\nThis is a remote denial-of-service vulnerability in OBI\u0027s memcached protocol parsing path.\n\nImpacted deployments are those where:\n\n- OBI is running with the vulnerable memcached parser, and\n- OBI observes memcached text protocol traffic from applications or services that an attacker can reach or influence.\n\nA successful attack does not require code execution or authentication against OBI itself. An attacker only needs to cause a vulnerable instrumented service to emit or receive a crafted memcached storage command. The result is a panic in OBI and loss of telemetry collection until the process is restarted.",
"id": "GHSA-43g7-cwr8-q3jh",
"modified": "2026-06-09T10:58:58Z",
"published": "2026-05-18T20:21:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/security/advisories/GHSA-43g7-cwr8-q3jh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45686"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation"
},
{
"type": "WEB",
"url": "https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation/releases/tag/v0.9.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "OpenTelemetry eBPF Instrumentation: Memcached payload length overflow can crash OBI"
}
GHSA-43MW-6W68-5PVW
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2025-04-12 12:39Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK & Compiler before 15.0.0.302 allows attackers to execute arbitrary code via unspecified vectors.
{
"affected": [],
"aliases": [
"CVE-2014-0569"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-10-15T10:55:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and OS X and before 11.2.202.411 on Linux, Adobe AIR before 15.0.0.293, Adobe AIR SDK before 15.0.0.302, and Adobe AIR SDK \u0026 Compiler before 15.0.0.302 allows attackers to execute arbitrary code via unspecified vectors.",
"id": "GHSA-43mw-6w68-5pvw",
"modified": "2025-04-12T12:39:38Z",
"published": "2022-05-13T01:05:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0569"
},
{
"type": "WEB",
"url": "http://helpx.adobe.com/security/products/flash-player/apsb14-22.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00002.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00013.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-10/msg00033.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1648.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/61980"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/70441"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1031019"
},
{
"type": "WEB",
"url": "http://www.zerodayinitiative.com/advisories/ZDI-14-365"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-43QX-5G4Q-QV73
Vulnerability from github – Published: 2022-05-14 03:03 – Updated: 2022-05-14 03:03The mintToken function of a smart contract implementation for ETHERCASH (ETC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13482"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for ETHERCASH (ETC), an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-43qx-5g4q-qv73",
"modified": "2022-05-14T03:03:34Z",
"published": "2022-05-14T03:03:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13482"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/ETHERCASH"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-43W4-9CV8-5G98
Vulnerability from github – Published: 2022-05-24 19:07 – Updated: 2022-05-24 19:07Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2020-22874"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-13T15:15:00Z",
"severity": "CRITICAL"
},
"details": "Integer overflow vulnerability in function Jsi_ObjArraySizer in jsish before 3.0.8, allows remote attackers to execute arbitrary code.",
"id": "GHSA-43w4-9cv8-5g98",
"modified": "2022-05-24T19:07:35Z",
"published": "2022-05-24T19:07:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-22874"
},
{
"type": "WEB",
"url": "https://github.com/pcmacdon/jsish/issues/5"
},
{
"type": "WEB",
"url": "https://github.com/pcmacdon/jsish/commit/858da537bde4de9d8c92466d5a866505310bc328"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-444W-XM89-R2P5
Vulnerability from github – Published: 2022-05-07 00:01 – Updated: 2022-05-07 00:01In versions of mruby up to and including 1.4.0, an integer overflow exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2018-10191"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-17T21:29:00Z",
"severity": "CRITICAL"
},
"details": "In versions of mruby up to and including 1.4.0, an integer overflow exists in src/vm.c::mrb_vm_exec() when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code.",
"id": "GHSA-444w-xm89-r2p5",
"modified": "2022-05-07T00:01:25Z",
"published": "2022-05-07T00:01:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10191"
},
{
"type": "WEB",
"url": "https://github.com/mruby/mruby/issues/3995"
},
{
"type": "WEB",
"url": "https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00006.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-4463-879Q-57JX
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-10-26 12:00An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.
{
"affected": [],
"aliases": [
"CVE-2021-23215"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T12:15:00Z",
"severity": "MODERATE"
},
"details": "An integer overflow leading to a heap-buffer overflow was found in the DwaCompressor of OpenEXR in versions before 3.0.1. An attacker could use this flaw to crash an application compiled with OpenEXR.",
"id": "GHSA-4463-879q-57jx",
"modified": "2022-10-26T12:00:32Z",
"published": "2022-05-24T19:04:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23215"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1947586"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2021/07/msg00001.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BXFLD4ZAXKAIWO6ZPBCQEEDZB5IG676K"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2022/dsa-5299"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-446W-Q44C-4XJ9
Vulnerability from github – Published: 2022-05-13 01:23 – Updated: 2022-05-13 01:23Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.
{
"affected": [],
"aliases": [
"CVE-2010-3067"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-09-21T18:00:00Z",
"severity": "MODERATE"
},
"details": "Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.",
"id": "GHSA-446w-q44c-4xj9",
"modified": "2022-05-13T01:23:37Z",
"published": "2022-05-13T01:23:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-3067"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=629441"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/61884"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=75e1c70fc31490ef8a373ea2a4bea2524099b478"
},
{
"type": "WEB",
"url": "http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75e1c70fc31490ef8a373ea2a4bea2524099b478"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00004.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2011-02/msg00002.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42778"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42801"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42890"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/43291"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/46397"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-2126"
},
{
"type": "WEB",
"url": "http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.36-rc4-next-20100915.bz2"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:257"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:029"
},
{
"type": "WEB",
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:051"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0758.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0779.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0839.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2011-0007.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/520102/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1000-1"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0012.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0012"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0298"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0375"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-448H-8RG5-XXVG
Vulnerability from github – Published: 2022-05-17 00:36 – Updated: 2022-05-17 00:36The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.
{
"affected": [],
"aliases": [
"CVE-2017-14745"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-09-26T16:29:00Z",
"severity": "HIGH"
},
"details": "The *_get_synthetic_symtab functions in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.29, interpret a -1 value as a sorting count instead of an error flag, which allows remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact via a crafted ELF file, related to elf32-i386.c and elf64-x86-64.c.",
"id": "GHSA-448h-8rg5-xxvg",
"modified": "2022-05-17T00:36:06Z",
"published": "2022-05-17T00:36:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-14745"
},
{
"type": "WEB",
"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=22148"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.