CWE-190
AllowedInteger Overflow or Wraparound
Abstraction: Base · Status: Stable
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
3868 vulnerabilities reference this CWE, most recent first.
GHSA-X57C-56XP-XRPH
Vulnerability from github – Published: 2024-02-13 18:38 – Updated: 2024-02-13 18:38Microsoft Word Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-21379"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-13T18:15:55Z",
"severity": "HIGH"
},
"details": "Microsoft Word Remote Code Execution Vulnerability",
"id": "GHSA-x57c-56xp-xrph",
"modified": "2024-02-13T18:38:24Z",
"published": "2024-02-13T18:38:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21379"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21379"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X582-7573-343X
Vulnerability from github – Published: 2026-03-20 03:31 – Updated: 2026-03-20 15:31Integer overflow in Dawn in Google Chrome on Mac prior to 146.0.7680.153 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
{
"affected": [],
"aliases": [
"CVE-2026-4453"
],
"database_specific": {
"cwe_ids": [
"CWE-190",
"CWE-472"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-20T02:16:38Z",
"severity": "MODERATE"
},
"details": "Integer overflow in Dawn in Google Chrome on Mac prior to 146.0.7680.153 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)",
"id": "GHSA-x582-7573-343x",
"modified": "2026-03-20T15:31:11Z",
"published": "2026-03-20T03:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4453"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop_18.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/488400770"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X58R-7627-PG7C
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30072"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:15:53Z",
"severity": "HIGH"
},
"details": "Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability",
"id": "GHSA-x58r-7627-pg7c",
"modified": "2024-06-11T18:30:49Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30072"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30072"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X59Q-66Q3-MMF8
Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2024-04-04 02:50In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library's heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis.
{
"affected": [],
"aliases": [
"CVE-2020-11939"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-04-23T15:15:00Z",
"severity": "CRITICAL"
},
"details": "In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KEXINIT integer overflows that result in a controlled remote heap overflow in concat_hash_string in ssh.c. Due to the granular nature of the overflow primitive and the ability to control both the contents and layout of the nDPI library\u0027s heap memory through remote input, this vulnerability may be abused to achieve full Remote Code Execution against any network inspection stack that is linked against nDPI and uses it to perform network traffic analysis.",
"id": "GHSA-x59q-66q3-mmf8",
"modified": "2024-04-04T02:50:05Z",
"published": "2022-05-24T17:16:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11939"
},
{
"type": "WEB",
"url": "https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202"
},
{
"type": "ADVISORY",
"url": "https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5FR-93XJ-6PP3
Vulnerability from github – Published: 2022-05-24 19:11 – Updated: 2022-05-24 19:11In OMA DRM, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05722434; Issue ID: ALPS05722434.
{
"affected": [],
"aliases": [
"CVE-2021-0627"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-18T15:15:00Z",
"severity": "MODERATE"
},
"details": "In OMA DRM, there is a possible memory corruption due to an integer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05722434; Issue ID: ALPS05722434.",
"id": "GHSA-x5fr-93xj-6pp3",
"modified": "2022-05-24T19:11:31Z",
"published": "2022-05-24T19:11:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-0627"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/August-2021"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X5GR-9MC7-WWFG
Vulnerability from github – Published: 2022-04-21 01:57 – Updated: 2023-02-02 15:30An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts.
{
"affected": [],
"aliases": [
"CVE-2010-4653"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-13T20:15:00Z",
"severity": "MODERATE"
},
"details": "An integer overflow condition in poppler before 0.16.3 can occur when parsing CharCodes for fonts.",
"id": "GHSA-x5gr-9mc7-wwfg",
"modified": "2023-02-02T15:30:40Z",
"published": "2022-04-21T01:57:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4653"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/cve-2010-4653"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=672165"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4653"
},
{
"type": "WEB",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4653"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201310-03.xml"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/45948"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-X5HW-CVGG-Q39Q
Vulnerability from github – Published: 2022-05-14 03:12 – Updated: 2022-05-14 03:12The mintToken function of a smart contract implementation for YAMBYO, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.
{
"affected": [],
"aliases": [
"CVE-2018-13675"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-09T06:29:00Z",
"severity": "HIGH"
},
"details": "The mintToken function of a smart contract implementation for YAMBYO, an Ethereum token, has an integer overflow that allows the owner of the contract to set the balance of an arbitrary user to any value.",
"id": "GHSA-x5hw-cvgg-q39q",
"modified": "2022-05-14T03:12:36Z",
"published": "2022-05-14T03:12:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-13675"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/blob/master/GEMCHAIN/mint%20integer%20overflow.md"
},
{
"type": "WEB",
"url": "https://github.com/BlockChainsSecurity/EtherTokens/tree/master/YAMBYO"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X5MV-8WGW-29HG
Vulnerability from github – Published: 2026-06-18 15:05 – Updated: 2026-06-18 15:05- Component:
tract-nnef(nnef/src/tensors.rs::read_tensor) +tract-data(data/src/tensor.rs) - Affected versions:
< 0.21.16,0.22.0–0.22.2,0.23.0–0.23.1— the denseDatLoaderpath was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 (integer overflow) → CWE-125 (out-of-bounds read)
- Trigger: loading a crafted NNEF model archive (
*.nnef.tgz/*.nnef.tar/ dir) via the publictract_nnef::nnef().model_for_path/model_for_read - Impact:
read_tensorreturns a memory-unsafe tensor (reportedlen2^61 over a 56-byte heap allocation). Always-on primitive: a bounded heap out-of-bounds read during model build (as_uniform), an adjacent-heap information-disclosure reachable via the public load API. The resulting slice is an unsoundfrom_raw_parts(ptr, 2^61)that SIGSEGVs (DoS) on any access past the mapped region (demonstrated by direct access). No out-of-bounds write and no RCE were achieved — tract's const-folding/as_uniformfast-paths fold simple consuming graphs without the full read. - Severity: Medium
Summary
read_tensor builds a tensor shape from attacker-controlled 32-bit dimensions and computes the element count len = product(shape) and the byte allocation product(shape) * size_of(dt) with unchecked usize arithmetic. In --release (no overflow-checks), both products wrap modulo 2^64. An attacker chooses dimensions so that the wrapped products collapse to a small value that satisfies the header consistency check, while the true element count remains astronomically large. read_tensor returns Ok with a Tensor whose reported len (e.g. 2^61+7) is far larger than its backing heap allocation (e.g. 56 bytes). The unchecked slice accessor as_slice_unchecked (from_raw_parts(ptr, self.len)) then produces a slice spanning ~18 exabytes over a 56-byte buffer. The out-of-bounds read fires automatically during model build (no inference required), reachable through the default DatLoader resource loader.
Root cause
nnef/src/tensors.rs, read_tensor:
let shape: TVec<usize> = header.dims[0..header.rank as usize].iter().map(|d| *d as _).collect();
let len = shape.iter().product::<usize>(); // (1) unchecked, wraps
...
} else if header.bits_per_item != u32::MAX
&& len * (header.bits_per_item as usize / 8) != header.data_size_bytes as usize // (2) wrapped == u32
{
bail!(...);
}
...
let mut tensor = unsafe { Tensor::uninitialized_dt(dt, &shape)? }; // (3) alloc off the same wrapped product
...
reader.read_exact(plain.as_bytes_mut())?; // storage-bounded read, no overflow here
Ok(tensor)
data/src/tensor.rs, uninitialized_aligned_dt:
let bytes = shape.iter().cloned().product::<usize>() * dt.size_of(); // (3) wraps to the same small value
let storage = ... Blob::new_for_size_and_align(bytes, alignment) ...;
...
tensor.update_strides_and_len(); // len = product(shape), wraps, no clamp
The three quantities — the consistency-check LHS (2), the allocation (3), and the reported len — are all the same wrapped product(shape)*size_of, so they stay mutually consistent and the consistency check at (2) cannot catch the overflow. data_size_bytes is a u32, so the attacker simply sets it to the wrapped value.
Corruption sink — data/src/tensor.rs::as_slice_unchecked (and data/src/tensor/plain_view.rs::as_slice_unchecked):
if self.storage.byte_len() == 0 { &[] }
else { std::slice::from_raw_parts(self.as_ptr_unchecked(), self.len()) } // len = 2^61 over a 56-byte alloc
The only guard is byte_len() == 0. A small non-zero allocation defeats it and yields an unsound oversized slice.
Witness (F64)
dims = [33955849, 7005787, 359, 3, 3, 3] (rank 6, each <= u32::MAX)
product(shape)= 2_305_843_009_213_693_959 = 2^61 + 7
bits_per_item = 64 (F64), item_type = 0, item_type_vendor = 0
data_size_bytes = 56 # == (2^61+7)*8 mod 2^64
len * (bits/8) mod 2^64 = (2^61+7)*8 mod 2^64 = 56 == data_size_bytes→ consistency check passes.- allocation =
(2^61+7)*8 mod 2^64 = 56bytes (7 × F64). - reported
len=2^61+7elements.
Only the is_copy() numeric arms (F16/F32/F64/int, and likely the complex arms) are exploitable. F64 is the cleanest (bits/8 divides evenly). The bool, String, and block-quant paths are each guarded by an independent mechanism (size_of==1 prevents byte/element divergence; String bails on a missing num_traits::Zero impl; block-quant has its own ensure!(expected_len == data_size_bytes) and uses non-plain Exotic storage).
Reachability (load-time, public API)
nnef().model_for_read(tar)
-> proto_model_for_read nnef/src/framework.rs:303
-> DatLoader.try_load (any *.dat) nnef/src/resource.rs:97 (default loader, framework.rs:33)
-> read_tensor -> Ok(Tensor{len=2^61+7, storage=56B}) nnef/src/tensors.rs:61
-> into_typed_model -> variable() fragment nnef/src/ops/nnef/deser.rs:74
ensure!(tensor.shape() == &*shape) deser.rs:122 (attacker matches shape in graph.nnef -> passes)
-> Const::new -> wire_node core/src/model/typed.rs:67
-> Const::output_facts core/src/ops/konst.rs:54
-> TypedFact::try_from core/src/model/fact.rs:459
-> Tensor::as_uniform -> is_uniform_t::<f64> data/src/tensor.rs:1099
-> as_slice_unchecked::<f64> data/src/tensor.rs:1044
-> from_raw_parts(ptr, 2^61+7) over 56-byte buffer -> OOB READ
No shape-vs-storage re-validation exists anywhere on this path (proto.validate() checks only the AST; Const::new checks only is_plain; check_for_access checks only the datum type; even the safe PlainView::as_slice does from_raw_parts(ptr, self.len) with no length guard).
Execution (proof of concept)
Reproduced against the crate at the affected revision, --release, x86_64-linux. Three scenarios:
- Direct
read_tensor— feed the crafted 128-byte header + 56-byte payload: read_tensor -> Ok,shape=[33955849,7005787,359,3,3,3],len()=2305843009213693959,as_bytes().len()=56,as_slice::<f64>().len()=2305843009213693959.s[7](first element past the 56-byte allocation) returns0x0000000000000041→ heap OOB read (adjacent-heap disclosure).s[1<<40]→ SIGSEGV (signal 11).- Public load API — build a malicious
.nnef.tar(graph.nnefwithvariable(label='weights', shape=[...])+weights.dat) and callnnef().model_for_read(): - returns
Okwith oneConstnode,out[0].fact.uniform=Some(...),len()=2305843009213693959over a 56-byte buffer → confirmsas_uniform/is_uniform_t/as_slice_uncheckedperformed an OOB read on load (bounded over-read here becauseis_uniform's.all()short-circuits on the uniform0x41payload). - Optimized graph — same archive but the const is consumed (
output = mul(weights, weights)), theninto_optimized/run: - Does not crash. With both a uniform (
0x41×56) and a non-uniform (0..56) payload,into_optimizedconst-foldsmul(const, const)to a single node without a full-length materialization of the oversized const, andruncompletes. A reliable arbitrary-length crash through a normal optimized graph was therefore NOT demonstrated; the always-on primitive is the bounded load-time over-read (scenario 2), and the wild-slice SIGSEGV is shown via direct access (scenario 1).
Runnable PoC sources are available to the maintainers on request.
Detection
- Static: flag
*.iter().product::<usize>()over externally-controlled dimensions withoutchecked_*/try_into, especially when the result feeds an allocation and a separately-trackedlen. - Runtime / fleet: crash telemetry showing SIGSEGV inside
is_uniform_t/from_raw_partsduring NNEF model load; an ASAN build flagsheap-buffer-overflow READinread_tensor→as_uniform. - Input filter (compensating): reject NNEF
.dattensors whereproduct(dims)overflowsu64, or whereproduct(dims) * size_of(dt) != data_size_bytescomputed in checked arithmetic, before constructing the tensor. - YARA-ish heuristic for
.datblobs: NNEF magic4E EF 01 00,rank<=8, and anydim >= 0x10000whose checked product with the others overflows.
Mitigation (suggested fix)
In read_tensor, compute the element count and byte size with checked arithmetic and reject on overflow, mirroring the guard already present on the block-quant path (ensure!(expected_len == data_size_bytes) added in eacd13ccb):
let len = shape.iter().try_fold(1usize, |a, &d| a.checked_mul(d))
.context("tensor shape product overflows usize")?;
let byte_size = len.checked_mul(dt.size_of())
.context("tensor byte size overflows usize")?;
ensure!(byte_size == header.data_size_bytes as usize, "shape/len vs data_size_bytes mismatch");
Defense in depth: make Tensor::uninitialized_aligned_dt reject when product(shape)*size_of overflows, and add a len * size_of == storage.byte_len() invariant check in the as_slice* accessors (or at Tensor construction) so a len/storage mismatch can never reach from_raw_parts.
Mapping: CWE-190, CWE-125; mitigations align with input validation (OWASP ASVS V5) and safe integer handling (CERT INT32-C analogue).
Prior art / why this is not already fixed
eacd13ccb(2026-03-23, "Add blob-size validation to BlockQuantStorage constructors") added overflow/blob-size validation only to the block-quant path; the denseDatLoader/read_tensorpath was left unguarded. The maintainers fixed the sibling and missed this one.- PR #745 ("Fix UB by creating uninit Tensors with a non-null pointer") is a different UB (null base pointer on zero-length slices) in the same module family.
- No CVE / RustSec / GHSA / OSV / Huntr entry matches this bug; last change to
nnef/src/tensors.rspredates HEAD and added no overflow guard to the dense path.
Reported by: s1ko (s1ko@riseup.net · github.com/s1ko)
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "tract-nnef"
},
"ranges": [
{
"events": [
{
"introduced": "0.23.0"
},
{
"fixed": "0.23.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "tract-nnef"
},
"ranges": [
{
"events": [
{
"introduced": "0.22.0"
},
{
"fixed": "0.22.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "crates.io",
"name": "tract-nnef"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.21.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55093"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T15:05:23Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "- **Component:** `tract-nnef` (`nnef/src/tensors.rs::read_tensor`) + `tract-data` (`data/src/tensor.rs`)\n- **Affected versions:** `\u003c 0.21.16`, `0.22.0`\u2013`0.22.2`, `0.23.0`\u2013`0.23.1` \u2014 the dense `DatLoader` path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1\n- **Class:** CWE-190 (integer overflow) \u2192 CWE-125 (out-of-bounds read)\n- **Trigger:** loading a crafted NNEF model archive (`*.nnef.tgz` / `*.nnef.tar` / dir) via the public `tract_nnef::nnef().model_for_path` / `model_for_read`\n- **Impact:** `read_tensor` returns a memory-unsafe tensor (reported `len` 2^61 over a 56-byte heap allocation). Always-on primitive: a **bounded heap out-of-bounds read** during model build (`as_uniform`), an adjacent-heap information-disclosure reachable via the public load API. The resulting slice is an unsound `from_raw_parts(ptr, 2^61)` that **SIGSEGVs (DoS)** on any access past the mapped region (demonstrated by direct access). No out-of-bounds write and no RCE were achieved \u2014 tract\u0027s const-folding/`as_uniform` fast-paths fold simple consuming graphs without the full read.\n- **Severity:** Medium\n\n## Summary\n\n`read_tensor` builds a tensor `shape` from attacker-controlled 32-bit dimensions and computes the element count `len = product(shape)` and the byte allocation `product(shape) * size_of(dt)` with **unchecked `usize` arithmetic**. In `--release` (no `overflow-checks`), both products wrap modulo 2^64. An attacker chooses dimensions so that the wrapped products collapse to a small value that satisfies the header consistency check, while the *true* element count remains astronomically large. `read_tensor` returns `Ok` with a `Tensor` whose reported `len` (e.g. 2^61+7) is far larger than its backing heap allocation (e.g. 56 bytes). The unchecked slice accessor `as_slice_unchecked` (`from_raw_parts(ptr, self.len)`) then produces a slice spanning ~18 exabytes over a 56-byte buffer. The out-of-bounds read fires automatically during model build (no inference required), reachable through the default `DatLoader` resource loader.\n\n## Root cause\n\n`nnef/src/tensors.rs`, `read_tensor`:\n\n```\nlet shape: TVec\u003cusize\u003e = header.dims[0..header.rank as usize].iter().map(|d| *d as _).collect();\nlet len = shape.iter().product::\u003cusize\u003e(); // (1) unchecked, wraps\n...\n} else if header.bits_per_item != u32::MAX\n \u0026\u0026 len * (header.bits_per_item as usize / 8) != header.data_size_bytes as usize // (2) wrapped == u32\n{\n bail!(...);\n}\n...\nlet mut tensor = unsafe { Tensor::uninitialized_dt(dt, \u0026shape)? }; // (3) alloc off the same wrapped product\n...\nreader.read_exact(plain.as_bytes_mut())?; // storage-bounded read, no overflow here\nOk(tensor)\n```\n\n`data/src/tensor.rs`, `uninitialized_aligned_dt`:\n\n```\nlet bytes = shape.iter().cloned().product::\u003cusize\u003e() * dt.size_of(); // (3) wraps to the same small value\nlet storage = ... Blob::new_for_size_and_align(bytes, alignment) ...;\n...\ntensor.update_strides_and_len(); // len = product(shape), wraps, no clamp\n```\n\nThe three quantities \u2014 the consistency-check LHS `(2)`, the allocation `(3)`, and the reported `len` \u2014 are all the same wrapped `product(shape)*size_of`, so they stay mutually consistent and **the consistency check at `(2)` cannot catch the overflow**. `data_size_bytes` is a `u32`, so the attacker simply sets it to the wrapped value.\n\nCorruption sink \u2014 `data/src/tensor.rs::as_slice_unchecked` (and `data/src/tensor/plain_view.rs::as_slice_unchecked`):\n\n```\nif self.storage.byte_len() == 0 { \u0026[] }\nelse { std::slice::from_raw_parts(self.as_ptr_unchecked(), self.len()) } // len = 2^61 over a 56-byte alloc\n```\n\nThe only guard is `byte_len() == 0`. A small **non-zero** allocation defeats it and yields an unsound oversized slice.\n\n## Witness (F64)\n\n```\ndims = [33955849, 7005787, 359, 3, 3, 3] (rank 6, each \u003c= u32::MAX)\nproduct(shape)= 2_305_843_009_213_693_959 = 2^61 + 7\nbits_per_item = 64 (F64), item_type = 0, item_type_vendor = 0\ndata_size_bytes = 56 # == (2^61+7)*8 mod 2^64\n```\n\n- `len * (bits/8) mod 2^64 = (2^61+7)*8 mod 2^64 = 56 == data_size_bytes` \u2192 consistency check passes.\n- allocation = `(2^61+7)*8 mod 2^64 = 56` bytes (7 \u00d7 F64).\n- reported `len` = `2^61+7` elements.\n\nOnly the `is_copy()` numeric arms (F16/F32/F64/int, and likely the `complex` arms) are exploitable. F64 is the cleanest (`bits/8` divides evenly). The `bool`, `String`, and block-quant paths are each guarded by an independent mechanism (size_of==1 prevents byte/element divergence; `String` bails on a missing `num_traits::Zero` impl; block-quant has its own `ensure!(expected_len == data_size_bytes)` and uses non-plain `Exotic` storage).\n\n## Reachability (load-time, public API)\n\n```\nnnef().model_for_read(tar)\n -\u003e proto_model_for_read nnef/src/framework.rs:303\n -\u003e DatLoader.try_load (any *.dat) nnef/src/resource.rs:97 (default loader, framework.rs:33)\n -\u003e read_tensor -\u003e Ok(Tensor{len=2^61+7, storage=56B}) nnef/src/tensors.rs:61\n -\u003e into_typed_model -\u003e variable() fragment nnef/src/ops/nnef/deser.rs:74\n ensure!(tensor.shape() == \u0026*shape) deser.rs:122 (attacker matches shape in graph.nnef -\u003e passes)\n -\u003e Const::new -\u003e wire_node core/src/model/typed.rs:67\n -\u003e Const::output_facts core/src/ops/konst.rs:54\n -\u003e TypedFact::try_from core/src/model/fact.rs:459\n -\u003e Tensor::as_uniform -\u003e is_uniform_t::\u003cf64\u003e data/src/tensor.rs:1099\n -\u003e as_slice_unchecked::\u003cf64\u003e data/src/tensor.rs:1044\n -\u003e from_raw_parts(ptr, 2^61+7) over 56-byte buffer -\u003e OOB READ\n```\n\nNo shape-vs-storage re-validation exists anywhere on this path (`proto.validate()` checks only the AST; `Const::new` checks only `is_plain`; `check_for_access` checks only the datum type; even the *safe* `PlainView::as_slice` does `from_raw_parts(ptr, self.len)` with no length guard).\n\n## Execution (proof of concept)\n\nReproduced against the crate at the affected revision, `--release`, x86_64-linux. Three scenarios:\n\n1. **Direct `read_tensor`** \u2014 feed the crafted 128-byte header + 56-byte payload:\n - `read_tensor -\u003e Ok`, `shape=[33955849,7005787,359,3,3,3]`, `len()=2305843009213693959`, `as_bytes().len()=56`, `as_slice::\u003cf64\u003e().len()=2305843009213693959`.\n - `s[7]` (first element past the 56-byte allocation) returns `0x0000000000000041` \u2192 **heap OOB read** (adjacent-heap disclosure).\n - `s[1\u003c\u003c40]` \u2192 **SIGSEGV** (signal 11).\n2. **Public load API** \u2014 build a malicious `.nnef.tar` (`graph.nnef` with `variable(label=\u0027weights\u0027, shape=[...])` + `weights.dat`) and call `nnef().model_for_read()`:\n - returns `Ok` with one `Const` node, `out[0].fact.uniform=Some(...)`, `len()=2305843009213693959` over a 56-byte buffer \u2192 confirms `as_uniform`/`is_uniform_t`/`as_slice_unchecked` performed an **OOB read on load** (bounded over-read here because `is_uniform`\u0027s `.all()` short-circuits on the uniform `0x41` payload).\n3. **Optimized graph** \u2014 same archive but the const is consumed (`output = mul(weights, weights)`), then `into_optimized` / `run`:\n - **Does not crash.** With both a uniform (`0x41\u00d756`) and a non-uniform (`0..56`) payload, `into_optimized` const-folds `mul(const, const)` to a single node **without a full-length materialization** of the oversized const, and `run` completes. A reliable arbitrary-length crash through a *normal optimized graph* was therefore NOT demonstrated; the always-on primitive is the bounded load-time over-read (scenario 2), and the wild-slice SIGSEGV is shown via direct access (scenario 1).\n\nRunnable PoC sources are available to the maintainers on request.\n\n## Detection\n\n- **Static:** flag `*.iter().product::\u003cusize\u003e()` over externally-controlled dimensions without `checked_*`/`try_into`, especially when the result feeds an allocation and a separately-tracked `len`.\n- **Runtime / fleet:** crash telemetry showing SIGSEGV inside `is_uniform_t` / `from_raw_parts` during NNEF model load; an ASAN build flags `heap-buffer-overflow READ` in `read_tensor`\u2192`as_uniform`.\n- **Input filter (compensating):** reject NNEF `.dat` tensors where `product(dims)` overflows `u64`, or where `product(dims) * size_of(dt) != data_size_bytes` computed in **checked** arithmetic, before constructing the tensor.\n- **YARA-ish heuristic for `.dat` blobs:** NNEF magic `4E EF 01 00`, `rank\u003c=8`, and any `dim \u003e= 0x10000` whose checked product with the others overflows.\n\n## Mitigation (suggested fix)\n\nIn `read_tensor`, compute the element count and byte size with checked arithmetic and reject on overflow, mirroring the guard already present on the block-quant path (`ensure!(expected_len == data_size_bytes)` added in `eacd13ccb`):\n\n```\nlet len = shape.iter().try_fold(1usize, |a, \u0026d| a.checked_mul(d))\n .context(\"tensor shape product overflows usize\")?;\nlet byte_size = len.checked_mul(dt.size_of())\n .context(\"tensor byte size overflows usize\")?;\nensure!(byte_size == header.data_size_bytes as usize, \"shape/len vs data_size_bytes mismatch\");\n```\n\nDefense in depth: make `Tensor::uninitialized_aligned_dt` reject when `product(shape)*size_of` overflows, and add a `len * size_of == storage.byte_len()` invariant check in the `as_slice*` accessors (or at `Tensor` construction) so a `len`/storage mismatch can never reach `from_raw_parts`.\n\nMapping: CWE-190, CWE-125; mitigations align with input validation (OWASP ASVS V5) and safe integer handling (CERT INT32-C analogue).\n\n## Prior art / why this is not already fixed\n\n- `eacd13ccb` (2026-03-23, \"Add blob-size validation to BlockQuantStorage constructors\") added overflow/blob-size validation **only to the block-quant path**; the dense `DatLoader`/`read_tensor` path was left unguarded. The maintainers fixed the sibling and missed this one.\n- PR #745 (\"Fix UB by creating uninit Tensors with a non-null pointer\") is a *different* UB (null base pointer on zero-length slices) in the same module family.\n- No CVE / RustSec / GHSA / OSV / Huntr entry matches this bug; last change to `nnef/src/tensors.rs` predates HEAD and added no overflow guard to the dense path.\n\n---\n\nReported by: s1ko (s1ko@riseup.net \u00b7 github.com/s1ko)",
"id": "GHSA-x5mv-8wgw-29hg",
"modified": "2026-06-18T15:05:23Z",
"published": "2026-06-18T15:05:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sonos/tract/security/advisories/GHSA-x5mv-8wgw-29hg"
},
{
"type": "PACKAGE",
"url": "https://github.com/sonos/tract"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load"
}
GHSA-X5QG-8P6P-Q42W
Vulnerability from github – Published: 2022-05-24 17:32 – Updated: 2022-05-24 17:32Integer overflow in SwiftShader in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2020-15975"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-03T03:15:00Z",
"severity": "HIGH"
},
"details": "Integer overflow in SwiftShader in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.",
"id": "GHSA-x5qg-8p6p-q42w",
"modified": "2022-05-24T17:32:51Z",
"published": "2022-05-24T17:32:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15975"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1110800"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/24QFL4C3AZKMFVL7LVSYMU2DNE5VVUGS"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4GWCWNHTTYOH6HSFUXPGPBB6J6JYZHZE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SC3U3H6AISVZB5PLZLLNF4HMQ4UFFL7M"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4824"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00016.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-X5VH-2F73-J7V4
Vulnerability from github – Published: 2022-05-14 03:00 – Updated: 2022-05-14 03:00Possible buffer overflow in msm_adsp_stream_callback_put due to lack of input validation of user-provided data that leads to integer overflow in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.
{
"affected": [],
"aliases": [
"CVE-2018-11304"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-06T19:29:00Z",
"severity": "HIGH"
},
"details": "Possible buffer overflow in msm_adsp_stream_callback_put due to lack of input validation of user-provided data that leads to integer overflow in all Android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the Linux kernel.",
"id": "GHSA-x5vh-2f73-j7v4",
"modified": "2022-05-14T03:00:35Z",
"published": "2022-05-14T03:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11304"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/pixel/2018-07-01#qualcomm-components"
},
{
"type": "WEB",
"url": "https://www.vulnerabilitycenter.com/#!vul=87338"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Mitigation MIT-3
Strategy: Language Selection
- Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- If possible, choose a language or compiler that performs automatic bounds checking.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Use libraries or frameworks that make it easier to handle numbers without unexpected consequences.
- Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [REF-106]
Mitigation MIT-8
Strategy: Input Validation
- Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range.
- Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Mitigation MIT-36
- Understand the programming language's underlying representation and how it interacts with numeric calculation (CWE-681). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [REF-7]
- Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Mitigation MIT-15
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Mitigation MIT-26
Strategy: Compilation or Build Hardening
Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
CAPEC-92: Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.