CWE-191
AllowedInteger Underflow (Wrap or Wraparound)
Abstraction: Base · Status: Draft
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
642 vulnerabilities reference this CWE, most recent first.
GHSA-J4R7-4685-8M4M
Vulnerability from github – Published: 2026-04-13 15:31 – Updated: 2026-07-14 15:31In the Linux kernel, the following vulnerability has been resolved:
net/x25: Fix overflow when accumulating packets
Add a check to ensure that x25_sock.fraglen does not overflow.
The fraglen also needs to be resetted when purging fragment_queue in
x25_clear_queues().
{
"affected": [],
"aliases": [
"CVE-2026-31417"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-13T14:16:11Z",
"severity": "HIGH"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be resetted when purging `fragment_queue` in\n`x25_clear_queues()`.",
"id": "GHSA-j4r7-4685-8m4m",
"modified": "2026-07-14T15:31:51Z",
"published": "2026-04-13T15:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31417"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-019113.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-082556.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/1734bd85c5e0a7a801295b729efb56b009cb8fc3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4e2d1bcef78d21247fe8fef13bc7ed95885df2b5"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/6e568835ea54a3e1d08e310e34f95d434e739477"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/798d613afb64b01a203f448fb0f43c37c6afe79d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8c92969c197b91c134be27dc3afb64ab468853a9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/96fc16370b0bceb289c7e0479bd0540b81e257aa"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/a1822cb524e89b4cd2cf0b82e484a2335496a6d9"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f953f11ccf4afe6feb635c08145f4240d9a6b544"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J7GW-XCVP-F76Q
Vulnerability from github – Published: 2024-07-16 12:30 – Updated: 2026-05-12 12:32In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix ia_size underflow
iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle.
Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().
{
"affected": [],
"aliases": [
"CVE-2022-48828"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-16T12:15:06Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix ia_size underflow\n\niattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and\nNFSv4 both define file size as an unsigned 64-bit type. Thus there\nis a range of valid file size values an NFS client can send that is\nalready larger than Linux can handle.\n\nCurrently decode_fattr4() dumps a full u64 value into ia_size. If\nthat value happens to be larger than S64_MAX, then ia_size\nunderflows. I\u0027m about to fix up the NFSv3 behavior as well, so let\u0027s\ncatch the underflow in the common code path: nfsd_setattr().",
"id": "GHSA-j7gw-xcvp-f76q",
"modified": "2026-05-12T12:32:03Z",
"published": "2024-07-16T12:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48828"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
},
{
"type": "WEB",
"url": "https://cert-portal.siemens.com/productcert/html/ssa-355557.html"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/d2211e6e34d0755f35e2f8c22d81999fa81cfc71"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J8GQ-JMQ2-28CW
Vulnerability from github – Published: 2023-12-05 12:30 – Updated: 2023-12-05 12:30An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-43628"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T12:15:43Z",
"severity": "MODERATE"
},
"details": "An integer overflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1~dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability.",
"id": "GHSA-j8gq-jmq2-28cw",
"modified": "2023-12-05T12:30:45Z",
"published": "2023-12-05T12:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43628"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1860"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1860"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JFCR-39Q8-HMPX
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05When processing subtitles format media file, KMPlayer version 2018.12.24.14 or lower doesn't check object size correctly, which leads to integer underflow then to memory out-of-bound read/write. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file.
{
"affected": [],
"aliases": [
"CVE-2019-9133"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-09T18:29:00Z",
"severity": "MODERATE"
},
"details": "When processing subtitles format media file, KMPlayer version 2018.12.24.14 or lower doesn\u0027t check object size correctly, which leads to integer underflow then to memory out-of-bound read/write. An attacker can exploit this issue by enticing an unsuspecting user to open a malicious file.",
"id": "GHSA-jfcr-39q8-hmpx",
"modified": "2022-05-13T01:05:21Z",
"published": "2022-05-13T01:05:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-9133"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4D55BLGBNWNIMNI5N57WDPAFQCUIM6XX"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT5HBIKH64YRZFFAPXGOTHIQJHSTQJF7"
},
{
"type": "WEB",
"url": "https://www.boho.or.kr/krcert/secNoticeView.do?bulletin_writing_sequence=34991"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JHF3-XXHW-2WPP
Vulnerability from github – Published: 2026-03-30 17:17 – Updated: 2026-03-31 18:50Impact
A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.
Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.17.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-git/go-git/v5"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.17.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34165"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T17:17:54Z",
"nvd_published_at": "2026-03-31T15:16:17Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nA vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.\n\nExploitation requires write access to the local repository\u0027s `.git` directory, it order to create or alter existing `.idx` files. \n\n### Patches\n\nUsers should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.\n\n### Credit\n\nThe go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.",
"id": "GHSA-jhf3-xxhw-2wpp",
"modified": "2026-03-31T18:50:40Z",
"published": "2026-03-30T17:17:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34165"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-git/go-git"
},
{
"type": "WEB",
"url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "go-git: Maliciously crafted idx file can cause asymmetric memory consumption"
}
GHSA-JJ4Q-6C47-CGGX
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2025-10-22 00:32Windows NTFS Elevation of Privilege Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-31956"
],
"database_specific": {
"cwe_ids": [
"CWE-191",
"CWE-269"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-08T23:15:00Z",
"severity": "HIGH"
},
"details": "Windows NTFS Elevation of Privilege Vulnerability",
"id": "GHSA-jj4q-6c47-cggx",
"modified": "2025-10-22T00:32:13Z",
"published": "2022-05-24T19:04:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31956"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31956"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31956"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJQX-M459-2X33
Vulnerability from github – Published: 2026-06-09 15:32 – Updated: 2026-06-09 15:32A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
{
"affected": [],
"aliases": [
"CVE-2026-11789"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T14:16:37Z",
"severity": "MODERATE"
},
"details": "A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.",
"id": "GHSA-jjqx-m459-2x33",
"modified": "2026-06-09T15:32:18Z",
"published": "2026-06-09T15:32:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11789"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-11789"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2485422"
},
{
"type": "WEB",
"url": "https://redhat.atlassian.net/browse/PSIRTSUPT-7600"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJVG-65V4-V3CQ
Vulnerability from github – Published: 2022-05-14 02:47 – Updated: 2024-10-21 18:30Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
{
"affected": [],
"aliases": [
"CVE-2015-8370"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2015-12-16T21:59:00Z",
"severity": "MODERATE"
},
"details": "Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an \"Off-by-two\" or \"Out of bounds overwrite\" memory error.",
"id": "GHSA-jjvg-65v4-v3cq",
"modified": "2024-10-21T18:30:44Z",
"published": "2022-05-14T02:47:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8370"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201512-03"
},
{
"type": "WEB",
"url": "http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173703.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174049.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00037.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00039.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00040.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00043.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00044.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00003.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/134831/Grub2-Authentication-Bypass.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-2623.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2015/Dec/69"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2015/dsa-3421"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2015/12/15/6"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/15/3"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/537115/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/79358"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1034422"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-2836-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JM36-7355-XC6R
Vulnerability from github – Published: 2025-10-23 12:31 – Updated: 2025-10-23 12:31In the Linux kernel, the following vulnerability has been resolved:
dmaengine: qcom: bam_dma: fix runtime PM underflow
Commit dbad41e7bb5f ("dmaengine: qcom: bam_dma: check if the runtime pm enabled") caused unbalanced pm_runtime_get/put() calls when the bam is controlled remotely. This commit reverts it and just enables pm_runtime in all cases, the clk_* functions already just nop when the clock is NULL.
Also clean up a bit by removing unnecessary bamclk null checks.
{
"affected": [],
"aliases": [
"CVE-2022-49650"
],
"database_specific": {
"cwe_ids": [
"CWE-191"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-26T07:01:40Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: qcom: bam_dma: fix runtime PM underflow\n\nCommit dbad41e7bb5f (\"dmaengine: qcom: bam_dma: check if the runtime pm enabled\")\ncaused unbalanced pm_runtime_get/put() calls when the bam is\ncontrolled remotely. This commit reverts it and just enables pm_runtime\nin all cases, the clk_* functions already just nop when the clock is NULL.\n\nAlso clean up a bit by removing unnecessary bamclk null checks.",
"id": "GHSA-jm36-7355-xc6r",
"modified": "2025-10-23T12:31:16Z",
"published": "2025-10-23T12:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49650"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/0ac9c3dd0d6fe293cd5044cfad10bec27d171e4e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/2f6ded79068cac8cff41d5d5632564165d98ee12"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/b702a1077b51fcb39507cc3bd39206f539319a96"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JM5C-RV3W-W83M
Vulnerability from github – Published: 2021-06-29 21:13 – Updated: 2025-01-30 14:38Impact
Denial-of-service (crash) during block processing
Details
Affected versions suffer from a vulnerability which can be exploited through the MULMOD operation, by specifying a modulo of 0: mulmod(a,b,0), causing a panic in the underlying library.
The crash was in the uint256 library, where a buffer underflowed.
if `d == 0`, `dLen` remains `0`
and https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index [-1].
The uint256 library was first merged in this commit, on 2020-06-08.
Exploiting this vulnerabilty would cause all vulnerable nodes to drop off the network.
The issue was brought to our attention through a bug report, showing a panic occurring on sync from genesis on the Ropsten network.
It was estimated that the least obvious way to fix this would be to merge the fix into uint256, make a new release of that library and then update the geth-dependency.
- https://github.com/holiman/uint256/releases/tag/v1.1.1 was made the same day,
- PR to address the issue: https://github.com/holiman/uint256/pull/80
- PR to update geth deps: https://github.com/ethereum/go-ethereum/pull/21368
Patches
Upgrade to v1.9.18 or higher
Workarounds
Not at this time
References
https://blog.ethereum.org/2020/11/12/geth_security_release/
For more information
If you have any questions or comments about this advisory: * Open an issue in go-ethereum * Email us at security@ethereum.org
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ethereum/go-ethereum"
},
"ranges": [
{
"events": [
{
"introduced": "1.9.16"
},
{
"fixed": "1.9.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/holiman/uint256"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0"
},
{
"fixed": "1.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-26242"
],
"database_specific": {
"cwe_ids": [
"CWE-125",
"CWE-191",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-21T21:50:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nDenial-of-service (crash) during block processing\n\n### Details\n\nAffected versions suffer from a vulnerability which can be exploited through the `MULMOD` operation, by specifying a modulo of `0`: `mulmod(a,b,0)`, causing a `panic` in the underlying library. \nThe crash was in the `uint256` library, where a buffer [underflowed](https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L442).\n\n\tif `d == 0`, `dLen` remains `0`\n\nand https://github.com/holiman/uint256/blob/4ce82e695c10ddad57215bdbeafb68b8c5df2c30/uint256.go#L451 will try to access index `[-1]`.\n\nThe `uint256` library was first merged in this [commit](https://github.com/ethereum/go-ethereum/commit/cf6674539c589f80031f3371a71c6a80addbe454), on 2020-06-08. \nExploiting this vulnerabilty would cause all vulnerable nodes to drop off the network. \n\nThe issue was brought to our attention through a [bug report](https://github.com/ethereum/go-ethereum/issues/21367), showing a `panic` occurring on sync from genesis on the Ropsten network.\n \nIt was estimated that the least obvious way to fix this would be to merge the fix into `uint256`, make a new release of that library and then update the geth-dependency.\n\n- https://github.com/holiman/uint256/releases/tag/v1.1.1 was made the same day, \n- PR to address the issue: https://github.com/holiman/uint256/pull/80 \n- PR to update geth deps: https://github.com/ethereum/go-ethereum/pull/21368 \n\n\n\n### Patches\n\nUpgrade to v1.9.18 or higher\n\n### Workarounds\n\nNot at this time\n\n### References\n\nhttps://blog.ethereum.org/2020/11/12/geth_security_release/\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [go-ethereum](https://github.com/ethereum/go-ethereum)\n* Email us at [security@ethereum.org](mailto:security@ethereum.org)\n",
"id": "GHSA-jm5c-rv3w-w83m",
"modified": "2025-01-30T14:38:53Z",
"published": "2021-06-29T21:13:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-jm5c-rv3w-w83m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26242"
},
{
"type": "WEB",
"url": "https://github.com/holiman/uint256/pull/80"
},
{
"type": "WEB",
"url": "https://github.com/ethereum/go-ethereum/commit/7163a6664ee664df81b9028ab3ba13b9d65a7196"
},
{
"type": "WEB",
"url": "https://github.com/holiman/uint256/commit/6785da6e3eea403260a5760029e722aa4ff1716d"
},
{
"type": "WEB",
"url": "https://blog.ethereum.org/2020/11/12/geth_security_release"
},
{
"type": "PACKAGE",
"url": "https://github.com/ethereum/go-ethereum"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2021-0103"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Denial of service in geth"
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.