Integer Overflow
Integer overflow occurs when an arithmetic operation produces a result that exceeds the maximum value a given integer type can store.
How It Works
Integer overflow occurs when an arithmetic operation produces a result that exceeds the maximum value a given integer type can store. In C/C++, this causes the value to "wrap around" to a small number—for example, if a 32-bit unsigned integer at maximum value (4,294,967,295) has 1 added, it wraps to 0. Attackers exploit this by providing carefully crafted input values that, when used in calculations, produce unexpectedly small results.
The most dangerous scenario involves memory allocation. An attacker supplies large values that overflow during size calculations (often when adding header sizes, element counts, or alignment padding), producing a small allocation size. When the program later writes the originally intended large amount of data into this undersized buffer, a heap overflow occurs. For instance: size = user_count * sizeof(struct) + header might overflow if user_count is sufficiently large, resulting in malloc() allocating a tiny buffer that subsequent operations overflow.
Integer overflows also enable logic bypasses. Length checks can be circumvented when overflowed values appear to pass validation. Loop bounds may become incorrect, causing excessive iterations or premature termination. Signed integer overflow (technically undefined behavior in C/C++) can flip positive values to negative, bypassing security checks that assume non-negative numbers.
Impact
- Heap buffer overflow: Undersized allocations lead to memory corruption, enabling arbitrary code execution
- Authentication bypass: Overflowed counters or size checks may skip security validations
- Denial of service: Invalid memory operations cause crashes or infinite loops
- Information disclosure: Incorrect bounds allow reading beyond intended memory regions
- Privilege escalation: Combined with memory corruption, can compromise system integrity
Real-World Examples
The OpenSSH authentication bypass (CVE-2002-0639) involved an integer overflow in challenge-response handling where the number of responses could overflow, allowing authentication bypass. The overflow caused allocation of insufficient memory, which subsequent code exploited to execute arbitrary code.
ImageMagick suffered multiple integer overflow vulnerabilities (CVE-2016-3714 and related) where maliciously crafted image files with extreme dimension values caused size calculations to overflow. This resulted in small heap allocations followed by large writes, enabling remote code execution through image processing.
The Linux kernel's do_brk() function (CVE-2003-0961) contained an integer overflow when calculating memory region sizes. Attackers could wrap the size value to bypass length checks and map memory at arbitrary locations, achieving local privilege escalation.
Mitigation
- Safe arithmetic libraries: Use compiler intrinsics (
__builtin_add_overflow) or libraries (SafeInt, Rust's checked arithmetic) that detect overflow - Pre-calculation validation: Check that operands won't overflow before performing arithmetic operations
- Compiler protections: Enable
-ftrapv(GCC) or/RTCc(MSVC) to trap signed overflow; use UBSan for detection - Use larger types: Perform calculations in 64-bit integers when operands are 32-bit, verify result fits before casting down
- Input validation: Enforce maximum reasonable values on user input before arithmetic
- Modern languages: Use languages with overflow checking (Rust, Swift) or arbitrary precision integers (Python, Java BigInteger)
Recent CVEs (2759)
CAI Content Credentials is affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
CAI Content Credentials is affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Arbitrary code execution in Adobe Bridge arises from an integer overflow (CWE-190) triggered when a victim opens a maliciously crafted file, allowing an attacker to run code in the context of the current user. The flaw is local and requires user interaction, carrying a CVSS 7.8 (High) score. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Remote code execution in the Microsoft Windows Remote Desktop (RDP) component allows an unauthenticated attacker to run arbitrary code by triggering an integer overflow, but only when a victim is convinced to interact (per CVSS UI:R) - most consistent with a malicious RDP server coercing a connecting client. The flaw affects a broad range of supported Windows client and server releases from Windows Server 2012/Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; EPSS data was not provided.
Local privilege escalation in the Microsoft Windows Kernel allows an authenticated attacker to elevate to SYSTEM by triggering an integer overflow (CWE-190) in a kernel code path. The flaw affects a broad range of supported Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through Server 2025). Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis and no EPSS or KEV data supplied.
Privilege escalation in the Windows Remote Access Service (RRAS) Infrastructure allows an authenticated attacker to elevate privileges over the network by triggering an integer overflow (CWE-190) in affected code paths. The flaw affects a broad range of Windows 10, Windows 11, and Windows Server releases (2012 R2 through 2025), and Microsoft has released a patch. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the network-reachable EoP profile with only low privileges required makes it a meaningful patch priority.
Local code execution in Microsoft Windows Terminal (shipped on Windows 10 21H2/22H2, Windows 11 24H2/25H2/26H1, and Windows Server 2022/2025) arises from an integer overflow (CWE-190) that an unauthorized attacker can trigger, but only after luring a logged-on user into interacting with malicious content. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, so this is a defense-in-depth patch rather than an emergency, though the CVSS 7.8 reflects full confidentiality, integrity, and availability impact once triggered. Microsoft has released a patch via the MSRC update guide.
Local privilege escalation in the Windows NTFS file system driver allows an authenticated low-privileged user to gain SYSTEM-level rights by triggering an integer overflow (CWE-190) during filesystem processing. It affects a broad range of supported Windows client and server releases, from Windows 10 1607 and Server 2012 through Windows 11 26H1 and Server 2025. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; a vendor patch is available from Microsoft.
Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally.
Local code execution in Microsoft Word (and Office/SharePoint components that render Word content) stems from an integer overflow in the file-parsing path, letting an attacker who convinces a victim to open a crafted document run arbitrary code with the victim's privileges. It affects a broad Office footprint including Microsoft 365 Apps, Office 2019, Office LTSC 2021/2024, the macOS editions, and SharePoint Server 2016/2019/Subscription Edition. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the 7.8 CVSS and Word's ubiquity make it a routine priority patch.
Local code execution in Microsoft Excel (and the broader Office suite through Microsoft 365 Apps, Office 2019/2021/2024 LTSC, Office for Mac, and Office Online Server) arises from an integer underflow (CWE-191) in Excel's file parsing, letting an attacker run arbitrary code in the context of the user who opens a maliciously crafted spreadsheet. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R) shows no attacker privileges are needed but the victim must open the file, giving full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV; a vendor patch is available.
Local code execution in Microsoft Excel (spanning Microsoft 365 Apps for Enterprise, Excel 2016, Office 2019, Office LTSC 2021/2024, the macOS Office builds, and Office Online Server) arises from an integer overflow (CWE-190) triggered when the application parses a maliciously crafted spreadsheet. An unauthorized attacker who convinces a victim to open a booby-trapped file can run arbitrary code in the context of the current user, with full confidentiality, integrity, and availability impact per the 7.8 CVSS vector. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Integer overflow or wraparound in Microsoft Office allows an unauthorized attacker to disclose information locally.
Local privilege escalation in Windows Active Directory across a broad range of Windows client and server releases (Windows 10 1607 through Windows 11 26H1, and Windows Server 2012 through 2025) allows an authenticated local attacker to elevate privileges by triggering an integer overflow (CWE-190). Successful exploitation yields high confidentiality, integrity, and availability impact, effectively enabling escalation to SYSTEM-level control on the affected host. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV; Microsoft has issued a patch via MSRC.
Integer overflow or wraparound in Windows Devices Human Interface allows an authorized attacker to disclose information locally.
Integer underflow in the Windows Kernel enables a locally authenticated attacker to disclose sensitive kernel memory contents across a broad range of Windows 10, Windows 11, and Windows Server platforms. The CVSS vector (AV:L/AC:L/PR:L/UI:N) confirms that any low-privilege local user can trigger the flaw without special configuration or user interaction, yielding high confidentiality impact with no integrity or availability consequences. Microsoft has released a patch via the July 2026 Security Update Guide; no public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Integer overflow or wraparound in Windows Spaceport.sys allows an unauthorized attacker to elevate privileges with a physical attack.
Local code execution in the Microsoft Windows NTFS file-system driver lets an attacker run arbitrary code by inducing a victim to interact with a specially crafted NTFS artifact (e.g., a malicious volume, VHD, or file). The flaw stems from an integer underflow (CWE-191) and spans a broad range of Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10/11. Microsoft has released a patch; there is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local privilege escalation in the Windows Web Proxy Auto-Discovery Protocol (WPAD) component lets an already-authenticated local user run code with SYSTEM-level rights by triggering an integer overflow (CWE-190). The flaw affects a broad range of Windows client and server builds, from Windows 10 1809 through Windows 11 26H1 and Windows Server 2019 through 2025. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low attack complexity and high triad impact make it a meaningful patch-tier issue.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to execute code with a physical attack.
Elevation of privilege in the Windows Universal Disk Format File System driver (UDFS.sys) lets a low-privileged local user gain elevated (kernel/SYSTEM) rights after the victim mounts or opens a maliciously crafted UDF volume. The flaw stems from an integer arithmetic error (CWE-191) in the driver that parses UDF-formatted media such as ISO images, optical discs, and virtual disk files, and affects a broad range of Windows client and server releases from Windows Server 2012 and Windows 10 1607 through Windows 11 26H1 and Windows Server 2025. Microsoft reported the issue and has shipped a patch; there is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Information disclosure (and vendor-labeled privilege elevation) in the Windows DHCP Client affects Windows 10 (1607/1809), Windows Server 2012 through 2025, and their Server Core installations via an integer underflow (CWE-191) reachable over the network. A remote attacker positioned to answer DHCP traffic can craft malformed responses that wrap a length/counter calculation, with a CVSS 3.1 base of 7.5 (confidentiality impact only per the published vector). No public exploit is identified at time of analysis and it is not listed in CISA KEV, but Microsoft ships a patch.
Local code execution in Microsoft Defender (Microsoft Malware Protection Engine) allows an unauthorized attacker to run arbitrary code by having a maliciously crafted file processed by the scanning engine. The flaw stems from an integer overflow (CWE-190) that corrupts memory during scanning, yielding full confidentiality, integrity, and availability impact. Reported by Microsoft with a vendor patch available; no public exploit identified at time of analysis.
Local code execution in Microsoft Defender's Malware Protection Engine (mpengine) arises from an integer underflow (CWE-191) that a local attacker can trigger with no prior authentication but requiring user interaction, yielding high confidentiality, integrity, and availability impact. Because Defender's scanning engine runs with SYSTEM-level privileges, successful exploitation would grant full compromise of the host. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; Microsoft has released a fix.
Remote code execution in the Windows Reliable Multicast Transport Driver (RMCAST) lets an unauthenticated attacker on the same network segment run arbitrary code by triggering an integer underflow (CWE-191) during multicast message processing. All supported Windows client and server builds from Windows Server 2012 through Windows Server 2025 and Windows 10 1607 through Windows 11 26H1 are affected. There is no public exploit identified at time of analysis, but the CVSS 8.8 adjacent-network unauthenticated profile and Microsoft's own reporting make this a high-priority patch.
Local privilege escalation to code execution in the Windows Resilient File System (ReFS) driver affects a broad range of Windows 10/11 and Windows Server 2016 through 2025 releases, where an integer overflow (CWE-190) in filesystem processing lets an already-authenticated local user run arbitrary code in an elevated context. The CVSS 3.1 vector (AV:L/PR:L) confirms low-privileged local access is required rather than remote exploitation, and there is no public exploit identified at time of analysis. Microsoft has released a patch via MSRC.
Integer overflow or wraparound in Windows Storage Spaces Direct allows an unauthorized attacker to elevate privileges with a physical attack.
Denial of service (and potential memory corruption) in Python Pillow before 12.3.0 arises when public image coordinate APIs - Image.paste(), Image.crop(), and Image.alpha_composite() - are handed box coordinates near the signed 32-bit integer boundary (±2**31), causing a native heap out-of-bounds write in the C imaging core. Any application that forwards untrusted coordinate values into these calls can be crashed, and the OOB write raises the theoretical prospect of heap corruption. No public exploit identified at time of analysis; the fix (integer-overflow-safe int64_t arithmetic) shipped in 12.3.0.
Silently incorrect regular-expression matching in the Perl interpreter (all versions through 5.43.9) lets an oversized alternation of more than 65,535 fixed-string branches overflow a 16-bit delta field when the branches are optimized into a trie, truncating the match-decision table. The result is both false-positive and false-negative matches, so any Perl program that uses such a pattern to gate access or filter input can make wrong security decisions. There is no public exploit identified at time of analysis, though the fixing commit ships a deterministic reproducer test, and the flaw is not listed in CISA KEV.
Out-of-bounds heap read in the Perl interpreter (through version 5.43.10) lets an attacker who controls a pack or unpack template disclose adjacent heap memory back to the calling program. An unchecked integer overflow in S_measure_struct wraps the running size total negative, defeating the signed-length guards on the @, X, and x position codes and walking the buffer pointer outside its bounds. No public exploit is identified at time of analysis; the flaw was reported by CPANSec with vendor patches already committed upstream.
Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.
Integer overflow in gawk's do_sub() routine (builtin.c) enables heap metadata corruption on 32-bit builds, crashing the process. Affecting all gawk versions through 5.4.0 compiled for 32-bit architectures, this flaw was reported by CERT-PL and is limited exclusively to the availability domain - the CVSS 4.0 vector confirms no confidentiality or integrity impact. No public exploit code or active exploitation has been identified at time of analysis, and a patch commit is available upstream.
Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.
Local privilege escalation to SYSTEM in WinFsp (Windows File System Proxy) stems from an integer overflow (CWE-190) that a low-privileged local user can trigger to achieve system-level access on the host. The flaw crosses a privilege boundary (CVSS scope change) and is fixed in release v2.2B2. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so exploitation is theoretical but the SYSTEM-level impact makes it a meaningful local escalation risk.
Integer overflow in Samsung's open-source rlottie animation rendering library leads to buffer overflow, with high availability impact including potential crash or memory corruption. Exploitation requires local access, low privileges, user interaction, and high attack complexity, making this a lower-urgency finding despite the buffer overflow class. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog. The upstream fix is available as a GitHub pull request (#595), though a formally tagged patched release version has not been independently confirmed.
Remote memory corruption in the OpENer EtherNet/IP stack (2.3.0 master branch up to commit 76b95cf) stems from an integer underflow while parsing connected explicit messages via the SendUnitData encapsulation command, allowing network attackers to corrupt memory on the target device. The CVSS 3.1 score of 9.8 (AV:N/PR:N) indicates unauthenticated remote exploitation with full confidentiality, integrity, and availability impact. A public gist by researcher MrAlaskan and a filed GitHub issue accompany the disclosure, so publicly available exploit code exists, though EPSS is low (0.15%, 5th percentile) and it is not on the CISA KEV list.
Stack buffer overflow in the OpENer EtherNet/IP stack (version 2.3.0, commit 76b95cf) lets remote attackers corrupt memory by sending a crafted CIP network packet whose length field is truncated into a negative value, bypassing bounds checks in DecodePaddedEPath. The CVSS vector (AV:N/PR:N/UI:N) indicates unauthenticated remote reachability with high confidentiality and availability impact; no public exploit is identified at time of analysis (not in CISA KEV), though a referenced gist and GitHub issue suggest researcher analysis and possible proof-of-concept material exist. As an OT/ICS protocol stack, exploitation would most plausibly cause denial of service or memory disclosure on embedded industrial devices.
Denial of service in MikroTik RouterOS 7.21.x (before 7.21.4) and 7.22.x (before 7.22.2) allows a remote unauthenticated attacker to crash the core inter-process communication layer by triggering an integer overflow in the unflatten() function of the bundled libumsg.so library. Successfully exploiting it disrupts device availability without touching data confidentiality or integrity. There is no public exploit identified at time of analysis, though a third-party research blog documents the underlying integer overflow; EPSS is low at 0.20% (10th percentile).
Denial of service in Artifex jbig2dec (JBIG2 decoder, commit cc37d0) lets a remote attacker crash the decoder by supplying a crafted JBIG2 image that triggers an integer overflow in jbig2_arith_iaid_ctx_new(). Impact is availability-only (CVSS 7.5, A:H) with no data exposure or code execution indicated. There is no public exploit identified at time of analysis, though a researcher gist referenced by NVD may contain reproduction material; EPSS is low at 0.17% (6th percentile) and the flaw is not in CISA KEV.
Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)
Denial of service (with conditional memory corruption) in Das U-Boot bootloader versions through 2026.04-rc3 lets a network-adjacent attacker crash the device before the OS loads by returning a malformed TCP SYN+ACK to a connection U-Boot has initiated. Because the CVSS 4.0 vector (VA:H, no confidentiality/integrity impact) reflects an availability-only bug rooted in an integer underflow (CWE-191), the practical outcome is a bricked/failed boot; when CONFIG_LMB is disabled, the same underflow can corrupt memory. No public exploit identified at time of analysis; not listed in CISA KEV.
Denial of service in the Immutable.js JavaScript library (versions before 4.3.9 and 5.1.8) allows attackers who can influence an index or size value to crash or hang a Node.js/browser process. Passing a value between 2^30 and 2^31 to List#set, setSize, setIn, updateIn (or the functional equivalents) drives setListBounds into an uncatchable infinite loop on empty Lists, unbounded memory allocation until process abort on populated Lists, or a silent integer wrap on setSize. No public exploit code has been identified at time of analysis, and the flaw is not on the CISA KEV list; impact is availability-only.
Denial of service in Dell PowerProtect Data Domain (DDOS versions 7.7.1.0 through 8.7, plus LTS2026 8.6.1.0-8.6.1.10, LTS2025 8.3.1.0-8.3.1.30, and LTS2024 7.13.1.0-7.13.1.70) allows a remote, unauthenticated attacker to crash or hang the appliance by triggering an integer overflow (CWE-190). Per the CVSS vector (PR:N/UI:N), no authentication or user interaction is required, and the impact is confined to availability (C:N/I:N/A:H) - no data disclosure or code execution. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.
Integer underflow in the OpenWrt Emergency Access Daemon crashes the daemon when any unauthenticated attacker on the local network sends a single crafted UDP packet to it. Affected are all OpenWrt versions prior to v25.12.5. The CVSS adjacent-network vector (AV:A) constrains the attack surface to local or adjacent network segments, but within that context exploitation requires no credentials and no user interaction - a single malformed packet suffices. No public exploit code or CISA KEV listing has been identified at time of analysis; the patch is confirmed available in v25.12.5.
Heap buffer overflow in GNU Wget through 1.25.0 allows a remote server to corrupt client-side memory by serving a crafted HTML page containing attributes with a large number of characters requiring entity encoding. The flaw originates in the `html_quote_string()` function in `src/convert.c`, where a signed integer counter overflows during output size accumulation, causing an undersized heap allocation; the subsequent copy phase then writes beyond that buffer's bounds. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but the memory corruption class warrants patching, particularly in environments where wget is used to fetch content from untrusted servers.
Integer overflow in GNU Wget through 1.25.0 allows a malicious or compromised web server to corrupt client download sessions by supplying crafted Content-Range response headers. The parse_content_range() function in src/http.c performs signed integer arithmetic on server-supplied values without overflow guards, triggering undefined behavior under C's signed overflow rules and causing download desynchronization on the affected client. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code is known at time of analysis; real-world impact is bounded to availability disruption rather than host compromise based on current data.
Heap memory corruption in GIMP's PSD (Photoshop) file parser allows a malicious .psd image to overflow an integer in read_RLE_channel(), producing an undersized heap allocation for the RLE row-length table that is then overwritten row-by-row, potentially yielding denial of service or arbitrary code execution. The flaw affects GIMP as shipped across Red Hat Enterprise Linux 6 through 9 and is triggered when a victim opens or imports a crafted PSD file. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Integer overflow in GIMP's PlayStation TIM image loader crashes the plug-in when processing a maliciously crafted TIM file, resulting in denial of service. The flaw affects GIMP as packaged on Red Hat Enterprise Linux 6 through 9, where the TIM loader multiplies two 16-bit unsigned short values (num_colors × num_cluts) without bounds checking, producing a 32-bit overflow that corrupts CLUT size calculation and triggers an abort. No public exploit code has been identified at time of analysis, and exploitation requires user interaction to open a crafted file, limiting real-world impact to targeted social engineering scenarios.
Integer overflow in OP-TEE OS's AES-GCM implementation silently corrupts authentication tag computation when a single operation processes more than 512 megabytes of payload or Additional Authenticated Data (AAD), affecting all deployments running versions 3.0.0 through 4.10.x on Arm TrustZone platforms. The overflow causes the GHASH length counters to wrap, meaning the GCM authentication tag is derived from incorrect bit-length values - defeating AES-GCM's core integrity guarantee without any runtime error or exception. No public exploit has been identified at time of analysis, but the practical impact for systems using OP-TEE for high-value integrity assurance (DRM, secure key storage, attestation) is significant when large payloads traverse the TEE boundary.
Integer overflow in radare2's pb Print Command Handler affects all versions through 6.1.6, exploitable locally by a low-privileged user to crash the radare2 process. The flaw resides in the cmd_print function within libr/core/cmd_print.inc and results in availability impact only - no confidentiality or integrity loss is indicated. Publicly available exploit code exists per the GitHub issue tracker, though no active exploitation has been confirmed via CISA KEV.
Integer overflow in radare2's `r_str_word_get0set` function (libr/util/str.c) allows a local low-privileged attacker to crash the application on versions up to 6.1.6. The CWE-190 integer wraparound can produce a buffer overflow condition, degrading availability of the radare2 analysis session. A public proof-of-concept exists (GitHub issue #26047), though the vulnerability is not listed in CISA KEV and the CVSS 4.0 score of 1.9 reflects genuinely minimal real-world risk given its local-only, low-impact nature.
Denial of service in NATS Server (nats-io/nats-server) affects the HTTP monitoring endpoints /connz and /subsz, where attacker-controlled offset and limit pagination parameters trigger a signed integer overflow (Offset+Limit wrapping from math.MaxInt64 to math.MinInt64), producing invalid slice bounds and a server panic. Any client able to reach the monitoring interface can crash the broker, disrupting all connected messaging clients. There is no public exploit identified at time of analysis and the issue is not in CISA KEV; the upstream fix clamps offsets using min/max bounds.
Remote code execution in Microsoft Edge (Chromium-based) allows an unauthenticated attacker to run arbitrary code by luring a victim to a malicious web page that triggers an integer overflow (CWE-190). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R) indicates network-based exploitation requiring user interaction, with high confidentiality, integrity, and availability impact. Microsoft has released a fix; no public exploit has been identified at time of analysis, and the flaw is not listed in CISA KEV.
Integer overflow in Dell PowerProtect Data Domain across multiple release trains (main, LTS2024, LTS2025, LTS2026) exposes backup and data protection infrastructure to remote denial of service by an unauthenticated attacker. The CVSS vector (AV:N/AC:H/PR:N) confirms network-accessible, unauthenticated exploitation, though high attack complexity constrains practical exploitation to adversaries who can satisfy specific preconditions. No public exploit has been identified at time of analysis, and the vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog.
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter across Red Hat Enterprise Linux 6 through 10, where an integer overflow triggered by specially crafted print data can corrupt memory. This is an incomplete-fix follow-up to CVE-2026-8631, meaning the original patch did not fully close the flaw, and no public exploit has been identified at time of analysis. The Red Hat CVSS of 9.8 reflects a network-reachable, unauthenticated attack path, though realistic exploitation depends on how the CUPS print pipeline is exposed.
Integer overflow in ImageMagick's XCF (GIMP native format) decoder allows remote unauthenticated attackers to trigger an out-of-bounds read by supplying a crafted XCF image file, resulting in an application crash or limited memory disclosure. All ImageMagick releases prior to 6.9.13-51 (legacy branch) and 7.1.2-26 (current branch) are affected. No public exploit code or active exploitation has been identified at time of analysis, but the zero-complexity, pre-authentication attack surface makes this a meaningful risk for any internet-facing service that processes user-supplied images via ImageMagick.
Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition `fp->sect - sect < cc` in f_read() and f_write() uses unsigned arithmetic - when `sect` exceeds `fp->sect`, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. A proof-of-concept exists per SSVC assessment, and technical impact is rated Total, though physical access is required per the CVSS vector. No confirmed active exploitation (not in CISA KEV).
Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount_volume(), where `fasize *= fs->n_fats` wraps and produces attacker-controlled, oversized read lengths in downstream callers. The affected code is a widely embedded FAT filesystem library used across microcontrollers and IoT firmware, and while primarily triggered by mounting malicious media, the vendor notes remote delivery is feasible via OTA/update pipelines. Publicly available exploit code exists (runZero research and proof-of-concept repository); no public exploit identified as actively used and it is not listed in CISA KEV.
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB failure-response parser: a malicious or man-in-the-middle VNC server can send a reasonLen of 0xFFFFFFFF that wraps to 0 during buffer sizing, then stream 4 GiB into a 256-byte heap allocation. The flaw is reachable pre-authentication through connection-failure and auth-failure messages, so merely connecting a viewer to an attacker-controlled endpoint can corrupt the heap and potentially execute code as the user running the viewer. No public exploit identified at time of analysis, though the researcher confirmed a reliable heap-buffer-overflow write with AddressSanitizer.
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging function win_log(), where a malloc size calculation wraps around on 32-bit builds when processing oversized URIs, producing an undersized heap allocation followed by an unchecked strcpy. Remote unauthenticated attackers can trigger this path by sending a maximally-sized URI to the repeater HTTP port, with practical impact bounded by the 153,600-byte HTTP receive buffer and currently assessed at availability disruption rather than reliable code execution. No public exploit code has been identified at time of analysis, and this CVE is not listed in CISA KEV.
Division by zero in ImageMagick's binomial kernel processing path, affecting all versions before 7.1.2-22, allows an attacker to crash the application by supplying a crafted image with an oversized binomial kernel value. The integer overflow corrupts the kernel size calculation, and a subsequent division by the resulting zero value causes an unhandled exception and process termination. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, automated image-processing pipelines that accept untrusted uploads are at elevated practical risk despite the local-vector CVSS rating.
Denial of service in GNOME GLib (versions before 2.88.1) arises when g_dbus_node_info_new_for_xml() parses malformed D-Bus introspection XML that nests a <node> element inside <method>, <signal>, <property>, or <arg>. This state-confusion bug triggers an unsigned integer underflow/overflow (CWE-191) and a subsequent out-of-bounds read, crashing any application or service that parses attacker-influenced introspection data. No public exploit identified at time of analysis, EPSS is low (0.34%), and CISA SSVC rates exploitation as none with only partial technical impact.
Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. No public exploit code has been identified and this CVE is not listed in CISA KEV; the CVSS 4.0 score of 5.6 (AT:P, UI:A) reflects that exploitation requires atypical input volumes and active user or script interaction.
Integer overflow in spice-vdagent's message parsing allows a malicious or compromised SPICE host to crash the guest VM's vdagent daemon by delivering a specially crafted message that triggers a downstream heap buffer overflow. Affected deployments span spice-vdagent as packaged in Red Hat Enterprise Linux 6 through 10, where the daemon runs inside guests handling host-to-guest SPICE protocol communications. No public exploit code or CISA KEV listing exists at time of analysis; exploitation is structurally constrained by the requirement that the attacking SPICE host itself be untrusted or already compromised prior to the attack.
Out-of-bounds reads and a process crash in Nmap through 7.99 can be triggered remotely by any host that is being scanned, or by an on-path attacker, via a crafted IPv6 packet with a truncated extension header. The root cause is an integer underflow in the `ipv6_get_data_primitive` function (libnetutil/netutil.cc) where an insufficiently strict bounds check allows the extension-header walk pointer to advance past the captured packet buffer, causing the remaining-length subtraction to wraparound to a very large value. A publicly available exploit proof-of-concept exists; this vulnerability is not currently listed in the CISA KEV catalog.
Heap buffer overflow in the libssh2 SSH client library (all versions through 1.11.1) lets a malicious or compromised SSH server corrupt memory in any connecting client on 32-bit platforms. The publickey subsystem reads an attacker-supplied 32-bit attribute count and multiplies it by the attribute structure size without bounds checking, so the allocation integer-overflows to an undersized buffer that the parsing loop then writes past. Publicly available exploit code exists; this is a CWE-190 integer overflow with no public exploit identified in CISA KEV, so it is not confirmed actively exploited.
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Client-side memory-safety failure in libnfs (through 6.0.2, fixed by commit f0b109d/935b8db) lets a malicious or compromised NFS server trigger an unsigned integer underflow in the RPC record-marker handling of rpc_read_from_socket(). When a victim application using libnfs connects to a crafted server, the server can supply a record marker whose declared xid/pdu length is smaller than the size libnfs expects to read, wrapping the length value and driving an oversized READ_IOVEC read with corresponding heap memory disclosure or corruption. There is no public exploit identified at time of analysis and it is not in CISA KEV; exploitation requires the victim to initiate a connection to an attacker-controlled NFS endpoint.
Integer underflow in wolfSSL's PKCS#7 ORI decryption path allows a local low-privileged attacker to cause incorrect length computation during EnvelopedData parsing, resulting in low-severity availability impact. Specifically, when the OID embedded inside an implicit `[4] CONSTRUCTED` Other Recipient Info sequence consumes more bytes than the field's declared length, the `word32` subtraction for `oriValueSz` wraps around to a near-maximal unsigned value, feeding corrupted length data to downstream decryption logic. No public exploit has been identified and no CISA KEV listing exists; exploitation requires local access, high complexity, and passive processing of crafted input by the target application.
Memory-safety flaw in the Linux kernel's staging rtl8723bs Realtek SDIO Wi-Fi driver allows an adjacent (radio-range) attacker to trigger an unsigned-integer underflow in the rtw_mlme information-element parsing path, leading to out-of-bounds reads that can disclose kernel memory or crash the system. The bug occurs because ie_length was not validated before fixed IE offsets were subtracted from it. EPSS is low (0.16%, 6th percentile) and there is no public exploit identified at time of analysis, but a vendor (upstream kernel) fix is available.
Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. No public exploit has been identified and EPSS is extremely low at 0.18% (8th percentile), indicating negligible opportunistic exploitation pressure despite the kernel's ubiquitous deployment footprint.
Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). No public exploit identified at time of analysis, but the controlled write and remote network vector (CVSS 4.0 base 8.7) make this a high-priority patch for any operator running NSD as a secondary.
Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.
Out-of-bounds kernel memory write in the Linux kernel's OMFS filesystem driver (fs/omfs) allows a local attacker to corrupt kernel memory by mounting a crafted OMFS image. omfs_fill_super() validates that s_sys_blocksize is not larger than PAGE_SIZE but fails to enforce a lower bound, so a value below OMFS_DIR_START (0x1b8 = 440) triggers an unsigned integer underflow in omfs_make_empty(), driving a roughly 4 GiB memset() that overwrites kernel memory far beyond the block buffer. There is no public exploit identified at time of analysis, the EPSS score is low (0.18%), and it is not listed in CISA KEV; the fix has been backported across many stable kernel branches.
Out-of-bounds kernel heap write in the Linux kernel's device-mapper dm-log module (dm_log) lets a privileged local actor corrupt vmalloc-allocated memory by overflowing a 32-bit region_count. In create_log_context(), dm_sector_div_up() returns a 64-bit sector_t that is truncated into an unsigned int, so a dm target with very large ti->len and small region_size under-allocates the clean_bits/sync_bits/recovering_bits bitsets while later log operations index the full untruncated region space. Tracked as CVE-2026-53059 (CWE-190) with CVSS 7.0; there is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the upstream report includes a working reproducer and a confirmed kernel crash.
Integer overflow in the Linux kernel SCSI target core allows a local attacker with low privileges to crash the kernel via crafted UNMAP commands. The `sbc_execute_unmap()` function performs a capacity bounds check on LBA + range but fails to guard against 64-bit wraparound, meaning an attacker can supply values that overflow to bypass the check and trigger a kernel panic. No public exploit code or CISA KEV listing exists; EPSS is 0.18% (7th percentile), reflecting the niche attack surface limited to systems actively running SCSI target daemons. Patches are confirmed available across all supported stable kernel branches.
Integer overflow in the Linux kernel's AF_ALG socket interface (crypto/af_alg.c) lets a local user supply an oversized AEAD associated-data length that wraps during TX buffer size arithmetic, corrupting size checks; the fix caps AD length to 0x80000000. Carrying CVSS 7.0 (AV:L/AC:H/PR:L), it affects any kernel exposing the algif AEAD interface and threatens confidentiality, integrity, and availability through resulting memory corruption. There is no public exploit identified at time of analysis, and EPSS is low at 0.18% (8th percentile), consistent with a local-only, high-complexity issue.
Local privilege-relevant memory corruption in the Linux kernel's KVM subsystem (kvm_reset_dirty_gfn) lets any process holding /dev/kvm bypass a dirty-ring bounds check via a u64 integer overflow, driving a near-U64_MAX guest frame number into gfn_to_rmap() for an out-of-bounds kvm_rmap_head load and a conditional write-flag clear. Affected are kernels from 5.11 through the 7.x line running VMs on the shadow-paging (legacy/rmap) MMU path. This is a local (AV:L), low-privilege (PR:L) issue rated CVSS 7.8; there is no public exploit identified at time of analysis, EPSS is low at 0.19% (9th percentile), and it is not on CISA KEV.
In the Linux kernel, the following vulnerability has been resolved: i2c: dev: prevent integer overflow in I2C_TIMEOUT ioctl While fuzzing with Syzkaller, a persistent `schedule_timeout: wrong timeout value` warning was observed, accompanied by SMBus controller state machine corruption. The I2C_TIMEOUT ioctl accepts a user-provided timeout in multiples of 10 ms. The user argument is checked against INT_MAX, but it is subsequently multiplied by 10 before being passed to msecs_to_jiffies(). A malicious user can pass a large value (e.g., 429496729) that passes the `arg > INT_MAX` check but overflows when multiplied by 10. This results in a truncated 32-bit unsigned value that bypasses the internal `(int)m < 0` check in `msecs_to_jiffies()`. The truncated value is then assigned to `client->adapter->timeout` (a signed 32-bit int), which is reinterpreted as a negative number. When passed to wait_for_completion_timeout(), this negative value undergoes sign extension to a 64-bit unsigned long, triggering the `schedule_timeout` warning and causing premature returns. This leaves the SMBus state machine in an unrecoverable state, constituting a local Denial of Service (DoS). Fix this by bounding the user argument to `INT_MAX / 10`. [wsa: move the comment as well]
Local privilege escalation via use-after-free in the Linux kernel's batman-adv (B.A.T.M.A.N. advanced) mesh networking module allows a local low-privileged user to crash or potentially gain code execution by triggering a tp_meter counter underflow during interface shutdown. Concurrent shutdown paths (timeout, user cancel, normal finish) each decrement the 'sending' atomic counter, underflowing it to -1, which traps the sender kthread in an infinite loop and produces a use-after-free when the mesh interface is removed while the zombie thread still runs. No public exploit identified at time of analysis, and EPSS is low at 0.16%; a vendor patch is available across multiple stable trees.
Integer overflow in the xmlwf utility bundled with libexpat before 2.8.2 enables heap corruption via XML documents containing an excessive number of NOTATION declarations in a DOCTYPE block. The flaw in endDoctypeDecl allows a crafted XML file to wrap a signed integer counter, producing an undersized heap allocation that can be overflowed with high confidentiality and integrity impact. No confirmed active exploitation (not in CISA KEV) and no public exploit code have been identified at time of analysis; vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat's xmlwf tool allows an attacker supplying a crafted XML file with an excessively long DOCTYPE system identifier to trigger a heap buffer overflow via the resolveSystemId function. All libexpat versions before 2.8.2 are affected; the root cause is an unchecked size_t arithmetic operation - both the addition of string lengths and the subsequent multiplication by sizeof(XML_Char) - before a malloc call. No public exploit has been identified at time of analysis, and exploitation requires local access under high-complexity conditions per the CVSS:3.1/AV:L/AC:H vector.
Integer overflow in the `xmlwf` command-line utility bundled with libexpat before 2.8.2 allows heap buffer overflow when the `-d outputDir` flag is used with extremely long path values. The overflow occurs during malloc size calculation - `(tcslen(outputDir) + tcslen(file) + 2) * sizeof(XML_Char)` - wrapping the size_t to a near-zero value, causing an undersized allocation followed by out-of-bounds write during filename construction. No public exploit has been identified at time of analysis and the vulnerability is absent from CISA KEV, but the heap overflow primitive is well-understood and could yield code execution in automated XML processing pipelines.
Integer overflow in libexpat's copyString function (xmlparse.c) allows heap buffer overflow when processing specially crafted XML input, affecting all libexpat versions before 2.8.2. The missing bounds check on a size multiplication permits an attacker-controlled string length to wrap around SIZE_MAX, producing an undersized heap allocation that is subsequently overwritten - enabling potential memory corruption, arbitrary code execution, or data disclosure in any application consuming the library. No public exploit has been identified at time of analysis; a vendor-released patch is available in libexpat 2.8.2.
Integer overflow in libexpat before 2.8.2 allows heap corruption during XML prolog parsing when accumulated entity value pool length exceeds INT_MAX, yielding high confidentiality and integrity impact per CVSS. The flaw resides in doProlog and the related storeSelfEntityValue path, where poolLength() return values are cast to signed integers without bounds validation - a gap closed in the upstream fix via explicit INT_MAX guards. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV, but the widespread use of libexpat as a dependency across system tools, language runtimes, and XML-processing services means the blast radius of a weaponized exploit would be broad.
Integer overflow in libexpat's XML_ParseBuffer function allows potential heap corruption leading to high-confidentiality and high-integrity impact in all libexpat versions before 2.8.2. The overflow occurs because XML_ParseBuffer lacked a bounds check on the byte index accumulator that was already present in the sibling XML_Parse function - a defensive guard omitted asymmetrically between two code paths. Any application that routes XML input through XML_ParseBuffer (a common pattern in incremental parsing) is exposed. No public exploit has been identified at time of analysis and no KEV listing exists, but the high C and I CVSS impact ratings reflect the potential for code execution via heap corruption.
Integer overflow in libexpat's getAttributeId routine exposes any application embedding libexpat before version 2.8.2 to memory corruption with high confidentiality and integrity impact when parsing specially crafted XML documents. The flaw occurs when an internal counter traversing the attribute ID table reaches INT_MAX and wraps, producing an invalid index that can corrupt adjacent heap memory. No public exploit has been identified at time of analysis, and CISA has not listed this in the KEV catalog, but a vendor-released patch is available in libexpat 2.8.2 and upgrade is the recommended remediation.
Integer overflow in libexpat's addBinding function (xmlparse.c) before version 2.8.2 allows memory corruption during XML namespace binding processing, with high confidentiality and integrity impact. All libexpat releases from 0 through 2.8.2-pre are affected (CPE: cpe:2.3:a:libexpat_project:libexpat:*:*:*:*:*:*:*:*), encompassing a significant downstream attack surface given the library's widespread use in Python, PHP, and system utilities. No public exploit or active exploitation has been confirmed at time of analysis; the official CVSS 3.1 score of 6.9 reflects meaningful impact tempered by high attack complexity and a local attack vector.
Integer overflow in libexpat's storeAtts() function before version 2.8.2 allows heap buffer corruption during XML namespace attribute processing. When an XML document contains namespace-qualified attributes whose prefix name or local-part name approaches or exceeds INT_MAX bytes, the combined expanded-name length calculation wraps to a small integer, causing allocation of an undersized heap buffer followed by an out-of-bounds write during the memcpy phase. The vendor CVSS scores this 6.9 with High confidentiality and integrity impact; no public exploit has been identified at time of analysis and the CVE is not listed in the CISA KEV catalog.