CWE-190: CWE-190: Integer Overflow or Wraparound
Description
View on MITRETechnical Details
- Structure
- Simple
- Vulnerability Mapping
- ALLOWED
Applicable To
🏆 CWE Top 25 Historical Ranking
Security Consequences
Scope
Impact
Scope
Impact
Scope
Impact
Scope
Impact
Scope
Impact
Mitigation Strategies
Phase
Description
Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
Phase
Description
Strategy: Language Selection Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.
Phase
Description
Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [ REF-106 ]
Phase
Description
Strategy: Input Validation Perform input validation on any numeric input by ensuring that it is within the expected range. Enforce that the input meets both the minimum and maximum requirements for the expected range. Use unsigned integers where possible. This makes it easier to perform validation for integer overflows. When signed integers are required, ensure that the range check includes minimum values as well as maximum values.
Phase
Description
Understand the programming language's underlying representation and how it interacts with numeric calculation ( CWE-681 ). Pay close attention to byte size discrepancies, precision, signed/unsigned distinctions, truncation, conversion and casting between types, "not-a-number" calculations, and how the language handles numbers that are too large or too small for its underlying representation. [ REF-7 ] Also be careful to account for 32-bit, 64-bit, and other potential differences that may affect the numeric representation.
Phase
Description
For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602 . Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Phase
Description
Strategy: Compilation or Build Hardening Examine compiler warnings closely and eliminate problems with potential security implications, such as signed / unsigned mismatch in memory operations, or use of uninitialized variables. Even if the weakness is rarely exploitable, a single failure may lead to the compromise of the entire system.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
No examples or observed CVEs available for this CWE.
CWE Relationships
Frequently Asked Questions
What is CWE-190: CWE-190: Integer Overflow or Wraparound?+
CWE-190: CWE-190: Integer Overflow or Wraparound is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description
Is CWE-190 in the CWE Top 25 Most Dangerous Software Weaknesses?+
Yes. CWE-190 ranked #24 in the CWE Top 25 for 2024, associated with 667 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.
What are the security consequences of CWE-190: Integer Overflow or Wraparound?+
If exploited, CWE-190 (CWE-190: Integer Overflow or Wraparound) it can compromise DoS: Crash, Exit, or Restart, DoS: Resource Consumption (Memory), DoS: Instability and Modify Memory, leading to outcomes such as Scope: Availability This weakness can generally lead to undefined behavior and therefore crashes. When the calculated result is used for resource allocation, this weakness can cause too many (or too few) resources to be allocated, possibly enabling crashes if the product requests more resources than can be provided., Scope: Integrity If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also and if the overflow/wraparound results in other conditions such as buffer overflows.
How do you prevent or mitigate CWE-190: Integer Overflow or Wraparound?+
Recommended mitigations for CWE-190 include: Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol. Strategy: Language Selection Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking. Strategy: Libraries or Frameworks Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [ REF-1482 ]. Use libraries or frameworks that make it easier to handle numbers without unexpected consequences. Examples include safe integer handling packages such as SafeInt (C++) or IntegerLib (C or C++). [ REF-106 ]
Which programming languages are affected by CWE-190: Integer Overflow or Wraparound?+
CWE-190 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-190 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.
Learn More
Search for vulnerabilities that exploit CWE-190
See how this weakness ranks against others
Understanding vulnerabilities vs weaknesses
How vulnerability severity is measured
Complete technical details and references