CWE-194: Unexpected Sign Extension

VariantIncompleteExploit Likelihood: High

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-194: Unexpected Sign Extension?+

CWE-194: Unexpected Sign Extension is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.

What are the security consequences of Unexpected Sign Extension?+

If exploited, CWE-194 (Unexpected Sign Extension) it can compromise Integrity, Confidentiality, Availability and Other, leading to outcomes such as Read Memory, Modify Memory and Other.

How do you prevent or mitigate Unexpected Sign Extension?+

Recommended mitigations for CWE-194 include: Avoid using signed variables if you don't need to represent negative values. When negative values are needed, perform validation after you save those values to larger data types, or before passing them to functions that are expecting unsigned values.

Which programming languages are affected by Unexpected Sign Extension?+

CWE-194 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Unexpected Sign Extension?+

MITRE documents real CVEs mapped to CWE-194, including CVE-2018-10887, CVE-1999-0234, CVE-2003-0161, CVE-2007-4988 and CVE-2005-2753. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-194 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-194: Unexpected Sign Extension | CWE Lookup | InventiveHQ