CWE-197: Numeric Truncation Error
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
View on MITREExtended Description
When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
Scope
Impact
The true value of the data is lost and corrupted data is used.
Mitigation Strategies
Phase
Description
Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.
Detection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Demonstrative Examples
This example, while not exploitable, shows the possible mangling of values associated with truncation errors:
The above code, when compiled and run on certain systems, returns the following output:
In the following Java example, the method updateSalesForProduct is part of a business application class that updates the sales information for a particular product. The method receives as arguments the product ID and the integer amount sold. The product ID is used to retrieve the total product count from an inventory object which returns the count as an integer. Before calling the method of the sales object to update the sales count the integer values are converted to The primitive type short since the method requires short type for the method arguments.
However, a numeric truncation error can occur if the integer values are higher than the maximum value allowed for the primitive type short. This can cause unexpected results or loss or corruption of data. In this case the sales database may be corrupted with incorrect data. Explicit casting from a from a larger size primitive type to a smaller size primitive type should be prevented. The following example an if statement is added to validate that the integer values less than the maximum value for the primitive type short before the explicit cast and the call to the sales method.
In the following Java example, the method updateSalesForProduct is part of a business application class that updates the sales information for a particular product. The method receives as arguments the product ID and the integer amount sold. The product ID is used to retrieve the total product count from an inventory object which returns the count as an integer. Before calling the method of the sales object to update the sales count the integer values are converted to The primitive type short since the method requires short type for the method arguments.
However, a numeric truncation error can occur if the integer values are higher than the maximum value allowed for the primitive type short. This can cause unexpected results or loss or corruption of data. In this case the sales database may be corrupted with incorrect data. Explicit casting from a from a larger size primitive type to a smaller size primitive type should be prevented. The following example an if statement is added to validate that the integer values less than the maximum value for the primitive type short before the explicit cast and the call to the sales method.
Observed CVE Examples (3)
Chain: integer truncation (CWE-197) causes small buffer allocation (CWE-131) leading to out-of-bounds write (CWE-787) in kernel pool, as exploited in the wild per CISA KEV.
View DetailsSize of a particular type changes for 64-bit platforms, leading to an integer truncation in document processor causes incorrect index to be generated.
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-197: Numeric Truncation Error?+
CWE-197: Numeric Truncation Error is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
What are the security consequences of Numeric Truncation Error?+
If exploited, CWE-197 (Numeric Truncation Error) it can compromise Integrity, leading to outcomes such as Modify Memory.
How do you prevent or mitigate Numeric Truncation Error?+
Recommended mitigations for CWE-197 include: Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.
Which programming languages are affected by Numeric Truncation Error?+
CWE-197 commonly affects C, C++, Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Numeric Truncation Error?+
MITRE documents real CVEs mapped to CWE-197, including CVE-2020-17087, CVE-2009-0231 and CVE-2008-3282. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-197 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.