CWE-839: Numeric Range Comparison Without Minimum Check

BaseIncomplete

The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

View on MITRE
Back to CWE Lookup

Extended Description

Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.

Technical Details

Structure
Simple

Applicable To

Languages
CC++
Platforms

Frequently Asked Questions

What is CWE-839: Numeric Range Comparison Without Minimum Check?+

CWE-839: Numeric Range Comparison Without Minimum Check is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum. Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.

What are the security consequences of Numeric Range Comparison Without Minimum Check?+

If exploited, CWE-839 (Numeric Range Comparison Without Minimum Check) it can compromise Integrity, Confidentiality and Availability, leading to outcomes such as Modify Application Data, Execute Unauthorized Code or Commands, DoS: Resource Consumption (Other), Modify Memory and Read Memory.

How do you prevent or mitigate Numeric Range Comparison Without Minimum Check?+

Recommended mitigations for CWE-839 include: If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t. If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.

Which programming languages are affected by Numeric Range Comparison Without Minimum Check?+

CWE-839 commonly affects C and C++. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Numeric Range Comparison Without Minimum Check?+

MITRE documents real CVEs mapped to CWE-839, including CVE-2010-1866, CVE-2009-1099, CVE-2011-0521, CVE-2010-3704 and CVE-2010-2530. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-839 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More