Integer Underflow
What is Integer Underflow?
An arithmetic flaw (CWE-191) in which subtracting from an unsigned value below zero wraps to a huge number, often enabling oversized allocations or buffer overruns.
Integer underflow occurs when an unsigned integer is decremented below zero or signed arithmetic crosses INT_MIN and the result wraps to a very large positive value. The classic pattern is len = header_len - prefix_len where prefix_len is attacker-controlled; the resulting huge len then bypasses bounds checks and triggers heap or stack buffer overflows, or out-of-bounds reads. Real-world examples include CVE-2018-1000005 (libcurl) and many kernel networking bugs where size_t arithmetic on packet lengths underflows. Mitigations: use signed arithmetic with explicit comparisons, checked subtraction (e.g. __builtin_sub_overflow, std::safe_int), language-level overflow trapping (Rust debug mode, Swift), fuzzing with sanitisers (UBSan), and strict input validation.
● Examples
- 01: len = total - header_len wrapping to a value near 0xFFFFFFFF when total < header_len, then used as a memcpy size.
- 02: Linux kernel CVE-2019-11815, where a remaining-length subtraction underflowed and enabled a use-after-free.
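The following C program is an added example, not code from the page or from either of the projects named above. It places the unchecked `len = total - header_len` pattern from the definition beside two hardened forms (a `__builtin_sub_overflow` check as the text recommends, and a plain compare-before-subtract for compilers without that builtin), then uses the checked length to gate a `memcpy`. The packet bytes, field values and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the text: len = total - header_len with no check.
 * Returns the raw (possibly wrapped) result so the effect is visible. */
uint32_t payload_len_unchecked(uint32_t total, uint32_t header_len)
{
    return total - header_len;          /* wraps modulo 2^32 when header_len > total */
}

/* Hardened form 1: checked subtraction with __builtin_sub_overflow (GCC/Clang).
 * Returns -1 on underflow, otherwise the payload length. */
int64_t payload_len_checked(uint32_t total, uint32_t header_len)
{
    uint32_t len;
    if (__builtin_sub_overflow(total, header_len, &len))
        return -1;                      /* header claims more bytes than the packet has */
    return (int64_t)len;
}

/* Hardened form 2: explicit comparison before the subtraction, portable C. */
int64_t payload_len_compare(uint32_t total, uint32_t header_len)
{
    if (header_len > total)
        return -1;
    return (int64_t)(total - header_len);
}

/* Copy the payload into a fixed-size destination only after both the
 * underflow check and the destination-capacity check pass.
 * Returns bytes copied, or -1 if the packet is malformed. */
int copy_payload(const uint8_t *pkt, uint32_t total, uint32_t header_len,
                 uint8_t *dst, size_t dst_cap)
{
    int64_t len = payload_len_checked(total, header_len);
    if (len < 0 || (uint64_t)len > dst_cap)
        return -1;
    memcpy(dst, pkt + header_len, (size_t)len);
    return (int)len;
}

/* Constructed sample packet (not from any real protocol):
 * 4 header bytes followed by 6 payload bytes. */
static const uint8_t sample_pkt[10] = { 0xAA, 0xBB, 0xCC, 0xDD,
                                        'p', 'a', 'y', 'l', 'o', 'a' };

/* Well-formed case: total=10, header_len=4 -> copies 6 bytes. */
int demo_good_packet(void)
{
    uint8_t buf[16];
    return copy_payload(sample_pkt, 10, 4, buf, sizeof buf);
}

/* Malformed case: header_len (11) exceeds total (10). The checked path refuses,
 * where the unchecked subtraction would have produced 0xFFFFFFFF as a memcpy size. */
int demo_bad_packet(void)
{
    uint8_t buf[16];
    return copy_payload(sample_pkt, 10, 11, buf, sizeof buf);
}

int main(void)
{
    printf("unchecked 10 - 11 = 0x%08X\n", payload_len_unchecked(10, 11));
    printf("checked   10 - 11 = %lld\n", (long long)payload_len_checked(10, 11));
    printf("good packet copied %d bytes\n", demo_good_packet());
    printf("bad packet result  %d\n", demo_bad_packet());
    return 0;
}
```

The compare-before-subtract form is the one to reach for when `__builtin_sub_overflow` is unavailable; the important property in both is that the length is validated as a separate step before it reaches any allocation or copy. Compiling with `-fsanitize=undefined` does not flag the unchecked unsigned wrap (it is defined behaviour in C), which is why an explicit check, not the sanitiser alone, is the fix.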
● Frequently asked questions
What is Integer Underflow?
An arithmetic flaw (CWE-191) in which subtracting from an unsigned value below zero wraps to a huge number, often enabling oversized allocations or buffer overruns. It belongs to the Attacks & Threats category of cybersecurity.
What does Integer Underflow mean?
An arithmetic flaw (CWE-191) in which subtracting from an unsigned value below zero wraps to a huge number, often enabling oversized allocations or buffer overruns.
How does Integer Underflow work?
Integer underflow occurs when an unsigned integer is decremented below zero or signed arithmetic crosses INT_MIN and the result wraps to a very large positive value. The classic pattern is len = header_len - prefix_len where prefix_len is attacker-controlled; the resulting huge len then bypasses bounds checks and triggers heap or stack buffer overflows, or out-of-bounds reads. Real-world examples include CVE-2018-1000005 (libcurl) and many kernel networking bugs where size_t arithmetic on packet lengths underflows. Mitigations: use signed arithmetic with explicit comparisons, checked subtraction (e.g. __builtin_sub_overflow, std::safe_int), language-level overflow trapping (Rust debug mode, Swift), fuzzing with sanitisers (UBSan), and strict input validation.
How do you defend against Integer Underflow?
Defences for Integer Underflow combine technical controls and operational practices: signed arithmetic with explicit comparisons, checked subtraction (e.g. __builtin_sub_overflow, std::safe_int), language-level overflow trapping (Rust debug mode, Swift), fuzzing with sanitisers (UBSan), and strict input validation, as described in the full definition above.
What are other names for Integer Underflow?
Common alternative names include: Unsigned underflow, CWE-191.
● Related terms
- Integer Overflow (vulnerabilities, № 543): A bug where an arithmetic operation produces a value outside the representable range of its integer type, wrapping or truncating in security-critical ways.
- Buffer Overflow (vulnerabilities, № 131): A memory-safety flaw where a program writes past the end of an allocated buffer, corrupting adjacent memory and often enabling code execution.
- Out-of-Bounds Read (attacks, № 772): A memory-safety bug (CWE-125) where software reads data before, after, or otherwise outside the intended buffer, leaking adjacent memory contents.
- Memory Corruption (vulnerabilities, № 667): An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type safety, control flow, or data integrity.
- Input Validation (appsec, № 538): The server-side check that every untrusted input matches an expected type, length, range, format and value set before being processed by the application.