CWE-128: Wrap-around Error
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
Last updated
Overview
CWE-128 (Wrap-around Error) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Due to how addition is performed by computers, if a primitive is incremented past the maximum value possible for its storage space, the system will not recognize this, and therefore increment each bit as if it still had extra space. Because of how negative numbers are represented in binary, primitives interpreted as signed may "wrap" to very large negative values.
Real-world CVEs
3 recorded CVEs are caused by CWE-128 (Wrap-around Error). The highest-severity and most recent are shown first. 1 new CWE-128 CVE has been recorded so far in 2026.
Common consequences
What can happen when CWE-128 is exploited.
DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability
Affects: Availability
This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Modify Memory
Affects: Integrity
If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Execute Unauthorized Code or Commands, Bypass Protection Mechanism
Affects: Confidentiality, Availability, Access Control
This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-128, grouped by where in the lifecycle they apply.
Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
Provide clear upper and lower bounds on the scale of any protocols designed.
Perform validation on all incremented variables to ensure that they remain within reasonable bounds.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following image processing code allocates a table for images.
Vulnerable example
img_t table_ptr; /*struct containing img data, 10kB each*/This code intends to allocate a table of size num_imgs, however as num_imgs grows large, the calculation determining the size of the list will eventually overflow (CWE-190). This will result in a very small list to be allocated instead. If the subsequent code operates on the list as if it were num_imgs long, it may result in many types of out-of-bounds problems (CWE-119).
Terminology & mappings
Mapped taxonomies
- CLASP: Wrap-around error
- CERT C Secure Coding: Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t (MEM07-C)
- Software Fault Patterns: Glitch in computation (SFP1)
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-128.
- What is CWE-128?
- Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
- What CVEs are caused by CWE-128?
- 3 recorded CVEs are attributed to CWE-128, including CVE-2024-23981, CVE-2022-35258, CVE-2026-54905.
- How do you prevent CWE-128?
- Requirements specification: The choice could be made to use a language that is not susceptible to these issues.
- How is CWE-128 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-128?
- Exploiting CWE-128 can lead to: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability, Modify Memory, Execute Unauthorized Code or Commands.
- Is CWE-128 actively exploited?
- 3 recorded CVEs are caused by CWE-128; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-128) (opens in a new tab)
- CWE-128 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-128
Get alerted the moment a new CWE-128 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.