CWE-1335: Incorrect Bitwise Shift of Integer
An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.
Last updated
Overview
Specifying a value to be shifted by a negative amount is undefined in various languages. Various computer architectures implement this action in different ways. The compilers and interpreters when generating code to accomplish a shift generally do not do a check for this issue. Specifying an over-shift, a shift greater than or equal to the number of bits contained in a value to be shifted, produces a result which varies by architecture and compiler. In some languages, this action is specifically listed as producing an undefined result.
Real-world CVEs
5 recorded CVEs are caused by CWE-1335 (Incorrect Bitwise Shift of Integer). The highest-severity and most recent are shown first. 2 new CWE-1335 CVEs have been recorded so far in 2026.
- CVE-2016-9842High · CVSS 8.8 · EPSS 92th2017-05-23
- CVE-2023-52810
fs/jfs: Add check for negative db_l2nbperpage
High · CVSS 8.4 · EPSS 19th2024-05-21 - CVE-2026-5072
ptp: Potential Denial of Service via PTP Interval Shift
Medium · CVSS 6.5 · EPSS 9th2026-05-22 - CVE-2026-4426
Libarchive: libarchive: denial of service via malformed iso file processing
Medium · CVSS 6.5 · EPSS 22th2026-03-19 - CVE-2023-3161Medium · CVSS 5.5 · EPSS 11th2023-06-12
Common consequences
What can happen when CWE-1335 is exploited.
DoS: Crash, Exit, or Restart
Affects: Integrity
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-1335, grouped by where in the lifecycle they apply.
Implicitly or explicitly add checks and mitigation for negative or over-shift values.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
A negative shift amount for an x86 or x86_64 shift instruction will produce the number of bits to be shifted by taking a 2's-complement of the shift amount and effectively masking that amount to the lowest 6 bits for a 64 bit shift instruction.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2023-4720 — multimedia product performs a left shift with a negative value, leading to a crash
- CVE-2009-4307 — An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero.
- CVE-2012-2100 — An unexpected large value in the ext4 filesystem causes an overshift condition resulting in a divide by zero - fix of CVE-2009-4307.
- CVE-2020-8835 — An overshift in a kernel allowed out of bounds reads and writes resulting in a root takeover.
- CVE-2015-1607 — Program is not properly handling signed bitwise left-shifts causing an overlapping memcpy memory range error.
- CVE-2016-9842 — Compression function improperly executes a signed left shift of a negative integer.
- CVE-2018-18445 — Some kernels improperly handle right shifts of 32 bit numbers in a 64 bit register.
- CVE-2013-4206 — Putty has an incorrectly sized shift value resulting in an overshift.
- CVE-2018-20788 — LED driver overshifts under certain conditions resulting in a DoS.
Frequently asked questions
Common questions about CWE-1335.
- What is CWE-1335?
- An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.
- What CVEs are caused by CWE-1335?
- 5 recorded CVEs are attributed to CWE-1335, including CVE-2016-9842, CVE-2023-52810, CVE-2026-5072.
- How do you prevent CWE-1335?
- Implicitly or explicitly add checks and mitigation for negative or over-shift values.
- How is CWE-1335 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1335?
- Exploiting CWE-1335 can lead to: DoS: Crash, Exit, or Restart.
- Is CWE-1335 actively exploited?
- 5 recorded CVEs are caused by CWE-1335; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1335) (opens in a new tab)
- CWE-1335 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1335
Get alerted the moment a new CWE-1335 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.