CWE-191: Integer Underflow (Wrap or Wraparound)
Also known as: Integer underflow
The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Last updated
Overview
This can happen in signed and unsigned cases.
Real-world CVEs
277 recorded CVEs are caused by CWE-191 (Integer Underflow (Wrap or Wraparound)), including 1 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 79 new CWE-191 CVEs have been recorded so far in 2026 (61 in 2025).
- CVE-2014-0497CISA KEVCritical · CVSS 9.4 · EPSS 100th2014-02-05
- CVE-2026-51540Critical · CVSS 9.8 · EPSS 30th2026-07-13
- CVE-2026-37534Critical · CVSS 9.8 · EPSS 34th2026-05-01
- CVE-2026-31883
FreeRDP has a `size_t` underflow in ADPCM decoder leads to heap-buffer-overflow write
Critical · CVSS 9.8 · EPSS 24th2026-03-13 - CVE-2024-38063Critical · CVSS 9.8 · EPSS 99th2024-08-13
- CVE-2024-38074
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
Critical · CVSS 9.8 · EPSS 80th2024-07-09 - CVE-2024-32040
FreeRDP vulnerable to integer underflow in nsc_rle_decode
Critical · CVSS 9.8 · EPSS 78th2024-04-22 - CVE-2024-23313Critical · CVSS 9.8 · EPSS 76th2024-02-20
- CVE-2024-0808Critical · CVSS 9.8 · EPSS 42th2024-01-23
- CVE-2023-32653Critical · CVSS 9.8 · EPSS 60th2023-09-25
- CVE-2023-32014Critical · CVSS 9.8 · EPSS 78th2023-06-13
- CVE-2023-28250Critical · CVSS 9.8 · EPSS 79th2023-04-11
Showing 12 of 277 recorded CWE-191 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-191 vulnerabilitiesCommon consequences
What can happen when CWE-191 is exploited.
DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability
Affects: Availability
This weakness will generally lead to undefined behavior and therefore crashes. In the case of overflows involving loop index variables, the likelihood of infinite loops is also high.
Modify Memory
Affects: Integrity
If the value in question is important to data (as opposed to flow), simple data corruption has occurred. Also, if the wrap around results in other conditions such as buffer overflows, further memory corruption may occur.
Execute Unauthorized Code or Commands, Bypass Protection Mechanism
Affects: Confidentiality, Availability, Access Control
This weakness can sometimes trigger buffer overflows which can be used to execute arbitrary code. This is usually outside the scope of a program's implicit security policy.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following example subtracts from a 32 bit signed integer.
Vulnerable example
#include <stdio.h>The example has an integer underflow. The value of i is already at the lowest negative value possible, so after subtracting 1, the new value of i is 2147483647.
This code performs a stack allocation based on a length calculation.
Vulnerable example
int a = 5, b = 6;Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2004-0816 — Integer underflow in firewall via malformed packet.
- CVE-2004-1002 — Integer underflow by packet with invalid length.
- CVE-2005-0199 — Long input causes incorrect length calculation.
- CVE-2005-1891 — Malformed icon causes integer underflow in loop counter variable.
Terminology & mappings
Alternate terms
- Integer underflow
Mapped taxonomies
- PLOVER: Integer underflow (wrap or wraparound)
- Software Fault Patterns: Glitch in computation (SFP1)
- CERT C Secure Coding: Ensure that unsigned integer operations do not wrap (INT30-C) — Imprecise fit
- CERT C Secure Coding: Ensure that operations on signed integers do not result in overflow (INT32-C) — Imprecise fit
Frequently asked questions
Common questions about CWE-191.
- What is CWE-191?
- The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
- What CVEs are caused by CWE-191?
- 277 recorded CVEs are attributed to CWE-191, including CVE-2014-0497, CVE-2026-51540, CVE-2026-37534. 1 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How is CWE-191 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-191?
- Exploiting CWE-191 can lead to: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Instability, Modify Memory, Execute Unauthorized Code or Commands.
- Is CWE-191 actively exploited?
- Yes. 1 CWE-191 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 277 recorded CVEs.
References
- MITRE CWE definition (CWE-191) (opens in a new tab)
- CWE-191 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-191
Get alerted the moment a new CWE-191 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.