Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

What CVEs are caused by CWE-192?

5 recorded CVEs are attributed to CWE-192, including CVE-2021-32996, CVE-2026-8275, CVE-2014-125012.

How do you prevent CWE-192?

A language which throws exceptions on ambiguous data casts might be chosen.

How is CWE-192 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-192?

Exploiting CWE-192 can lead to: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands, Other.

Is CWE-192 actively exploited?

5 recorded CVEs are caused by CWE-192; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-192: Integer Coercion Error

CVE-2014-125011

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

The following code is intended to read an incoming packet from a socket and extract one or more headers.

Vulnerable example

DataPacket *packet;

The code performs a check to make sure that the packet does not contain too many headers. However, numHeaders is defined as a signed int, so it could be negative. If the incoming packet specifies a value such as -3, then the malloc calculation will generate a negative number (say, -300 if each header can be a maximum of 100 bytes). When this result is provided to malloc(), it is first converted to a size_t type. This conversion then produces a large value such as 4294966996, which may cause malloc() to fail or to allocate an extremely large amount of memory (CWE-195). With the appropriate negative numbers, an attacker could trick malloc() into using a very small positive number, which then allocates a buffer that is much smaller than expected, potentially leading to a buffer overflow.

The following code reads a maximum size and performs validation on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.

Vulnerable example

int GetUntrustedInt () {

This code first exhibits an example of CWE-839, allowing "s" to be a negative number. When the negative short "s" is converted to an unsigned integer, it becomes an extremely large positive integer. When this converted integer is used by strncpy() it will lead to a buffer overflow (CWE-119).

CWE-192: Integer Coercion Error

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-192?

What CVEs are caused by CWE-192?

How do you prevent CWE-192?

How is CWE-192 detected?

What are the consequences of CWE-192?

Is CWE-192 actively exploited?

References

Stay ahead of CWE-192

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Related

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-192?

What CVEs are caused by CWE-192?

How do you prevent CWE-192?

How is CWE-192 detected?

What are the consequences of CWE-192?

Is CWE-192 actively exploited?

References

Stay ahead of CWE-192