CWE-197
Numeric Truncation Error
Extended description
When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.
Common consequences1
- IntegrityModify Memory
The true value of the data is lost and corrupted data is used.
Potential mitigations1
- Implementation
Ensure that no casts, implicit or explicit, take place that move from a larger size primitive or a smaller size primitive.
Relationships7
CVEs referencing this CWE46
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2022-42475 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. | CRITICAL9.8 | 99%p100 | KEV+RPoC | 2025-10-24 |
| CVE-2025-6965 | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. | CRITICAL9.8 | 65%p99 | PoC | 2026-06-18 |
| CVE-2024-21310 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | HIGH7.8 | 12%p95 | 2025-05-03 | |
| CVE-2024-43639 | Windows KDC Proxy Remote Code Execution Vulnerability | CRITICAL9.8 | 8.75%p94 | 2025-07-08 | |
| CVE-2024-38125 | Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability | HIGH7.8 | 5.70%p92 | 2025-07-10 | |
| CVE-2024-28944 | Microsoft OLE DB Driver for SQL Server Remote Code Execution Vulnerability | HIGH8.8 | 2.35%p81 | 2025-05-03 | |
| CVE-2024-38044 | DHCP Server Service Remote Code Execution Vulnerability | HIGH7.2 | 2.14%p80 | 2026-02-10 | |
| CVE-2024-21440 | Microsoft ODBC Driver Remote Code Execution Vulnerability | HIGH8.8 | 2.03%p78 | 2025-05-03 | |
| CVE-2024-21451 | Microsoft ODBC Driver Remote Code Execution Vulnerability | HIGH8.8 | 1.95%p78 | 2025-05-03 | |
| CVE-2024-30009 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH8.8 | 1.72%p74 | 2025-05-03 | |
| CVE-2024-37337 | Microsoft SQL Server Native Scoring Information Disclosure Vulnerability | MEDIUM4.3 | 1.66%p74 | 2024-12-31 | |
| CVE-2024-21391 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | HIGH8.8 | 1.63%p73 | 2025-05-03 | |
| CVE-2024-21352 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | HIGH8.8 | 1.63%p73 | 2025-05-03 | |
| CVE-2024-30024 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.54%p72 | 2025-05-03 | |
| CVE-2024-30023 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.54%p72 | 2025-05-03 | |
| CVE-2024-30022 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.54%p72 | 2025-05-03 | |
| CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | HIGH8.8 | 1.52%p71 | 2025-07-08 | |
| CVE-2024-30029 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.49%p71 | 2025-05-03 | |
| CVE-2024-30015 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.49%p71 | 2025-05-03 | |
| CVE-2024-30014 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | HIGH7.5 | 1.49%p71 | 2025-05-03 | |
| CVE-2024-43519 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | HIGH8.8 | 1.38%p69 | 2026-06-09 | |
| CVE-2023-36641 | A numeric truncation error in Fortinet FortiProxy version 7.2.0 through 7.2.4, FortiProxy version 7.0.0 through 7.0.10, FortiProxy 2.0 all versions, FortiProxy 1.2 all versions, FortiProxy 1.1, all versions, FortiProxy 1.0 all versions, FortiOS version 7.4.0, FortiOS version 7.2.0 through 7.2.5, FortiOS version 7.0.0 through 7.0.12, FortiOS 6.4 all versions, FortiOS 6.2 all versions, FortiOS 6.0 all versions allows attacker to denial of service via specifically crafted HTTP requests. | MEDIUM6.5 | 1.27%p66 | 2024-11-21 | |
| CVE-2024-29050 | Windows Cryptographic Services Remote Code Execution Vulnerability | HIGH7.8 | 1.25%p65 | PoC | 2025-05-03 |
| CVE-2020-15202 | In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However, there are several places in TensorFlow where a lambda taking `int` or `int32` arguments is being used. In these cases, if the amount of work to be parallelized is large enough, integer truncation occurs. Depending on how the two arguments of the lambda are used, this can result in segfaults, read/write outside of heap allocated arrays, stack overflows, or data corruption. The issue is patched in commits 27b417360cbd671ef55915e4bb6bb06af8b8a832 and ca8c013b5e97b1373b3bb1c97ea655e69f31a575, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1. | CRITICAL9.0 | 1.22%p65 | 2024-11-21 | |
| CVE-2023-32143 | D-Link DAP-1360 webupg UPGCGI_CheckAuth Numeric Truncation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of requests to the /cgi-bin/webupg endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-18423. | HIGH8.8 | 1.13%p62 | 2025-05-16 | |
| CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability | HIGH7.8 | 1.11%p62 | 2025-04-14 | |
| CVE-2024-21429 | Windows USB Hub Driver Remote Code Execution Vulnerability | MEDIUM6.8 | 0.90%p55 | 2025-05-03 | |
| CVE-2024-21434 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability | HIGH7.8 | 0.83%p53 | 2025-05-03 | |
| CVE-2024-21377 | Windows DNS Information Disclosure Vulnerability | MEDIUM5.5 | 0.65%p46 | 2025-05-03 | |
| CVE-2024-38086 | Azure Kinect SDK Remote Code Execution Vulnerability | MEDIUM6.4 | 0.61%p44 | 2025-12-09 | |
| CVE-2026-42944 | NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation. | HIGH7.5 | 0.51%p39 | 2026-05-20 | |
| CVE-2026-40380 | Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack. | MEDIUM6.2 | 0.45%p35 | 2026-06-09 | |
| CVE-2025-53723 | Numeric truncation error in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | HIGH7.8 | 0.42%p34 | 2026-02-26 | |
| CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | HIGH7.8 | 0.42%p34 | 2025-01-01 | |
| CVE-2025-49679 | Numeric truncation error in Windows Shell allows an authorized attacker to elevate privileges locally. | HIGH7.8 | 0.37%p28 | 2026-02-13 | |
| CVE-2026-40404 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | HIGH7.8 | 0.31%p23 | 2026-06-10 | |
| CVE-2026-44823 | Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | HIGH7.8 | 0.30%p21 | 2026-06-10 | |
| CVE-2022-34670 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an unprivileged regular user can cause truncation errors when casting a primitive to a primitive of smaller size causes data to be lost in the conversion, which may lead to denial of service or information disclosure. | HIGH7.8 | 0.29%p20 | 2025-04-11 | |
| CVE-2022-34680 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an integer truncation can lead to an out-of-bounds read, which may lead to denial of service. | MEDIUM5.5 | 0.27%p19 | 2025-04-10 | |
| CVE-2022-34676 | NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel mode layer handler, where an out-of-bounds read may lead to denial of service, information disclosure, or data tampering. | HIGH7.8 | 0.26%p17 | 2025-04-11 | |
| CVE-2026-40409 | Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability | HIGH7.8 | 0.24%p15 | 2026-06-11 | |
| CVE-2026-44927 | In uriparser before 1.0.2, there is pointer difference truncation to int in various places. | MEDIUM5.3 | 0.21%p11 | 2026-05-12 | |
| CVE-2026-32240 | Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This vulnerability is fixed in 1.4.0. | MEDIUM6.5 | 0.21%p11 | 2026-03-18 | |
| CVE-2025-10543 | In Eclipse Paho Go MQTT v3.1 library (paho.mqtt.golang) versions <=1.5.0 UTF-8 encoded strings, passed into the library, may be incorrectly encoded if their length exceeds 65535 bytes. This may lead to unexpected content in packets sent to the server (for example, part of an MQTT topic may leak into the message body in a PUBLISH packet). The issue arises because the length of the data passed in was converted from an int64/int32 (depending upon CPU) to an int16 without checks for overflows. The int16 length was then written, followed by the data (e.g. topic). This meant that when the data (e.g. topic) was over 65535 bytes then the amount of data written exceeds what the length field indicates. This could lead to a corrupt packet, or mean that the excess data leaks into another field (e.g. topic leaks into message body). | MEDIUM5.3 | 0.19%p9 | 2026-01-16 | |
| CVE-2026-42371 | uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes. | MEDIUM5.1 | 0.17%p7 | 2026-05-18 | |
| CVE-2026-6039 | LibreOffice can import drawings in the DXF format used by CAD software. A heap buffer overflow existed when importing a DXF polyline. The point count taken from the file was truncated to a 16-bit value when the point buffer was sized, while the full count was used to fill it, so a polyline whose point count exceeded the 16-bit range was written past the end of the buffer. In fixed versions such oversized polylines are rejected. | NONE | 0.12%p2 | 2026-06-15 |