CWE-839
Numeric Range Comparison Without Minimum Check
Extended description
Some products use signed integers or floats even when their values are only expected to be positive or 0. An input validation check might assume that the value is positive, and only check for the maximum value. If the value is negative, but the code assumes that the value is positive, this can produce an error. The error may have security consequences if the negative value is used for memory allocation, array access, buffer access, etc. Ultimately, the error could lead to a buffer overflow or other type of memory corruption. The use of a negative number in a positive-only context could have security implications for other types of resources. For example, a shopping cart might check that the user is not requesting more than 10 items, but a request for -3 items could cause the application to calculate a negative price and credit the attacker's account.
Common consequences3
- IntegrityConfidentialityAvailabilityModify Application DataExecute Unauthorized Code or Commands
An attacker could modify the structure of the message or data being sent to the downstream component, possibly injecting commands.
- AvailabilityDoS: Resource Consumption (Other)
in some contexts, a negative value could lead to resource consumption.
- ConfidentialityIntegrityModify MemoryRead Memory
If a negative value is used to access memory, buffers, or other indexable structures, it could access memory outside the bounds of the buffer.
Potential mitigations2
- Implementation
If the number to be used is always expected to be positive, change the variable type from signed to unsigned or size_t.
- Implementation
If the number to be used could have a negative value based on the specification (thus requiring a signed value), but the number should only be positive to preserve code correctness, then include a check to ensure that the value is positive.
CVEs referencing this CWE4
| CVE | Description | Severity | EPSS | Flags | Modified |
|---|---|---|---|---|---|
| CVE-2019-20925 | An unauthenticated client can trigger denial of service by issuing specially crafted wire protocol messages, which cause the message decompressor to incorrectly allocate memory. This issue affects MongoDB Server v4.2 versions prior to 4.2.1; MongoDB Server v4.0 versions prior to 4.0.13; MongoDB Server v3.6 versions prior to 3.6.15 and MongoDB Server v3.4 versions prior to 3.4.24. | HIGH7.5 | 1.66%p74 | 2024-11-21 | |
| CVE-2023-22854 | The ccmweb component of Mitel MiContact Center Business server 9.2.2.0 through 9.4.1.0 could allow an unauthenticated attacker to download arbitrary files, due to insufficient restriction of URL parameters. A successful exploit could allow access to sensitive information. | HIGH7.5 | 0.60%p44 | 2025-03-21 | |
| CVE-2023-0425 | ABB is aware of vulnerabilities in the product versions listed below. An update is available that resolves the reported vulnerabilities in the product versions under maintenance. An attacker who successfully exploited one or more of these vulnerabilities could cause the product to stop or make the product inaccessible. Numeric Range Comparison Without Minimum Check vulnerability in ABB Freelance controllers AC 700F (Controller modules), ABB Freelance controllers AC 900F (controller modules).This issue affects: Freelance controllers AC 700F: from 9.0;0 through V9.2 SP2, through Freelance 2013, through Freelance 2013SP1, through Freelance 2016, through Freelance 2016SP1, through Freelance 2019, through Freelance 2019 SP1, through Freelance 2019 SP1 FP1; Freelance controllers AC 900F: Freelance 2013, through Freelance 2013SP1, through Freelance 2016, through Freelance 2016SP1, through Freelance 2019, through Freelance 2019 SP1, through Freelance 2019 SP1 FP1. | HIGH7.5 | 0.40%p32 | 2024-12-04 | |
| CVE-2026-48840 | Exim 4.88 before 4.99.4, in some proxy configurations, mishandles certain short payloads, leading to disclosure of uninitialized stack memory values to a client. | MEDIUM5.3 | 0.27%p19 | 2026-06-05 |