Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-192 (整数强制转换错误) — Vulnerability Class 6

6 vulnerabilities classified as CWE-192 (整数强制转换错误). AI Chinese analysis included.

CWE-192, Integer Coercion Error, is a software weakness involving the improper type casting, extension, or truncation of primitive data types. This flaw typically arises when developers implicitly or explicitly convert integers between different sizes or signedness without adequate validation, leading to unexpected data behavior. Attackers often exploit these errors by manipulating input values to trigger unintended arithmetic results, such as sign extension vulnerabilities or overflow conditions. While these issues primarily cause data integrity problems or application crashes, they can occasionally facilitate more severe attacks like buffer overflows or logic bypasses. To prevent such weaknesses, developers must enforce strict type checking, utilize safe conversion functions, and validate input ranges before any coercion occurs. Implementing static analysis tools and adhering to secure coding standards further mitigates the risk of accidental integer coercion during software development.

MITRE CWE Description
Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types. Several flaws fall under the category of integer coercion errors. For the most part, these errors in and of themselves result only in availability and data integrity issues. However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions.
Common Consequences (3)
AvailabilityDoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Crash, Exit, or Restart
Integer coercion often leads to undefined states of execution resulting in infinite loops or crashes.
Integrity, Confidentiality, AvailabilityExecute Unauthorized Code or Commands
In some cases, integer coercion errors can lead to exploitable buffer overflow conditions, resulting in the execution of arbitrary code.
Integrity, OtherOther
Integer coercion errors result in an incorrect value being stored for the variable in question.
Mitigations (3)
RequirementsA language which throws exceptions on ambiguous data casts might be chosen.
Architecture and DesignDesign objects and program flow such that multiple or complex casts are unnecessary
ImplementationEnsure that any data type casting that you must used is entirely understood in order to reduce the plausibility of error in use.
Examples (2)
The following code is intended to read an incoming packet from a socket and extract one or more headers.
DataPacket *packet; int numHeaders; PacketHeader *headers; sock=AcceptSocketConnection(); ReadPacket(packet, sock); numHeaders =packet->headers; if (numHeaders > 100) { ExitError("too many headers!"); } headers = malloc(numHeaders * sizeof(PacketHeader); ParsePacketHeaders(packet, headers);
Bad · C
The following code reads a maximum size and performs validation on that size. It then performs a strncpy, assuming it will not exceed the boundaries of the array. While the use of "short s" is forced in this particular example, short int's are frequently used within real-world code, such as code that processes structured data.
int GetUntrustedInt () { return(0x0000FFFF); } void main (int argc, char **argv) { char path[256]; char *input; int i; short s; unsigned int sz; i = GetUntrustedInt(); s = i; /* s is -1 so it passes the safety check - CWE-697 */ if (s > 256) { DiePainfully("go away!\n"); } /* s is sign-extended and saved in sz */ sz = s; /* output: i=65535, s=-1, sz=4294967295 - your mileage may vary */ printf("i=%d, s=%d, sz=%u\n", i, s, sz); input = GetUserInput("Enter pathname:"); /* strncpy interprets s as unsigned int, so it's treated as MAX_INT (CWE-195), enabling buffer overflow (CWE-119) */ strncpy(pat
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-8276 bettercap MySQL Server mysql_server.go integer coercion — bettercap 3.7 Low2026-05-11
CVE-2026-8275 bettercap zerogod IPP Service zerogod_ipp_primitives.go ippReadChunkedBody integer coercion — bettercap 3.7 Low2026-05-11
CVE-2022-2639 Linux kernel 数字错误漏洞 — kernel 7.8 -2022-09-01
CVE-2014-125012 FFmpeg dxtroy.c integer coercion — FFmpeg 5.3 Medium2022-06-18
CVE-2014-125011 FFmpeg ansi.c decode_frame integer coercion — FFmpeg 5.3 Medium2022-06-18
CVE-2021-32996 FANUC Robotics Virtual Robot Controller 缓冲区错误漏洞 — R-30iA, R-30iA Mate 7.5 -2022-01-07

Vulnerabilities classified as CWE-192 (整数强制转换错误) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.