An integer (or numeric) overflow occurs when an arithmetic operation produces a value outside the representable range of the target data type (e.g., `int`, `long`, `double`). The result wraps around to an incorrect value, leading to unexpected program behaviour such as crashes, validation bypasses, memory corruption, or denial of service. In some cases, attackers can leverage overflows to trigger buffer overflows or bypass security checks, escalating the severity to arbitrary code execution.
Remediation
Implement explicit boundary checks before performing arithmetic operations. For example, for positive `x` and `y`, `x + y` must be greater than or equal to both `x` and `y`; if not, an overflow has occurred.
Use wider or arbitrary-precision data types (e.g., `BigInteger`) for intermediate calculations, and only assign results back to fixed-width types after range validation.
Enable compiler or runtime checks and sanitisation options that detect integer overflows (e.g., `-ftrapv` in GCC, sanitizers in Clang/LLVM, or runtime guards in managed languages).
Perform thorough input validation, particularly on values used in size calculations, offsets, or loop counters.
Refer to https://learn.secdim.com/course/reboot-boeing-787[SecDim's Numeric Overflow] short course for more information.
Metadata
Severity: medium
Slug: integer-overflow
CWEs
190: Integer Overflow or Wraparound
128: Wrap-around Error
680: Integer Overflow to Buffer Overflow
682: Incorrect Calculation
839: Numeric Range Comparison Without Minimum Check
OWASP
SC08:2025: Integer Overflow and Underflow
Available Labs
Select a language to explore available labs for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
