

Integer Underflow

An integer underflow (or numeric underflow in general) happens when an arithmetic operation results in a numeric value that is outside the range of the data type used to represent it (integer, long, double, etc.). The arithmetic output wraps around to a wrong value. This causes non-deterministic program behaviour such as a program crash, validation bypass or denial of service.

Remediation

  • Use arithmetic properties to check for an overflow condition. For example, given positive x and y, x + y is always equal to or bigger than x or y. When overflow happens, the result of the addition does not follow this math property.
  • Use a dynamic data type (e.g. BigInteger) for boundary check before assigning the value to the fixed data type (e.g. Integer).
  • Refer to SecDim's Numeric Overflow short course for more information.
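
The two checks from the list above, applied to subtraction (where underflow typically occurs), as an added C# example that is not SecDim's own code. The class name, method names and sample values are constructed for illustration.

```csharp
using System;
using System.Numerics;

// Added illustration; all names here are hypothetical.
public static class UnderflowDemo
{
    // Vulnerable form: in an unchecked context, int subtraction wraps silently.
    public static int SubtractUnchecked(int x, int y) => unchecked(x - y);

    // Remediation 1: arithmetic property. For y >= 0, x - y can never exceed x;
    // for y < 0, x - y can never be smaller than x. A wrapped result breaks this.
    public static bool TrySubtractByProperty(int x, int y, out int result)
    {
        result = unchecked(x - y);
        bool wrapped = (y >= 0) ? result > x : result < x;
        if (wrapped) result = 0; // never hand a wrapped value back to the caller
        return !wrapped;
    }

    // Remediation 2: compute in a dynamic type (BigInteger), check the
    // boundaries, and only then narrow to the fixed-size int.
    public static bool TrySubtractByBigInteger(int x, int y, out int result)
    {
        BigInteger wide = new BigInteger(x) - y;
        bool inRange = wide >= int.MinValue && wide <= int.MaxValue;
        result = inRange ? (int)wide : 0;
        return inRange;
    }

    public static void Main()
    {
        // Constructed sample: a value near the lower bound minus a positive amount.
        int x = int.MinValue + 5;
        int y = 10;

        // The wrapped result is a large positive number, so a later
        // "result >= 0" style validation would pass incorrectly.
        Console.WriteLine($"unchecked:  {SubtractUnchecked(x, y)}");

        bool okProperty = TrySubtractByProperty(x, y, out _);
        Console.WriteLine($"property:   {(okProperty ? "accepted" : "rejected")}");

        bool okBig = TrySubtractByBigInteger(x, y, out _);
        Console.WriteLine($"BigInteger: {(okBig ? "accepted" : "rejected")}");

        // An in-range subtraction is accepted by both checks.
        bool okNormal = TrySubtractByProperty(100, 30, out int r);
        Console.WriteLine($"100 - 30:   {(okNormal ? r.ToString() : "rejected")}");
    }
}
```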

Metadata

  • Severity: low
  • Slug: integer-underflow

CWEs

  • 128: Wrap-around Error
  • 191: Integer Underflow (Wrap or Wraparound)

OWASP

  • SC08:2025: Integer Overflow and Underflow

Available Labs

Open Csharp labs in SecDim Play for this vulnerability.
