Integer Underflow

An integer underflow (or numeric underflow in general) happens when an arithmetic operation results in a numeric value that is outside of the range for the represented datatype (integer, long, double, etc). The arithmetic output wraps around to a wrong value. This causes a non-deterministic program behaviour such as program crash, validation bypass or denial of service.

Remediation

Use the arithmetic properties to check for overflow condition. For example, given positive `x` and `y`, `x + y` is always equal or bigger than `x` or `y`. When overflow happens, the result of addition does not follow this math property.
Use a dynamic data type (e.g. `BigInteger`) for boundary check before assigning the value to the fixed data type (e.g. `Integer`).
Refer to https://learn.secdim.com/course/reboot-boeing-787[SecDim's Numeric Overflow] short course for more information.

Metadata

Severity: low
Slug: integer-underflow

CWEs

128: Wrap-around Error
191: Integer Underflow (Wrap or Wraparound)

OWASP

SC08:2025: Integer Overflow and Underflow

Available Labs

Open Php labs in SecDim Play for this vulnerability.

trivial

Integer Overflow.php

PHP Trivial Laravel

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.