CWE-195 Variant Draft

Signed to Unsigned Conversion Error

This vulnerability occurs when a signed integer (which can hold negative values) is converted to an unsigned integer (which holds only non-negative values). If the original signed value is negative,…

Definition

What is CWE-195?

This vulnerability occurs when a signed integer (which can hold negative values) is converted to an unsigned integer (which holds only non-negative values). If the original signed value is negative, the conversion produces a large, unexpected positive number instead of an error, breaking the program's logic.
Implicit conversions between signed and unsigned numbers are a common source of bugs because they happen silently during assignments or function calls. Developers often assume the value remains semantically the same, but a negative signed number becomes a very large unsigned number. This violates program assumptions and can lead to incorrect calculations, infinite loops, or flawed condition checks. A critical risk emerges when these converted values control memory operations. Many functions return negative numbers to signal errors (like -1). If such a return value is passed directly as a 'size' argument to functions like memcpy() or malloc(), the implicit conversion turns the failure indicator into a massive allocation or copy length. This typically causes a buffer overflow, crashing the program or creating a serious security exploit.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-195

  • CVE-2025-27363

    Font rendering library does not properly handle assigning a signed short value to an unsigned long (CWE-195), leading to an integer wraparound (CWE-190), causing too small of a buffer (CWE-131), leading to an out-of-bounds write (CWE-787).

  • CVE-2007-4268

    Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

  2. 2

    If the error condition in the code above is met, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

  3. 3

    In this example, depending on the return value of accecssmainframe(), the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned value, amount will be implicitly cast to an unsigned number.

  4. 4

    If the return value of accessmainframe() is -1, then the return value of readdata() will be 4,294,967,295 on a system that uses 32-bit integers.

  5. 5

    The following code is intended to read an incoming packet from a socket and extract one or more headers.

Verwundbares Codebeispiel

Vulnerable C

In this example the variable amount can hold a negative value when it is returned. Because the function is declared to return an unsigned int, amount will be implicitly converted to unsigned.

Verwundbar C 
unsigned int readdata () {
  	int amount = 0;
  	...
  	if (result == ERROR)
  	amount = -1;
  	...
  	return amount;
  }
Sicheres Codebeispiel

Secure pseudo

Sicher pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-195

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Erkennungssignale

How to detect CWE-195

Automated Static Analysis High

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

Plexicus Auto-Fix

Plexicus erkennt CWE-195 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-195?

This vulnerability occurs when a signed integer (which can hold negative values) is converted to an unsigned integer (which holds only non-negative values). If the original signed value is negative, the conversion produces a large, unexpected positive number instead of an error, breaking the program's logic.

Wie gravierend ist CWE-195?

MITRE hat für diese Schwachstelle keine Exploit-Wahrscheinlichkeit veröffentlicht. Behandle sie als mittlere Auswirkung, bis dein Threat Model anderes belegt.

Welche Sprachen oder Plattformen sind von CWE-195 betroffen?

MITRE lists the following affected platforms: C, C++.

Wie kann ich CWE-195 verhindern?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

Wie erkennt und behebt Plexicus CWE-195?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-195 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-195?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/195.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-195

CWE-681 Parent

Incorrect Conversion between Numeric Types

This vulnerability occurs when a program converts a value from one numeric type to another (like a 64-bit integer to a 32-bit integer) and…

CWE-192 Sibling

Integer Coercion Error

An integer coercion error occurs when a program incorrectly converts, extends, or truncates a number between different data types, leading…

CWE-194 Sibling

Unexpected Sign Extension

This vulnerability occurs when a signed number from a smaller data type is moved or cast to a larger type, causing its sign bit to be…

CWE-196 Sibling

Unsigned to Signed Conversion Error

This vulnerability occurs when a program takes an unsigned integer and converts it directly to a signed integer. If the original unsigned…

CWE-197 Sibling

Numeric Truncation Error

A numeric truncation error happens when a program converts a number to a smaller data type, cutting off its higher-order bits and…

CWE-119 Kann vorausgehen

Improper Restriction of Operations within the Bounds of a Memory Buffer

This vulnerability occurs when software accesses a memory buffer but reads from or writes to a location outside its allocated boundary.…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen