cwe-191-integer-underflow
CWE-191 Integer Underflow
Description
Integer Underflow
Reference: https://cwe.mitre.org/data/definitions/191.html
OWASP Category: A03:2021 – Injection
Vulnerable Pattern
❌ Example 1: Vulnerable Pattern
// VULNERABLE: Possible underflow
int balance = user.getBalance();
int withdrawal = request.getAmount();
user.setBalance(balance - withdrawal); // Could underflow
Why it's vulnerable: This pattern is vulnerable to Integer Underflow
Deterministic Fix
✅ Secure Implementation: Secure Implementation
// SECURE: Check for underflow
int balance = user.getBalance();
int withdrawal = request.getAmount();
if (withdrawal > balance) {
throw new IllegalArgumentException("Insufficient funds");
}
// Or use Math.subtractExact for automatic overflow detection
user.setBalance(Math.subtractExact(balance, withdrawal));
Why it's secure: Implements proper protection against Integer Underflow
Detection Pattern
Look for these patterns in your codebase:
# Find subtraction operations
grep -rn "balance.*-\\|index.*-" --include="*.java"
Remediation Steps
-
Validate input values before arithmetic
-
Use Math.subtractExact() for automatic overflow/underflow detection
-
Check bounds before array index calculations
Key Imports
import java.lang.Math;
Verification
After remediation:
-
Run SAST scanner to confirm vulnerability is resolved
-
Review all instances of the vulnerable pattern
-
Add unit tests that verify the secure implementation
-
Check for similar patterns in related code
Trigger Examples
Fix CWE-191 vulnerability
Resolve Integer Underflow issue
Secure this Java code against integer underflow
SAST reports CWE-191
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07