🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Integer Underflow

An integer underflow (or numeric underflow in general) happens when an arithmetic operation results in a numeric value that is outside of the range for the represented datatype (integer, long, double, etc). The arithmetic output wraps around to a wrong value. This causes a non-deterministic program behaviour such as program crash, validation bypass or denial of service.

Remediation

  • Use the arithmetic properties to check for overflow condition. For example, given positive x and y, x + y is always equal or bigger than x or y. When overflow happens, the result of addition does not follow this math property.
  • Use a dynamic data type (e.g. BigInteger) for boundary check before assigning the value to the fixed data type (e.g. Integer).
  • Refer to SecDim's Numeric Overflow short course for more information.

Metadata

  • Severity: low
  • Slug: integer-underflow

CWEs

  • 128: Wrap-around Error
  • 191: Integer Underflow (Wrap or Wraparound)

OWASP

  • SC08:2025: Integer Overflow and Underflow

Available Labs

Open Java labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.