{"id":"CVE-2018-18928","details":"International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.","modified":"2026-04-16T00:10:49.898774480Z","published":"2018-11-04T20:29:00.247Z","references":[{"type":"ADVISORY","url":"https://bugs.chromium.org/p/chromium/issues/detail?id=900059"},{"type":"ADVISORY","url":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51"},{"type":"ADVISORY","url":"https://unicode-org.atlassian.net/browse/ICU-20246"},{"type":"FIX","url":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/unicode-org/icu","events":[{"introduced":"0"},{"fixed":"53d8c8f3d181d87a6aa925b449b51c4a2c922a51"}]}],"versions":["cldr-32-beta2","last-cvs-commit","last-svn-commit","milestone-59-0-1","milestone-60-0-1","release-59-rc","release-60-rc","release-61-rc","release-62-rc","release-63-rc"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-18928.json","vanir_signatures":[{"id":"CVE-2018-18928-05a1e0c1","digest":{"threshold":0.9,"line_hashes":["235380922417724273752120984794739763498","240948955305313391274631482281993570583","298551886312612177768163145201981513716","29037743298277454571552545575659148634"]},"target":{"file":"icu4c/source/i18n/fmtable.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","deprecated":false,"signature_version":"v1","signature_type":"Line"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-1021e7cd","digest":{"function_hash":"209040715241252438079843634589717793125","length":405},"target":{"function":"bcdToBigDecimal","file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_DualStorageBCD.java"},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"digest":{"threshold":0.9,"line_hashes":["209401259799217645772514829297229999829","42127486368864085335537098372172567088","169538807423298615807566842104017609162","155812189009242648149116484760886469871"]},"deprecated":false,"target":{"file":"icu4c/source/i18n/number_decimalquantity.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-13db443a","signature_version":"v1","signature_type":"Line"},{"target":{"function":"NumberFormatTest::Test20037_ScientificIntegerOverflow","file":"icu4c/source/test/intltest/numfmtst.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-1662d53f","digest":{"function_hash":"321900820634206432231705415193601742855","length":749},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_DualStorageBCD.java"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","digest":{"threshold":0.9,"line_hashes":["277656801268948993926366603651571764962","327121349401331928183510165421893547511","106866773774383492022973682563486209598","313344001116259217978603234508917087433"]},"id":"CVE-2018-18928-4f6160a1","signature_version":"v1","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["279197795648750236016082165046801673573","285393831193474953761955264723675553714","260819794824143240743826795602987523105","264767276355902451311774195196810373887"]},"deprecated":false,"target":{"file":"icu4c/source/test/intltest/numfmtst.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-50899722","signature_version":"v1","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["318954539559952159987724506500038643171","104227988973702857340918821106403042817","143451758896789048344166533739090187490","42679916047396215103377881040777016006"]},"deprecated":false,"target":{"file":"icu4j/main/tests/core/src/com/ibm/icu/dev/test/format/NumberFormatTest.java"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-8e62b19d","signature_version":"v1","signature_type":"Line"},{"id":"CVE-2018-18928-ad7a84f3","digest":{"function_hash":"284733635857698465385038062712162369124","length":902},"target":{"function":"toScientificString","file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_AbstractBCD.java"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","deprecated":false,"signature_version":"v1","signature_type":"Function"},{"target":{"function":"DecimalQuantity::toScientificString","file":"icu4c/source/i18n/number_decimalquantity.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-bf55c408","digest":{"function_hash":"283490022854476084683159277088419071224","length":897},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"target":{"function":"Test20037_ScientificIntegerOverflow","file":"icu4j/main/tests/core/src/com/ibm/icu/dev/test/format/NumberFormatTest.java"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-c85d7358","digest":{"function_hash":"323189177863867637945822748829724125990","length":481},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-e29d4be0","digest":{"function_hash":"293214317832657242931498963234831168367","length":814},"target":{"function":"Formattable::internalGetCharString","file":"icu4c/source/i18n/fmtable.cpp"},"deprecated":false,"signature_version":"v1","signature_type":"Function"},{"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_AbstractBCD.java"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-f37f6e00","digest":{"threshold":0.9,"line_hashes":["67709256282999126152612069180773756468","3682782463407928000009361767446119233","67168528261376778857037572812495019342","145295344314604399018304338039896393831"]},"deprecated":false,"signature_version":"v1","signature_type":"Line"}]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}