{"id":"CVE-2018-18928","details":"International Components for Unicode (ICU) for C/C++ 63.1 has an integer overflow in number::impl::DecimalQuantity::toScientificString() in i18n/number_decimalquantity.cpp.","modified":"2026-04-16T04:43:43.440076684Z","published":"2018-11-04T20:29:00.247Z","references":[{"type":"ADVISORY","url":"https://bugs.chromium.org/p/chromium/issues/detail?id=900059"},{"type":"ADVISORY","url":"https://unicode-org.atlassian.net/browse/ICU-20246"},{"type":"FIX","url":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/unicode-org/icu","events":[{"introduced":"0"},{"last_affected":"46895456ad1b6660d17eaeba2c101600ad8d8eb8"},{"fixed":"53d8c8f3d181d87a6aa925b449b51c4a2c922a51"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"63.1"}]}}],"versions":["cldr-32-beta2","last-cvs-commit","last-svn-commit","latest","milestone-59-0-1","milestone-60-0-1","release-59-rc","release-60-rc","release-61-rc","release-62-rc","release-63-1","release-63-rc"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18928.json","vanir_signatures_modified":"2026-04-11T11:39:43Z","vanir_signatures":[{"target":{"file":"icu4c/source/i18n/fmtable.cpp"},"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","digest":{"threshold":0.9,"line_hashes":["235380922417724273752120984794739763498","240948955305313391274631482281993570583","298551886312612177768163145201981513716","29037743298277454571552545575659148634"]},"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2018-18928-05a1e0c1"},{"signature_type":"Function","signature_version":"v1","digest":{"length":405,"function_hash":"209040715241252438079843634589717793125"},"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_DualStorageBCD.java","function":"bcdToBigDecimal"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-1021e7cd"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","signature_version":"v1","signature_type":"Line","target":{"file":"icu4c/source/i18n/number_decimalquantity.cpp"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["209401259799217645772514829297229999829","42127486368864085335537098372172567088","169538807423298615807566842104017609162","155812189009242648149116484760886469871"]},"id":"CVE-2018-18928-13db443a"},{"signature_type":"Function","signature_version":"v1","digest":{"length":749,"function_hash":"321900820634206432231705415193601742855"},"target":{"file":"icu4c/source/test/intltest/numfmtst.cpp","function":"NumberFormatTest::Test20037_ScientificIntegerOverflow"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-1662d53f"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["277656801268948993926366603651571764962","327121349401331928183510165421893547511","106866773774383492022973682563486209598","313344001116259217978603234508917087433"]},"signature_type":"Line","deprecated":false,"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_DualStorageBCD.java"},"id":"CVE-2018-18928-4f6160a1"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["279197795648750236016082165046801673573","285393831193474953761955264723675553714","260819794824143240743826795602987523105","264767276355902451311774195196810373887"]},"signature_type":"Line","deprecated":false,"target":{"file":"icu4c/source/test/intltest/numfmtst.cpp"},"id":"CVE-2018-18928-50899722"},{"signature_type":"Line","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["318954539559952159987724506500038643171","104227988973702857340918821106403042817","143451758896789048344166533739090187490","42679916047396215103377881040777016006"]},"target":{"file":"icu4j/main/tests/core/src/com/ibm/icu/dev/test/format/NumberFormatTest.java"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-8e62b19d"},{"signature_type":"Function","signature_version":"v1","digest":{"length":902,"function_hash":"284733635857698465385038062712162369124"},"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_AbstractBCD.java","function":"toScientificString"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-ad7a84f3"},{"signature_type":"Function","signature_version":"v1","digest":{"length":897,"function_hash":"283490022854476084683159277088419071224"},"target":{"file":"icu4c/source/i18n/number_decimalquantity.cpp","function":"DecimalQuantity::toScientificString"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-bf55c408"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","signature_version":"v1","signature_type":"Function","digest":{"length":481,"function_hash":"323189177863867637945822748829724125990"},"deprecated":false,"target":{"file":"icu4j/main/tests/core/src/com/ibm/icu/dev/test/format/NumberFormatTest.java","function":"Test20037_ScientificIntegerOverflow"},"id":"CVE-2018-18928-c85d7358"},{"signature_type":"Function","signature_version":"v1","digest":{"length":814,"function_hash":"293214317832657242931498963234831168367"},"target":{"file":"icu4c/source/i18n/fmtable.cpp","function":"Formattable::internalGetCharString"},"deprecated":false,"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","id":"CVE-2018-18928-e29d4be0"},{"source":"https://github.com/unicode-org/icu/commit/53d8c8f3d181d87a6aa925b449b51c4a2c922a51","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["67709256282999126152612069180773756468","3682782463407928000009361767446119233","67168528261376778857037572812495019342","145295344314604399018304338039896393831"]},"signature_type":"Line","deprecated":false,"target":{"file":"icu4j/main/classes/core/src/com/ibm/icu/impl/number/DecimalQuantity_AbstractBCD.java"},"id":"CVE-2018-18928-f37f6e00"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}