Integer Overflow

Integers in most programming languages are stored in a fixed number of bits, which gives them a fixed range of representable values. Integer overflow is what happens when an arithmetic operation produces a result outside that range. Rather than growing, the value wraps around. The CWE database catalogs this as CWE-190, “Integer Overflow or Wraparound,” describing how a value incremented past the largest storable amount becomes “a very small or negative number” (cwe.mitre.org/data/definitions/190.html). The program continues running with a number that is silently and badly wrong.

The danger is rarely the wrong number by itself; it is what the program does next with it. A common pattern is computing the size of a memory allocation by multiplying a count by an element size. If that multiplication overflows, the program may allocate a buffer far smaller than intended and then write the full, larger amount of data into it, producing a buffer overflow. CWE-190 lists real cases of exactly this, including an integer overflow in OpenSSH (CVE-2002-0639) and an image with large width and height that overflowed a size calculation (CVE-2005-1141). This is why the two weakness classes are so often chained together.

In C and C++ the problem is sharpened by language rules. The SEI CERT C coding standard rule INT32-C states plainly that signed integer overflow is undefined behavior, meaning the compiler is entitled to assume it never happens and may optimize accordingly (cmu-sei.github.io/secure-coding-standards). The rule’s compliant solutions check operand values before doing arithmetic, or use the C23 checked-integer functions such as ckd_add() and ckd_mul() that report overflow instead of silently wrapping.
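The allocation-size pattern from the previous paragraph and the operand-checking approach of INT32-C, as an added example that is not code from CWE-190 or the CERT standard. It uses a 32-bit unsigned length field so the wrap is concrete; the function names and the hostile count value are constructed for illustration, and the portable precondition test stands in for ckd_mul() so it compiles without C23 support.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The vulnerable pattern: a plain multiply on a 32-bit unsigned length
 * field. Unsigned arithmetic wraps modulo 2^32, so a large count yields
 * a tiny size. (Signed operands would be undefined behaviour instead.) */
uint32_t size_unchecked(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* INT32-C style precondition test: check the operands before multiplying.
 * count * elem_size fits in 32 bits exactly when count <= UINT32_MAX / elem_size.
 * Returns 0 and stores the product on success, -1 if it would overflow.
 * A C23 compiler could use ckd_mul() from <stdckdint.h> for the same check. */
int size_checked(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocation wrapper that refuses to allocate from an overflowed size.
 * Returns NULL on overflow or on allocation failure. */
void *alloc_array(uint32_t count, uint32_t elem_size)
{
    uint32_t bytes;
    if (size_checked(count, elem_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed hostile input: a count chosen so count * 4 is just over 2^32. */
    uint32_t count = 0x40000001u, elem = 4u;
    uint32_t bad = size_unchecked(count, elem);   /* wraps to 4 */
    printf("unchecked: %u * %u -> %u bytes allocated\n", count, elem, bad);
    /* Writing count elements into that 4-byte buffer is the buffer overflow. */

    uint32_t good;
    if (size_checked(count, elem, &good) != 0)
        printf("checked: refused, %u * %u does not fit in uint32_t\n", count, elem);
    return 0;
}
```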

Integer overflow is also behind some of computing’s most expensive failures. The 1996 explosion of the European Ariane 5 rocket on its maiden flight traced to a conversion of a 64-bit floating-point value into a 16-bit signed integer that could not hold it. The lesson echoed by both CWE-190 and the CERT standard is the same: arithmetic on bounded integers is not the unbounded arithmetic of mathematics, and code that forgets the bounds eventually pays for it.