diff --git a/container/seccomp/std_test.go b/container/seccomp/std_test.go
index 026fef8b..93b5613c 100644
--- a/container/seccomp/std_test.go
+++ b/container/seccomp/std_test.go
@@ -26,7 +26,9 @@ func TestSyscallResolveName(t *testing.T) {
 
 func TestRuleType(t *testing.T) {
 	assertKind[ext.Uint, scmpUint](t)
+	assertOverflow(t, ext.Uint(ext.MaxUint))
 	assertKind[ext.Int, scmpInt](t)
+	assertOverflow(t, ext.Int(ext.MaxInt))
 
 	assertSize[std.NativeRule, syscallRule](t)
 	assertKind[std.ScmpDatum, scmpDatum](t)
@@ -62,3 +64,14 @@ func assertKind[native, equivalent any](t *testing.T) {
 		t.Fatalf("%s: %s, want %s", nativeType.Name(), nativeType.Kind(), equivalentType.Kind())
 	}
 }
+
+// assertOverflow asserts that incrementing m overflows.
+func assertOverflow[T ~int32 | ~uint32](t *testing.T, m T) {
+	t.Helper()
+
+	old := m
+	m++
+	if m > old {
+		t.Fatalf("unexpected value %#x", m)
+	}
+}
diff --git a/ext/ext.go b/ext/ext.go
index 12fd2550..2667f8e4 100644
--- a/ext/ext.go
+++ b/ext/ext.go
@@ -4,6 +4,7 @@ package ext
 import (
 	"encoding/json"
 	"iter"
+	"math"
 	"strconv"
 )
 
@@ -15,6 +16,12 @@ type (
 	Int = int32
 )
 
+// Integer limit values.
+const (
+	MaxUint = math.MaxUint32
+	MaxInt  = math.MaxInt32
+)
+
 // SyscallNum represents an architecture-specific, Linux syscall number.
 type SyscallNum Int