CWE - Differences between Version 4.1 and Version 4.2

Home > CWE List > Reports > Differences between Version 4.1 and Version 4.2

Differences between Version 4.1 and Version 4.2

Summary | Field Change Summary | Important Changes | Detailed Difference Report

Summary

Total weaknesses/chains/composites (Version 4.2)	891
Total weaknesses/chains/composites (Version 4.1)	875
Total new	22
Total deprecated	0
Total with major changes	259
Total with only minor changes
Total unchanged	1028

Summary of Entry Types

Type	Version 4.1	Version 4.2
Weakness	875	891
Category	312	316
View	39	41
Deprecated	61	61
Total	1287	1309

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field	Major	Minor
Name	19	0
Description	44	0
Applicable_Platforms	10	0
Time_of_Introduction	0	0
Demonstrative_Examples	37	0
Detection_Factors	0	0
Likelihood_of_Exploit	0	0
Common_Consequences	14	0
Relationships	189	0
References	4	0
Potential_Mitigations	30	0
Observed_Examples	5	0
Terminology_Notes	0	0
Alternate_Terms	5	0
Related_Attack_Patterns	70	0
Relationship_Notes	0	0
Taxonomy_Mappings	0	0
Maintenance_Notes	6	0
Modes_of_Introduction	20	0
Research_Gaps	5	0
Background_Details	1	0
Theoretical_Notes	1	0
Weakness_Ordinalities	0	0
Other_Notes	0	0
View_Type	0	0
View_Structure	0	0
View_Filter	0	0
View_Audience	0	0
Type	0	0
Source_Taxonomy	0	0

Form and Abstraction Changes

From	To	Total	CWE IDs
Unchanged		1287

Status Changes

From	To	Total
Unchanged		1287

Relationship Changes

The "Version 4.2 Total" lists the total number of relationships in Version 4.2. The "Shared" value is the total number of relationships in entries that were in both Version 4.2 and Version 4.1. The "New" value is the total number of relationships involving entries that did not exist in Version 4.1. Thus, the total number of relationships in Version 4.2 would combine stats from Shared entries and New entries.

Relationship	Version 4.2 Total	Version 4.1 Total	Version 4.2 Shared	Unchanged	Added to Version 4.2	Removed from Version 4.1	Version 4.2 New
ALL	9241	8767	8875	8747	128	20	366
ChildOf	3857	3656	3708	3648	60	8	149
ParentOf	3857	3656	3708	3648	60	8	149
MemberOf	528	496	499	496	3		29
HasMember	528	496	499	496	3		29
CanPrecede	129	128	129	128	1
CanFollow	129	128	129	128	1
StartsWith	3	3	3	3
Requires	13	13	13	13
RequiredBy	13	13	13	13
CanAlsoBe	28	28	28	28
PeerOf	156	150	146	146		4	10

Nodes Removed from Version 4.1

CWE-ID	CWE Name
None.

Software Nodes Added to Version 4.2

CWE-ID	CWE Name
1293	Missing Source Correlation of Multiple Independent Data
1305	CISQ Quality Measures (2020)
1306	CISQ Quality Measures - Reliability
1307	CISQ Quality Measures - Maintainability
1308	CISQ Quality Measures - Security
1309	CISQ Quality Measures - Efficiency
1350	Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses

Hardware Nodes Added to Version 4.2

CWE-ID	CWE Name
1255	Comparison Logic is Vulnerable to Power Side-Channel Attacks
1290	Incorrect Decoding of Security Identifiers
1291	Public Key Re-Use for Signing both Debug and Production Code
1292	Incorrect Conversion of Security Identifiers
1294	Insecure Security Identifier Mechanism
1295	Debug Messages Revealing Unnecessary Information
1296	Incorrect Chaining or Granularity of Debug Components
1297	Unprotected Confidential Information on Device is Accessible by OSAT Vendors
1298	Hardware Logic Contains Race Conditions
1299	Missing Protection Mechanism for Alternate Hardware Interface
1300	Improper Protection Against Physical Side Channels
1301	Insufficient or Incomplete Data Removal within Hardware Component
1302	Missing Security Identifier
1303	Non-Transparent Sharing of Microarchitectural Resources
1304	Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

Nodes Deprecated in Version 4.2

CWE-ID	CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D	Description
N	Name
R	Relationships

		R	20	Improper Input Validation
		R	22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
		R	23	Relative Path Traversal
		R	36	Absolute Path Traversal
		R	74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
		R	77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
		R	78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
		R	79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
		R	88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
		R	89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
		R	90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
		R	91	XML Injection (aka Blind XPath Injection)
		R	94	Improper Control of Generation of Code ('Code Injection')
		R	99	Improper Control of Resource Identifiers ('Resource Injection')
		R	119	Improper Restriction of Operations within the Bounds of a Memory Buffer
		R	120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
		R	123	Write-what-where Condition
		R	125	Out-of-bounds Read
		R	129	Improper Validation of Array Index
		R	130	Improper Handling of Length Parameter Inconsistency
		R	131	Incorrect Calculation of Buffer Size
		R	134	Use of Externally-Controlled Format String
		R	170	Improper Null Termination
		R	190	Integer Overflow or Wraparound
		R	194	Unexpected Sign Extension
		R	195	Signed to Unsigned Conversion Error
		R	196	Unsigned to Signed Conversion Error
		R	197	Numeric Truncation Error
D		R	200	Exposure of Sensitive Information to an Unauthorized Actor
D	N		201	Insertion of Sensitive Information Into Sent Data
D	N	R	203	Observable Differences in Behavior to Error Inputs
		R	205	Observable Behavioral Discrepancy
D	N	R	226	Sensitive Information in Resource Not Removed Before Reuse
		R	248	Uncaught Exception
		R	252	Unchecked Return Value
		R	259	Use of Hard-coded Password
		R	260	Password in Configuration File
		R	269	Improper Privilege Management
D			276	Incorrect Default Permissions
		R	284	Improper Access Control
		R	285	Improper Authorization
		R	287	Improper Authentication
		R	288	Authentication Bypass Using an Alternate Path or Channel
		R	306	Missing Authentication for Critical Function
		R	320	Key Management Errors
		R	321	Use of Hard-coded Cryptographic Key
D	N		325	Missing Cryptographic Step
		R	345	Insufficient Verification of Data Authenticity
		R	352	Cross-Site Request Forgery (CSRF)
		R	362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
		R	366	Race Condition within a Thread
		R	369	Divide By Zero
		R	390	Detection of Error Condition Without Action
		R	391	Unchecked Error Condition
		R	392	Missing Report of Error Condition
		R	394	Unexpected Status Code or Return Value
		R	400	Uncontrolled Resource Consumption
		R	401	Missing Release of Memory after Effective Lifetime
		R	404	Improper Resource Shutdown or Release
		R	407	Inefficient Algorithmic Complexity
		R	415	Double Free
		R	416	Use After Free
		R	420	Unprotected Alternate Channel
		R	424	Improper Protection of Alternate Path
		R	434	Unrestricted Upload of File with Dangerous Type
D			440	Expected Behavior Violation
D		R	441	Unintended Proxy or Intermediary ('Confused Deputy')
		R	456	Missing Initialization of a Variable
		R	457	Use of Uninitialized Variable
		R	459	Incomplete Cleanup
		R	476	NULL Pointer Dereference
		R	477	Use of Obsolete Function
		R	478	Missing Default Case in Switch Statement
		R	480	Use of Incorrect Operator
		R	484	Omitted Break Statement in Switch
		R	494	Download of Code Without Integrity Check
		R	502	Deserialization of Untrusted Data
		R	522	Insufficiently Protected Credentials
		R	543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
		R	555	J2EE Misconfiguration: Plaintext Password in Configuration File
		R	561	Dead Code
		R	562	Return of Stack Variable Address
		R	564	SQL Injection: Hibernate
		R	567	Unsynchronized Access to Shared Data in a Multithreaded Context
		R	570	Expression is Always False
		R	571	Expression is Always True
		R	595	Comparison of Object References Instead of Object Contents
		R	597	Use of Wrong Operator in String Comparison
		R	606	Unchecked Input for Loop Condition
		R	611	Improper Restriction of XML External Entity Reference
		R	624	Executable Regular Expression Error
		R	643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
		R	652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
		R	662	Improper Synchronization
		R	664	Improper Control of a Resource Through its Lifetime
		R	665	Improper Initialization
		R	667	Improper Locking
		R	672	Operation on a Resource after Expiration or Release
		R	681	Incorrect Conversion between Numeric Types
		R	682	Incorrect Calculation
		R	689	Permission Race Condition During Resource Copy
		R	693	Protection Mechanism Failure
		R	699	Software Development
		R	703	Improper Check or Handling of Exceptional Conditions
		R	704	Incorrect Type Conversion or Cast
		R	732	Incorrect Permission Assignment for Critical Resource
		R	758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
		R	764	Multiple Locks of a Critical Resource
		R	772	Missing Release of Resource after Effective Lifetime
		R	775	Missing Release of File Descriptor or Handle after Effective Lifetime
		R	778	Insufficient Logging
		R	783	Operator Precedence Logic Error
		R	786	Access of Memory Location Before Start of Buffer
		R	787	Out-of-bounds Write
		R	788	Access of Memory Location After End of Buffer
		R	789	Uncontrolled Memory Allocation
		R	798	Use of Hard-coded Credentials
		R	805	Buffer Access with Incorrect Length Value
		R	820	Missing Synchronization
		R	821	Incorrect Synchronization
		R	822	Untrusted Pointer Dereference
		R	823	Use of Out-of-range Pointer Offset
		R	824	Access of Uninitialized Pointer
		R	825	Expired Pointer Dereference
		R	833	Deadlock
		R	835	Loop with Unreachable Exit Condition ('Infinite Loop')
		R	862	Missing Authorization
		R	863	Incorrect Authorization
		R	888	Software Fault Pattern (SFP) Clusters
		R	908	Use of Uninitialized Resource
		R	917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
		R	1041	Use of Redundant Code
		R	1042	Static Member Data Element outside of a Singleton Class Element
		R	1043	Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
		R	1045	Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
		R	1046	Creation of Immutable Text Using String Concatenation
		R	1047	Modules with Circular Dependencies
		R	1048	Invokable Control Element with Large Number of Outward Calls
		R	1049	Excessive Data Query Operations in a Large Data Table
		R	1050	Excessive Platform Resource Consumption within a Loop
		R	1051	Initialization with Hard-Coded Network Resource Configuration Data
		R	1052	Excessive Use of Hard-Coded Literals in Initialization
		R	1054	Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
		R	1055	Multiple Inheritance from Concrete Classes
		R	1057	Data Access Operations Outside of Expected Data Manager Component
		R	1058	Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
		R	1060	Excessive Number of Inefficient Server-Side Data Accesses
		R	1062	Parent Class with References to Child Class
		R	1064	Invokable Control Element with Signature Containing an Excessive Number of Parameters
		R	1066	Missing Serialization Control Element
		R	1067	Excessive Execution of Sequential Searches of Data Resource
		R	1070	Serializable Data Element Containing non-Serializable Item Elements
		R	1072	Data Resource Access without Use of Connection Pooling
		R	1073	Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
		R	1074	Class with Excessively Deep Inheritance
		R	1075	Unconditional Control Flow Transfer outside of Switch Block
		R	1077	Floating Point Comparison with Incorrect Operator
		R	1079	Parent Class without Virtual Destructor Method
		R	1080	Source Code File with Excessive Number of Lines of Code
		R	1082	Class Instance Self Destruction Control Element
		R	1083	Data Access from Outside Expected Data Manager Component
		R	1084	Invokable Control Element with Excessive File or Data Access Operations
		R	1085	Invokable Control Element with Excessive Volume of Commented-out Code
		R	1086	Class with Excessive Number of Child Classes
		R	1087	Class with Virtual Method without a Virtual Destructor
		R	1088	Synchronous Access of Remote Resource without Timeout
		R	1089	Large Data Table with Excessive Number of Indices
		R	1090	Method Containing Access of a Member Element from Another Class
		R	1091	Use of Object without Invoking Destructor Method
		R	1094	Excessive Index Range Scan for a Data Resource
		R	1095	Loop Condition Value Update within the Loop
		R	1096	Singleton Class Instance Creation without Proper Locking or Synchronization
		R	1097	Persistent Storable Data Element without Associated Comparison Control Element
		R	1098	Data Element containing Pointer Item without Proper Copy Control Element
D	N	R	1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
D	N	R	1191	Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
D			1192	System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
		R	1195	Manufacturing and Life Cycle Management Concerns
D			1197	Integration Issues
		R	1198	Privilege Separation and Access Control Issues
		R	1199	General Circuit and Logic Design Concerns
		R	1201	Core and Compute Issues
		R	1206	Power, Clock, and Reset Concerns
		R	1207	Debug and Test Problems
		R	1208	Cross-Cutting Problems
D			1232	Improper Lock Behavior After Power State Transition
D			1234	Hardware Internal or Debug Modes Allow Override of Locks
		R	1236	Improper Neutralization of Formula Elements in a CSV File
		R	1237	SFP Primary Cluster: Faulty Resource Release
		R	1238	SFP Primary Cluster: Failure to Release Memory
D			1240	Use of a Risky Cryptographic Primitive
D			1241	Use of Predictable Algorithm in Random Number Generator
D			1242	Inclusion of Undocumented Features or Chicken Bits
D	N		1243	Sensitive Non-Volatile Information Not Protected During Debug
	N		1244	Improper Access to Sensitive Information Using Debug and Test Interfaces
D			1246	Improper Write Handling in Limited-write Non-Volatile Memories
D	N		1247	Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
D			1251	Mirrored Regions with Different Values
D			1253	Incorrect Selection of Fuse Values
		R	1254	Incorrect Comparison Logic Granularity
D			1256	Hardware Features Enable Physical Attacks from Software
D			1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
D	N	R	1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
D	N	R	1259	Improper Restriction of Security Token Assignment
D			1260	Improper Handling of Overlap Between Protected Memory Ranges
D			1262	Register Interface Allows Software Access to Sensitive Data or Security Settings
D	N	R	1263	Improper Physical Access Control
D			1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels
D			1267	Policy Uses Obsolete Encoding
D	N		1268	Policy Privileges are not Assigned Consistently Between Control and Data Agents
D			1269	Product Released in Non-Release Configuration
D	N	R	1270	Generation of Incorrect Security Tokens
D	N	R	1271	Unitialized Value on Reset for Registers Holding Security Settings
D	N	R	1272	Sensitive Information Uncleared Before Debug/Power State Transition
D			1273	Device Unlock Credential Sharing
D			1274	Insufficient Protections on the Volatile Memory Containing Boot Code
D	N		1276	Hardware Child Block Incorrectly Connected to Parent System
D			1277	Firmware Not Updateable
D			1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
D	N		1279	Cryptographic Operations are run Before Supporting Units are Ready
D			1280	Access Control Check Implemented After Asset is Accessed
D	N		1282	Assumed-Immutable Data is Stored in Writable Memory

Detailed Difference Report

20	Improper Input Validation
	Major	Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
	Major	Relationships
	Minor	None
23	Relative Path Traversal
	Major	Relationships
	Minor	None
36	Absolute Path Traversal
	Major	Relationships
	Minor	None
74	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
	Major	Related_Attack_Patterns, Relationships
	Minor	None
77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
	Major	Relationships
	Minor	None
78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
	Major	Relationships
	Minor	None
79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
	Major	Relationships
	Minor	None
88	Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
	Major	Relationships
	Minor	None
89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
	Major	Relationships
	Minor	None
90	Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
	Major	Relationships
	Minor	None
91	XML Injection (aka Blind XPath Injection)
	Major	Relationships
	Minor	None
94	Improper Control of Generation of Code ('Code Injection')
	Major	Relationships
	Minor	None
99	Improper Control of Resource Identifiers ('Resource Injection')
	Major	Relationships
	Minor	None
119	Improper Restriction of Operations within the Bounds of a Memory Buffer
	Major	Alternate_Terms, Relationships
	Minor	None
120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
	Major	Alternate_Terms, Relationships
	Minor	None
123	Write-what-where Condition
	Major	Relationships
	Minor	None
125	Out-of-bounds Read
	Major	Observed_Examples, Potential_Mitigations, Relationships
	Minor	None
129	Improper Validation of Array Index
	Major	Potential_Mitigations, Relationships
	Minor	None
130	Improper Handling of Length Parameter Inconsistency
	Major	Relationships
	Minor	None
131	Incorrect Calculation of Buffer Size
	Major	Relationships
	Minor	None
134	Use of Externally-Controlled Format String
	Major	Relationships
	Minor	None
170	Improper Null Termination
	Major	Relationships
	Minor	None
190	Integer Overflow or Wraparound
	Major	Relationships
	Minor	None
194	Unexpected Sign Extension
	Major	Relationships
	Minor	None
195	Signed to Unsigned Conversion Error
	Major	Relationships
	Minor	None
196	Unsigned to Signed Conversion Error
	Major	Relationships
	Minor	None
197	Numeric Truncation Error
	Major	Relationships
	Minor	None
200	Exposure of Sensitive Information to an Unauthorized Actor
	Major	Alternate_Terms, Description, Maintenance_Notes, Related_Attack_Patterns, Relationships
	Minor	None
201	Insertion of Sensitive Information Into Sent Data
	Major	Description, Name
	Minor	None
203	Observable Differences in Behavior to Error Inputs
	Major	Alternate_Terms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships, Research_Gaps
	Minor	None
205	Observable Behavioral Discrepancy
	Major	Relationships
	Minor	None
226	Sensitive Information in Resource Not Removed Before Reuse
	Major	Description, Name, Related_Attack_Patterns, Relationships
	Minor	None
248	Uncaught Exception
	Major	Relationships
	Minor	None
252	Unchecked Return Value
	Major	Relationships
	Minor	None
259	Use of Hard-coded Password
	Major	Relationships
	Minor	None
260	Password in Configuration File
	Major	Relationships
	Minor	None
262	Not Using Password Aging
	Major	Related_Attack_Patterns
	Minor	None
263	Password Aging with Long Expiration
	Major	Related_Attack_Patterns
	Minor	None
267	Privilege Defined With Unsafe Actions
	Major	Demonstrative_Examples
	Minor	None
269	Improper Privilege Management
	Major	Relationships
	Minor	None
276	Incorrect Default Permissions
	Major	Description, Modes_of_Introduction, Potential_Mitigations
	Minor	None
284	Improper Access Control
	Major	Relationships
	Minor	None
285	Improper Authorization
	Major	Relationships
	Minor	None
287	Improper Authentication
	Major	Relationships
	Minor	None
288	Authentication Bypass Using an Alternate Path or Channel
	Major	Relationships
	Minor	None
294	Authentication Bypass by Capture-replay
	Major	Related_Attack_Patterns
	Minor	None
295	Improper Certificate Validation
	Major	Related_Attack_Patterns
	Minor	None
306	Missing Authentication for Critical Function
	Major	Relationships
	Minor	None
307	Improper Restriction of Excessive Authentication Attempts
	Major	Related_Attack_Patterns
	Minor	None
308	Use of Single-factor Authentication
	Major	Related_Attack_Patterns
	Minor	None
309	Use of Password System for Primary Authentication
	Major	Related_Attack_Patterns
	Minor	None
320	Key Management Errors
	Major	Relationships
	Minor	None
321	Use of Hard-coded Cryptographic Key
	Major	Relationships
	Minor	None
325	Missing Cryptographic Step
	Major	Common_Consequences, Description, Modes_of_Introduction, Name
	Minor	None
345	Insufficient Verification of Data Authenticity
	Major	Relationships
	Minor	None
347	Improper Verification of Cryptographic Signature
	Major	Related_Attack_Patterns
	Minor	None
352	Cross-Site Request Forgery (CSRF)
	Major	Relationships
	Minor	None
359	Exposure of Private Personal Information to an Unauthorized Actor
	Major	Related_Attack_Patterns
	Minor	None
362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
	Major	Relationships
	Minor	None
366	Race Condition within a Thread
	Major	Relationships
	Minor	None
369	Divide By Zero
	Major	Relationships
	Minor	None
390	Detection of Error Condition Without Action
	Major	Relationships
	Minor	None
391	Unchecked Error Condition
	Major	Relationships
	Minor	None
392	Missing Report of Error Condition
	Major	Relationships
	Minor	None
394	Unexpected Status Code or Return Value
	Major	Relationships
	Minor	None
400	Uncontrolled Resource Consumption
	Major	Relationships
	Minor	None
401	Missing Release of Memory after Effective Lifetime
	Major	Relationships
	Minor	None
404	Improper Resource Shutdown or Release
	Major	Relationships
	Minor	None
407	Inefficient Algorithmic Complexity
	Major	Relationships
	Minor	None
415	Double Free
	Major	Relationships
	Minor	None
416	Use After Free
	Major	Relationships
	Minor	None
420	Unprotected Alternate Channel
	Major	Relationships
	Minor	None
424	Improper Protection of Alternate Path
	Major	Relationships
	Minor	None
434	Unrestricted Upload of File with Dangerous Type
	Major	Relationships
	Minor	None
436	Interpretation Conflict
	Major	Related_Attack_Patterns
	Minor	None
440	Expected Behavior Violation
	Major	Description, Observed_Examples, Theoretical_Notes
	Minor	None
441	Unintended Proxy or Intermediary ('Confused Deputy')
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations, References, Relationships
	Minor	None
456	Missing Initialization of a Variable
	Major	Relationships
	Minor	None
457	Use of Uninitialized Variable
	Major	Relationships
	Minor	None
459	Incomplete Cleanup
	Major	Relationships
	Minor	None
476	NULL Pointer Dereference
	Major	Relationships
	Minor	None
477	Use of Obsolete Function
	Major	Relationships
	Minor	None
478	Missing Default Case in Switch Statement
	Major	Relationships
	Minor	None
480	Use of Incorrect Operator
	Major	Relationships
	Minor	None
484	Omitted Break Statement in Switch
	Major	Relationships
	Minor	None
494	Download of Code Without Integrity Check
	Major	Relationships
	Minor	None
502	Deserialization of Untrusted Data
	Major	Relationships
	Minor	None
521	Weak Password Requirements
	Major	Related_Attack_Patterns
	Minor	None
522	Insufficiently Protected Credentials
	Major	Related_Attack_Patterns, Relationships
	Minor	None
543	Use of Singleton Pattern Without Synchronization in a Multithreaded Context
	Major	Relationships
	Minor	None
552	Files or Directories Accessible to External Parties
	Major	Related_Attack_Patterns
	Minor	None
555	J2EE Misconfiguration: Plaintext Password in Configuration File
	Major	Relationships
	Minor	None
561	Dead Code
	Major	Relationships
	Minor	None
562	Return of Stack Variable Address
	Major	Relationships
	Minor	None
564	SQL Injection: Hibernate
	Major	Relationships
	Minor	None
567	Unsynchronized Access to Shared Data in a Multithreaded Context
	Major	Relationships
	Minor	None
570	Expression is Always False
	Major	Relationships
	Minor	None
571	Expression is Always True
	Major	Relationships
	Minor	None
595	Comparison of Object References Instead of Object Contents
	Major	Relationships
	Minor	None
597	Use of Wrong Operator in String Comparison
	Major	Relationships
	Minor	None
606	Unchecked Input for Loop Condition
	Major	Relationships
	Minor	None
611	Improper Restriction of XML External Entity Reference
	Major	Relationships
	Minor	None
624	Executable Regular Expression Error
	Major	Relationships
	Minor	None
643	Improper Neutralization of Data within XPath Expressions ('XPath Injection')
	Major	Relationships
	Minor	None
652	Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
	Major	Relationships
	Minor	None
654	Reliance on a Single Factor in a Security Decision
	Major	Related_Attack_Patterns
	Minor	None
662	Improper Synchronization
	Major	Relationships
	Minor	None
664	Improper Control of a Resource Through its Lifetime
	Major	Relationships
	Minor	None
665	Improper Initialization
	Major	Relationships
	Minor	None
667	Improper Locking
	Major	Relationships
	Minor	None
672	Operation on a Resource after Expiration or Release
	Major	Relationships
	Minor	None
681	Incorrect Conversion between Numeric Types
	Major	Relationships
	Minor	None
682	Incorrect Calculation
	Major	Relationships
	Minor	None
689	Permission Race Condition During Resource Copy
	Major	Relationships
	Minor	None
693	Protection Mechanism Failure
	Major	Related_Attack_Patterns, Relationships
	Minor	None
697	Incorrect Comparison
	Major	Related_Attack_Patterns
	Minor	None
699	Software Development
	Major	Relationships
	Minor	None
703	Improper Check or Handling of Exceptional Conditions
	Major	Relationships
	Minor	None
704	Incorrect Type Conversion or Cast
	Major	Relationships
	Minor	None
707	Improper Neutralization
	Major	Related_Attack_Patterns
	Minor	None
732	Incorrect Permission Assignment for Critical Resource
	Major	Relationships
	Minor	None
758	Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
	Major	Relationships
	Minor	None
764	Multiple Locks of a Critical Resource
	Major	Relationships
	Minor	None
772	Missing Release of Resource after Effective Lifetime
	Major	Relationships
	Minor	None
775	Missing Release of File Descriptor or Handle after Effective Lifetime
	Major	Relationships
	Minor	None
778	Insufficient Logging
	Major	Relationships
	Minor	None
783	Operator Precedence Logic Error
	Major	Relationships
	Minor	None
786	Access of Memory Location Before Start of Buffer
	Major	Relationships
	Minor	None
787	Out-of-bounds Write
	Major	Alternate_Terms, Demonstrative_Examples, Observed_Examples, Relationships
	Minor	None
788	Access of Memory Location After End of Buffer
	Major	Relationships
	Minor	None
789	Uncontrolled Memory Allocation
	Major	Relationships
	Minor	None
798	Use of Hard-coded Credentials
	Major	Relationships
	Minor	None
805	Buffer Access with Incorrect Length Value
	Major	Relationships
	Minor	None
820	Missing Synchronization
	Major	Relationships
	Minor	None
821	Incorrect Synchronization
	Major	Relationships
	Minor	None
822	Untrusted Pointer Dereference
	Major	Relationships
	Minor	None
823	Use of Out-of-range Pointer Offset
	Major	Relationships
	Minor	None
824	Access of Uninitialized Pointer
	Major	Relationships
	Minor	None
825	Expired Pointer Dereference
	Major	Relationships
	Minor	None
833	Deadlock
	Major	Relationships
	Minor	None
835	Loop with Unreachable Exit Condition ('Infinite Loop')
	Major	Relationships
	Minor	None
836	Use of Password Hash Instead of Password for Authentication
	Major	Related_Attack_Patterns
	Minor	None
862	Missing Authorization
	Major	Relationships
	Minor	None
863	Incorrect Authorization
	Major	Relationships
	Minor	None
888	Software Fault Pattern (SFP) Clusters
	Major	Relationships
	Minor	None
908	Use of Uninitialized Resource
	Major	Relationships
	Minor	None
917	Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
	Major	Relationships
	Minor	None
1021	Improper Restriction of Rendered UI Layers or Frames
	Major	Related_Attack_Patterns
	Minor	None
1041	Use of Redundant Code
	Major	Relationships
	Minor	None
1042	Static Member Data Element outside of a Singleton Class Element
	Major	Relationships
	Minor	None
1043	Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
	Major	Relationships
	Minor	None
1045	Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
	Major	Relationships
	Minor	None
1046	Creation of Immutable Text Using String Concatenation
	Major	Relationships
	Minor	None
1047	Modules with Circular Dependencies
	Major	Relationships
	Minor	None
1048	Invokable Control Element with Large Number of Outward Calls
	Major	Relationships
	Minor	None
1049	Excessive Data Query Operations in a Large Data Table
	Major	Relationships
	Minor	None
1050	Excessive Platform Resource Consumption within a Loop
	Major	Relationships
	Minor	None
1051	Initialization with Hard-Coded Network Resource Configuration Data
	Major	Relationships
	Minor	None
1052	Excessive Use of Hard-Coded Literals in Initialization
	Major	Relationships
	Minor	None
1054	Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
	Major	Relationships
	Minor	None
1055	Multiple Inheritance from Concrete Classes
	Major	Relationships
	Minor	None
1057	Data Access Operations Outside of Expected Data Manager Component
	Major	Relationships
	Minor	None
1058	Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
	Major	Relationships
	Minor	None
1060	Excessive Number of Inefficient Server-Side Data Accesses
	Major	Relationships
	Minor	None
1062	Parent Class with References to Child Class
	Major	Relationships
	Minor	None
1064	Invokable Control Element with Signature Containing an Excessive Number of Parameters
	Major	Relationships
	Minor	None
1066	Missing Serialization Control Element
	Major	Relationships
	Minor	None
1067	Excessive Execution of Sequential Searches of Data Resource
	Major	Relationships
	Minor	None
1070	Serializable Data Element Containing non-Serializable Item Elements
	Major	Relationships
	Minor	None
1072	Data Resource Access without Use of Connection Pooling
	Major	Relationships
	Minor	None
1073	Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
	Major	Relationships
	Minor	None
1074	Class with Excessively Deep Inheritance
	Major	Relationships
	Minor	None
1075	Unconditional Control Flow Transfer outside of Switch Block
	Major	Relationships
	Minor	None
1077	Floating Point Comparison with Incorrect Operator
	Major	Relationships
	Minor	None
1079	Parent Class without Virtual Destructor Method
	Major	Relationships
	Minor	None
1080	Source Code File with Excessive Number of Lines of Code
	Major	Relationships
	Minor	None
1082	Class Instance Self Destruction Control Element
	Major	Relationships
	Minor	None
1083	Data Access from Outside Expected Data Manager Component
	Major	Relationships
	Minor	None
1084	Invokable Control Element with Excessive File or Data Access Operations
	Major	Relationships
	Minor	None
1085	Invokable Control Element with Excessive Volume of Commented-out Code
	Major	Relationships
	Minor	None
1086	Class with Excessive Number of Child Classes
	Major	Relationships
	Minor	None
1087	Class with Virtual Method without a Virtual Destructor
	Major	Relationships
	Minor	None
1088	Synchronous Access of Remote Resource without Timeout
	Major	Relationships
	Minor	None
1089	Large Data Table with Excessive Number of Indices
	Major	Relationships
	Minor	None
1090	Method Containing Access of a Member Element from Another Class
	Major	Relationships
	Minor	None
1091	Use of Object without Invoking Destructor Method
	Major	Relationships
	Minor	None
1094	Excessive Index Range Scan for a Data Resource
	Major	Relationships
	Minor	None
1095	Loop Condition Value Update within the Loop
	Major	Relationships
	Minor	None
1096	Singleton Class Instance Creation without Proper Locking or Synchronization
	Major	Relationships
	Minor	None
1097	Persistent Storable Data Element without Associated Comparison Control Element
	Major	Relationships
	Minor	None
1098	Data Element containing Pointer Item without Proper Copy Control Element
	Major	Relationships
	Minor	None
1189	Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
	Major	Common_Consequences, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1190	DMA Device Enabled Too Early in Boot Phase
	Major	Related_Attack_Patterns
	Minor	None
1191	Exposed Chip Debug and Test Interface With Insufficient or Missing Authorization
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1192	System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
	Major	Description
	Minor	None
1193	Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
	Major	References, Related_Attack_Patterns
	Minor	None
1195	Manufacturing and Life Cycle Management Concerns
	Major	Relationships
	Minor	None
1197	Integration Issues
	Major	Description
	Minor	None
1198	Privilege Separation and Access Control Issues
	Major	Relationships
	Minor	None
1199	General Circuit and Logic Design Concerns
	Major	Relationships
	Minor	None
1201	Core and Compute Issues
	Major	Relationships
	Minor	None
1206	Power, Clock, and Reset Concerns
	Major	Relationships
	Minor	None
1207	Debug and Test Problems
	Major	Relationships
	Minor	None
1208	Cross-Cutting Problems
	Major	Relationships
	Minor	None
1209	Failure to Disable Reserved Bits
	Major	Related_Attack_Patterns
	Minor	None
1220	Insufficient Granularity of Access Control
	Major	Related_Attack_Patterns
	Minor	None
1222	Insufficient Granularity of Address Regions Protected by Register Locks
	Major	Related_Attack_Patterns
	Minor	None
1223	Race Condition for Write-Once Attributes
	Major	Related_Attack_Patterns
	Minor	None
1224	Improper Restriction of Write-Once Bit Fields
	Major	Related_Attack_Patterns
	Minor	None
1231	Improper Implementation of Lock Protection Registers
	Major	Related_Attack_Patterns
	Minor	None
1232	Improper Lock Behavior After Power State Transition
	Major	Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1233	Improper Hardware Lock Protection for Security Sensitive Controls
	Major	Related_Attack_Patterns
	Minor	None
1234	Hardware Internal or Debug Modes Allow Override of Locks
	Major	Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1236	Improper Neutralization of Formula Elements in a CSV File
	Major	Relationships
	Minor	None
1237	SFP Primary Cluster: Faulty Resource Release
	Major	Relationships
	Minor	None
1238	SFP Primary Cluster: Failure to Release Memory
	Major	Relationships
	Minor	None
1239	Improper Zeroization of Hardware Register
	Major	Related_Attack_Patterns
	Minor	None
1240	Use of a Risky Cryptographic Primitive
	Major	Background_Details, Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps
	Minor	None
1241	Use of Predictable Algorithm in Random Number Generator
	Major	Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns, Research_Gaps
	Minor	None
1242	Inclusion of Undocumented Features or Chicken Bits
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1243	Sensitive Non-Volatile Information Not Protected During Debug
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1244	Improper Access to Sensitive Information Using Debug and Test Interfaces
	Major	Demonstrative_Examples, Name, Observed_Examples, Related_Attack_Patterns
	Minor	None
1245	Improper Finite State Machines (FSMs) in Hardware Logic
	Major	Related_Attack_Patterns
	Minor	None
1246	Improper Write Handling in Limited-write Non-Volatile Memories
	Major	Demonstrative_Examples, Description, Potential_Mitigations, Research_Gaps
	Minor	None
1247	Missing or Improperly Implemented Protection Against Voltage and Clock Glitches
	Major	Demonstrative_Examples, Description, Name, Observed_Examples, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1248	Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
	Major	Modes_of_Introduction, Related_Attack_Patterns
	Minor	None
1251	Mirrored Regions with Different Values
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Research_Gaps
	Minor	None
1252	CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
	Major	Related_Attack_Patterns
	Minor	None
1253	Incorrect Selection of Fuse Values
	Major	Applicable_Platforms, Demonstrative_Examples, Description
	Minor	None
1254	Incorrect Comparison Logic Granularity
	Major	Relationships
	Minor	None
1256	Hardware Features Enable Physical Attacks from Software
	Major	Demonstrative_Examples, Description, Maintenance_Notes, Related_Attack_Patterns
	Minor	None
1257	Improper Access Control Applied to Mirrored or Aliased Memory Regions
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1258	Exposure of Sensitive System Information Due to Uncleared Debug Information
	Major	Demonstrative_Examples, Description, Name, Related_Attack_Patterns, Relationships
	Minor	None
1259	Improper Restriction of Security Token Assignment
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1260	Improper Handling of Overlap Between Protected Memory Ranges
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Related_Attack_Patterns
	Minor	None
1262	Register Interface Allows Software Access to Sensitive Data or Security Settings
	Major	Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1263	Improper Physical Access Control
	Major	Common_Consequences, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels
	Major	Description, Related_Attack_Patterns
	Minor	None
1265	Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device
	Major	Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1267	Policy Uses Obsolete Encoding
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations
	Minor	None
1268	Policy Privileges are not Assigned Consistently Between Control and Data Agents
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1269	Product Released in Non-Release Configuration
	Major	Description, Related_Attack_Patterns
	Minor	None
1270	Generation of Incorrect Security Tokens
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Relationships
	Minor	None
1271	Unitialized Value on Reset for Registers Holding Security Settings
	Major	Common_Consequences, Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1272	Sensitive Information Uncleared Before Debug/Power State Transition
	Major	Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, Potential_Mitigations, Related_Attack_Patterns, Relationships
	Minor	None
1273	Device Unlock Credential Sharing
	Major	Demonstrative_Examples, Description, Related_Attack_Patterns
	Minor	None
1274	Insufficient Protections on the Volatile Memory Containing Boot Code
	Major	Demonstrative_Examples, Description, Related_Attack_Patterns
	Minor	None
1275	Sensitive Cookie with Improper SameSite Attribute
	Major	Demonstrative_Examples, Related_Attack_Patterns
	Minor	None
1276	Hardware Child Block Incorrectly Connected to Parent System
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Name, Potential_Mitigations
	Minor	None
1277	Firmware Not Updateable
	Major	Common_Consequences, Demonstrative_Examples, Description, Potential_Mitigations
	Minor	None
1278	Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Potential_Mitigations, References, Related_Attack_Patterns
	Minor	None
1279	Cryptographic Operations are run Before Supporting Units are Ready
	Major	Common_Consequences, Demonstrative_Examples, Description, Maintenance_Notes, Modes_of_Introduction, Name, Potential_Mitigations, Related_Attack_Patterns
	Minor	None
1280	Access Control Check Implemented After Asset is Accessed
	Major	Applicable_Platforms, Demonstrative_Examples, Description, Related_Attack_Patterns
	Minor	None
1281	Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
	Major	Related_Attack_Patterns
	Minor	None
1282	Assumed-Immutable Data is Stored in Writable Memory
	Major	Demonstrative_Examples, Description, Modes_of_Introduction, Name
	Minor	None
1283	Mutable Attestation or Measurement Reporting Data
	Major	References, Related_Attack_Patterns
	Minor	None
1286	Improper Validation of Syntactic Correctness of Input
	Major	Related_Attack_Patterns
	Minor	None

Page Last Updated: August 20, 2020


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

Common Weakness Enumeration