CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE-690: Unchecked Return Value to NULL Pointer Dereference (4.18)
ID
CWE Glossary Definition

CWE-690: Unchecked Return Value to NULL Pointer Dereference

Weakness ID: 690 (Structure: Chain) Chain - a Compound Element that is a sequence of two or more separate weaknesses that can be closely linked together within software. One weakness, X, can directly create the conditions that are necessary to cause another weakness, Y, to enter a vulnerable condition. When this happens, CWE refers to X as "primary" to Y, and Y is "resultant" from X. Chains can involve more than two weaknesses, and in some cases, they might have a tree-like structure.
Vulnerability Mapping: DISCOURAGED This CWE ID should not be used to map to real-world vulnerabilities
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
×

Edit Custom Filter


Description
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
Extended Description
While unchecked return value weaknesses are not limited to returns of NULL pointers (see the examples in CWE-252), functions often return NULL to indicate an error status. When this error condition is not checked, a NULL pointer dereference can occur.
Common Consequences
Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Impact Details

DoS: Crash, Exit, or Restart

Scope: Availability

Execute Unauthorized Code or Commands; Read Memory; Modify Memory

Scope: Integrity, Confidentiality, Availability

In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution.
Chain Components
Nature Type ID Name
StartsWith BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 252 Unchecked Return Value
FollowedBy BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 476 NULL Pointer Dereference
Relationships
Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
Relevant to the view "Research Concepts" (View-1000)
Nature Type ID Name
ChildOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 252 Unchecked Return Value
Modes Of Introduction
Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase Note
Implementation A typical occurrence of this weakness occurs when an application includes user-controlled input to a malloc() call. The related code might be correct with respect to preventing buffer overflows, but if a large value is provided, the malloc() will fail due to insufficient memory. This problem also frequently occurs when a parsing routine expects that certain elements will always be present. If malformed input is provided, the parser might return NULL. For example, strtok() can return NULL.
Applicable Platforms
Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages

C (Undetermined Prevalence)

C++ (Undetermined Prevalence)

Demonstrative Examples

Example 1


The code below makes a call to the getUserName() function but doesn't check the return value before dereferencing (which may cause a NullPointerException).

(bad code)
Example Language: Java
String username = getUserName();
if (username.equals(ADMIN_USER)) {
...
}


Example 2


This example takes an IP address from a user, verifies that it is well formed and then looks up the hostname and copies it into a buffer.

(bad code)
Example Language: C
void host_lookup(char *user_supplied_addr){
struct hostent *hp;
in_addr_t *addr;
char hostname[64];
in_addr_t inet_addr(const char *cp);

/*routine that ensures user_supplied_addr is in the right format for conversion */

validate_addr_form(user_supplied_addr);
addr = inet_addr(user_supplied_addr);
hp = gethostbyaddr( addr, sizeof(struct in_addr), AF_INET);
strcpy(hostname, hp->h_name);
}

If an attacker provides an address that appears to be well-formed, but the address does not resolve to a hostname, then the call to gethostbyaddr() will return NULL. Since the code does not check the return value from gethostbyaddr (CWE-252), a NULL pointer dereference (CWE-476) would then occur in the call to strcpy().

Note that this code is also vulnerable to a buffer overflow (CWE-119).



Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference Description
Large Content-Length value leads to NULL pointer dereference when malloc fails.
Large message length field leads to NULL pointer dereference when malloc fails.
Parsing routine encounters NULL dereference when input is missing a colon separator.
URI parsing API sets argument to NULL when a parsing failure occurs, such as when the Referer header is missing a hostname, leading to NULL dereference.
chain: unchecked return value can lead to NULL dereference
Detection Methods
Method Details

Black Box
This typically occurs in rarely-triggered error conditions, reducing the chances of detection during black box testing.

White Box
Code analysis can require knowledge of API behaviors for library functions that might return NULL, reducing the chances of detection when unknown libraries are used.
Memberships
Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Nature Type ID Name
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 851 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 876 CERT C++ Secure Coding Section 08 - Memory Management (MEM)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1157 SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1181 SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP)
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1399 Comprehensive Categorization: Memory Safety
Vulnerability Mapping Notes
Usage DISCOURAGED
(this CWE ID should not be used to map to real-world vulnerabilities)
Reason Other

Rationale

This CWE entry is a named chain, which combines multiple weaknesses.

Comments

Mapping to each separate weakness in the chain would be more precise.
Taxonomy Mappings
Mapped Taxonomy Name Node ID Fit Mapped Node Name
CERT C Secure Coding EXP34-C CWE More Specific Do not dereference null pointers
The CERT Oracle Secure Coding Standard for Java (2011) ERR08-J Do not catch NullPointerException or any of its ancestors
SEI CERT Perl Coding Standard EXP32-PL CWE More Specific Do not ignore function return values
Content History
Submissions
Submission Date Submitter Organization
2008年04月11日
(CWE Draft 9, 2008年04月11日) 		CWE Content Team MITRE
Modifications
Modification Date Modifier Organization
2023年06月29日 CWE Content Team MITRE
updated Mapping_Notes, Relationships
2023年04月27日 CWE Content Team MITRE
updated Relationships
2021年03月15日 CWE Content Team MITRE
updated Demonstrative_Examples, Relationships
2020年06月25日 CWE Content Team MITRE
updated Common_Consequences
2019年01月03日 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2017年11月08日 CWE Content Team MITRE
updated Relationships, Relevant_Properties, Taxonomy_Mappings, Time_of_Introduction
2017年01月19日 CWE Content Team MITRE
updated Relationships
2014年06月23日 CWE Content Team MITRE
updated Modes_of_Introduction, Other_Notes
2011年09月13日 CWE Content Team MITRE
updated Relationships, Taxonomy_Mappings
2011年06月01日 CWE Content Team MITRE
updated Common_Consequences, Relationships, Taxonomy_Mappings
2010年09月27日 CWE Content Team MITRE
updated Observed_Examples
2009年12月28日 CWE Content Team MITRE
updated Demonstrative_Examples
2008年09月08日 CWE Content Team MITRE
updated Applicable_Platforms, Description, Detection_Factors, Relationships, Other_Notes
2008年07月01日 Eric Dalci Cigital
updated Time_of_Introduction
2008年07月01日 Sean Eidemiller Cigital
added/updated demonstrative examples
More information is available — Please edit the custom filter or select a different filter.
Page Last Updated: September 09, 2025

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.

AltStyle によって変換されたページ (->オリジナル) /