Differences between Version 4.17 and Version 4.18
Total weaknesses/chains/composites (Version 4.18)
944
Total weaknesses/chains/composites (Version 4.17)
943
Total new
3
Total deprecated
0
Total with major changes
323
Total with only minor changes
1
Total unchanged
1108
Summary of Entry Types
| Type | Version 4.17 | Version 4.18 |
| --- | --- | --- |
| Weakness | 943 | 944 |
| Category | 374 | 375 |
| View | 51 | 52 |
| Deprecated | 64 | 64 |
| Total | 1432 | 1435 |
Field Change Summary
Any change with respect to whitespace is ignored. "Minor"
changes are text changes that only affect capitalization and
punctuation. Most other changes are marked as "Major."
Simple schema changes are treated as Minor, such as the change from
AffectedResource to Affected_Resource in Draft 8, or the relationship
name change from "IsRequiredBy" to "RequiredBy" in
Version 1.0. For each mutual relationship between nodes A and B (such
as ParentOf and ChildOf), a relationship change is noted for both A
and B.
| Field | Major | Minor |
| --- | --- | --- |
| Name | 1 | 0 |
| Description | 15 | 0 |
| Diagram | 14 | 0 |
| Relationships | 21 | 0 |
| Common_Consequences | 16 | 0 |
| Applicable_Platforms | 7 | 0 |
| Modes_of_Introduction | 3 | 0 |
| Detection_Factors | 47 | 0 |
| Potential_Mitigations | 27 | 1 |
| Demonstrative_Examples | 15 | 0 |
| Observed_Examples | 17 | 0 |
| Related_Attack_Patterns | 0 | 0 |
| Weakness_Ordinalities | 0 | 0 |
| Time_of_Introduction | 0 | 0 |
| Likelihood_of_Exploit | 0 | 0 |
| References | 225 | 1 |
| Mapping_Notes | 1 | 0 |
| Terminology_Notes | 0 | 0 |
| Alternate_Terms | 2 | 0 |
| Relationship_Notes | 0 | 0 |
| Taxonomy_Mappings | 0 | 0 |
| Maintenance_Notes | 1 | 0 |
| Affected_Resources | 63 | 0 |
| Functional_Areas | 82 | 0 |
| Research_Gaps | 0 | 0 |
| Background_Details | 1 | 0 |
| Theoretical_Notes | 0 | 0 |
| Other_Notes | 4 | 0 |
| View_Type | 0 | 0 |
| View_Structure | 0 | 0 |
| View_Filter | 0 | 0 |
| View_Audience | 0 | 0 |
| Type | 0 | 0 |
| Source_Taxonomy | 0 | 0 |
Form and Abstraction Changes
| From |
To |
Total |
CWE IDs |
| Unchanged |
1432 |
Status Changes
| From |
To |
Total |
| Unchanged |
1432 |
Relationship Changes
The "Version 4.18 Total" lists the total number of relationships
in Version 4.18. The "Shared" value is the total number of
relationships in entries that were in both Version 4.18 and Version 4.17. The
"New" value is the total number of relationships involving
entries that did not exist in Version 4.17. Thus, the total number of
relationships in Version 4.18 would combine stats from Shared entries and
New entries.
| Relationship | Version 4.18 Total | Version 4.17 Total | Version 4.18 Shared | Unchanged | Added to Version 4.18 | Removed from Version 4.17 | Version 4.18 New |
| --- | --- | --- | --- | --- | --- | --- | --- |
| ALL | 12578 | 12534 | 12534 | 12534 | | | 44 |
| ChildOf | 5303 | 5295 | 5295 | 5295 | | | 8 |
| ParentOf | 5303 | 5295 | 5295 | 5295 | | | 8 |
| MemberOf | 727 | 715 | 715 | 715 | | | 12 |
| HasMember | 727 | 715 | 715 | 715 | | | 12 |
| CanPrecede | 143 | 142 | 142 | 142 | | | 1 |
| CanFollow | 143 | 142 | 142 | 142 | | | 1 |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 13 | 13 | 13 | 13 | | | |
| RequiredBy | 13 | 13 | 13 | 13 | | | |
| CanAlsoBe | 27 | 27 | 27 | 27 | | | |
| PeerOf | 176 | 174 | 174 | 174 | | | 2 |
Nodes Removed in Version 4.18
Nodes Added to Version 4.18
| CWE-ID | CWE Name |
| --- | --- |
| 1432 | Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List |
| 1433 | 2025 MIHW Supplement: Expert Insights |
| 1434 | Insecure Setting of Generative AI/ML Model Inference Parameters |
Nodes Deprecated in Version 4.18
Important Changes
A node change is labeled "important" if it is a major field change and
the field is critical to the meaning of the node. The critical fields
are description, name, and relationships.
| Key | Field |
| --- | --- |
| D | Description |
| N | Name |
| R | Relationships |
| Key | CWE-ID | CWE Name |
| --- | --- | --- |
| D | 23 | Relative Path Traversal |
| D | 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| D | 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| D | 209 | Generation of Error Message Containing Sensitive Information |
| R | 226 | Sensitive Information in Resource Not Removed Before Reuse |
| D | 250 | Execution with Unnecessary Privileges |
| D | 256 | Plaintext Storage of a Password |
| D | 295 | Improper Certificate Validation |
| D | 330 | Use of Insufficiently Random Values |
| D | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
| R | 440 | Expected Behavior Violation |
| D | 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| R | 665 | Improper Initialization |
| R | 684 | Incorrect Provision of Specified Functionality |
| R | 691 | Insufficient Control Flow Management |
| D | 770 | Allocation of Resources Without Limits or Throttling |
| D | 772 | Missing Release of Resource after Effective Lifetime |
| D N | 942 | Permissive Cross-domain Security Policy with Untrusted Domains |
| R | 1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| R | 1191 | On-Chip Debug and Test Interface With Improper Access Control |
| R | 1231 | Improper Prevention of Lock Bit Modification |
| R | 1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
| R | 1234 | Hardware Internal or Debug Modes Allow Override of Locks |
| R | 1244 | Internal Asset Exposed to Unsafe Debug Access Level or State |
| R | 1247 | Improper Protection Against Voltage and Clock Glitches |
| R | 1256 | Improper Restriction of Software Interfaces to Hardware Features |
| R | 1260 | Improper Handling of Overlap Between Protected Memory Ranges |
| R | 1262 | Improper Access Control for Register Interface |
| R | 1272 | Sensitive Information Uncleared Before Debug/Power State Transition |
| R | 1300 | Improper Protection of Physical Side Channels |
| D | 1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| R | 1412 | Comprehensive Categorization: Poor Coding Practices |
| R | 1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution |
| R | 1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution |
| R | 1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs |
Detailed Difference Report
12
ASP.NET Misconfiguration: Missing Custom Error Page
Major
References
Minor
None
14
Compiler Removal of Code to Clear Buffers
Major
References
Minor
None
20
Improper Input Validation
Major
Detection_Factors, References
Minor
None
22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major
Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor
None
23
Relative Path Traversal
Major
Affected_Resources, Applicable_Platforms, Common_Consequences, Description, Diagram, Functional_Areas, Observed_Examples, Potential_Mitigations, References
Minor
None
24
Path Traversal: '../filedir'
Major
Affected_Resources, Functional_Areas
Minor
None
25
Path Traversal: '/../filedir'
Major
Affected_Resources, Functional_Areas
Minor
None
26
Path Traversal: '/dir/../filename'
Major
Affected_Resources, Functional_Areas
Minor
None
27
Path Traversal: 'dir/../../filename'
Major
Affected_Resources, Functional_Areas
Minor
None
28
Path Traversal: '..\filedir'
Major
Affected_Resources, Functional_Areas
Minor
None
29
Path Traversal: '\..\filename'
Major
Affected_Resources, Functional_Areas
Minor
None
30
Path Traversal: '\dir\..\filename'
Major
Affected_Resources, Functional_Areas
Minor
None
31
Path Traversal: 'dir\..\..\filename'
Major
Affected_Resources, Functional_Areas
Minor
None
32
Path Traversal: '...' (Triple Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
33
Path Traversal: '....' (Multiple Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
34
Path Traversal: '....//'
Major
Affected_Resources, Detection_Factors, Functional_Areas, References
Minor
None
35
Path Traversal: '.../...//'
Major
Affected_Resources, Functional_Areas
Minor
None
36
Absolute Path Traversal
Major
Affected_Resources, Applicable_Platforms, Functional_Areas, Observed_Examples, Potential_Mitigations, References
Minor
None
37
Path Traversal: '/absolute/pathname/here'
Major
Affected_Resources, Functional_Areas
Minor
None
38
Path Traversal: '\absolute\pathname\here'
Major
Affected_Resources, Functional_Areas
Minor
None
39
Path Traversal: 'C:dirname'
Major
Affected_Resources, Functional_Areas
Minor
None
40
Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major
Affected_Resources, Functional_Areas
Minor
None
41
Improper Resolution of Path Equivalence
Major
Detection_Factors, Functional_Areas, References
Minor
None
42
Path Equivalence: 'filename.' (Trailing Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
43
Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
44
Path Equivalence: 'file.name' (Internal Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
45
Path Equivalence: 'file...name' (Multiple Internal Dot)
Major
Affected_Resources, Functional_Areas
Minor
None
46
Path Equivalence: 'filename ' (Trailing Space)
Major
Affected_Resources, Functional_Areas
Minor
None
47
Path Equivalence: ' filename' (Leading Space)
Major
Affected_Resources, Functional_Areas
Minor
None
48
Path Equivalence: 'file name' (Internal Whitespace)
Major
Affected_Resources, Functional_Areas
Minor
None
49
Path Equivalence: 'filename/' (Trailing Slash)
Major
Affected_Resources, Functional_Areas
Minor
None
50
Path Equivalence: '//multiple/leading/slash'
Major
Affected_Resources, Functional_Areas
Minor
None
51
Path Equivalence: '/multiple//internal/slash'
Major
Affected_Resources, Functional_Areas
Minor
None
52
Path Equivalence: '/multiple/trailing/slash//'
Major
Affected_Resources, Functional_Areas
Minor
None
53
Path Equivalence: '\multiple\\internal\backslash'
Major
Affected_Resources, Functional_Areas
Minor
None
54
Path Equivalence: 'filedir\' (Trailing Backslash)
Major
Affected_Resources, Functional_Areas
Minor
None
55
Path Equivalence: '/./' (Single Dot Directory)
Major
Affected_Resources, Functional_Areas
Minor
None
56
Path Equivalence: 'filedir*' (Wildcard)
Major
Affected_Resources, Functional_Areas
Minor
None
57
Path Equivalence: 'fakedir/../realdir/filename'
Major
Affected_Resources, Functional_Areas
Minor
None
58
Path Equivalence: Windows 8.3 Filename
Major
Affected_Resources
Minor
None
59
Improper Link Resolution Before File Access ('Link Following')
Major
Detection_Factors, References
Minor
None
61
UNIX Symbolic Link (Symlink) Following
Major
Affected_Resources, Functional_Areas, References
Minor
None
Major
Affected_Resources, Functional_Areas
Minor
None
64
Windows Shortcut Following (.LNK)
Major
Affected_Resources, Functional_Areas
Minor
None
Major
Affected_Resources, Functional_Areas
Minor
None
66
Improper Handling of File Names that Identify Virtual Resources
Major
Detection_Factors, References
Minor
None
67
Improper Handling of Windows Device Names
Major
Functional_Areas
Minor
None
69
Improper Handling of Windows ::DATA Alternate Data Stream
Major
Affected_Resources, Functional_Areas
Minor
None
72
Improper Handling of Apple HFS+ Alternate Data Stream Path
Major
Affected_Resources, Functional_Areas
Minor
None
73
External Control of File Name or Path
Major
References
Minor
None
74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major
Demonstrative_Examples
Minor
None
78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major
Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor
None
79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major
Applicable_Platforms, Observed_Examples, Potential_Mitigations, References
Minor
None
80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major
Common_Consequences, Description, Diagram, Other_Notes
Minor
None
88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major
Functional_Areas
Minor
None
89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major
Detection_Factors, Potential_Mitigations, References
Minor
None
98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major
Potential_Mitigations, References
Minor
None
Major
Functional_Areas
Minor
None
116
Improper Encoding or Escaping of Output
Major
References
Minor
None
119
Improper Restriction of Operations within the Bounds of a Memory Buffer
Major
Demonstrative_Examples, Detection_Factors, Functional_Areas, References
Minor
None
120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major
Description, Detection_Factors, Diagram, Other_Notes, References
Minor
None
121
Stack-based Buffer Overflow
Major
Affected_Resources, Functional_Areas, References
Minor
None
122
Heap-based Buffer Overflow
Major
Functional_Areas, References
Minor
None
123
Write-what-where Condition
Major
Affected_Resources, Functional_Areas, Observed_Examples
Minor
None
124
Buffer Underwrite ('Buffer Underflow')
Major
Affected_Resources, Functional_Areas
Minor
None
Major
Affected_Resources, Demonstrative_Examples, Functional_Areas
Minor
None
Major
Affected_Resources, Common_Consequences, Demonstrative_Examples, Functional_Areas
Minor
None
Major
Affected_Resources, Common_Consequences, Demonstrative_Examples, Functional_Areas
Minor
None
129
Improper Validation of Array Index
Major
Demonstrative_Examples, Functional_Areas
Minor
None
130
Improper Handling of Length Parameter Inconsistency
Major
Demonstrative_Examples
Minor
None
131
Incorrect Calculation of Buffer Size
Major
Affected_Resources, Detection_Factors, Functional_Areas, Potential_Mitigations, References
Minor
None
134
Use of Externally-Controlled Format String
Major
Detection_Factors, Functional_Areas, References
Minor
None
188
Reliance on Data/Memory Layout
Major
Affected_Resources, Functional_Areas
Minor
None
190
Integer Overflow or Wraparound
Major
Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor
None
Major
References
Minor
None
198
Use of Incorrect Byte Ordering
Major
Affected_Resources, Functional_Areas
Minor
None
200
Exposure of Sensitive Information to an Unauthorized Actor
Major
Detection_Factors, References
Minor
None
209
Generation of Error Message Containing Sensitive Information
Major
Common_Consequences, Description, Diagram, Other_Notes, References
Minor
None
214
Invocation of Process Using Visible Sensitive Information
Major
Functional_Areas
Minor
None
226
Sensitive Information in Resource Not Removed Before Reuse
Major
Relationships
Minor
None
240
Improper Handling of Inconsistent Structural Elements
Major
Demonstrative_Examples
Minor
None
244
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major
Functional_Areas
Minor
None
250
Execution with Unnecessary Privileges
Major
Common_Consequences, Description, Detection_Factors, Diagram, Other_Notes, References
Minor
None
252
Unchecked Return Value
Major
Potential_Mitigations, References
Minor
None
256
Plaintext Storage of a Password
Major
Common_Consequences, Description, Diagram
Minor
None
262
Not Using Password Aging
Major
References
Minor
None
263
Password Aging with Long Expiration
Major
Maintenance_Notes, Mapping_Notes, Potential_Mitigations, References
Minor
None
272
Least Privilege Violation
Major
Detection_Factors, References
Minor
None
276
Incorrect Default Permissions
Major
Detection_Factors, References
Minor
None
285
Improper Authorization
Major
Detection_Factors, References
Minor
None
287
Improper Authentication
Major
Demonstrative_Examples, Detection_Factors, References
Minor
None
295
Improper Certificate Validation
Major
Common_Consequences, Description, Detection_Factors, Diagram, References
Minor
None
296
Improper Following of a Certificate's Chain of Trust
Major
References
Minor
None
297
Improper Validation of Certificate with Host Mismatch
Major
References
Minor
None
300
Channel Accessible by Non-Endpoint
Major
Alternate_Terms, Detection_Factors
Minor
None
306
Missing Authentication for Critical Function
Major
Detection_Factors, References
Minor
None
307
Improper Restriction of Excessive Authentication Attempts
Major
Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
Minor
None
311
Missing Encryption of Sensitive Data
Major
Detection_Factors, References
Minor
None
319
Cleartext Transmission of Sensitive Information
Major
References
Minor
None
327
Use of a Broken or Risky Cryptographic Algorithm
Major
Detection_Factors, Potential_Mitigations, References
Minor
None
Major
References
Minor
None
330
Use of Insufficiently Random Values
Major
Description, Detection_Factors, Diagram, References
Minor
None
332
Insufficient Entropy in PRNG
Major
References
Minor
None
334
Small Space of Random Values
Major
References
Minor
None
336
Same Seed in Pseudo-Random Number Generator (PRNG)
Major
References
Minor
None
337
Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major
References
Minor
None
339
Small Seed Space in PRNG
Major
References
Minor
None
341
Predictable from Observable State
Major
References
Minor
None
342
Predictable Exact Value from Previous Values
Major
References
Minor
None
343
Predictable Value Range from Previous Values
Major
References
Minor
None
344
Use of Invariant Value in Dynamically Changing Context
Major
References
Minor
None
346
Origin Validation Error
Major
Observed_Examples
Minor
None
352
Cross-Site Request Forgery (CSRF)
Major
Detection_Factors, Potential_Mitigations, References
Minor
None
359
Exposure of Private Personal Information to an Unauthorized Actor
Major
References
Minor
None
362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major
Detection_Factors, References
Minor
None
367
Time-of-check Time-of-use (TOCTOU) Race Condition
Major
Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor
None
Major
Potential_Mitigations, References
Minor
None
392
Missing Report of Error Condition
Major
References
Minor
None
395
Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major
Detection_Factors, References
Minor
None
400
Uncontrolled Resource Consumption
Major
Observed_Examples, References
Minor
None
403
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major
Functional_Areas
Minor
None
Major
Functional_Areas
Minor
None
Major
Functional_Areas
Minor
None
421
Race Condition During Access to Alternate Channel
Major
Functional_Areas
Minor
None
427
Uncontrolled Search Path Element
Major
Affected_Resources, Functional_Areas, References
Minor
None
434
Unrestricted Upload of File with Dangerous Type
Major
Detection_Factors, References
Minor
None
436
Interpretation Conflict
Major
References
Minor
None
440
Expected Behavior Violation
Major
Relationships
Minor
None
444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Major
References
Minor
None
451
User Interface (UI) Misrepresentation of Critical Information
Major
References
Minor
None
456
Missing Initialization of a Variable
Major
Potential_Mitigations, References
Minor
None
457
Use of Uninitialized Variable
Major
Potential_Mitigations, References
Minor
None
466
Return of Pointer Value Outside of Expected Range
Major
Affected_Resources, Functional_Areas
Minor
None
476
NULL Pointer Dereference
Major
Potential_Mitigations, References
Minor
None
477
Use of Obsolete Function
Major
Detection_Factors, References
Minor
None
Major
Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor
None
494
Download of Code Without Integrity Check
Major
Potential_Mitigations, References
Minor
None
502
Deserialization of Untrusted Data
Major
Observed_Examples, Potential_Mitigations, References
Minor
None
506
Embedded Malicious Code
Major
Detection_Factors, References
Minor
None
Major
Detection_Factors, References
Minor
None
Major
Detection_Factors, References
Minor
None
521
Weak Password Requirements
Major
Potential_Mitigations, References
Minor
None
543
Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major
References
Minor
None
Major
Detection_Factors, References
Minor
None
562
Return of Stack Variable Address
Major
Affected_Resources, Functional_Areas
Minor
None
587
Assignment of a Fixed Address to a Pointer
Major
Affected_Resources, Functional_Areas
Minor
None
590
Free of Memory not on the Heap
Major
Functional_Areas, References
Minor
None
595
Comparison of Object References Instead of Object Contents
Major
References
Minor
None
601
URL Redirection to Untrusted Site ('Open Redirect')
Major
Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor
None
606
Unchecked Input for Loop Condition
Major
Demonstrative_Examples
Minor
None
611
Improper Restriction of XML External Entity Reference
Major
References
Minor
None
614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major
Common_Consequences, Description, Diagram, Potential_Mitigations
Minor
None
626
Null Byte Interaction Error (Poison Null Byte)
Major
References
Minor
None
635
Weaknesses Originally Used by NVD from 2008 to 2016
Major
References
Minor
None
642
External Control of Critical State Data
Major
Potential_Mitigations, References
Minor
None
653
Improper Isolation or Compartmentalization
Major
References
Minor
None
656
Reliance on Security Through Obscurity
Major
Demonstrative_Examples, References
Minor
None
657
Violation of Secure Design Principles
Major
Demonstrative_Examples, References
Minor
None
664
Improper Control of a Resource Through its Lifetime
Major
Observed_Examples
Minor
None
665
Improper Initialization
Major
References, Relationships
Minor
None
676
Use of Potentially Dangerous Function
Major
Detection_Factors, References
Minor
None
680
Integer Overflow to Buffer Overflow
Major
Affected_Resources, Functional_Areas
Minor
None
682
Incorrect Calculation
Major
References
Minor
None
684
Incorrect Provision of Specified Functionality
Major
Relationships
Minor
None
691
Insufficient Control Flow Management
Major
Relationships
Minor
None
698
Execution After Redirect (EAR)
Major
References
Minor
None
703
Improper Check or Handling of Exceptional Conditions
Major
Detection_Factors, References
Minor
None
712
OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
Major
References
Minor
None
715
OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major
References
Minor
None
716
OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
Major
References
Minor
None
717
OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Major
References
Minor
None
718
OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Major
References
Minor
None
719
OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Major
References
Minor
None
720
OWASP Top Ten 2007 Category A9 - Insecure Communications
Major
References
Minor
None
721
OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major
References
Minor
None
722
OWASP Top Ten 2004 Category A1 - Unvalidated Input
Major
References
Minor
None
723
OWASP Top Ten 2004 Category A2 - Broken Access Control
Major
References
Minor
None
724
OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Major
References
Minor
None
725
OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
Major
References
Minor
None
726
OWASP Top Ten 2004 Category A5 - Buffer Overflows
Major
References
Minor
None
727
OWASP Top Ten 2004 Category A6 - Injection Flaws
Major
References
Minor
None
728
OWASP Top Ten 2004 Category A7 - Improper Error Handling
Major
References
Minor
None
729
OWASP Top Ten 2004 Category A8 - Insecure Storage
Major
References
Minor
None
730
OWASP Top Ten 2004 Category A9 - Denial of Service
Major
References
Minor
None
731
OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Major
References
Minor
None
732
Incorrect Permission Assignment for Critical Resource
Major
Detection_Factors, References
Minor
None
755
Improper Handling of Exceptional Conditions
Major
References
Minor
None
759
Use of a One-Way Hash without a Salt
Major
Detection_Factors, References
Minor
None
760
Use of a One-Way Hash with a Predictable Salt
Major
References
Minor
None
761
Free of Pointer not at Start of Buffer
Major
Functional_Areas, References
Minor
None
762
Mismatched Memory Management Routines
Major
Functional_Areas, References
Minor
None
763
Release of Invalid Pointer or Reference
Major
Functional_Areas, References
Minor
None
770
Allocation of Resources Without Limits or Throttling
Major
Common_Consequences, Description, Diagram, Observed_Examples, Potential_Mitigations, References
Minor
None
772
Missing Release of Resource after Effective Lifetime
Major
Common_Consequences, Description, Diagram
Minor
None
780
Use of RSA Algorithm without OAEP
Major
References
Minor
None
786
Access of Memory Location Before Start of Buffer
Major
Affected_Resources, Functional_Areas
Minor
None
Major
Affected_Resources, Functional_Areas, References
Minor
None
788
Access of Memory Location After End of Buffer
Major
Affected_Resources, Demonstrative_Examples, Functional_Areas
Minor
None
789
Memory Allocation with Excessive Size Value
Major
Affected_Resources, Functional_Areas, Observed_Examples
Minor
None
798
Use of Hard-coded Credentials
Major
Detection_Factors, References
Minor
None
805
Buffer Access with Incorrect Length Value
Major
Functional_Areas
Minor
None
806
Buffer Access Using Size of Source Buffer
Major
Functional_Areas
Minor
None
807
Reliance on Untrusted Inputs in a Security Decision
Major
Detection_Factors, References
Minor
None
809
Weaknesses in OWASP Top Ten (2010)
Major
References
Minor
None
810
OWASP Top Ten 2010 Category A1 - Injection
Major
References
Minor
None
811
OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
Major
References
Minor
None
812
OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management
Major
References
Minor
None
813
OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
Major
References
Minor
None
814
OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
Major
References
Minor
None
815
OWASP Top Ten 2010 Category A6 - Security Misconfiguration
Major
References
Minor
None
816
OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
Major
References
Minor
None
817
OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access
Major
References
Minor
None
818
OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
Major
References
Minor
None
819
OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards
Major
References
Minor
None
822
Untrusted Pointer Dereference
Major
Affected_Resources, Functional_Areas
Minor
None
823
Use of Out-of-range Pointer Offset
Major
Affected_Resources, Functional_Areas
Minor
None
824
Access of Uninitialized Pointer
Major
Affected_Resources, Functional_Areas
Minor
None
825
Expired Pointer Dereference
Major
Affected_Resources, Functional_Areas
Minor
None
829
Inclusion of Functionality from Untrusted Control Sphere
Major
Detection_Factors, Potential_Mitigations, References
Minor
None
Major
Detection_Factors, References
Minor
None
838
Inappropriate Encoding for Output Context
Major
References
Minor
None
839
Numeric Range Comparison Without Minimum Check
Major
Demonstrative_Examples
Minor
None
862
Missing Authorization
Major
Applicable_Platforms, Detection_Factors, Observed_Examples, References
Minor
None
863
Incorrect Authorization
Major
Detection_Factors, Observed_Examples, References
Minor
None
888
Software Fault Pattern (SFP) Clusters
Major
References
Minor
None
908
Use of Uninitialized Resource
Major
References
Minor
None
916
Use of Password Hash With Insufficient Computational Effort
Major
Detection_Factors, References
Minor
None
918
Server-Side Request Forgery (SSRF)
Major
Applicable_Platforms, Observed_Examples, References
Minor
None
928
Weaknesses in OWASP Top Ten (2013)
Major
References
Minor
None
929
OWASP Top Ten 2013 Category A1 - Injection
Major
References
Minor
None
930
OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
Major
References
Minor
None
931
OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
Major
References
Minor
None
932
OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
Major
References
Minor
None
933
OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Major
References
Minor
None
934
OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
Major
References
Minor
None
936
OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)
Major
References
Minor
None
937
OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Major
References
Minor
None
938
OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards
Major
References
Minor
None
941
Incorrectly Specified Destination in a Communication Channel
Major
References
Minor
None
942
Permissive Cross-domain Security Policy with Untrusted Domains
Major
Background_Details, Common_Consequences, Description, Name, Potential_Mitigations, References
Minor
None
1003
Weaknesses for Simplified Mapping of Published Vulnerabilities
Major
References
Minor
None
1007
Insufficient Visual Distinction of Homoglyphs Presented to User
Major
References
Minor
None
1026
Weaknesses in OWASP Top Ten (2017)
Major
References
Minor
None
1027
OWASP Top Ten 2017 Category A1 - Injection
Major
References
Minor
None
1028
OWASP Top Ten 2017 Category A2 - Broken Authentication
Major
References
Minor
None
1029
OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
Major
References
Minor
None
1030
OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)
Major
References
Minor
None
1031
OWASP Top Ten 2017 Category A5 - Broken Access Control
Major
References
Minor
None
1032
OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Major
References
Minor
None
1033
OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
Major
References
Minor
None
1034
OWASP Top Ten 2017 Category A8 - Insecure Deserialization
Major
References
Minor
None
1035
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Major
References
Minor
None
1036
OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring
Major
References
Minor
None
1039
Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
Major
References
Minor
None
1059
Insufficient Technical Documentation
Major
References
Minor
None
1128
CISQ Quality Measures (2016)
Major
References
Minor
None
1129
CISQ Quality Measures (2016) - Reliability
Major
References
Minor
None
1130
CISQ Quality Measures (2016) - Maintainability
Major
References
Minor
None
1131
CISQ Quality Measures (2016) - Security
Major
References
Minor
None
1132
CISQ Quality Measures (2016) - Performance Efficiency
Major
References
Minor
None
1189
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major
Relationships
Minor
None
1191
On-Chip Debug and Test Interface With Improper Access Control
Major
References, Relationships
Minor
None
1231
Improper Prevention of Lock Bit Modification
Major
Relationships
Minor
None
1233
Security-Sensitive Hardware Controls with Missing Lock Bit Protection
Major
Relationships
Minor
None
1234
Hardware Internal or Debug Modes Allow Override of Locks
Major
Relationships
Minor
None
1236
Improper Neutralization of Formula Elements in a CSV File
Major
References
Minor
None
1239
Improper Zeroization of Hardware Register
Major
References
Minor
None
1240
Use of a Cryptographic Primitive with a Risky Implementation
Major
References
Minor
Potential_Mitigations
1244
Internal Asset Exposed to Unsafe Debug Access Level or State
Major
References, Relationships
Minor
None
1246
Improper Write Handling in Limited-write Non-Volatile Memories
Major
References
Minor
None
1247
Improper Protection Against Voltage and Clock Glitches
Major
Relationships
Minor
None
1256
Improper Restriction of Software Interfaces to Hardware Features
Major
Relationships
Minor
None
1260
Improper Handling of Overlap Between Protected Memory Ranges
Major
Relationships
Minor
None
1262
Improper Access Control for Register Interface
Major
Relationships
Minor
None
1272
Sensitive Information Uncleared Before Debug/Power State Transition
Major
References, Relationships
Minor
None
1275
Sensitive Cookie with Improper SameSite Attribute
Major
References
Minor
None
1284
Improper Validation of Specified Quantity in Input
Major
Observed_Examples
Minor
None
1293
Missing Source Correlation of Multiple Independent Data
Major
References
Minor
None
1295
Debug Messages Revealing Unnecessary Information
Major
References
Minor
None
1300
Improper Protection of Physical Side Channels
Major
References, Relationships
Minor
None
1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Major
Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor
None
1327
Binding to an Unrestricted IP Address
Major
References
Minor
None
1340
CISQ Data Protection Measures
Major
References
Minor
None
1343
Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List
Major
References
Minor
None
1357
Reliance on Insufficiently Trustworthy Component
Major
References
Minor
None
1358
Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
Major
References
Minor
None
Major
References
Minor
None
1360
ICS Dependencies (& Architecture)
Major
References
Minor
None
Major
References
Minor
None
1362
ICS Engineering (Constructions/Deployment)
Major
References
Minor
None
1363
ICS Operations (& Maintenance)
Major
References
Minor
None
1364
ICS Communications: Zone Boundary Failures
Major
References
Minor
None
1365
ICS Communications: Unreliability
Major
References
Minor
None
1366
ICS Communications: Frail Security in Protocols
Major
References
Minor
None
1367
ICS Dependencies (& Architecture): External Physical Systems
Major
References
Minor
None
1368
ICS Dependencies (& Architecture): External Digital Systems
Major
References
Minor
None
1369
ICS Supply Chain: IT/OT Convergence/Expansion
Major
References
Minor
None
1370
ICS Supply Chain: Common Mode Frailties
Major
References
Minor
None
1371
ICS Supply Chain: Poorly Documented or Undocumented Features
Major
References
Minor
None
1372
ICS Supply Chain: OT Counterfeit and Malicious Corruption
Major
References
Minor
None
1373
ICS Engineering (Construction/Deployment): Trust Model Problems
Major
References
Minor
None
1374
ICS Engineering (Construction/Deployment): Maker Breaker Blindness
Major
References
Minor
None
1375
ICS Engineering (Construction/Deployment): Gaps in Details/Data
Major
References
Minor
None
1376
ICS Engineering (Construction/Deployment): Security Gaps in Commissioning
Major
References
Minor
None
1377
ICS Engineering (Construction/Deployment): Inherent Predictability in Design
Major
References
Minor
None
1378
ICS Operations (& Maintenance): Gaps in obligations and training
Major
References
Minor
None
1379
ICS Operations (& Maintenance): Human factors in ICS environments
Major
References
Minor
None
1380
ICS Operations (& Maintenance): Post-analysis changes
Major
References
Minor
None
1381
ICS Operations (& Maintenance): Exploitable Standard Operational Procedures
Major
References
Minor
None
1382
ICS Operations (& Maintenance): Emerging Energy Technologies
Major
References
Minor
None
1383
ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements
Major
References
Minor
None
1384
Improper Handling of Physical or Environmental Conditions
Major
References
Minor
None
1385
Missing Origin Validation in WebSockets
Major
References
Minor
None
1391
Use of Weak Credentials
Major
References
Minor
None
1393
Use of Default Password
Major
References
Minor
None
1395
Dependency on Vulnerable Third-Party Component
Major
References
Minor
None
1412
Comprehensive Categorization: Poor Coding Practices
Major
Relationships
Minor
None
1420
Exposure of Sensitive Information during Transient Execution
Major
References
Minor
None
1421
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Major
References, Relationships
Minor
None
1423
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Major
Relationships
Minor
None
1427
Improper Neutralization of Input Used for LLM Prompting
Major
References
Minor
None
1428
Reliance on HTTP instead of HTTPS
Major
References
Minor
None
1430
Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
Major
None
Minor
References
1431
Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
Major
Relationships
Minor
None