CWE

Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE List > CWE- Individual Dictionary Definition (2.11)  
ID

CWE VIEW: Weaknesses Addressed by the CERT C++ Secure Coding Standard

View ID: 868
Structure: Graph
Status: Incomplete
Presentation Filter:
+ View Data

View Objective

CWE entries in this view (graph) are fully or partially eliminated by following the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this view is incomplete.

+ View Audience
StakeholderDescription
Developers

By following the CERT C++ Secure Coding Standard, developers will be able to fully or partially prevent the weaknesses that are identified in this view. In addition, developers can use a CWE coverage graph to determine which weaknesses are not directly addressed by the standard, which will help identify and resolve remaining gaps in training, tool acquisition, or other approaches for reducing weaknesses.

Software_Customers

If a software developer claims to be following the CERT C++ Secure Coding Standard, then customers can search for the weaknesses in this view in order to formulate independent evidence of that claim.

Educators

Educators can use this view in multiple ways. For example, if there is a focus on teaching weaknesses, the educator could link them to the relevant Secure Coding Standard.

+ Relationships
Show Details:
868 - Weaknesses Addressed by the CERT C++ Secure Coding Standard
*CategoryCategoryCERT C++ Secure Coding Section 01 - Preprocessor (PRE) - (869)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 869 (CERT C++ Secure Coding Section 01 - Preprocessor (PRE))
Weaknesses in this category are related to rules in the Preprocessor (PRE) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*CategoryCategoryCERT C++ Secure Coding Section 02 - Declarations and Initialization (DCL) - (870)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 870 (CERT C++ Secure Coding Section 02 - Declarations and Initialization (DCL))
Weaknesses in this category are related to rules in the Declarations and Initialization (DCL) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
+CategoryCategoryCERT C++ Secure Coding Section 03 - Expressions (EXP) - (871)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 871 (CERT C++ Secure Coding Section 03 - Expressions (EXP))
Weaknesses in this category are related to rules in the Expressions (EXP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness VariantWeakness VariantIncorrect Short Circuit Evaluation - (768)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 871 (CERT C++ Secure Coding Section 03 - Expressions (EXP)) > 768 (Incorrect Short Circuit Evaluation)
The software contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.
*Weakness BaseWeakness BaseUse of Incorrect Operator - (480)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 871 (CERT C++ Secure Coding Section 03 - Expressions (EXP)) > 480 (Use of Incorrect Operator)
The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
*Weakness BaseWeakness BaseNULL Pointer Dereference - (476)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 871 (CERT C++ Secure Coding Section 03 - Expressions (EXP)) > 476 (NULL Pointer Dereference)
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
+CategoryCategoryCERT C++ Secure Coding Section 04 - Integers (INT) - (872)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT))
Weaknesses in this category are related to rules in the Integers (INT) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseAssignment of a Fixed Address to a Pointer - (587)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 587 (Assignment of a Fixed Address to a Pointer)
The software sets a pointer to a specific address other than NULL or 0.
*Weakness BaseWeakness BaseDivide By Zero - (369)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 369 (Divide By Zero)
The product divides a value by zero.
*Weakness ClassWeakness ClassIncorrect Calculation - (682)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 682 (Incorrect Calculation)
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
*Weakness BaseWeakness BaseIncorrect Conversion between Numeric Types - (681)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 681 (Incorrect Conversion between Numeric Types)
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
*CategoryCategoryInteger Coercion Error - (192)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 192 (Integer Coercion Error)
Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
*Weakness BaseWeakness BaseInteger Overflow or Wraparound - (190)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 190 (Integer Overflow or Wraparound)
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
*Weakness BaseWeakness BaseNumeric Truncation Error - (197)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 197 (Numeric Truncation Error)
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
*Weakness BaseWeakness BaseReturn of Pointer Value Outside of Expected Range - (466)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 466 (Return of Pointer Value Outside of Expected Range)
A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.
*Weakness BaseWeakness BaseUnchecked Input for Loop Condition - (606)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 606 (Unchecked Input for Loop Condition)
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service because of excessive looping.
*Weakness ClassWeakness ClassImproper Input Validation - (20)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 20 (Improper Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
*Weakness BaseWeakness BaseImproper Validation of Array Index - (129)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 129 (Improper Validation of Array Index)
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. out-of-bounds array indexindex-out-of-rangearray index underflow
*Weakness BaseWeakness BaseUse of Potentially Dangerous Function - (676)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 872 (CERT C++ Secure Coding Section 04 - Integers (INT)) > 676 (Use of Potentially Dangerous Function)
The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
+CategoryCategoryCERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP) - (873)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 873 (CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP))
Weaknesses in this category are related to rules in the Floating Point Arithmetic (FLP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseDivide By Zero - (369)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 873 (CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)) > 369 (Divide By Zero)
The product divides a value by zero.
*Weakness VariantWeakness VariantFunction Call With Incorrect Argument Type - (686)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 873 (CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)) > 686 (Function Call With Incorrect Argument Type)
The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.
*Weakness ClassWeakness ClassIncorrect Calculation - (682)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 873 (CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)) > 682 (Incorrect Calculation)
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
*Weakness BaseWeakness BaseIncorrect Conversion between Numeric Types - (681)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 873 (CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP)) > 681 (Incorrect Conversion between Numeric Types)
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
+CategoryCategoryCERT C++ Secure Coding Section 06 - Arrays and the STL (ARR) - (874)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR))
Weaknesses in this category are related to rules in the Arrays and the STL (ARR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseBuffer Access with Incorrect Length Value - (805)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 805 (Buffer Access with Incorrect Length Value)
The software uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
*Weakness BaseWeakness BaseImproper Validation of Array Index - (129)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 129 (Improper Validation of Array Index)
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. out-of-bounds array indexindex-out-of-rangearray index underflow
*Weakness BaseWeakness BaseUse of Pointer Subtraction to Determine Size - (469)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 469 (Use of Pointer Subtraction to Determine Size)
The application subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
*Weakness VariantWeakness VariantUse of sizeof() on a Pointer Type - (467)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 467 (Use of sizeof() on a Pointer Type)
The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine how much memory has been allocated.
*Weakness ClassWeakness ClassImproper Initialization - (665)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 665 (Improper Initialization)
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
*Weakness ClassWeakness ClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 874 (CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR)) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
+CategoryCategoryCERT C++ Secure Coding Section 07 - Characters and Strings (STR) - (875)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR))
Weaknesses in this category are related to rules in the Characters and Strings (STR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseAddition of Data Structure Sentinel - (464)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 464 (Addition of Data Structure Sentinel)
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
*Weakness BaseWeakness BaseArgument Injection or Modification - (88)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 88 (Argument Injection or Modification)
The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.
*Weakness BaseWeakness BaseBuffer Copy without Checking Size of Input ('Classic Buffer Overflow') - (120)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'))
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.buffer overrunUnbounded Transfer
*Weakness VariantWeakness VariantFunction Call With Incorrect Argument Type - (686)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 686 (Function Call With Incorrect Argument Type)
The software calls a function, procedure, or routine, but the caller specifies an argument that is the wrong data type, which may lead to resultant weaknesses.
*Weakness BaseWeakness BaseImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*Weakness BaseWeakness BaseImproper Null Termination - (170)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 170 (Improper Null Termination)
The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
*Weakness ClassWeakness ClassIncorrect Type Conversion or Cast - (704)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 704 (Incorrect Type Conversion or Cast)
The software does not correctly convert an object, resource or structure from one type to a different type.
*Weakness BaseWeakness BaseOff-by-one Error - (193)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 193 (Off-by-one Error)
A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.off-by-five
*Weakness ClassWeakness ClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 875 (CERT C++ Secure Coding Section 07 - Characters and Strings (STR)) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
+CategoryCategoryCERT C++ Secure Coding Section 08 - Memory Management (MEM) - (876)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM))
Weaknesses in this category are related to rules in the Memory Management (MEM) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseAllocation of Resources Without Limits or Throttling - (770)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 770 (Allocation of Resources Without Limits or Throttling)
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.
*Weakness VariantWeakness VariantDouble Free - (415)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 415 (Double Free)
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.Double-free
*Weakness VariantWeakness VariantExposure of Core Dump File to an Unauthorized Control Sphere - (528)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 528 (Exposure of Core Dump File to an Unauthorized Control Sphere)
The product generates a core dump file in a directory that is accessible to actors outside of the intended control sphere.
*Weakness VariantWeakness VariantFree of Memory not on the Heap - (590)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 590 (Free of Memory not on the Heap)
The application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
*Weakness VariantWeakness VariantFunction Call With Incorrectly Specified Argument Value - (687)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 687 (Function Call With Incorrectly Specified Argument Value)
The software calls a function, procedure, or routine, but the caller specifies an argument that contains the wrong value, which may lead to resultant weaknesses.
*Weakness VariantWeakness VariantImproper Clearing of Heap Memory Before Release ('Heap Inspection') - (244)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 244 (Improper Clearing of Heap Memory Before Release ('Heap Inspection'))
Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.
*Weakness ClassWeakness ClassImproper Initialization - (665)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 665 (Improper Initialization)
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
*Weakness BaseWeakness BaseImproper Resource Shutdown or Release - (404)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 404 (Improper Resource Shutdown or Release)
The program does not release or incorrectly releases a resource before it is made available for re-use.
*Weakness ClassWeakness ClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
*Weakness BaseWeakness BaseIncorrect Calculation of Buffer Size - (131)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 131 (Incorrect Calculation of Buffer Size)
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
*Weakness VariantWeakness VariantMismatched Memory Management Routines - (762)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 762 (Mismatched Memory Management Routines)
The application attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
*Weakness BaseWeakness BaseNULL Pointer Dereference - (476)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 476 (NULL Pointer Dereference)
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
*Weakness VariantWeakness VariantSensitive Data Storage in Improperly Locked Memory - (591)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 591 (Sensitive Data Storage in Improperly Locked Memory)
The application stores sensitive data in memory that is not locked, or that has been incorrectly locked, which might cause the memory to be written to swap files on disk by the virtual memory manager. This can make the data more accessible to external actors.
*Weakness BaseWeakness BaseSensitive Information Uncleared Before Release - (226)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 226 (Sensitive Information Uncleared Before Release)
The software does not fully clear previously used information in a data structure, file, or other resource, before making that resource available to a party in another control sphere.
*Weakness BaseWeakness BaseUnchecked Return Value - (252)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 252 (Unchecked Return Value)
The software does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
*Compound Element: ChainCompound Element: ChainUnchecked Return Value to NULL Pointer Dereference - (690)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 690 (Unchecked Return Value to NULL Pointer Dereference)
The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
*Weakness BaseWeakness BaseUntrusted Pointer Dereference - (822)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 822 (Untrusted Pointer Dereference)
The program obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.
*Weakness BaseWeakness BaseUse After Free - (416)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 416 (Use After Free)
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.Dangling pointerUse-After-Free
*Weakness BaseWeakness BaseWrap-around Error - (128)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 128 (Wrap-around Error)
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
*Weakness ClassWeakness ClassImproper Check for Unusual or Exceptional Conditions - (754)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 754 (Improper Check for Unusual or Exceptional Conditions)
The software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.
*Weakness ClassWeakness ClassImproper Check or Handling of Exceptional Conditions - (703)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 703 (Improper Check or Handling of Exceptional Conditions)
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
*Weakness ClassWeakness ClassImproper Input Validation - (20)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 20 (Improper Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
*Weakness BaseWeakness BaseInteger Overflow or Wraparound - (190)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 190 (Integer Overflow or Wraparound)
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.
*Weakness BaseWeakness BaseUnchecked Error Condition - (391)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 876 (CERT C++ Secure Coding Section 08 - Memory Management (MEM)) > 391 (Unchecked Error Condition)
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
+CategoryCategoryCERT C++ Secure Coding Section 09 - Input Output (FIO) - (877)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO))
Weaknesses in this category are related to rules in the Input Output (FIO) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseCreation of Temporary File in Directory with Incorrect Permissions - (379)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 379 (Creation of Temporary File in Directory with Incorrect Permissions)
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
*Weakness ClassWeakness ClassDuplicate Operations on Resource - (675)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 675 (Duplicate Operations on Resource)
The product performs the same operation on a resource two or more times, when the operation should only be applied once.
*Weakness BaseWeakness BaseExposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') - (403)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 403 (Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak'))
A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.File descriptor leak
*Weakness ClassWeakness ClassExternal Control of File Name or Path - (73)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 73 (External Control of File Name or Path)
The software allows user input to control or influence paths or file names that are used in filesystem operations.
*Weakness BaseWeakness BaseFiles or Directories Accessible to External Parties - (552)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 552 (Files or Directories Accessible to External Parties)
Files or directories are accessible in the environment that should not be.
*Weakness BaseWeakness BaseImproper Handling of Unexpected Data Type - (241)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 241 (Improper Handling of Unexpected Data Type)
The software does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
*Weakness VariantWeakness VariantImproper Handling of Windows Device Names - (67)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 67 (Improper Handling of Windows Device Names)
The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
*Weakness ClassWeakness ClassImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.Directory traversalPath traversal
*Weakness BaseWeakness BaseImproper Link Resolution Before File Access ('Link Following') - (59)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 59 (Improper Link Resolution Before File Access ('Link Following'))
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.insecure temporary file
*Weakness BaseWeakness BaseImproper Resolution of Path Equivalence - (41)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 41 (Improper Resolution of Path Equivalence)
The system or application is vulnerable to file system contents disclosure through path equivalence. Path equivalence involves the use of special characters in file and directory names. The associated manipulations are intended to generate multiple names for the same object.
*Weakness VariantWeakness VariantIncorrect Default Permissions - (276)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 276 (Incorrect Default Permissions)
The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor.
*Weakness VariantWeakness VariantIncorrect Execution-Assigned Permissions - (279)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 279 (Incorrect Execution-Assigned Permissions)
While it is executing, the software sets the permissions of an object in a way that violates the intended permissions that have been specified by the user.
*Weakness ClassWeakness ClassIncorrect Permission Assignment for Critical Resource - (732)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 732 (Incorrect Permission Assignment for Critical Resource)
The software specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
*Weakness VariantWeakness VariantPath Traversal: '/absolute/pathname/here' - (37)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 37 (Path Traversal: '/absolute/pathname/here')
A software system that accepts input in the form of a slash absolute path ('/absolute/pathname/here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.
*Weakness VariantWeakness VariantPath Traversal: 'C:dirname' - (39)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 39 (Path Traversal: 'C:dirname')
An attacker can inject a drive letter or Windows volume letter ('C:dirname') into a software system to potentially redirect access to an unintended location or arbitrary file.
*Weakness VariantWeakness VariantPath Traversal: '\absolute\pathname\here' - (38)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 38 (Path Traversal: '\absolute\pathname\here')
A software system that accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation can allow an attacker to traverse the file system to unintended locations or access arbitrary files.
*Weakness BaseWeakness BaseTime-of-check Time-of-use (TOCTOU) Race Condition - (367)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.TOCTTOUTOCCTOU
*Weakness VariantWeakness VariantUNIX Hard Link - (62)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 62 (UNIX Hard Link)
The software, when opening a file or directory, does not sufficiently account for when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
*Weakness BaseWeakness BaseUse of Externally-Controlled Format String - (134)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 134 (Use of Externally-Controlled Format String)
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
*Weakness BaseWeakness BaseUse of Potentially Dangerous Function - (676)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 676 (Use of Potentially Dangerous Function)
The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
*Weakness VariantWeakness VariantWindows Hard Link - (65)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 65 (Windows Hard Link)
The software, when opening a file or directory, does not sufficiently handle when the name is associated with a hard link to a target that is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.
*Weakness VariantWeakness VariantWindows Shortcut Following (.LNK) - (64)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 64 (Windows Shortcut Following (.LNK))
The software, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the software to operate on unauthorized files.Windows symbolic link followingsymlink
*Weakness BaseWeakness BaseAllocation of Resources Without Limits or Throttling - (770)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 770 (Allocation of Resources Without Limits or Throttling)
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on how many resources can be allocated, in violation of the intended security policy for that actor.
*Weakness ClassWeakness ClassConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
*Weakness BaseWeakness BaseImproper Resource Shutdown or Release - (404)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 404 (Improper Resource Shutdown or Release)
The program does not release or incorrectly releases a resource before it is made available for re-use.
*Weakness ClassWeakness ClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
*Weakness BaseWeakness BaseUnchecked Error Condition - (391)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 877 (CERT C++ Secure Coding Section 09 - Input Output (FIO)) > 391 (Unchecked Error Condition)
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
+CategoryCategoryCERT C++ Secure Coding Section 10 - Environment (ENV) - (878)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV))
Weaknesses in this category are related to rules in the Environment (ENV) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseDuplicate Key in Associative List (Alist) - (462)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 462 (Duplicate Key in Associative List (Alist))
Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.
*Weakness BaseWeakness BaseReliance on Untrusted Inputs in a Security Decision - (807)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 807 (Reliance on Untrusted Inputs in a Security Decision)
The application uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
+Compound Element: CompositeCompound Element: CompositeUntrusted Search Path - (426)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 426 (Untrusted Search Path)
The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.Untrusted Path
*Weakness ClassWeakness ClassContainment Errors (Container Errors) - (216)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 426 (Untrusted Search Path) > 216 (Containment Errors (Container Errors))
This tries to cover various problems in which improper data are included within a "container."
*Weakness BaseWeakness BaseModification of Assumed-Immutable Data (MAID) - (471)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 426 (Untrusted Search Path) > 471 (Modification of Assumed-Immutable Data (MAID))
The software does not properly protect an assumed-immutable element from being modified by an attacker.
*CategoryCategoryPermission Issues - (275)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 426 (Untrusted Search Path) > 275 (Permission Issues)
Weaknesses in this category are related to improper assignment or handling of permissions.
*Weakness BaseWeakness BaseArgument Injection or Modification - (88)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 88 (Argument Injection or Modification)
The software does not sufficiently delimit the arguments being passed to a component in another control sphere, allowing alternate arguments to be provided, leading to potentially security-relevant changes.
*Weakness BaseWeakness BaseImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Shell injectionShell metacharacters
*Weakness ClassWeakness ClassImproper Restriction of Operations within the Bounds of a Memory Buffer - (119)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.Memory Corruption
*Weakness ClassWeakness ClassIncorrect Control Flow Scoping - (705)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 878 (CERT C++ Secure Coding Section 10 - Environment (ENV)) > 705 (Incorrect Control Flow Scoping)
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
+CategoryCategoryCERT C++ Secure Coding Section 11 - Signals (SIG) - (879)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 879 (CERT C++ Secure Coding Section 11 - Signals (SIG))
Weaknesses in this category are related to rules in the Signals (SIG) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness BaseWeakness BaseImproper Synchronization - (662)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 879 (CERT C++ Secure Coding Section 11 - Signals (SIG)) > 662 (Improper Synchronization)
The software attempts to use a shared resource in an exclusive manner, but does not prevent or incorrectly prevents use of the resource by another thread or process.
*Weakness VariantWeakness VariantSignal Handler Use of a Non-reentrant Function - (479)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 879 (CERT C++ Secure Coding Section 11 - Signals (SIG)) > 479 (Signal Handler Use of a Non-reentrant Function)
The program defines a signal handler that calls a non-reentrant function.
+CategoryCategoryCERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR) - (880)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR))
Weaknesses in this category are related to rules in the Exceptions and Error Handling (ERR) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness ClassWeakness ClassDetection of Error Condition Without Action - (390)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 390 (Detection of Error Condition Without Action)
The software detects a specific error, but takes no actions to handle the error.
*Weakness VariantWeakness VariantExposure of System Data to an Unauthorized Control Sphere - (497)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 497 (Exposure of System Data to an Unauthorized Control Sphere)
Exposing system data or debugging information helps an adversary learn about the system and form an attack plan.
*Weakness ClassWeakness ClassImproper Check for Unusual or Exceptional Conditions - (754)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 754 (Improper Check for Unusual or Exceptional Conditions)
The software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the software.
*Weakness ClassWeakness ClassImproper Check or Handling of Exceptional Conditions - (703)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 703 (Improper Check or Handling of Exceptional Conditions)
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
*Weakness VariantWeakness VariantImproper Cleanup on Thrown Exception - (460)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 460 (Improper Cleanup on Thrown Exception)
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
*Weakness ClassWeakness ClassImproper Handling of Exceptional Conditions - (755)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 755 (Improper Handling of Exceptional Conditions)
The software does not handle or incorrectly handles an exceptional condition.
*Weakness ClassWeakness ClassIncorrect Control Flow Scoping - (705)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 705 (Incorrect Control Flow Scoping)
The software does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.
*Weakness BaseWeakness BaseInformation Exposure Through an Error Message - (209)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 209 (Information Exposure Through an Error Message)
The software generates an error message that includes sensitive information about its environment, users, or associated data.
*Weakness BaseWeakness BaseMissing Standardized Error Handling Mechanism - (544)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 544 (Missing Standardized Error Handling Mechanism)
The software does not use a standardized method for handling errors throughout the code, which might introduce inconsistent error handling and resultant weaknesses.
*Weakness BaseWeakness BaseUnchecked Error Condition - (391)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 880 (CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR)) > 391 (Unchecked Error Condition)
Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
+CategoryCategoryCERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP) - (881)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 881 (CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP))
Weaknesses in this category are related to rules in the Object Oriented Programming (OOP) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness ClassWeakness ClassInsufficient Encapsulation - (485)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 881 (CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP)) > 485 (Insufficient Encapsulation)
The product does not sufficiently encapsulate critical data or functionality.
+CategoryCategoryCERT C++ Secure Coding Section 14 - Concurrency (CON) - (882)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON))
Weaknesses in this category are related to rules in the Concurrency (CON) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness ClassWeakness ClassConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - (362)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON)) > 362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'))
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.
*Weakness VariantWeakness VariantExposure of Data Element to Wrong Session - (488)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON)) > 488 (Exposure of Data Element to Wrong Session)
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
*Weakness BaseWeakness BaseMissing Release of Resource after Effective Lifetime - (772)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON)) > 772 (Missing Release of Resource after Effective Lifetime)
The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
*Weakness BaseWeakness BaseRace Condition within a Thread - (366)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON)) > 366 (Race Condition within a Thread)
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
*Weakness BaseWeakness BaseImproper Resource Shutdown or Release - (404)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 882 (CERT C++ Secure Coding Section 14 - Concurrency (CON)) > 404 (Improper Resource Shutdown or Release)
The program does not release or incorrectly releases a resource before it is made available for re-use.
+CategoryCategoryCERT C++ Secure Coding Section 49 - Miscellaneous (MSC) - (883)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC))
Weaknesses in this category are related to rules in the Miscellaneous (MSC) section of the CERT C++ Secure Coding Standard. Since not all rules map to specific weaknesses, this category may be incomplete.
*Weakness VariantWeakness VariantAssignment to Variable without Use ('Unused Variable') - (563)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 563 (Assignment to Variable without Use ('Unused Variable'))
The variable's value is assigned but never used, making it a dead store.
*Weakness VariantWeakness VariantComparing instead of Assigning - (482)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 482 (Comparing instead of Assigning)
The code uses an operator for comparison when the intention was to perform an assignment.
*Weakness BaseWeakness BaseCompiler Removal of Code to Clear Buffers - (14)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 14 (Compiler Removal of Code to Clear Buffers)
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
*Weakness VariantWeakness VariantDead Code - (561)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 561 (Dead Code)
The software contains dead code, which can never be executed.
*Weakness VariantWeakness VariantExpression is Always False - (570)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 570 (Expression is Always False)
The software contains an expression that will always evaluate to false.
*Weakness VariantWeakness VariantExpression is Always True - (571)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 571 (Expression is Always True)
The software contains an expression that will always evaluate to true.
*Weakness ClassWeakness ClassImproper Encoding or Escaping of Output - (116)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 116 (Improper Encoding or Escaping of Output)
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Output SanitizationOutput ValidationOutput Encoding
*Weakness VariantWeakness VariantImproper Handling of Unicode Encoding - (176)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 176 (Improper Handling of Unicode Encoding)
The software does not properly handle when an input contains Unicode encoding.
*Weakness ClassWeakness ClassImproper Input Validation - (20)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 20 (Improper Input Validation)
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
*Weakness ClassWeakness ClassInsufficient Comparison - (697)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 697 (Insufficient Comparison)
The software compares two entities in a security-relevant context, but the comparison is insufficient, which may lead to resultant weaknesses.
*Weakness ClassWeakness ClassUse of Insufficiently Random Values - (330)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 330 (Use of Insufficiently Random Values)
The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.
*Weakness BaseWeakness BaseUse of a Broken or Risky Cryptographic Algorithm - (327)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 327 (Use of a Broken or Risky Cryptographic Algorithm)
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
*Weakness ClassWeakness ClassIncorrect Type Conversion or Cast - (704)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 704 (Incorrect Type Conversion or Cast)
The software does not correctly convert an object, resource or structure from one type to a different type.
*Weakness BaseWeakness BaseUse of Incorrect Operator - (480)
868 (Weaknesses Addressed by the CERT C++ Secure Coding Standard) > 883 (CERT C++ Secure Coding Section 49 - Miscellaneous (MSC)) > 480 (Use of Incorrect Operator)
The programmer accidentally uses the wrong operator, which changes the application logic in security-relevant ways.
+ Relationship Notes

The relationships in this view were determined based on specific statements within the rules from the standard. Not all rules have direct relationships to individual weaknesses, although they likely have chaining relationships in specific circumstances.

+ References
+ Content History
Submissions
Submission DateSubmitterOrganizationSource
2011-08-04Internal CWE Team
+ View Metrics
CWEs in this viewTotal CWEs
Total111out of1006
Views0out of33
Categories16out of245
Weaknesses93out of720
Compound_Elements2out of8

More information is available — Please select a different filter.
Page Last Updated: May 05, 2017