CWE

Common Weakness Enumeration

A Community-Developed List of Software & Hardware Weakness Types


Differences between Version 4.0 and Version 4.1

Summary
Total weaknesses/chains/composites (Version 4.1) 875
Total weaknesses/chains/composites (Version 4.0) 840
Total new 35
Total deprecated 0
Total with major changes 211
Total with only minor changes 3
Total unchanged 1038

Summary of Entry Types

| Type | Version 4.0 | Version 4.1 |
|---|---|---|
| Weakness | 840 | 875 |
| Category | 312 | 312 |
| View | 39 | 39 |
| Deprecated | 61 | 61 |
| Total | 1252 | 1287 |

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

| Field | Major | Minor |
|---|---|---|
| Name | 6 | 0 |
| Description | 14 | 0 |
| Applicable_Platforms | 6 | 0 |
| Time_of_Introduction | 0 | 0 |
| Demonstrative_Examples | 22 | 0 |
| Detection_Factors | 1 | 0 |
| Likelihood_of_Exploit | 0 | 0 |
| Common_Consequences | 15 | 2 |
| Relationships | 57 | 0 |
| References | 11 | 0 |
| Potential_Mitigations | 121 | 1 |
| Observed_Examples | 20 | 0 |
| Terminology_Notes | 2 | 0 |
| Alternate_Terms | 5 | 0 |
| Related_Attack_Patterns | 0 | 0 |
| Relationship_Notes | 8 | 0 |
| Taxonomy_Mappings | 0 | 0 |
| Maintenance_Notes | 5 | 0 |
| Modes_of_Introduction | 1 | 0 |
| Research_Gaps | 1 | 0 |
| Background_Details | 0 | 0 |
| Theoretical_Notes | 1 | 0 |
| Weakness_Ordinalities | 0 | 0 |
| Other_Notes | 0 | 0 |
| View_Type | 0 | 0 |
| View_Structure | 0 | 0 |
| View_Filter | 0 | 0 |
| View_Audience | 0 | 0 |
| Type | 1 | 0 |
| Source_Taxonomy | 0 | 0 |

Form and Abstraction Changes

| From | To | Total | CWE IDs |
|---|---|---|---|
| Unchanged | | 1251 | |
| Weakness/Base | Weakness/Variant | 1 | 129 |

Status Changes

| From | To | Total |
|---|---|---|
| Unchanged | | 1252 |

Relationship Changes

The "Version 4.1 Total" lists the total number of relationships in Version 4.1. The "Shared" value is the total number of relationships in entries that were in both Version 4.1 and Version 4.0. The "New" value is the total number of relationships involving entries that did not exist in Version 4.0. Thus, the total number of relationships in Version 4.1 would combine stats from Shared entries and New entries.

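| Relationship | Version 4.1 Total | Version 4.0 Total | Version 4.1 Shared | Unchanged | Added to Version 4.1 | Removed from Version 4.0 | Version 4.1 New |
|---|---|---|---|---|---|---|---|
| ALL | 8767 | 8595 | 8591 | 8575 | 16 | 20 | 176 |
| ChildOf | 3656 | 3587 | 3583 | 3577 | 6 | 10 | 73 |
| ParentOf | 3656 | 3587 | 3583 | 3577 | 6 | 10 | 73 |
| MemberOf | 496 | 496 | 496 | 496 | | | |
| HasMember | 496 | 496 | 496 | 496 | | | |
| CanPrecede | 128 | 122 | 123 | 122 | 1 | | 5 |
| CanFollow | 128 | 122 | 123 | 122 | 1 | | 5 |
| StartsWith | 3 | 3 | 3 | 3 | | | |
| Requires | 13 | 13 | 13 | 13 | | | |
| RequiredBy | 13 | 13 | 13 | 13 | | | |
| CanAlsoBe | 28 | 28 | 28 | 28 | | | |
| PeerOf | 150 | 128 | 130 | 128 | 2 | | 20 |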

Nodes Removed from Version 4.0

CWE-ID CWE Name
None.

Hardware Nodes Added to Version 4.1

CWE-ID CWE Name
1254 Incorrect Comparison Logic Granularity
1256 Hardware Features Enable Physical Attacks from Software
1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions
1258 Sensitive Information Uncleared During Hardware Debug Flows
1259 Improper Protection of Security Identifiers
1260 Improper Handling of Overlap Between Protected Memory Ranges
1261 Improper Handling of Single Event Upsets
1262 Register Interface Allows Software Access to Sensitive Data or Security Settings
1263 Insufficient Physical Protection Mechanism
1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels
1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
1267 Policy Uses Obsolete Encoding
1268 Agents Included in Control Policy are not Contained in Less-Privileged Policy
1269 Product Released in Non-Release Configuration
1270 Generation of Incorrect Security Identifiers
1271 Missing Known Value on Reset for Registers Holding Security Settings
1272 Debug/Power State Transitions Leak Information
1273 Device Unlock Credential Sharing
1274 Insufficient Protections on the Volatile Memory Containing Boot Code
1276 Hardware Block Incorrectly Connected to Larger System
1277 Firmware Not Updateable
1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
1279 Cryptographic Primitives used without Successful Self-Test
1280 Access Control Check Implemented After Asset is Accessed
1281 Sequence of Processor Instructions Leads to Unexpected Behavior (Halt and Catch Fire)
1282 Assumed-Immutable Data Stored in Writable Memory
1283 Mutable Attestation or Measurement Reporting Data

Software Nodes Added to Version 4.1

CWE-ID CWE Name
1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
1275 Sensitive Cookie with Improper SameSite Attribute
1284 Improper Validation of Specified Quantity in Input
1285 Improper Validation of Specified Index, Position, or Offset in Input
1286 Improper Validation of Syntactic Correctness of Input
1287 Improper Validation of Specified Type of Input
1288 Improper Validation of Consistency within Input
1289 Improper Validation of Unsafe Equivalence in Input

Nodes Deprecated in Version 4.1

CWE-ID CWE Name
None.
Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D R 20 Improper Input Validation
R 41 Improper Resolution of Path Equivalence
R 73 External Control of File Name or Path
R 112 Missing XML Validation
R 114 Process Control
R 119 Improper Restriction of Operations within the Bounds of a Memory Buffer
R 129 Improper Validation of Array Index
NR 137 Data Neutralization Issues
R 147 Improper Neutralization of Input Terminators
R 178 Improper Handling of Case Sensitivity
R 179 Incorrect Behavior Order: Early Validation
R 200 Exposure of Sensitive Information to an Unauthorized Actor
R 208 Observable Timing Discrepancy
R 212 Improper Removal of Sensitive Information Before Storage or Transfer
R 284 Improper Access Control
R 345 Insufficient Verification of Data Authenticity
R 349 Acceptance of Extraneous Untrusted Data With Trusted Data
R 352 Cross-Site Request Forgery (CSRF)
R 371 State Issues
D 384 Session Fixation
D 400 Uncontrolled Resource Consumption
R 404 Improper Resource Shutdown or Release
R 416 Use After Free
R 471 Modification of Assumed-Immutable Data (MAID)
D R 606 Unchecked Input for Loop Condition
D 622 Improper Validation of Function Hook Arguments
R 626 Null Byte Interaction Error (Poison Null Byte)
R 641 Improper Restriction of Names for Files and Other Resources
R 663 Use of a Non-reentrant Function in a Concurrent Context
R 664 Improper Control of a Resource Through its Lifetime
R 665 Improper Initialization
R 668 Exposure of Resource to Wrong Sphere
R 691 Insufficient Control Flow Management
DN 692 Incomplete Denylist to Cross-Site Scripting
R 693 Protection Mechanism Failure
D R 696 Incorrect Behavior Order
R 697 Incorrect Comparison
D 707 Improper Neutralization
R 755 Improper Handling of Exceptional Conditions
D R 770 Allocation of Resources Without Limits or Throttling
D 777 Regular Expression without Anchors
R 781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
R 789 Uncontrolled Memory Allocation
R 791 Incomplete Filtering of Special Elements
R 821 Incorrect Synchronization
R 843 Access of Resource Using Incompatible Type ('Type Confusion')
DN 942 Permissive Cross-domain Policy with Untrusted Domains
R 1037 Processor Optimization Removal or Modification of Security-critical Code
R 1173 Improper Use of Validation Framework
DNR 1191 Exposed Chip Debug and or Test Interface With Insufficient Access Control
R 1195 Manufacturing and Life Cycle Management Concerns
R 1196 Security Flow Issues
R 1197 Integration Issues
R 1198 Privilege Separation and Access Control Issues
R 1199 General Circuit and Logic Design Concerns
R 1201 Core and Compute Issues
R 1202 Memory and Storage Issues
R 1205 Security Primitives and Cryptography Issues
R 1206 Power, Clock, and Reset Concerns
R 1207 Debug and Test Problems
R 1208 Cross-Cutting Problems
DNR 1215 Data Validation Issues
R 1243 Exposure of Security-Sensitive Fuse Values During Debug
DNR 1253 Incorrect Selection of Fuse Values
Detailed Difference Report
20 Improper Input Validation
Major Applicable_Platforms, Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References, Relationship_Notes, Relationships, Research_Gaps, Terminology_Notes
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Demonstrative_Examples, Potential_Mitigations
Minor None
23 Relative Path Traversal
Major Observed_Examples, Potential_Mitigations
Minor None
24 Path Traversal: '../filedir'
Major Potential_Mitigations
Minor None
25 Path Traversal: '/../filedir'
Major Potential_Mitigations
Minor None
26 Path Traversal: '/dir/../filename'
Major Potential_Mitigations
Minor None
27 Path Traversal: 'dir/../../filename'
Major Potential_Mitigations
Minor None
28 Path Traversal: '..\filedir'
Major Observed_Examples, Potential_Mitigations
Minor None
29 Path Traversal: '\..\filename'
Major Potential_Mitigations
Minor None
30 Path Traversal: '\dir\..\filename'
Major Potential_Mitigations
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Potential_Mitigations
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Potential_Mitigations
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Potential_Mitigations
Minor None
34 Path Traversal: '....//'
Major Potential_Mitigations
Minor None
35 Path Traversal: '.../...//'
Major Potential_Mitigations
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Potential_Mitigations
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Potential_Mitigations
Minor None
39 Path Traversal: 'C:dirname'
Major Potential_Mitigations
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Potential_Mitigations
Minor None
41 Improper Resolution of Path Equivalence
Major Observed_Examples, Potential_Mitigations, Relationships
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Potential_Mitigations
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Potential_Mitigations
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Potential_Mitigations
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Potential_Mitigations
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Potential_Mitigations
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Potential_Mitigations
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Observed_Examples, Potential_Mitigations
Minor None
73 External Control of File Name or Path
Major Potential_Mitigations, Relationships
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Potential_Mitigations
Minor None
75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Major Potential_Mitigations
Minor None
76 Improper Neutralization of Equivalent Special Elements
Major Potential_Mitigations
Minor None
77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Major Potential_Mitigations
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Observed_Examples, Potential_Mitigations
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Observed_Examples, Potential_Mitigations
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Potential_Mitigations
Minor None
81 Improper Neutralization of Script in an Error Message Web Page
Major Potential_Mitigations
Minor None
83 Improper Neutralization of Script in Attributes in a Web Page
Major Potential_Mitigations
Minor None
84 Improper Neutralization of Encoded URI Schemes in a Web Page
Major Potential_Mitigations
Minor None
85 Doubled Character XSS Manipulations
Major Potential_Mitigations
Minor None
87 Improper Neutralization of Alternate XSS Syntax
Major Potential_Mitigations
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Potential_Mitigations
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Demonstrative_Examples, Potential_Mitigations, Relationship_Notes
Minor None
90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Major Potential_Mitigations, Relationship_Notes
Minor None
91 XML Injection (aka Blind XPath Injection)
Major Potential_Mitigations
Minor None
94 Improper Control of Generation of Code ('Code Injection')
Major Potential_Mitigations
Minor None
95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Major Potential_Mitigations
Minor None
96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Major Potential_Mitigations
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Potential_Mitigations
Minor None
112 Missing XML Validation
Major Relationships
Minor None
113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
Major Potential_Mitigations
Minor None
114 Process Control
Major Relationships
Minor None
116 Improper Encoding or Escaping of Output
Major Applicable_Platforms, Demonstrative_Examples, Potential_Mitigations
Minor None
117 Improper Output Neutralization for Logs
Major Potential_Mitigations
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Relationships
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Common_Consequences, Potential_Mitigations
Minor None
121 Stack-based Buffer Overflow
Major Common_Consequences
Minor None
125 Out-of-bounds Read
Major Potential_Mitigations
Minor None
126 Buffer Over-read
Major Demonstrative_Examples
Minor None
129 Improper Validation of Array Index
Major Demonstrative_Examples, Potential_Mitigations, Relationships, Type
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Common_Consequences, Demonstrative_Examples
Minor None
137 Data Neutralization Issues
Major Name, Relationships
Minor None
138 Improper Neutralization of Special Elements
Major Potential_Mitigations
Minor None
140 Improper Neutralization of Delimiters
Major Potential_Mitigations
Minor None
141 Improper Neutralization of Parameter/Argument Delimiters
Major Potential_Mitigations
Minor None
142 Improper Neutralization of Value Delimiters
Major Potential_Mitigations
Minor None
143 Improper Neutralization of Record Delimiters
Major Potential_Mitigations
Minor None
144 Improper Neutralization of Line Delimiters
Major Potential_Mitigations
Minor None
145 Improper Neutralization of Section Delimiters
Major Potential_Mitigations
Minor None
146 Improper Neutralization of Expression/Command Delimiters
Major Potential_Mitigations
Minor None
147 Improper Neutralization of Input Terminators
Major Potential_Mitigations, Relationships
Minor None
148 Improper Neutralization of Input Leaders
Major Potential_Mitigations
Minor None
149 Improper Neutralization of Quoting Syntax
Major Potential_Mitigations
Minor None
150 Improper Neutralization of Escape, Meta, or Control Sequences
Major Potential_Mitigations
Minor None
151 Improper Neutralization of Comment Delimiters
Major Potential_Mitigations
Minor None
152 Improper Neutralization of Macro Symbols
Major Potential_Mitigations
Minor None
153 Improper Neutralization of Substitution Characters
Major Potential_Mitigations
Minor None
154 Improper Neutralization of Variable Name Delimiters
Major Potential_Mitigations
Minor None
155 Improper Neutralization of Wildcards or Matching Symbols
Major Potential_Mitigations
Minor None
156 Improper Neutralization of Whitespace
Major Potential_Mitigations
Minor None
157 Failure to Sanitize Paired Delimiters
Major Potential_Mitigations
Minor None
158 Improper Neutralization of Null Byte or NUL Character
Major Observed_Examples, Potential_Mitigations
Minor None
159 Improper Handling of Invalid Use of Special Elements
Major Potential_Mitigations
Minor None
160 Improper Neutralization of Leading Special Elements
Major Potential_Mitigations
Minor None
161 Improper Neutralization of Multiple Leading Special Elements
Major Potential_Mitigations
Minor None
162 Improper Neutralization of Trailing Special Elements
Major Potential_Mitigations
Minor None
163 Improper Neutralization of Multiple Trailing Special Elements
Major Potential_Mitigations
Minor None
164 Improper Neutralization of Internal Special Elements
Major Potential_Mitigations
Minor None
165 Improper Neutralization of Multiple Internal Special Elements
Major Potential_Mitigations
Minor None
166 Improper Handling of Missing Special Element
Major Potential_Mitigations
Minor None
167 Improper Handling of Additional Special Element
Major Potential_Mitigations
Minor None
168 Improper Handling of Inconsistent Special Elements
Major Potential_Mitigations
Minor None
172 Encoding Error
Major Potential_Mitigations
Minor None
173 Improper Handling of Alternate Encoding
Major Potential_Mitigations
Minor None
174 Double Decoding of the Same Data
Major Potential_Mitigations
Minor None
175 Improper Handling of Mixed Encoding
Major Potential_Mitigations
Minor None
176 Improper Handling of Unicode Encoding
Major Potential_Mitigations
Minor None
177 Improper Handling of URL Encoding (Hex Encoding)
Major Potential_Mitigations
Minor None
178 Improper Handling of Case Sensitivity
Major Demonstrative_Examples, Potential_Mitigations, Relationships
Minor None
179 Incorrect Behavior Order: Early Validation
Major Demonstrative_Examples, Potential_Mitigations, Relationships
Minor None
180 Incorrect Behavior Order: Validate Before Canonicalize
Major Demonstrative_Examples, Potential_Mitigations
Minor None
182 Collapse of Data into Unsafe Value
Major Potential_Mitigations
Minor None
183 Permissive List of Allowed Inputs
Major Alternate_Terms, Observed_Examples
Minor None
184 Incomplete List of Disallowed Inputs
Major Alternate_Terms, Observed_Examples
Minor None
185 Incorrect Regular Expression
Major Relationship_Notes
Minor None
186 Overly Restrictive Regular Expression
Major Relationship_Notes
Minor None
190 Integer Overflow or Wraparound
Major Observed_Examples
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Relationships
Minor None
208 Observable Timing Discrepancy
Major Relationships
Minor None
212 Improper Removal of Sensitive Information Before Storage or Transfer
Major Relationships
Minor None
241 Improper Handling of Unexpected Data Type
Major Potential_Mitigations
Minor None
251 Often Misused: String Management
Major References
Minor None
252 Unchecked Return Value
Major Observed_Examples
Minor None
284 Improper Access Control
Major Relationships
Minor None
289 Authentication Bypass by Alternate Name
Major Potential_Mitigations
Minor None
345 Insufficient Verification of Data Authenticity
Major Relationships
Minor None
346 Origin Validation Error
Major Demonstrative_Examples, Terminology_Notes
Minor None
348 Use of Less Trusted Source
Major Demonstrative_Examples
Minor None
349 Acceptance of Extraneous Untrusted Data With Trusted Data
Major Observed_Examples, Relationships
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Relationships, Theoretical_Notes
Minor None
371 State Issues
Major Relationships
Minor None
384 Session Fixation
Major Description
Minor None
400 Uncontrolled Resource Consumption
Major Description, Maintenance_Notes
Minor None
404 Improper Resource Shutdown or Release
Major Relationships
Minor None
415 Double Free
Major Common_Consequences
Minor None
416 Use After Free
Major Relationships
Minor None
427 Uncontrolled Search Path Element
Major Potential_Mitigations
Minor None
428 Unquoted Search Path or Element
Major Potential_Mitigations
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Potential_Mitigations, Relationship_Notes
Minor None
450 Multiple Interpretations of UI Input
Major Potential_Mitigations
Minor None
454 External Initialization of Trusted Variables or Data Stores
Major Potential_Mitigations
Minor None
456 Missing Initialization of a Variable
Major Demonstrative_Examples
Minor None
469 Use of Pointer Subtraction to Determine Size
Major Common_Consequences
Minor None
470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Major Potential_Mitigations
Minor None
471 Modification of Assumed-Immutable Data (MAID)
Major Relationships
Minor None
472 External Control of Assumed-Immutable Web Parameter
Major Potential_Mitigations
Minor None
476 NULL Pointer Dereference
Major Common_Consequences
Minor None
502 Deserialization of Untrusted Data
Major Alternate_Terms, Potential_Mitigations
Minor None
551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
Major Potential_Mitigations
Minor None
562 Return of Stack Variable Address
Major Common_Consequences
Minor None
564 SQL Injection: Hibernate
Major Potential_Mitigations
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Potential_Mitigations
Minor None
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples, Description, Relationships
Minor None
621 Variable Extraction Error
Major Potential_Mitigations
Minor None
622 Improper Validation of Function Hook Arguments
Major Description
Minor None
623 Unsafe ActiveX Control Marked Safe For Scripting
Major Observed_Examples
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major Observed_Examples, Relationships
Minor None
627 Dynamic Variable Evaluation
Major Potential_Mitigations
Minor None
639 Authorization Bypass Through User-Controlled Key
Major Alternate_Terms
Minor None
641 Improper Restriction of Names for Files and Other Resources
Major Potential_Mitigations, Relationships
Minor None
642 External Control of Critical State Data
Major Demonstrative_Examples
Minor None
663 Use of a Non-reentrant Function in a Concurrent Context
Major Relationships
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Relationships
Minor None
665 Improper Initialization
Major Relationships
Minor None
668 Exposure of Resource to Wrong Sphere
Major Relationships
Minor None
690 Unchecked Return Value to NULL Pointer Dereference
Major Common_Consequences
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
692 Incomplete Denylist to Cross-Site Scripting
Major Description, Name, Observed_Examples, References
Minor None
693 Protection Mechanism Failure
Major Relationships
Minor None
696 Incorrect Behavior Order
Major Description, Observed_Examples, Relationships
Minor None
697 Incorrect Comparison
Major Relationships
Minor None
698 Execution After Redirect (EAR)
Major Demonstrative_Examples
Minor None
707 Improper Neutralization
Major Description, Maintenance_Notes
Minor None
733 Compiler Optimization Removal or Modification of Security-critical Code
Major Observed_Examples
Minor None
754 Improper Check for Unusual or Exceptional Conditions
Major Potential_Mitigations
Minor None
755 Improper Handling of Exceptional Conditions
Major Relationships
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Applicable_Platforms, Description, Maintenance_Notes, Potential_Mitigations, Relationship_Notes, Relationships
Minor None
777 Regular Expression without Anchors
Major Common_Consequences, Description, Potential_Mitigations
Minor None
781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
Major Relationships
Minor None
787 Out-of-bounds Write
Major Observed_Examples
Minor None
788 Access of Memory Location After End of Buffer
Major Demonstrative_Examples
Minor None
789 Uncontrolled Memory Allocation
Major Relationships
Minor None
791 Incomplete Filtering of Special Elements
Major Relationships
Minor None
805 Buffer Access with Incorrect Length Value
Major Common_Consequences
Minor None
806 Buffer Access Using Size of Source Buffer
Major Common_Consequences
Minor None
821 Incorrect Synchronization
Major Relationships
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Potential_Mitigations
Minor None
840 Business Logic Errors
Major References
Minor None
843 Access of Resource Using Incompatible Type ('Type Confusion')
Major Common_Consequences, Relationships
Minor None
913 Improper Control of Dynamically-Managed Code Resources
Major Potential_Mitigations
Minor None
914 Improper Control of Dynamically-Identified Variables
Major Potential_Mitigations
Minor None
915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
Major Alternate_Terms, Potential_Mitigations
Minor None
927 Use of Implicit Intent for Sensitive Communication
Major Demonstrative_Examples
Minor None
939 Improper Authorization in Handler for Custom URL Scheme
Major Potential_Mitigations
Minor None
940 Improper Verification of Source of a Communication Channel
Major Demonstrative_Examples, Potential_Mitigations
Minor None
942 Permissive Cross-domain Policy with Untrusted Domains
Major Description, Name
Minor None
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major Observed_Examples
Minor None
1021 Improper Restriction of Rendered UI Layers or Frames
Major Potential_Mitigations
Minor None
1037 Processor Optimization Removal or Modification of Security-critical Code
Major Relationships
Minor None
1128 CISQ Quality Measures (2016)
Major References
Minor None
1129 CISQ Quality Measures - Reliability
Major References
Minor None
1130 CISQ Quality Measures - Maintainability
Major References
Minor None
1131 CISQ Quality Measures - Security
Major References
Minor None
1132 CISQ Quality Measures - Performance
Major References
Minor None
1173 Improper Use of Validation Framework
Major Relationships
Minor None
1191 Exposed Chip Debug and or Test Interface With Insufficient Access Control
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Name, References, Relationships
Minor None
1195 Manufacturing and Life Cycle Management Concerns
Major Relationships
Minor None
1196 Security Flow Issues
Major Relationships
Minor None
1197 Integration Issues
Major Relationships
Minor None
1198 Privilege Separation and Access Control Issues
Major Relationships
Minor None
1199 General Circuit and Logic Design Concerns
Major Relationships
Minor None
1201 Core and Compute Issues
Major Relationships
Minor None
1202 Memory and Storage Issues
Major Relationships
Minor None
1205 Security Primitives and Cryptography Issues
Major Relationships
Minor None
1206 Power, Clock, and Reset Concerns
Major Relationships
Minor None
1207 Debug and Test Problems
Major Relationships
Minor None
1208 Cross-Cutting Problems
Major Relationships
Minor None
1215 Data Validation Issues
Major Description, Name, Relationship_Notes, Relationships
Minor None
1221 Incorrect Register Defaults or Module Parameters
Major None
Minor Potential_Mitigations
1223 Race Condition for Write-Once Attributes
Major None
Minor Common_Consequences
1224 Improper Restriction of Write-Once Bit Fields
Major None
Minor Common_Consequences
1241 Use of Predictable Algorithm in Random Number Generator
Major Common_Consequences, Demonstrative_Examples, Modes_of_Introduction
Minor None
1243 Exposure of Security-Sensitive Fuse Values During Debug
Major Relationships
Minor None
1250 Improper Preservation of Consistency Between Independent Representations of Shared State
Major Applicable_Platforms
Minor None
1253 Incorrect Selection of Fuse Values
Major Applicable_Platforms, Common_Consequences, Demonstrative_Examples, Description, Detection_Factors, Maintenance_Notes, Name, Potential_Mitigations, References, Relationships
Minor None
Page Last Updated: June 25, 2020