CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface (4.17)  
ID

CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface

Weakness ID: 1429
Vulnerability Mapping: ALLOWED This CWE ID may be used to map to real-world vulnerabilities
Abstraction: Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.
View customized information:
For users who are interested in more notional aspects of a weakness. Example: educators, technical writers, and project/program managers. For users who are concerned with the practical application and details about the nature of a weakness and how to prevent it from happening. Example: tool developers, security researchers, pen-testers, incident response analysts. For users who are mapping an issue to CWE/CAPEC IDs, i.e., finding the most appropriate CWE for a specific issue (e.g., a CVE record). Example: tool developers, security researchers. For users who wish to see all available information for the CWE/CAPEC entry. For users who want to customize what details are displayed.
×

Edit Custom Filter


+ Description
The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks.
+ Extended Description

While some systems intentionally withhold feedback as a security measure, this approach must be strictly controlled to ensure it does not obscure operational failures that require prompt detection and remediation. Without these essential confirmations, failures go undetected, increasing the risk of data loss, security vulnerabilities, and overall system instability. Even when withholding feedback is an intentional part of a security policy designed, for example, to prevent attackers from gleaning sensitive internal details, the absence of expected feedback becomes a critical weakness when it masks operational failures that require prompt detection and remediation.

For instance, certain encryption algorithms always return ciphertext regardless of errors to prevent attackers from gaining insight into internal state details. However, if such an algorithm fails to generate the expected ciphertext and provides no error feedback, the system cannot distinguish between a legitimate output and a malfunction. This can lead to undetected cryptographic failures, potentially compromising data security and system reliability. Without proper notification, a critical failure might remain hidden, undermining both the reliability and security of the process.

Therefore, this weakness captures issues across various hardware interfaces where operations are discarded without any feedback, error handling, or logging. Such omissions can lead to data loss, security vulnerabilities, and system instability, with potential impacts ranging from minor to catastrophic.

For some kinds of hardware products, some errors may be correctly identified and subsequently discarded, and the lack of feedback may have been an intentional design decision. However, this could result in a weakness if system operators or other authorized entities are not provided feedback about security-critical operations or failures that could prevent the operators from detecting and responding to an attack.

For example:

  • In a System-on-Chip (SoC) platform, write operations to reserved memory addresses might be correctly identified as invalid and subsequently discarded. However, if no feedback is provided to system operators, they may misinterpret the device's state, failing to recognize conditions that could lead to broader failures or security vulnerabilities. For example, if an attacker attempts unauthorized writes to protected regions, the system may silently discard these writes without alerting security mechanisms. This lack of feedback could obscure intrusion attempts or misconfigurations, increasing the risk of unnoticed system compromise
  • Microcontroller Interrupt Systems: When interrupts are silently ignored due to priority conflicts or internal errors without notifying higher-level control, it becomes challenging to diagnose system failures or detect potential security breaches in a timely manner.
  • Network Interface Controllers: Dropping packets - perhaps due to buffer overflows - without any error feedback can not only cause data loss but may also contribute to exploitable timing discrepancies that reveal sensitive internal processing details.
+ Common Consequences
Section HelpThis table specifies different individual consequences associated with the weakness. The Scope identifies the application security area that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in exploiting this weakness. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a weakness will be exploited to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
Impact Details

Read Memory; Read Files or Directories

Scope: Confidentiality

Likelihood: Medium

Critical data may be exposed if operations are unexecuted or discarded silently, allowing attackers to exploit the lack of feedback.

Modify Memory; Modify Files or Directories

Scope: Integrity

Likelihood: Medium

Operations may proceed based on incorrect assumptions, potentially causing data corruption or incorrect system behavior. In integrity-sensitive contexts, failing to signal that an operation did not occur as expected can mask errors that disrupt data consistency. Without feedback, the mitigation measures that should ensure updates have been performed cannot be verified, leaving the system vulnerable to both accidental and malicious data alterations

DoS: Resource Consumption (Memory); DoS: Crash, Exit, or Restart

Scope: Availability

Likelihood: High

Unhandled discarded operations can lead to resource exhaustion, triggering system crashes or denial of service. For availability, consistent feedback is crucial. Without proper notification of discarded operations, administrators or other authorized entities might miss early warning signs of resource imbalances. This delayed detection could allow a DoS condition to develop, compromising the system's ability to serve legitimate requests and maintain continuous operations.

+ Potential Mitigations
Phase(s) Mitigation

Architecture and Design

Incorporate logging and feedback mechanisms during the design phase to ensure proper handling of discarded operations.

Effectiveness: High

Note:

Addressing the issue at the design stage prevents the weakness from manifesting later.

Implementation

Developers should ensure that every critical operation includes proper logging or error feedback mechanisms.

Effectiveness: Moderate

Note:

Implementation-level checks complement design-phase measures.

+ Relationships
Section Help This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as PeerOf and CanAlsoBe are defined to show similar weaknesses that the user may want to explore.
+ Relevant to the view "Research Concepts" (View-1000)
Nature Type ID Name
ChildOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 223 Omission of Security-relevant Information
PeerOf Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 392 Missing Report of Error Condition
+ Relevant to the view "Hardware Design" (View-1194)
Nature Type ID Name
MemberOf Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 1208 Cross-Cutting Problems
+ Modes Of Introduction
Section HelpThe different Modes of Introduction provide information about how and when this weakness may be introduced. The Phase identifies a point in the life cycle at which introduction may occur, while the Note provides a typical scenario related to introduction during the given phase.
Phase Note
Architecture and Design

This weakness can be introduced during the architecture and design phase when the system does not incorporate proper mechanisms for error reporting or feedback for discarded operations, such as when handling reserved addresses or unexecuted instructions.

Implementation

It can also arise during implementation if developers fail to include appropriate feedback or logging for critical operations. This leads to silent failures in certain scenarios like interrupt handling or network buffer overflows.

Requirements

A further layer of complexity emerges when considering specifications. The weakness may stem either from ambiguous product design specifications that fail to delineate when feedback should occur or from implementations that do not adhere to existing requirements. In either case, the result is the same: feedback that is critical for detecting operational failures or security breaches is missing.

+ Applicable Platforms
Section HelpThis listing shows possible areas for which the given weakness could appear. These may be for specific named Languages, Operating Systems, Architectures, Paradigms, Technologies, or a class of such platforms. The platform is listed along with how frequently the given weakness appears for that instance.
Languages

C (Undetermined Prevalence)

C++ (Undetermined Prevalence)

Verilog (Undetermined Prevalence)

Class: Hardware Description Language (Undetermined Prevalence)

Class: Not Language-Specific (Undetermined Prevalence)

Architectures

ARM (Undetermined Prevalence)

x86 (Undetermined Prevalence)

Class: Embedded (Undetermined Prevalence)

Technologies

Security Hardware (Undetermined Prevalence)

Processor Hardware (Undetermined Prevalence)

Microcontroller Hardware (Undetermined Prevalence)

Class: System on Chip (Undetermined Prevalence)

+ Demonstrative Examples

Example 1


This code creates an interrupt handler. If the interrupt's priority is lower than the currently active one, the interrupt is discarded without any feedback, perhaps due to resource constraints.

(bad code)
Example Language:

void interrupt_handler(int irq) {
if (irq_priority[irq] < current_priority) {
return;
}
process_interrupt(irq);
}

The omission of feedback for the dropped lower-priority interrupt can cause developers to misinterpret the state of the system, leading to incorrect assumptions and potential system failures, such as missed sensor readings.

Attackers might leverage this lack of visibility to induce conditions that lead to timing side-channels. For example, an attacker could intentionally flood the system with high-priority interrupts, forcing the system to discard lower-priority interrupts consistently. If these discarded interrupts correspond to processes executing critical security functions (e.g., cryptographic key handling), an attacker might measure system timing variations to infer when and how those functions are executing. This creates a timing side channel that could be used to extract sensitive information. Moreover, since these lower-priority interrupts are not reported, the system remains unaware that critical tasks such as sensor data collection or maintenance routines, are being starved of execution. Over time, this can lead to functional failures or watchdog time resets in real-time systems.

One way to address this problem could be to use structured logging to provide visibility into discarded interrupts. This allows administrators, developers, or other authorized entities to track missed interrupts and optimize the system.

(good code)
Example Language:

// Priority threshold for active interrupts
int current_priority = 3;
// Simulated priority levels for different IRQs
int irq_priority[5] = {1, 2, 3, 4, 5};
void process_interrupt(int irq) {
printf("Processing interrupt %d\n", irq);
}
void interrupt_handler(int irq) {
if (irq_priority[irq] < current_priority) {
// Log the dropped interrupt using structured feedback
fprintf(stderr, "Warning: Interrupt %d dropped (Priority: %d < Current: %d)\n",
irq, irq_priority[irq], current_priority);
exit(EXIT_FAILURE); // Exit with failure status to indicate a critical issue.
}
process_interrupt(irq);
}


Example 2


Consider a SoC design with these component IPs:

IP 1. Execution Core <--> IP 2 SoC Fabric (NoC, tile etc. ) <--> IP 3 Memory Controller <--> External/ internal memory.

The Core executes operations that trigger transactions that traverse the HW fabric links to read/write to the final memory module.

There can be unexpected errors in each link. For adding reliability and redundance, features like ECCs are used in these transactions. Error correction capabilities have to define how many error bits can be detected and which errors can be corrected, and which are uncorrectable errors. In design, often the severity level and response on different errors is allowed to be configured by system firmware modules like BIOS.

(bad code)
 
If an uncorrectable error occurs, the design does not explicitly trigger an alert back to the execution core.

For system security, if an uncorrectable error occurs but is not reported to the execution core and handled before the core attempts to consume the data that is read/written through the corrupted transactions, then this could enable silent data corruption (SDC) attacks.

In the case of confidential compute technologies where system firmware is not a trusted component, error handling controls can be misconfigured to trigger this weakness and attack the assets protected by confidential compute.

(good code)
 
Modify the design so that any uncorrectable error triggers an alert back to the execution core and gets handled before the core can consume the data read/written through the corrupted transactions. Update design access control policies to ensure that alerts sent to execution core on uncorrectable errors cannot be disabled or masked by untrusted software/firmware.


+ Selected Observed Examples

Note: this is a curated list of examples for users to understand the variety of ways in which this weakness can be introduced. It is not a complete list of all CVEs that are related to this CWE entry.

Reference Description
Open source silicon root of trust (RoT) product does not immediately report when an integrity check fails for memory requests, causing the product to accept and continue processing data [REF-1468]
+ Detection Methods
Method Details

Automated Static Analysis - Source Code

Scans code for missing error handling or feedback mechanisms.

Effectiveness: High

Note:

This identify common issues early in the development phase.

Manual Static Analysis - Source Code

Experts manually inspect the code for unhandled operations.

Effectiveness: Moderate

Note:

Useful for identifying design-level omissions.

+ Memberships
Section HelpThis MemberOf Relationships table shows additional CWE Categories and Views that reference this weakness as a member. This information is often useful in understanding where a weakness fits within the context of external information sources.
Nature Type ID Name
MemberOf CategoryCategory - a CWE entry that contains a set of other entries that share a common characteristic. 1413 Comprehensive Categorization: Protection Mechanism Failure
+ Vulnerability Mapping Notes
Usage ALLOWED
(this CWE ID may be used to map to real-world vulnerabilities)
Reason Acceptable-Use

Rationale

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
+ References
[REF-1468] GregAC. "OpenTitan issue: [rv_core_ibex] Bus errors on integrity check failure". 2022-03-09.
<https://github.com/lowRISC/opentitan/issues/11336>. (URL validated: 2025-04-02)
+ Content History
+ Submissions
Submission Date Submitter Organization
2023-12-20
(CWE 4.17, 2025-04-03)
Amisha Srivastava University of Texas at Dallas
+ Contributions
Contribution Date Contributor Organization
2025-03-25
(CWE 4.17, 2025-04-03)
Hareesh Khattri Intel Corporation
Contributed an observed example and a demonstrative example.
Page Last Updated: April 03, 2025