CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.18)  
ID

CWE VIEW: Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List

View ID: 1432
Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
Type: Graph
Downloads: Booklet | CSV | XML
+ Objective
CWE entries in this view are listed in the 2025 CWE Most Important Hardware Weaknesses List, as determined by the Hardware CWE Special Interest Group (HW CWE SIG). The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source. By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.
+ Audience
Stakeholder Description
Hardware Designers Address key security weaknesses during hardware design process.
Product Customers Evaluate products for critical security weaknesses and enforce supplier security standards.
Applied Researchers Investigate selected weaknesses and develop new mitigation strategies.
Academic Researchers Identify gaps in foundational security models to develop advanced approaches.
Assessment Teams Focus testing on high-priority hardware security weaknesses.
Assessment Tool Vendors Improve automated tools to detect critical security weaknesses.
Educators Structure course content and research projects around hardware security weaknesses.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses are varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. While a composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
Show Details:
1432 - Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Sensitive Information in Resource Not Removed Before Reuse - (226)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 226 (Sensitive Information in Resource Not Removed Before Reuse)
The product releases a resource such as memory or a file so that it can be made available for reuse, but it does not clear or "zeroize" the information contained in the resource before the product performs a critical state transition or makes the resource available for reuse by other entities.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Isolation of Shared Resources on System-on-a-Chip (SoC) - (1189)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1189 (Improper Isolation of Shared Resources on System-on-a-Chip (SoC))
The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. On-Chip Debug and Test Interface With Improper Access Control - (1191)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1191 (On-Chip Debug and Test Interface With Improper Access Control)
The chip does not implement or does not correctly perform access control to check whether users are authorized to access internal registers and test modes through the physical debug/test interface.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Hardware Internal or Debug Modes Allow Override of Locks - (1234)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1234 (Hardware Internal or Debug Modes Allow Override of Locks)
System configuration protection may be bypassed during debug mode.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Protection Against Voltage and Clock Glitches - (1247)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1247 (Improper Protection Against Voltage and Clock Glitches)
The device does not contain or contains incorrectly implemented circuitry or sensors to detect and mitigate voltage and clock glitches and protect sensitive information or software contained on the device.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Restriction of Software Interfaces to Hardware Features - (1256)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1256 (Improper Restriction of Software Interfaces to Hardware Features)
The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Handling of Overlap Between Protected Memory Ranges - (1260)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1260 (Improper Handling of Overlap Between Protected Memory Ranges)
The product allows address regions to overlap, which can result in the bypassing of intended memory protection.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Access Control for Register Interface - (1262)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1262 (Improper Access Control for Register Interface)
The product uses memory-mapped I/O registers that act as an interface to hardware functionality from software, but there is improper access control to those registers.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Protection of Physical Side Channels - (1300)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1300 (Improper Protection of Physical Side Channels)
The device does not contain sufficient protection mechanisms to prevent physical side channels from exposing sensitive information due to patterns in physically observable phenomena such as variations in power consumption, electromagnetic emissions (EME), or acoustic emissions.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution - (1421)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1421 (Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution)
A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially exposing the data over a covert channel.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution - (1423)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1423 (Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution)
Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel.
+ Category Category - a CWE entry that contains a set of other entries that share a common characteristic. 2025 MIHW Supplement: Expert Insights - (1433)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights)
Weaknesses in this category were not included in the 2025 Most Important Hardware Weaknesses (MIHW) because they did not have sufficient weakness data to support their inclusion. However, they stand out as expert-driven selections. Each of these weaknesses received high scores from Subject Matter Experts, reflecting strong consensus among those with deep domain knowledge.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Improper Prevention of Lock Bit Modification - (1231)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights) > 1231 (Improper Prevention of Lock Bit Modification)
The product uses a trusted lock bit for restricting access to registers, address regions, or other resources, but the product does not prevent the value of the lock bit from being modified after it has been set.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Security-Sensitive Hardware Controls with Missing Lock Bit Protection - (1233)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights) > 1233 (Security-Sensitive Hardware Controls with Missing Lock Bit Protection)
The product uses a register lock bit protection mechanism, but it does not ensure that the lock bit prevents modification of system registers or controls that perform changes to important hardware system configuration.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Internal Asset Exposed to Unsafe Debug Access Level or State - (1244)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights) > 1244 (Internal Asset Exposed to Unsafe Debug Access Level or State)
The product uses physical debug or test interfaces with support for multiple access levels, but it assigns the wrong debug access level to an internal asset, providing unintended access to the asset from untrusted debug agents.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Sensitive Information Uncleared Before Debug/Power State Transition - (1272)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights) > 1272 (Sensitive Information Uncleared Before Debug/Power State Transition)
The product performs a power or debug state transition, but it does not clear sensitive information that should no longer be accessible due to changes to information access restrictions.
* Base Base - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. Driving Intermediate Cryptographic State/Results to Hardware Module Outputs - (1431)
1432 (Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List) > 1433 (2025 MIHW Supplement: Expert Insights) > 1431 (Driving Intermediate Cryptographic State/Results to Hardware Module Outputs)
The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires (typically the output port containing the final result).
Back to top
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ References
[REF-1480] MITRE. "2025 CWE Most Important Hardware Weaknesses". 2025-08-20. <https://cwe.mitre.org/topHW/index.html>. URL validated: 2025-09-06.
[REF-1483] MITRE. "2025 CWE MIHW Suggested Use Cases". 2025-08-20. <https://cwe.mitre.org/topHW/archive/2025/2025_MIHW_use_cases>. URL validated: 2025-09-06.
+ View Metrics
CWEs in this view Total CWEs
Weaknesses 16 out of 944
Categories 1 out of 375
Views 0 out of 52
Total 17 out of 1371
+ Content History
+ Submissions
Submission Date Submitter Organization
2025-09-06
(CWE 4.18, 2025-09-09) 		CWE Content Team MITRE
+ Contributions
Contribution Date Contributor Organization
2025-08-20
(CWE 4.18, 2025-09-09) 		2025 MIHW Working Group
Helped the CWE Team to define methodology and scoring algorithms; performed data analysis and mappings for Weakness Data Collection (WDC); and/or participated in Expert Poll 1 (EP1) or Expert Poll 2 (EP2).
Page Last Updated: September 09, 2025
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.