Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2024

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

New CWE Board Member from NVIDIA

April 18, 2024 | Share this article

Deana O’Meara of NVIDIA has joined the CWE Board.

Through open and collaborative discussions, CWE Board members provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction. Members include technical implementers that provide input and guidance regarding the creation, design, review, maintenance, and applications of CWE entries; subject matter experts who are domain experts in weakness and/or attack pattern fields and represent a significant constituency related to, or affected by, CWE; and advocates who actively support and promote CWE throughout the community in a highly visible and responsible manner.

Join the “Root Cause Mapping” Working Group!

April 10, 2024 | Share this article

Several CWE™ Program and CVE® Program stakeholder organizations — Intel, Microsoft, Red Hat, Rapid 7, CISA, HSSEDI — have established the Root Cause Mapping Working Group (RCM WG) focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping of vulnerabilities.

“Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers.

RCM WG efforts will include:

• Identifying and describing the current challenges in performing and reporting accurate root cause mapping
• Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping which will have the effect of better achieving CWE program adoption and coverage goals
• Developing new capabilities to simplify the root cause mapping process

The RCM WG is accepting new members. If you are interested in participating, please email us at cwe@mitre.org.

Microsoft Announces It Will Use CWE for Root Cause Mapping of Its CVEs

April 10, 2024 | Share this article

On April 8, 2024, Microsoft announced in a Microsoft Security Response Center blog article entitled “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” that it will now “publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard.”

In addition to explaining how Microsoft will use CWE, along with providing an example of Microsoft CVE Record with CWE information (i.e., in CVE Record CVE-2024-29990, when viewing the JSON for this record), blog author Lisa Olson, Senior Program Manager Security Release at Microsoft, states: “We believe adopting CWE will better serve our customers, developers, and security practitioners across the industry. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases. Ultimately, our commitment to CWE represents a meaningful step toward a more cyber-secure world.”

Read the complete “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” article on the Microsoft website.

CWE Program Updates Guidance for the “Root Cause Mapping” of Vulnerabilities

March 22, 2024 | Share this article

The CWE Program has updated its guidance for mapping the root cause(s) of vulnerabilities on the “Root Cause Mapping Guidance” page on the CWE website.

Importance of Root Cause Mapping

“Root cause mapping” is the identification of the underlying cause(s) of a vulnerability. Accurate and precise root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers.

Additionally, it enables:

1. Driving the removal of classes of vulnerabilities: Root cause mapping encourages a valuable feedback loop into a vendor’s software development lifecycle or architecture design planning.
2. Saving money: the more weaknesses avoided in product development, the less vulnerabilities to manage after deployment.
3. Trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection?).
4. Further insight to potential “exploitability” based on root cause (e.g., command injection vulnerabilities tend to see increased adversary attention, be targeted by certain actors).
5. Organizations demonstrating transparency to customers about how they are targeting and addressing problems in their products.

Today, however, root cause mapping is not done accurately at scale by the vulnerability management ecosystem. The CWE Program’s new and improved guidance addresses this problem.

New and Improved Guidance for Root Cause Mapping

Root cause mapping is best accomplished by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. The new and improved guidance provides an overview and step-by-step methodologies for mapping CVEs to CWEs.

This guidance is intended to help CVE Numbering Authorities (CNAs) and those who produce or analyze CVE Records. It is also likely to be helpful to those who are analyzing vulnerabilities that are not tracked by the CVE Program.

View the new and improved root cause mapping guidance here.

Working Group

Several CVE and CWE stakeholder organizations have established a working group focused on identifying the capabilities, processes, and information needed to improve and scale accurate root cause mapping. Efforts include:

• Identifying and describing the current challenges in performing and reporting accurate root cause mapping
• Defining how the CWE hierarchy and content must improve to facilitate better root cause mapping which will have the effect of better achieving CWE program adoption and coverage goals
• Developing new capabilities to simplify the root cause mapping process

If you are interested in participating, please email us at cwe@mitre.org.

CWE at CVE/FIRST VulnCon 2024

March 22, 2024 | Share this article

CWE was the main focus of two sessions at CVE/FIRST VulnCon 2024 at the McKimmon Center in Raleigh, North Carolina, USA, held March 25-27, 2024:

• “The CWE Program: Current State and Road Ahead” presentation — “An overview of the CWE Program’s current efforts to implement its federation strategy to increase program coverage and adoption. This includes efforts to modernize CWE Program infrastructure (e.g., deploying a REST API), federate CWE content development (e.g., launch the CWE Content Development Repository (CDR) to provide a platform for program partners to collaborate transparently on CWE content development), and an overview of the CWE community working groups/special interest groups and what they are trying to accomplish.”
• “Enabling Accurate, Decentralized Root Cause Mapping at Scale” discussion panel — “Root cause mapping is the identification of the underlying cause of a vulnerability. The Root Cause Mapping Working Group (RCM WG) was established by CVE and CWE community stakeholders with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem to enable trend analysis and risk management. This moderated discussion panel with members of the RCM WG covered the value, challenge, and potential for accurate and decentralized root cause mapping at scale.”

Thank you so much to everyone who attended our RCM discussion panel and CWE talk at the first-ever VulnCon conference. We are already looking forward to next year’s event!

CWE Version 4.14 Now Available

February 29, 2024 | Share this article

CWE Version 4.14 has been posted on the CWE List page and includes a number of exciting updates. There are 4 new weakness entries related to related to hardware micro architectures; 1 new View for “Weaknesses Addressed by ISA/IEC 62443 Requirements” for industrial automation and control systems; updates to observed and demonstrative examples; 10 new demonstrative examples from the HACK@DAC security challenge contest; among other changes.

Also, a major enhancement has been made to CWE entry pages beginning with this release. All CWE entry web pages will now have vulnerability mapping labels underneath their titles. These include labels for when a CWE is approved, discouraged, or prohibited from vulnerability root cause mapping. In addition, the labels provide a direct link to the entry’s Mapping Notes for quick reference to more detailed information.

The CWE Program thanks Intel, AMD, ARM, Cycuity, Riscure, HACK@DAC contributors from Texas A&M University and Technical University of Darmstadt, and members of the CWE ICS/OT Special Interest Group (ICS/OT SIG) and Hardware CWE Special Interest Group (HW CWE SIG) for their collaboration preparing for this new version.

Main Changes

4 New Weakness Entries Related to Hardware Micro Architectures:

• CWE-1420: Exposure of Sensitive Information during Transient Execution
• CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
• CWE-1422: Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
• CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

1 New View:

• CWE-1424: Weaknesses Addressed by ISA/IEC 62443 Requirements – This view covers weaknesses that are addressed by following requirements in the ISA/IEC 62443 series of standards for industrial automation and control systems (IACS). For this view, members of the CWE ICS/OT SIG analyzed a set of CWEs and mapped them to specific requirements covered by ISA/IEC 62443.

New and Updated Observed Examples:

• 38 CWEs were updated to include observed examples of weaknesses in the wild, which are a direct result of analyzing CVE Records as part of the 2023 CWE Top 25 effort, community collaboration, or highlighting canonical examples in parent CWEs.

New and Updated Demonstrative Examples:

• 91 CWEs were updated with demonstrative examples, including 10 resulting from collaboration with the participants (Texas A&M University and Technical University of Darmstadt) from the HACK@DAC security challenge contest.

A detailed report is available that lists specific changes between Version 4.13 and Version 4.14.

There were no schema updates.

Summary

There are 938 weaknesses and a total of 1,426 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.13_v4.14.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on @cwecapec on X (formerly Twitter), and on @CWE_Program on Mastodon. Please contact us with any comments or concerns.

CWE Podcast: “Red Hat’s CWE Journey”

January 18, 2024 | Share this article

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In our latest episode, CWE Program Lead Alec Summers talks with Red Hat’s Przemyslaw Roguski, CWE Technical Lead Steve Christey, and CWE Top 25 Lead Connor Mullaly, about Common Weakness Enumeration (CWE™) and the problem it solves; how Red Hat’s experience and relationship with CWE began and developed over time; how Red Hat uses CWE today, especially “CWE-699: Software Development”; how CWE’s different “views” can be used to educate and enable new and/or existing CWE users; CWE mappings and why mapping to CWEs/root cause weaknesses is important in vulnerability disclosure; the CWE Top 25 list; CWE in the software development lifecycle; how ongoing development of CWE benefits users; and more.

Additional details about Red Hat’s ongoing use of CWE are included in these two articles on the Red Hat blog, “Red Hat’s CWE journey” and “Weakness risk-patterns: A Red Hat way to identify poor software practices in the secure development lifecycle.”

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on YouTube, X-Twitter, LinkedIn, Mastodon, or by email. We look forward to hearing from you!