Comprehensive Categorization: Insufficient Control Flow Management

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to insufficient control flow management.


Access Control Check Implemented After Asset is Accessed

A product's hardware-based access control check occurs after the asset has been accessed.

Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is n...

Assigning instead of Comparing

The code uses an operator for assignment when the intention was to perform a comparison.

Comparing instead of Assigning

The code uses an operator for comparison when the intention was to perform an assignment.

Declaration of Catch for Generic Exception

Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Declaration of Throws for Generic Exception

Throwing overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities.

Deployment of Wrong Handler

The wrong "handler" is assigned to process an object.

DMA Device Enabled Too Early in Boot Phase

The product enables a Direct Memory Access (DMA) capable device before the security configuration settings are established, which allows an attacker to extract data fr...

Excessive Iteration

The product performs an iteration or loop without sufficiently limiting the number of times that the loop is executed.

Execution After Redirect (EAR)

The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

Improper Enforcement of a Single, Unique Action

The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enf...

Improper Enforcement of Behavioral Workflow

The product supports a session in which more than one behavior must be performed by an actor, but it does not properly ensure that the actor performs the behaviors in ...

Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

Incorrect Behavior Order: Early Amplification

The product allows an entity to perform a legitimate but expensive operation before authentication or authorization has taken place.

Incorrect Behavior Order: Early Validation

The product validates input before applying protection mechanisms that modify the input, which could allow an attacker to bypass the validation via dangerous inputs th...

Incorrect Behavior Order: Validate Before Canonicalize

The product validates input before it is canonicalized, which prevents the product from detecting data that becomes invalid after the canonicalization step.

Incorrect Behavior Order: Validate Before Filter

The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.

Incorrect Block Delimitation

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

Incorrect Control Flow Scoping

The product does not properly return control flow to the proper location after it has completed a task or detected an unusual condition.

Incorrect Short Circuit Evaluation

The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to a...

Insufficient Control Flow Management

The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

J2EE Bad Practices: Use of System.exit()

A J2EE application uses System.exit(), which also shuts down its container.

Loop with Unreachable Exit Condition ('Infinite Loop')

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Missing Handler

A handler is not available or implemented.

Non-exit on Failed Initialization

The product does not exit or otherwise modify its operation when security-relevant errors occur during initialization, such as when a configuration file has a format e...

Operator Precedence Logic Error

The product uses an expression in which operator precedence causes incorrect logic to be used.

Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.

Reachable Assertion

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe th...

Return Inside Finally Block

The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.

Sequence of Processor Instructions Leads to Unexpected Behavior

Specific combinations of processor instructions lead to undesirable behavior such as locking the processor until a hard reset performed.

Uncaught Exception

An exception is thrown from a function, but it is not caught.

Uncaught Exception in Servlet

The Servlet does not catch all exceptions, which may reveal sensitive debugging information.

Uncontrolled Recursion

The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.

Use of Blocking Code in Single-threaded, Non-blocking Context

The product uses a non-blocking model that relies on a single threaded process for features such as scalability, but it contains code that can block when it is invo...

Use of Incorrect Operator

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Use of NullPointerException Catch to Detect NULL Pointer Dereference

Catching NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer.


Comprehensive Categorization for Software Assurance Trends

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...

See Also

  1. CVE --> CWE Mapping Guidance - Quick Tips


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.