7PK - Code Quality

A category in the Common Weakness Enumeration published by The MITRE Corporation.

  • Source

    CWE Catalog - 4.12

  • Identifier

    CWE-398

  • Status

    Draft

Contents

Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that do not directly introduce a weakness or vulnerability, but indicate that the product has not been carefully developed or maintained. According to the authors of the Seven Pernicious Kingdoms, "Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an adversary it provides an opportunity to stress the system in unexpected ways."

Weaknesses

Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Undefined Behavior for Input to API

The behavior of this function is undefined unless its control parameter is set to a specific value.

Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

Use of Function with Inconsistent Implementations

The code uses a function that has inconsistent implementations across operating systems and versions.

Use of Obsolete Function

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

Use of Uninitialized Variable

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Concepts

Seven Pernicious Kingdoms

This view (graph) organizes weaknesses using a hierarchical structure that is similar to that used by Seven Pernicious Kingdoms.

See Also

  1. Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors

    NIST Workshop on Software Security Assurance Tools Techniques and Metrics

Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.