Weaknesses in Software Written in C

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompa...

The accidental addition of a data-structure sentinel can cause serious programming logic problems.

The code uses an operator for assignment when the intention was to perform a comparison.

The product sets a pointer to a specific address other than NULL or 0.

The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of...

The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds ...

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buf...

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.

The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.

The code uses an operator for comparison when the intention was to perform an assignment.

The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.

Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a ...

The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the j...

The accidental deletion of a data-structure sentinel can cause serious programming logic problems.

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.

The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.

The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and result...

The product calls a function, procedure, or routine, but the caller specifies the wrong variable or reference as one of the arguments, which may lead to undefined beha...

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer ...

The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.

The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.

Using realloc() to resize buffers that store sensitive information can leave the sensitive information exposed to attack, because it is not removed from memory.

The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the as...

The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...

The product manages a group of objects or resources and performs a separate memory allocation for each object, but it does not properly limit the total amount of memor...

An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected ...

The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.

The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.

The product does not correctly calculate the length of strings that can contain wide or multi-byte characters.

In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.

The product does not correctly convert an object, resource, or structure from one type to a different type.

Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.

The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the co...

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of mem...

The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to al...

The code does not have a default case in an expression with multiple conditions, such as a switch statement.

The product does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory.

The product attempts to close or release a resource or handle more than once, without any successful open between the close operations.

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

The product checks a value to ensure that it is less than or equal to a maximum, but it does not also verify that the value is greater than or equal to the minimum.

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the...

The product uses an expression in which operator precedence causes incorrect logic to be used.

The product reads data past the end, or before the beginning, of the intended buffer.

The product writes data past the end, or before the beginning, of the intended buffer.

The product sends non-cloned mutable data as an argument to a method or function.

The product, while copying or cloning a resource, does not set the resource's permissions or access control until the copy is complete, leaving the resource exposed to...

The product has a method that is declared public, but returns a reference to a private data structure, which could then be modified in unexpected ways.

Assigning public data to a private array is equivalent to giving public access to the array.

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution...

The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.

A function can return a pointer to memory that is outside of the buffer that the pointer is expected to reference.

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.

The product uses a signal handler that introduces a race condition.

The product defines a signal handler that calls a non-reentrant function.

The product uses a signed primitive and performs a cast to an unsigned primitive, which can produce an unexpected value if the value of the signed primitive can not be...

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter ...

The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer der...

The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, ...

The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not ...

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

The product uses or accesses a file descriptor after it has been closed.

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The code uses a function that has inconsistent implementations across operating systems and versions.

The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

The product calls a function that can never be guaranteed to work safely.

The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.

The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.

The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.

The code calls sizeof() on a malloced pointer type, which always returns the wordsize/8. This can produce an unexpected result if the programmer intended to determine ...

The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().

The code uses a variable that has not been initialized, leading to unpredictable or unintended results.

Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.

Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.