CWE-691
Insufficient Control Flow Management
Draft
2008-04-11
00h00 +00:00
00h00 +00:00
2024-02-29
00h00 +00:00
00h00 +00:00
Notifications for a CWE
Stay informed of any changes for a specific CWE.
Name: Insufficient Control Flow Management
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
General Informations
Modes Of Introduction
Architecture and DesignImplementation
Applicable Platforms
Language
Class: Not Language-Specific (Undetermined)Technologies
Class: Not Technology-Specific (Undetermined)Common Consequences
| Scope | Impact | Likelihood |
|---|---|---|
| Other | Alter Execution Logic |
Observed Examples
| References | Description |
|---|---|
CVE-2019-9805 | Chain: Creation of the packet client occurs before initialization is complete (CWE-696) resulting in a read from uninitialized memory (CWE-908), causing memory corruption. |
CVE-2014-1266 | chain: incorrect "goto" in Apple SSL product bypasses certificate validation, allowing Adversary-in-the-Middle (AITM) attack (Apple "goto fail" bug). CWE-705 (Incorrect Control Flow Scoping) -> CWE-561 (Dead Code) -> CWE-295 (Improper Certificate Validation) -> CWE-393 (Return of Wrong Status Code) -> CWE-300 (Channel Accessible by Non-Endpoint). |
CVE-2011-1027 | Chain: off-by-one error (CWE-193) leads to infinite loop (CWE-835) using invalid hex-encoded characters. |
Vulnerability Mapping Notes
Justification : This CWE entry is extremely high-level, a Pillar. However, classification research is limited for weaknesses of this type, so there can be gaps or organizational difficulties within CWE that force use of this weakness, even at such a high level of abstraction.Comment : Where feasible, consider children or descendants of this entry instead.
Related Attack Patterns
| CAPEC-ID | Attack Pattern Name |
|---|---|
| CAPEC-29 | Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly. |
Submission
| Name | Organization | Date | Date release | Version |
|---|---|---|---|---|
| CWE Content Team | MITRE | Draft 9 |
Modifications
| Name | Organization | Date | Comment |
|---|---|---|---|
| Eric Dalci | Cigital | updated Time_of_Introduction | |
| CWE Content Team | MITRE | updated Relationships, Other_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Related_Attack_Patterns | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes, Other_Notes, Relationships | |
| CWE Content Team | MITRE | updated Common_Consequences | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Relationships, Relevant_Properties | |
| CWE Content Team | MITRE | updated Applicable_Platforms, Type | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Maintenance_Notes | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Relationships | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Observed_Examples, Relationships | |
| CWE Content Team | MITRE | updated Demonstrative_Examples |
2025©
tesweb SA
