Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-1077 (使用不正确的比较运算符比较浮点值) — Vulnerability Class 4

4 vulnerabilities classified as CWE-1077 (使用不正确的比较运算符比较浮点值). AI Chinese analysis included.

CWE-1077 represents a logic error where developers use direct equality operators to compare floating-point numbers, ignoring inherent precision loss from binary representation. This weakness arises because arithmetic operations often introduce minute rounding discrepancies, causing two mathematically equivalent values to differ slightly in memory. Attackers typically exploit this by crafting inputs that trigger these subtle divergences, bypassing security checks or causing unexpected program termination. To mitigate this risk, developers must avoid strict equality tests for floats. Instead, they should implement tolerance-based comparisons using a small epsilon value, checking if the absolute difference between numbers falls within an acceptable threshold. This approach ensures robust handling of imprecise results, maintaining logical integrity and preventing exploitation through numerical edge cases.

MITRE CWE Description
The code performs a comparison such as an equality test between two float (floating point) values, but it uses comparison operators that do not account for the possibility of loss of precision. Numeric calculation using floating point values can generate imprecise results because of rounding errors. As a result, two different calculations might generate numbers that are mathematically equal, but have slightly different bit representations that do not translate to the same mathematically-equal values. As a result, an equality test or other comparison might produce unexpected results.
Common Consequences (1)
OtherReduce Reliability
This issue can prevent the product from running reliably. If the relevant code is reachable by an attacker, then this reliability problem might introduce a vulnerability.
CVE IDTitleCVSSSeverityPublished
CVE-2023-4720 Floating Point Comparison with Incorrect Operator in gpac/gpac — gpac/gpac 6.2 -2023-09-01
CVE-2023-32627 Floating point exception in src/voc.c — sox 6.2 Medium2023-07-10
CVE-2023-26590 Floating point exception in src/aiff.c — sox 6.2 Medium2023-07-10
CVE-2022-4293 Floating Point Comparison with Incorrect Operator in vim/vim — vim/vim 6.2 -2022-12-05

Vulnerabilities classified as CWE-1077 (使用不正确的比较运算符比较浮点值) represent 4 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.