
CWE-176 (Improper Handling of Unicode Encoding) — Vulnerability Class 18

18 vulnerabilities classified as CWE-176 (Improper Handling of Unicode Encoding). AI Chinese analysis included.

CWE-176 represents an input validation weakness where software fails to correctly process or normalize Unicode-encoded data, leading to inconsistent interpretation across different system components. Attackers typically exploit this by crafting malicious inputs containing mixed encoding schemes or invalid sequences, which can bypass security filters, trigger buffer overflows, or cause unexpected application crashes. This inconsistency often arises when one layer of the application stack interprets the input differently than another, such as a web server versus a database. To mitigate this risk, developers must enforce strict input validation and normalization strategies, ensuring that all Unicode data is consistently decoded and standardized before processing. Utilizing robust, well-tested libraries for character encoding and explicitly defining expected character sets helps prevent these ambiguities, thereby securing the application against encoding-based attacks.

MITRE CWE Description

The product does not properly handle when an input contains Unicode encoding.

Common Consequences (1)

Integrity: Unexpected State

Mitigations (3)

Architecture and Design: Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.

Implementation: Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range…

Implementation: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
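One way to apply the mitigation above (decode exactly once, canonicalize, then validate the canonical form) in Python, added here as an example rather than text from the CWE entry; the allowlist pattern, the validator names and the constructed inputs are assumptions, and validate_late is included only to show why the order matters.

```python
# Added example (not from the CWE entry): decode once, canonicalize, validate.
import re
import unicodedata
from urllib.parse import unquote

# Assumed allowlist for a stored-object name: ASCII letters, digits, '.', '-', '_'.
ALLOWED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


class RejectedInput(ValueError):
    """Raised when an input does not strictly conform after canonicalization."""


def canonicalize(raw: str) -> str:
    """Percent-decode exactly once, then NFKC-normalize (CWE-180).

    Decoding a second time must be a no-op; if it changes the value the
    caller sent a double-encoded input, which is refused (CWE-174).
    """
    decoded = unquote(raw)
    if unquote(decoded) != decoded:
        raise RejectedInput("input is encoded more than once")
    return unicodedata.normalize("NFKC", decoded)


def validate_early(raw: str) -> str:
    """Correct order: canonicalize, validate the canonical form, return it."""
    name = canonicalize(raw)
    if ".." in name or not ALLOWED.match(name):
        raise RejectedInput(f"rejected: {name!r}")
    return name


def validate_late(raw: str) -> str:
    """Wrong order (late normalization): the denylist sees the raw string and
    NFKC runs afterwards, so compatibility characters such as fullwidth '.'
    and '/' (U+FF0E, U+FF0F) pass the check and only then become ASCII."""
    if ".." in raw or "/" in raw:
        raise RejectedInput("denylisted")
    return unicodedata.normalize("NFKC", raw)


def is_rejected(validator, raw: str) -> bool:
    """True if the given validator refuses the constructed input."""
    try:
        validator(raw)
    except RejectedInput:
        return True
    return False
```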
Examples (1)
Windows provides the MultiByteToWideChar(), WideCharToMultiByte(), UnicodeToBytes(), and BytesToUnicode() functions to convert between arbitrary multibyte (usually ANSI) character strings and Unicode (wide character) strings. The size arguments to these functions are specified in different units, (one in bytes, the other in characters) making their use prone to error.
Bad · C

    void getUserInfo(char *username, struct _USER_INFO_2 info)
    {
        WCHAR unicodeUser[UNLEN+1];
        /* The last argument (cchWideChar) is a count of WCHARs, but sizeof()
           yields bytes, so the converter is told the buffer holds twice as
           many characters as it really does; a long username overflows it. */
        MultiByteToWideChar(CP_ACP, 0, username, -1, unicodeUser, sizeof(unicodeUser));
        NetUserGetInfo(NULL, unicodeUser, 2, (LPBYTE *)&info);
    }
CVE ID | Title | Product | CVSS | Severity | Published
(Scores and severities marked (AI) carried the page's AI badge.)

CVE-2026-7040 | Text::Minify::XS versions from 0.3.0 before 0.7.8 for Perl have heap overflow when processing some malformed UTF-8 characters | Text::Minify::XS | 9.8 (AI) | Critical (AI) | 2026-04-27
CVE-2026-35375 | uutils coreutils split Local Data Integrity Issue via Lossy Filename Encoding | coreutils | 3.3 | Low | 2026-04-22
CVE-2026-35373 | uutils coreutils ln Local Denial of Service via Improper Handling of Non-UTF-8 Filenames | coreutils | 3.3 | Low | 2026-04-22
CVE-2026-35346 | uutils coreutils comm Silent Data Corruption via Lossy UTF-8 Normalization | coreutils | 3.3 | Low | 2026-04-22
CVE-2026-20202 | Improper Input Validation during User Account Creation in Splunk Enterprise | Splunk Enterprise | 6.6 | Medium | 2026-04-15
CVE-2026-4116 | SonicWALL SMA1000 security vulnerability | SMA1000 | 8.8 (AI) | High (AI) | 2026-04-09
CVE-2026-4114 | SonicWALL SMA1000 security vulnerability | SMA1000 | 7.2 (AI) | High (AI) | 2026-04-09
CVE-2026-25480 | FileStore key canonicalization collisions allow response cache mixup/poisoning (ASCII ord + Unicode NFKD) | litestar | 6.5 | Medium | 2026-02-09
CVE-2026-23950 | node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS | node-tar | 8.8 | High | 2026-01-20
CVE-2025-59547 | DNN's CKEditor File Uploader functionality vulnerable through Unicode obfuscation | Dnn.Platform | 5.3 | Medium | 2025-09-23
CVE-2024-8067 | Unicode "best fit" argument injection | Helix Core | 9.1 (AI) | Critical (AI) | 2024-09-24
CVE-2024-24691 | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows - Improper Input Validation | Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows | 9.6 | Critical | 2024-02-14
CVE-2023-52081 | ewen-lbh/ffcss late-Unicode normalization vulnerability | ffcss | 5.3 | Medium | 2023-12-28
CVE-2023-41889 | Late-Unicode normalization vulnerability in SHIRASAGI | shirasagi | 5.3 | Medium | 2023-09-15
CVE-2023-31169 | Improper Handling of Unicode Encoding | SEL-5030 acSELerator QuickSet Software | 4.8 | Medium | 2023-08-31
CVE-2023-39213 | Zoom Client injection vulnerability | Zoom Desktop Client for Windows and Zoom VDI Client | 9.6 | Critical | 2023-08-08
CVE-2022-29812 | JetBrains IntelliJ IDEA security vulnerability | IntelliJ IDEA | 2.3 | Low | 2022-04-28
CVE-2020-8929 | Ciphertext integrity weakness in Tink | Tink | 5.3 | Medium | 2020-10-19

Vulnerabilities classified as CWE-176 (Improper Handling of Unicode Encoding) represent 18 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.