
CWE-252 (Unchecked Return Value) — Vulnerability Class, 59 CVEs

59 vulnerabilities classified as CWE-252 (Unchecked Return Value). AI Chinese analysis included.

CWE-252 represents a critical programming weakness where software fails to verify the return value of a function or method, often stemming from the erroneous assumption that operations cannot fail or that their failure is inconsequential. This oversight allows attackers to exploit the vulnerability by forcing functions to return unexpected error codes or null values, thereby disrupting the intended execution flow. When the program proceeds without validating these outcomes, it may operate in an unstable state, leading to data corruption, denial of service, or privilege escalation. To mitigate this risk, developers must rigorously implement error-handling routines that explicitly check return statuses. By treating every function call as potentially hazardous and ensuring subsequent logic accounts for failure conditions, programmers can prevent attackers from manipulating program state through unchecked return values.

MITRE CWE Description
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. Two common programmer assumptions are "this function call can never fail" and "it doesn't matter if this function call fails". If an attacker can force the function to fail or otherwise return a value that is not expected, then the subsequent program logic could lead to a vulnerability, because the product is not in a state that the programmer assumes. For example, if the program calls a function to drop privileges but does not check the return code to ensure that privileges were successfully dropped, then the program will continue to operate with the higher privileges.
Common Consequences (1)
Scope: Availability, Integrity. Impact: Unexpected State; DoS: Crash, Exit, or Restart.
An unexpected return value could place the system in a state that could lead to a crash or other unintended behaviors.
Mitigations (4)
Phase: Implementation. Check the results of all functions that return a value and verify that the value is expected.
Effectiveness: High
Phase: Implementation. For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Phase: Implementation. Ensure that you account for all possible return values from the function.
Phase: Implementation. When designing a function, make sure you return a value or throw an exception in case of an error.
Examples (2)
Consider the following code segment, in which the return value of fgets() is never checked:

    char buf[10], cp_buf[10];
    fgets(buf, 10, stdin);   /* returns NULL on EOF or read error; result ignored */
    strcpy(cp_buf, buf);     /* if fgets failed, buf is uninitialized and may lack a terminator */

Bad · C
In the following example, the -1 error code is used directly in the length arithmetic, so it is possible to request that memcpy move a much larger segment of memory than assumed:

    int returnChunkSize(void *) {
        /* if chunk info is valid, return the size of usable memory,
         * else, return -1 to indicate an error */
        ...
    }

    int main() {
        ...
        /* on error, (-1 - 1) is converted to size_t: an enormous copy length */
        memcpy(destBuf, srcBuf, (returnChunkSize(destBuf)-1));
        ...
    }

Bad · C
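The memcpy pattern above, worked through as an added example (not MITRE's or the page's own code): a constructed chunk format, a hypothetical return_chunk_size() that signals failure with -1, the unchecked length computation that turns that -1 into a near-SIZE_MAX copy, and the checked form that rejects the error code before it reaches memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed chunk format for this example: a magic value marks a valid header. */
#define CHUNK_MAGIC 0x43484E4Bu
struct chunk { uint32_t magic; uint32_t usable; unsigned char data[64]; };

/* Hypothetical stand-in for the returnChunkSize() of the MITRE example:
 * returns the usable byte count, or -1 when the chunk header is invalid. */
int return_chunk_size(const struct chunk *c) {
    if (c == NULL || c->magic != CHUNK_MAGIC || c->usable > sizeof c->data)
        return -1;
    return (int)c->usable;
}

/* CWE-252 pattern: the error code is used as a length without being checked.
 * On failure (-1 - 1) is converted to size_t, giving SIZE_MAX - 1 bytes. */
size_t unchecked_copy_len(const struct chunk *c) {
    return (size_t)(return_chunk_size(c) - 1);
}

/* Hardened form: test the return value before it becomes a length.
 * Returns 0 after copying, -1 (dst untouched) when the size lookup fails. */
int checked_copy(struct chunk *dst, const struct chunk *src) {
    int n = return_chunk_size(dst);
    if (n <= 0)                 /* -1 error code, or nothing to copy */
        return -1;
    memcpy(dst->data, src->data, (size_t)n - 1);
    return 0;
}

int main(void) {
    struct chunk src = { CHUNK_MAGIC, 32, "payload" };
    struct chunk ok  = { CHUNK_MAGIC, 32, {0} };
    struct chunk bad = { 0, 32, {0} };        /* corrupted header: lookup fails */
    printf("unchecked length for bad chunk: %zu\n", unchecked_copy_len(&bad));
    printf("checked copy into bad chunk:  %d\n", checked_copy(&bad, &src));
    printf("checked copy into good chunk: %d (%s)\n",
           checked_copy(&ok, &src), (const char *)ok.data);
    return 0;
}
```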
CVE ID | Title | Product | CVSS | Severity | Published
--- | --- | --- | --- | --- | ---
CVE-2024-39558 | Junos OS and Junos OS Evolved: Receipt of specific PIM packet causes rpd crash when PIM is configured along with MoFRR | Junos OS | 6.5 | Medium | 2024-07-10
CVE-2024-37039 | Schneider Electric SAGE RTUs security vulnerability | Sage 1410 | 5.9 | Medium | 2024-06-12
CVE-2023-50359 | QTS, QuTS hero | QTS | 3.4 | Low | 2024-02-02
CVE-2023-6918 | Libssh: missing checks for return values for digests | Red Hat Enterprise Linux 8 | 3.7 | Low | 2023-12-18
CVE-2023-44322 | Siemens multiple products security vulnerability | RUGGEDCOM RM1224 LTE(4G) EU | 3.7 | Low | 2023-11-14
CVE-2023-44182 | Junos OS and Junos OS Evolved: An Unchecked Return Value in multiple users interfaces affects confidentiality and integrity of device operations | Junos OS | 7.3 | High | 2023-10-12
CVE-2023-4162 | Segmentation fault in Brocade Fabric OS after Brocade Fabric OS v9.0 | Fabric OS | 4.4 | Medium | 2023-08-31
CVE-2023-37902 | Vyper's ecrecover can return undefined data if signature does not verify | vyper | 5.3 | Medium | 2023-07-25
CVE-2023-3247 | Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP | PHP | 2.6 | Low | 2023-07-22
CVE-2020-8934 | Site Kit by Google plugin for WordPress | Site Kit By Google | 4.3 | Medium | 2023-07-07
CVE-2023-3013 | Unchecked Return Value in gpac/gpac | gpac/gpac | 6.1 | - | 2023-05-31
CVE-2023-24825 | RIOT-OS vulnerable to NULL pointer dereference in gnrc_pktbuf_mark | RIOT | 7.5 | High | 2023-05-30
CVE-2022-43765 | DoS in APROLs Tbase server | B&R APROL | 7.5 | High | 2023-02-08
CVE-2022-43763 | Lack of checking preconditions in APROL | B&R APROL | 7.5 | High | 2023-02-08
CVE-2022-3108 | Linux kernel security vulnerability | Kernel | 5.5 | - | 2022-12-14
CVE-2022-23476 | Unchecked return value from xmlTextReaderExpand in Nokogiri | nokogiri | 7.5 | High | 2022-12-08
CVE-2022-31225 | Dell BIOS security vulnerability | CPG BIOS | 3.0 | Low | 2022-09-12
CVE-2022-1319 | Red Hat Undertow security vulnerability | undertow | 7.5 | - | 2022-08-31
CVE-2022-0485 | libnbd code issue vulnerability | libnbd | 6.5 | - | 2022-08-29
CVE-2021-3659 | Linux kernel code issue vulnerability | Kernel | 5.5 | - | 2022-08-22
CVE-2021-41041 | Eclipse OpenJ9 security vulnerability | Eclipse OpenJ9 | 5.3 | - | 2022-04-27
CVE-2021-42780 | OpenSC security vulnerability | opensc | 5.3 | - | 2022-04-18
CVE-2021-40401 | Gerbv resource management error vulnerability | Gerbv | 8.8 | - | 2022-02-04
CVE-2021-34585 | CODESYS V2 web server: crafted requests could trigger a pointer dereference with an invalid address (DoS) | CODESYS V2 | 7.5 | High | 2021-10-26
CVE-2021-31366 | Junos OS: MX Series: In subscriber management / BBE configuration authd can crash if a subscriber with a specific username tries to login leading to a DoS | Junos OS | 6.5 | Medium | 2021-10-19
CVE-2021-37625 | Incorrect Check of Function Return Value in Skytable | skytable | 7.5 | High | 2021-08-05
CVE-2020-17533 | Apache Accumulo Improper Handling of Insufficient Permissions | Apache Accumulo | 8.1 | - | 2020-12-29
CVE-2020-6152 | Accusoft ImageGear buffer error vulnerability | Accusoft | 8.8 | - | 2020-09-01
CVE-2018-14622 | libtirpc security vulnerability | libtirpc | 7.5 | - | 2018-08-30

Vulnerabilities classified as CWE-252 (Unchecked Return Value) represent 59 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.