
CWE-354 (Improper Validation of Integrity Check Value) — Vulnerability Class 63

63 vulnerabilities classified as CWE-354 (Improper Validation of Integrity Check Value). AI Chinese analysis included.

CWE-354 is an integrity-verification weakness in which software fails to properly validate the checksums or other integrity check values that accompany incoming data. An attacker who can intercept and modify messages in transit can therefore get past the checks that should flag corrupted or tampered content. Without rigorous validation, the application may process maliciously altered data, leading to consequences such as data corruption, unauthorized access, or system instability. Developers can mitigate this risk by consistently applying cryptographic hashing algorithms, such as SHA-256, to generate and verify integrity values for all critical data packets. Verifying every received message against its expected hash value before it is processed establishes data authenticity and prevents the execution of compromised instructions or the acceptance of forged inputs.

MITRE CWE Description
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. Improper validation of checksums before use results in an unnecessary risk that can easily be mitigated. The protocol specification describes the algorithm used for calculating the checksum. It is then a simple matter of implementing the calculation and verifying that the calculated checksum and the received checksum match. Improper verification of the calculated checksum and the received checksum can lead to far greater consequences.
Common Consequences (3)

Scope: Integrity, Other · Impact: Modify Application Data, Other
Integrity checks usually use a secret key that helps authenticate the data origin. Skipping integrity checking generally opens up the possibility that new data from an invalid source can be injected.

Scope: Integrity, Other · Impact: Other
Data that is parsed and used may be corrupted.

Scope: Non-Repudiation, Other · Impact: Hide Activities, Other
Without a checksum check, it is impossible to determine if any changes have been made to the data after it was sent.

Mitigations (1)

Phase: Implementation · Ensure that the checksums present in messages are properly checked in accordance with the protocol specification before they are parsed and used.
Examples (1)

The following examples demonstrate the weakness. Both snippets are flagged as bad: the C server receives datagrams without validating any integrity check value, and the Java client sends datagrams without attaching one.

#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_MSG 1024

int sd, n;
char msg[MAX_MSG];
struct sockaddr_in serv, cli;
socklen_t clilen;

sd = socket(AF_INET, SOCK_DGRAM, 0);
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(1008);
bind(sd, (struct sockaddr *) &serv, sizeof(serv));
while (1) {
    memset(msg, 0x0, MAX_MSG);
    clilen = sizeof(cli);
    /* Only the peer address is consulted; the received data is never checked
       against any checksum before it is used. */
    if (inet_ntoa(cli.sin_addr)==...)
        n = recvfrom(sd, msg, MAX_MSG, 0, (struct sockaddr *) &cli, &clilen);
}
Bad · C

while (true) {
    // The payload is sent as-is, with no integrity check value for the receiver to verify.
    DatagramPacket packet = new DatagramPacket(data, data.length, IPAddress, port);
    socket.send(packet);
}
Bad · Java
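The mitigation above says to check the checksum in accordance with the protocol specification before the message is parsed. The following is an added example, not MITRE's code and not taken from any of the listed projects: it defines a constructed wire format (a 2-byte length, the payload, and a big-endian CRC-32 over both) and a receiver that verifies the check value before handing the payload on, rejecting truncated messages and messages too short to carry a check value at all instead of treating them as valid. All names (crc32_ieee, build_message, verify_and_extract, self_test) and the format itself are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not a real protocol):
 *   [2-byte big-endian payload length][payload][4-byte big-endian CRC-32]
 * The CRC covers the length field and the payload. */
#define HDR_LEN     2
#define CRC_LEN     4
#define MAX_PAYLOAD 512

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320, init and
 * final XOR 0xFFFFFFFF). Table-free so the whole algorithm is visible. */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Sender side: frame a payload and append its checksum.
 * Returns the total message length, or 0 if it does not fit. */
size_t build_message(const uint8_t *payload, size_t plen,
                     uint8_t *out, size_t outcap) {
    size_t total = HDR_LEN + plen + CRC_LEN;
    if (plen > MAX_PAYLOAD || total > outcap) return 0;
    out[0] = (uint8_t)(plen >> 8);
    out[1] = (uint8_t)(plen & 0xFFu);
    memcpy(out + HDR_LEN, payload, plen);
    uint32_t crc = crc32_ieee(out, HDR_LEN + plen);
    uint8_t *c = out + HDR_LEN + plen;
    c[0] = (uint8_t)(crc >> 24); c[1] = (uint8_t)(crc >> 16);
    c[2] = (uint8_t)(crc >> 8);  c[3] = (uint8_t)(crc);
    return total;
}

/* Receiver side: the check value is verified BEFORE the payload is handed to
 * any parser. Returns the payload length on success, -1 for a malformed or
 * truncated message (including one too short to carry a CRC at all, which is
 * rejected rather than waved through), and -2 for a checksum mismatch. */
int verify_and_extract(const uint8_t *msg, size_t mlen, const uint8_t **payload) {
    if (mlen < HDR_LEN + CRC_LEN) return -1;
    size_t plen = ((size_t)msg[0] << 8) | msg[1];
    if (plen > MAX_PAYLOAD || HDR_LEN + plen + CRC_LEN != mlen) return -1;
    const uint8_t *c = msg + HDR_LEN + plen;
    uint32_t received = ((uint32_t)c[0] << 24) | ((uint32_t)c[1] << 16) |
                        ((uint32_t)c[2] << 8)  |  (uint32_t)c[3];
    uint32_t computed = crc32_ieee(msg, HDR_LEN + plen);
    if (received != computed) return -2;
    *payload = msg + HDR_LEN;
    return (int)plen;
}

/* Exercises the receiver against a valid message, a corrupted byte, a
 * truncated message and a message with no room for a check value.
 * Returns 1 if every case is handled as intended, 0 otherwise. */
int self_test(void) {
    uint8_t buf[64];
    const uint8_t *p = NULL;
    size_t n = build_message((const uint8_t *)"hello", 5, buf, sizeof buf);
    if (n != 11) return 0;
    if (verify_and_extract(buf, n, &p) != 5 || memcmp(p, "hello", 5) != 0) return 0;
    buf[3] ^= 0x01;                                          /* corrupt one payload bit */
    if (verify_and_extract(buf, n, &p) != -2) return 0;
    buf[3] ^= 0x01;                                          /* restore */
    if (verify_and_extract(buf, n - 1, &p) != -1) return 0;  /* truncated CRC */
    if (verify_and_extract(buf, 3, &p) != -1) return 0;      /* no CRC at all */
    return 1;
}

int main(void) {
    int ok = self_test();
    printf("self_test: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Two design points matter beyond the happy path. First, the receiver fails closed: a message without a check value is an error, not an unauthenticated success, which is the defect behind entries such as the missing AES-GCM tag validation and fail-open verification CVEs in the list below. Second, a CRC only detects accidental corruption; it carries no secret, so it does not authenticate the origin of the data. Where the threat is active tampering rather than transmission errors, the check value must be a keyed MAC or AEAD tag compared with a constant-time routine, as the first consequence in the MITRE entry notes.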
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-32148 | Lockfile checksums not verified in Hex allows dependency integrity bypass | hex | 5.5 | - | 2026-04-30
CVE-2026-32105 | xrdp: RDP MAC signature (dataSignature) never verified on receive — integrity bypass in non-TLS mode | xrdp | 5.9 | Medium (AI) | 2026-04-17
CVE-2026-5479 | wolfSSL EVP ChaCha20-Poly1305 AEAD authentication tag | wolfSSL | 7.5 | - | 2026-04-10
CVE-2026-5504 | PKCS7 CBC Padding Oracle — Plaintext Recovery | wolfSSL | 7.5 | High (AI) | 2026-04-09
CVE-2026-26928 | Lack of Dynamic Library Validation in SzafirHost | SzafirHost | 9.8 | Critical (AI) | 2026-04-02
CVE-2026-28498 | Authlib: Fail-Open Cryptographic Verification in OIDC Hash Binding | authlib | 7.5 | - | 2026-03-16
CVE-2026-32600 | xml-security is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption | xml-security | 8.2 | High | 2026-03-13
CVE-2026-32313 | xmlseclibs is Missing AES-GCM Authentication Tag Validation on Encrypted Nodes Allows for Unauthorized Decryption | xmlseclibs | 8.2 | High | 2026-03-13
CVE-2026-31839 | Striae has a hash validation utility vulnerability | striae | 8.2 | High | 2026-03-11
CVE-2026-28402 | nimiq/core-rs-albatross's nimiq-blockchain missing proposal body root verification | core-rs-albatross | 7.1 | High | 2026-02-27
CVE-2026-26275 | httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass | httpsig-rs | 7.5 | High | 2026-02-19
CVE-2026-25934 | go-git improperly verifies data integrity values for .idx and .pack files | go-git | 4.3 | Medium | 2026-02-09
CVE-2025-11543 | Sharp NP series security vulnerability | NP-P502HL-2, NP-P502WL-2, NP-P502HLG-2, NP-P502WLG, NP-P502H, NP-P502W, NP-P452H, NP-P452W, NP-P502HG, NP-P502WG, NP-P452HG, NP-P452WG, NP-P502H+, NP-P502W+, NP-CR5450H, NP-CR5450W, NP-P502HL, NP-P502WL, NP-P502HLG, NP-P502WLG, NP-P502HL+, NP-P502WL+, NP-CR5450HL, NP-CR5450WL, NP-UM352W, NP-UM352WG, NP-UM352W+ | 7.7 | High (AI) | 2025-12-22
CVE-2025-33193 | NVIDIA DGX Spark security vulnerability | DGX Spark | 5.7 | Medium | 2025-11-25
CVE-2025-4616 | Prisma Browser: Insufficient Validation of Untrusted Input Vulnerability in Prisma Browser | Prisma Browser | 5.5 | - | 2025-11-14
CVE-2024-7402 | Netskope Client Configuration Tampering with Local MITM | Netskope Client | 8.1 | High (AI) | 2025-08-14
CVE-2025-54887 | jwe: Missing AES-GCM authentication tag validation in encrypted JWEs | ruby-jwe | 9.1 | Critical | 2025-08-08
CVE-2025-7096 | Comodo Internet Security Premium Manifest File cis_update_x64.xml integrity check | Internet Security Premium | 8.1 | High | 2025-07-06
CVE-2024-46992 | Electron ASAR Integrity bypass by just modifying the content | electron | 7.8 | High | 2025-07-01
CVE-2025-39203 | Hitachi Energy MicroSCADA X SYS600 security vulnerability | MicroSCADA X SYS600 | 6.5 | Medium | 2025-06-24
CVE-2025-4418 | AVEVA PI Connector for CygNet Improper Validation of Integrity Check Value | PI Connector for CygNet | 4.4 | Medium | 2025-06-12
CVE-2025-3479 | Forminator <= 1.42.0 - Order Replay Vulnerability | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | 5.3 | Medium | 2025-04-17
CVE-2025-3247 | Contact Form 7 <= 6.0.5 - Order Replay Vulnerability | Contact Form 7 | 5.3 | Medium | 2025-04-16
CVE-2024-47573 | Fortinet FortiNDR security vulnerability | FortiNDR | 6.0 | Medium | 2025-03-14
CVE-2024-47935 | TXOne Networks StellarProtect (Legacy Mode), StellarEnforce, and Safe Lock Improper Validation of Integrity Check Value Vulnerability | StellarProtect (Legacy Mode) | 6.7 | Medium | 2025-02-17
CVE-2025-25183 | vLLM using built-in hash() from Python 3.12 leads to predictable hash collisions in vLLM prefix cache | vllm | 2.6 | Low | 2025-02-07
CVE-2023-50738 | A firmware downgrade prevention vulnerability has been identified in newer Lexmark devices. | Printer Firmware | 4.3 | Medium | 2025-01-17
CVE-2020-9210 | Huawei Myna security vulnerability | Myna | 6.8 | Medium | 2024-12-27
CVE-2024-47255 | 2N Access Commander security vulnerability | 2N Access Commander | 4.7 | Medium | 2024-11-05
CVE-2024-48930 | secp256k1-node vulnerable to private key extraction over ECDH | secp256k1-node | 7.5 | High (AI) | 2024-10-21

Vulnerabilities classified as CWE-354 (Improper Validation of Integrity Check Value) represent 63 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.