
CWE-390 (Detection of Error Condition Without Action) — Vulnerability Class 14

14 vulnerabilities classified as CWE-390 (Detection of Error Condition Without Action). AI analysis (originally Chinese) included.

CWE-390 represents a critical logic flaw where software identifies an error condition but fails to execute any remedial action. This weakness typically arises when developers detect exceptions or invalid states but ignore them, allowing the program to continue execution with corrupted data or undefined behavior. Attackers exploit this by triggering the specific error condition, causing the application to proceed in an unstable state that may lead to data corruption, denial of service, or further vulnerabilities like buffer overflows. To prevent this, developers must implement robust error handling strategies that include logging the incident, notifying administrators, and safely terminating or resetting the process. Ensuring that every detected error triggers a defined response mechanism is essential for maintaining system integrity and preventing silent failures that compromise security and reliability.

MITRE CWE Description
The product detects a specific error, but takes no actions to handle the error.

Common Consequences (1)
Scope: Integrity, Other · Impact: Varies by Context, Unexpected State, Alter Execution Logic
An attacker could utilize an ignored error condition to place the system in an unexpected state that could lead to the execution of unintended logic and could cause other unintended behavior.

Mitigations (3)
Implementation: Properly handle each exception. This is the recommended solution. Ensure that all exceptions are handled in such a way that you can be sure of the state of your system at any given moment.
Implementation: If a function returns an error, it is important to either fix the problem and try again, alert the user that an error has happened and let the program continue, or alert the user and close and clean up the program.
Testing: Subject the product to extensive testing to discover some of the possible instances of where/how errors or return values are not handled. Consider testing techniques such as ad hoc, equivalence partitioning, robustness and fault tolerance, mutation, and fuzzing.
Examples (2)
The following example attempts to allocate memory for a character. After the call to malloc, an if statement is used to check whether the malloc function failed.

    char *foo = malloc(sizeof(char));
    // the next line checks to see if malloc failed
    if (foo == NULL) {
        // We do nothing, so we just ignore the error:
        // execution continues and foo is later dereferenced as if the allocation succeeded.
    }

Bad · C

    char *foo = malloc(sizeof(char));
    // the next line checks to see if malloc failed
    if (foo == NULL) {
        // report the failure and stop: the caller never sees a NULL buffer
        printf("Malloc failed to allocate memory resources");
        return -1;
    }

Good · C
In the following C++ example the method readFile() will read the file whose name is provided in the input parameter and will return the contents of the file in a char string. The calls to open() and read() may result in errors if the file does not exist or does not contain any data to read. These errors will be thrown when the is_open() method and good() method indicate errors opening or reading…

    #include <cstdio>
    #include <fstream>
    #include <string>
    using namespace std;

    char* readfile (char *filename) {
        try {
            // open input file
            ifstream infile;
            infile.open(filename);
            if (!infile.is_open()) {
                throw string("Unable to open file ") + filename;
            }
            // get length of file
            infile.seekg (0, ios::end);
            int length = infile.tellg();
            infile.seekg (0, ios::beg);
            // allocate memory
            char *buffer = new char [length];
            // read data from file
            infile.read (buffer, length);
            if (!infile.good()) {
                throw string("Unable to read from file ") + filename;
            }
            infile.close();
            return buffer;
        }
        catch (...) {
            /* bug: insert code to handle this later */
            // the exception is swallowed and control falls off the end of the
            // function without a return value: the caller proceeds with garbage
        }
    }

Bad · C++

    #include <cstdio>
    #include <fstream>
    #include <string>
    using namespace std;

    char* readFile (char *filename) {
        // declared outside the try block so the handlers below can close it
        ifstream infile;
        try {
            // open input file
            infile.open(filename);
            if (!infile.is_open()) {
                throw string("Unable to open file ") + filename;
            }
            // get length of file
            infile.seekg (0, ios::end);
            int length = infile.tellg();
            infile.seekg (0, ios::beg);
            // allocate memory
            char *buffer = new char [length];
            // read data from file
            infile.read (buffer, length);
            if (!infile.good()) {
                throw string("Unable to read from file ") + filename;
            }
            infile.close();
            return buffer;
        }
        catch (const string &str) {
            // log the detected error, release the file, and propagate it to the caller
            printf("Error: %s \n", str.c_str());
            infile.close();
            throw;
        }
        catch (...) {
            printf("Error occurred trying to read from file \n");
            infile.close();
            throw;
        }
    }

Good · C++
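The same weakness in a form that does not need a failing allocator to reproduce, as an added example that is not part of the MITRE entry or of this page's catalogue: a configuration value is parsed, the parse failure is detected by an `if`, and the failing branch does nothing, so the service carries on with a port that never came from the input. The helper `parse_port` and the two `listen_port_*` functions are hypothetical names chosen for this illustration; the sample inputs at the bottom are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper: convert text to a TCP port. Returns 0 and sets *port on
   success, -1 on any syntax or range error. The caller must act on -1. */
static int parse_port(const char *text, int *port) {
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* CWE-390 shape: the failure is detected, the branch is entered, and nothing
   happens. Execution falls through with 'port' never assigned from the input. */
int listen_port_ignoring_error(const char *configured) {
    int port = 0;
    if (parse_port(configured, &port) != 0) {
        /* error detected here ... and silently dropped */
    }
    /* For bad input this returns 0; bind() treats port 0 as "pick an ephemeral
       port", so the service would quietly come up somewhere unexpected. */
    return port;
}

/* Handled form: the detected error gets a defined response (log it, leave the
   caller's value untouched, report failure) instead of continuing blind. */
int listen_port_handling_error(const char *configured, int *port) {
    int parsed = 0;
    if (parse_port(configured, &parsed) != 0) {
        fprintf(stderr, "config error: invalid listen port '%s'\n", configured);
        return -1;            /* caller must not proceed to bind() */
    }
    *port = parsed;
    return 0;
}

int main(void) {
    /* constructed inputs: one valid, one trailing garbage, one out of range, one empty */
    const char *samples[] = { "8080", "80abc", "99999", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int p = -1;
        int rc = listen_port_handling_error(samples[i], &p);
        printf("%-6s ignoring -> %5d | handling -> rc=%d port=%d\n",
               samples[i], listen_port_ignoring_error(samples[i]), rc, p);
    }
    return 0;
}
```

Running it shows the contrast directly: for "80abc", "99999" and "" the ignoring variant returns 0 with no trace that anything went wrong, while the handling variant logs the problem, leaves the caller's port at its sentinel and returns -1. The defined response here is "alert and stop"; the other two responses listed under Mitigations (retry, or alert and continue with a documented fallback) fit the same `if` branch equally well, as long as the branch is never left empty.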

Vulnerabilities classified as CWE-390 (Detection of Error Condition Without Action) represent 14 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.