
CWE-440 (Expected Behavior Violation) — Vulnerability Class 34

34 vulnerabilities classified as CWE-440 (Expected Behavior Violation). AI-generated Chinese analysis included.

CWE-440 represents a functional weakness where a software component fails to adhere to its documented specification or expected behavior. The discrepancy usually arises from implementation errors, misread requirements, or inadequate testing, and it leaves the system in states its designers never accounted for. Attackers typically exploit such a flaw by supplying inputs that trigger the deviation, causing the application to crash, leak sensitive data, or execute unintended logic. Because the assumed contract between components is broken, the weakness can serve as a stepping stone to further attacks such as privilege escalation or denial of service. To mitigate the risk, developers must enforce rigorous validation of inputs and outputs so that every interface behaves exactly as defined. Comprehensive unit and integration testing is essential to detect behavioral anomalies early. Adopting formal verification methods and maintaining clear API documentation further aligns the implementation with the design intent, reducing the likelihood of unexpected behavior in production.

MITRE CWE Description

A feature, API, or function does not perform according to its specification.

Common Consequences (1)

Scope: Other · Impact: Quality Degradation, Varies by Context

Examples (1)
The provided code is extracted from the Control and Status Register (CSR), csr_regfile, module within the Hack@DAC'21 OpenPiton System-on-Chip (SoC). This module is designed to implement CSR registers in accordance with the RISC-V specification. The mie (machine interrupt enable) register is a 64-bit register [REF-1384], where bits correspond to different interrupt sources. As the name suggests, m…
Bad · Verilog

module csr_regfile #(...)(...);
  ...
  // ---------------------------
  // CSR Write and update logic
  // ---------------------------
  ...
  if (csr_we) begin
    unique case (csr_addr.address)
      ...
      riscv::CSR_SIE: begin
        // the mideleg makes sure only delegate-able register
        // (and therefore also only implemented registers) are written
        // Defect: the trailing "| utval_q" ORs the user trap value register
        // into mie_d, so an SIE write can set mie bits that mideleg_q does
        // not delegate to supervisor mode
        mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q) | utval_q;
      end
      ...
    endcase
  end
endmodule

Good · Verilog

module csr_regfile #(...)(...);
  ...
  // ---------------------------
  // CSR Write and update logic
  // ---------------------------
  ...
  if (csr_we) begin
    unique case (csr_addr.address)
      ...
      riscv::CSR_SIE: begin
        // the mideleg makes sure only delegate-able register
        // (and therefore also only implemented registers) are written
        // Only the bits delegated in mideleg_q can change; all other
        // mie bits keep their previous value
        mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q);
      end
      ...
    endcase
  end
endmodule
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41136 | free5GC AMF missing default case in Content-Type switch in HTTPUEContextTransfer | amf | 9.8 (AI) | Critical (AI) | 2026-04-21
CVE-2026-3344 | WatchGuard Firebox System Integrity Check Bypass | Fireware OS | 6.8 (AI) | Medium (AI) | 2026-03-03
CVE-2025-13940 | WatchGuard Firebox Boot Time System Integrity Check Bypass | Fireware OS | 9.1 (AI) | Critical (AI) | 2025-12-04
CVE-2025-8850 | Insecure API Design in danny-avila/librechat | danny-avila/librechat | 6.5 (AI) | Medium (AI) | 2025-10-30
CVE-2025-52953 | Junos OS and Junos OS Evolved: An unauthenticated adjacent attacker sending a valid BGP UPDATE packet forces a BGP session reset | Junos OS | 6.5 | Medium | 2025-07-11
CVE-2025-6211 | MD5 Hash Collision in run-llama/llama_index | run-llama/llama_index | 8.2 | - | 2025-07-10
CVE-2025-3044 | MD5 Hash Collision in run-llama/llama_index | run-llama/llama_index | 6.5 | - | 2025-07-07
CVE-2025-40555 | Siemens APOGEE PXC+TALON TC Series security vulnerability | APOGEE PXC+TALON TC Series (BACnet) | 4.7 | Medium | 2025-05-13
CVE-2025-46712 | Erlang/OTP SSH Has Strict KEX Violations | otp | 3.7 | Low | 2025-05-08
CVE-2023-26819 | cJSON security vulnerability | cJSON | 2.9 | Low | 2025-04-19
CVE-2025-32728 | OpenSSH (OpenBSD Secure Shell) security vulnerability | OpenSSH | 4.3 | Medium | 2025-04-10
CVE-2024-56202 | Apache Traffic Server: Expect header field can unreasonably retain resource | Apache Traffic Server | 9.1 | - | 2025-03-06
CVE-2025-27401 | In Tuleap, deleting a report can delete criteria filters in other reports | tuleap | 4.6 | Medium | 2025-03-04
CVE-2025-27094 | Tuleap allows default values to be cleared from field configuration | tuleap | 5.4 | Medium | 2025-03-03
CVE-2024-47762 | Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend | backstage | 5.8 | Medium | 2024-10-03
CVE-2024-8690 | Cortex XDR Agent: Local Windows Administrator Can Disable the Agent | Cortex XDR Agent | 6.7 (AI) | Medium (AI) | 2024-09-11
CVE-2024-7246 | HPACK table poisoning in gRPC C++, Python & Ruby | gRPC | 5.3 | - | 2024-08-06
CVE-2024-38806 | UAA Failure to Remove Shadow User's Access | UAA | 3.9 | Low | 2024-07-18
CVE-2024-30246 | Tuleap deleting or moving an artifact can delete values from unrelated artifacts | tuleap | 7.6 | High | 2024-03-29
CVE-2023-6129 | POLY1305 MAC implementation corrupts vector registers on PowerPC | OpenSSL | 9.8 (AI) | Critical (AI) | 2024-01-09
CVE-2023-4807 | POLY1305 MAC implementation corrupts XMM registers on Windows | OpenSSL | 9.8 | - | 2023-09-08
CVE-2023-32731 | Information leak in gRPC | gRPC | 7.4 | High | 2023-06-09
CVE-2023-32732 | Denial-of-Service in gRPC | gRPC | 5.3 | Medium | 2023-06-09
CVE-2023-2088 | OpenStack security vulnerability | OpenStack | 6.5 | - | 2023-05-12
CVE-2022-3344 | Linux kernel security vulnerability | Linux kernel | 5.5 | - | 2022-10-24
CVE-2022-3281 | WAGO: multiple products - Loss of MAC-Address-Filtering after reboot | 750-81xx/xxx-xxx Series PFC100/PFC200 | 7.5 | High | 2022-10-17
CVE-2020-10768 | Linux kernel security vulnerability | kernel | 5.5 | Medium | 2020-09-15
CVE-2020-10767 | Linux kernel security vulnerability | kernel | 5.5 | Medium | 2020-09-15
CVE-2020-10766 | Linux kernel scheduler security vulnerability | kernel | 5.5 | Medium | 2020-09-15
CVE-2019-5108 | Linux kernel authorization issue vulnerability | Linux kernel | 6.5 | - | 2019-12-23

(AI) marks a CVSS score or severity produced by the site's AI analysis rather than taken from the advisory; "-" means no severity was recorded.

Vulnerabilities classified as CWE-440 (Expected Behavior Violation) represent 34 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.