
CWE-440 (Expected Behavior Violation): Vulnerability Class 34

34 vulnerabilities classified as CWE-440 (Expected Behavior Violation). AI Chinese analysis included.

CWE-440 represents a functional weakness where a software component fails to adhere to its documented specification or expected behavior. This discrepancy often arises from implementation errors, misinterpretations of requirements, or inadequate testing, resulting in unpredictable system states. Attackers typically exploit this vulnerability by providing inputs that trigger the deviation, causing the application to crash, leak sensitive data, or execute unintended logic. Because the flaw violates the assumed contract between components, it can facilitate further attacks such as privilege escalation or denial of service. To mitigate this risk, developers must enforce rigorous validation of inputs and outputs, ensuring strict compliance with defined interfaces. Comprehensive unit and integration testing is essential to detect behavioral anomalies early. Additionally, adopting formal verification methods and clear API documentation helps align the implementation with the design intent, thereby reducing the likelihood of unexpected behavior in production environments.

MITRE CWE Description
A feature, API, or function does not perform according to its specification.
Common Consequences (1)

| Scope | Impact |
|-------|--------|
| Other | Quality Degradation, Varies by Context |
Examples (1)
The provided code is extracted from the Control and Status Register (CSR), csr_regfile, module within the Hack@DAC'21 OpenPiton System-on-Chip (SoC). This module is designed to implement CSR registers in accordance with the RISC-V specification. The mie (machine interrupt enable) register is a 64-bit register [REF-1384], where bits correspond to different interrupt sources. As the name suggests, m…
Bad · Verilog

```verilog
module csr_regfile #(...)(...);
...
// ---------------------------
// CSR Write and update logic
// ---------------------------
...
if (csr_we) begin
  unique case (csr_addr.address)
    ...
    riscv::CSR_SIE: begin
      // the mideleg makes sure only delegate-able register
      // (and therefore also only implemented registers) are written
      // FLAW: the extra "| utval_q" term can set mie bits that are not
      // delegated, so a write to SIE is no longer limited to mideleg bits
      mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q) | utval_q;
    end
    ...
  endcase
end
endmodule
```

Good · Verilog

```verilog
module csr_regfile #(...)(...);
...
// ---------------------------
// CSR Write and update logic
// ---------------------------
...
if (csr_we) begin
  unique case (csr_addr.address)
    ...
    riscv::CSR_SIE: begin
      // the mideleg makes sure only delegate-able register
      // (and therefore also only implemented registers) are written
      // only delegated bits are taken from csr_wdata; all other mie bits are preserved
      mie_d = (mie_q & ~mideleg_q) | (csr_wdata & mideleg_q);
    end
    ...
  endcase
end
endmodule
```
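The contract the SIE write path is meant to honour (only bits delegated in mideleg may change) can be written down and checked against both versions of the update above. The following behavioural model is an added example, not code from the OpenPiton project or from MITRE; the 64-bit registers are modelled as Python ints, the function names are hypothetical, and the search inputs are constructed.

```python
"""Behavioural model of the CSR_SIE write logic shown above (added example, not OpenPiton code)."""
import random

MASK64 = (1 << 64) - 1  # CSRs in the example are 64 bits wide


def write_sie_bad(mie_q, mideleg_q, csr_wdata, utval_q):
    # Buggy update from the "Bad" listing: the stray "| utval_q" term can set
    # any bit of mie, including bits that are not delegated to S-mode.
    return ((mie_q & ~mideleg_q) | (csr_wdata & mideleg_q) | utval_q) & MASK64


def write_sie_good(mie_q, mideleg_q, csr_wdata):
    # Fixed update from the "Good" listing: only delegated bits come from
    # csr_wdata; every non-delegated bit keeps its previous value.
    return ((mie_q & ~mideleg_q) | (csr_wdata & mideleg_q)) & MASK64


def sie_contract_holds(mie_q, mideleg_q, mie_d):
    """Specification of a write through SIE: bits outside mideleg must be unchanged."""
    return (mie_d & ~mideleg_q & MASK64) == (mie_q & ~mideleg_q & MASK64)


def find_violation(trials=2000, seed=1):
    """Random search over constructed register values.

    Returns a witness (mie_q, mideleg_q, csr_wdata, utval_q) for which the
    buggy update breaks the contract, or None if no violation was found.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        mie_q, mideleg_q = rng.getrandbits(64), rng.getrandbits(64)
        csr_wdata, utval_q = rng.getrandbits(64), rng.getrandbits(64)
        mie_d = write_sie_bad(mie_q, mideleg_q, csr_wdata, utval_q)
        if not sie_contract_holds(mie_q, mideleg_q, mie_d):
            return (mie_q, mideleg_q, csr_wdata, utval_q)
    return None


if __name__ == "__main__":
    witness = find_violation()
    print("buggy update violates the SIE contract:", witness is not None)
    if witness is not None:
        mie_q, mideleg_q, csr_wdata, _ = witness
        fixed = write_sie_good(mie_q, mideleg_q, csr_wdata)
        print("fixed update honours the contract:", sie_contract_holds(mie_q, mideleg_q, fixed))
```

With nothing delegated (mideleg = 0) the fixed update ignores csr_wdata entirely, while the buggy one still copies every set bit of utval into mie.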
| CVE ID | Title | CVSS | Severity | Published |
|--------|-------|------|----------|-----------|
| CVE-2019-5062 | hostapd access control error vulnerability — W1.f1 | 6.5 | - | 2019-12-12 |
| CVE-2019-5061 | hostapd authorization issue vulnerability — W1.f1 | 6.5 | - | 2019-12-12 |
| CVE-2018-12550 | Eclipse Mosquitto access control error vulnerability — Eclipse Mosquitto | 7.4 | - | 2019-03-27 |
| CVE-2019-6569 | Security vulnerability in multiple Siemens products — SCALANCE X204-2 | - | - | 2019-03-26 |

Vulnerabilities classified as CWE-440 (Expected Behavior Violation) represent 34 CVEs. The CWE taxonomy describes the weakness; review the individual CVEs for product-specific impact.