CWE-617 (Reachable Assertion) — Vulnerability Class (233 CVEs)

233 vulnerabilities are classified as CWE-617 (Reachable Assertion). AI Chinese analysis included.

CWE-617 represents a software weakness where an assertion statement, intended for debugging or internal logic validation, remains enabled in production code and can be triggered by external input. This flaw typically leads to a denial of service, as the application abruptly terminates or crashes when the assertion fails, rather than handling the error gracefully. Attackers exploit this by crafting specific inputs that violate the assumed invariants, forcing the program to exit unexpectedly. To mitigate this risk, developers must ensure that assertions are strictly disabled in production environments or replace them with robust error-handling mechanisms. By validating inputs and managing exceptions without relying on fatal assertions, teams can maintain application availability and prevent attackers from leveraging these logic checks for disruptive service interruptions.

MITRE CWE Description
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. While assertions are good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, they can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.

Common Consequences (1)
Availability: DoS: Crash, Exit, or Restart
An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session.

Mitigations (2)
Implementation: Make sensitive open/close operations not reachable by directly user-controlled data (e.g. open/close resources).
Implementation: Perform input validation on user data.

Examples (1)
In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form.

Bad (Java):
    String email = request.getParameter("email_address");
    assert email != null;
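The following is an added example, not code from the original page or from MITRE: it rewrites the Java email check above in Python and shows both ways an assert-based input check fails (it aborts the request when assertions are on, and it silently disappears when they are stripped, as with `python -O`), next to the explicit validation the description and mitigation text call for. `Request`, `handle_bad`, `handle_good` and `dispatch` are hypothetical stand-ins for a web framework's request object, handlers and server loop; the sample requests are constructed.

```python
# Added example (not from the original page): the Java snippet's email check in
# Python, compiled with and without assertions, beside the validated fix.
# Request, handle_bad, handle_good and dispatch are hypothetical stand-ins.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed, not a real API)."""
    params: Dict[str, str] = field(default_factory=dict)

    def get_parameter(self, name: str) -> Optional[str]:
        return self.params.get(name)


# The vulnerable handler is kept as source text so the same code can be compiled
# with assertions enabled (optimize=0) and stripped (optimize=1), mirroring what
# a production interpreter started with -O does to every assert statement.
BAD_HANDLER_SRC = '''
def handle_bad(request):
    # CWE-617 pattern: an assert guards attacker-controlled input.
    email = request.get_parameter("email_address")
    assert email is not None, "email_address is required"
    return {"status": 200, "email": email}
'''


def load_bad_handler(optimize: int) -> Callable[[Request], Dict[str, Any]]:
    """Compile the vulnerable handler; optimize=1 removes assert statements entirely."""
    namespace: Dict[str, Any] = {}
    exec(compile(BAD_HANDLER_SRC, "<handle_bad>", "exec", optimize=optimize), namespace)
    return namespace["handle_bad"]


def handle_good(request: Request) -> Dict[str, Any]:
    """Fixed handler: validate the input and fail closed with an error response.

    The check runs regardless of interpreter flags, and a missing field is a
    client error for this request only, not a process abort.
    """
    email = request.get_parameter("email_address")
    if not email:
        return {"status": 400, "error": "email_address is required"}
    # Further format checks on `email` would go here.
    return {"status": 200, "email": email}


def dispatch(handler: Callable[[Request], Dict[str, Any]], request: Request) -> Dict[str, Any]:
    """Server-loop stand-in: contain a failing request so that one bad request
    cannot drop every other connection (the scope problem MITRE describes)."""
    try:
        return handler(request)
    except AssertionError as exc:
        # Still a failed request, but the failure stays within this session.
        return {"status": 500, "error": f"assertion failed: {exc}"}


def demo() -> Dict[str, Any]:
    """Run the three variants against a constructed empty form submission."""
    empty = Request()  # form submitted without email_address (constructed)
    filled = Request({"email_address": "user@example.com"})  # constructed sample
    return {
        # assertions on: the handler aborts; dispatch contains it as a 500
        "bad_asserts_on": dispatch(load_bad_handler(0), empty)["status"],
        # assertions stripped: the check is gone and None flows downstream
        "bad_asserts_off": load_bad_handler(1)(empty),
        "good_missing": handle_good(empty)["status"],   # 400
        "good_present": handle_good(filled)["status"],  # 200
    }


if __name__ == "__main__":
    print(demo())
```

The two results for `handle_bad` are the practical argument against assert as an input check: with assertions enabled the request (or, without a containing server loop, the whole process) dies on attacker-chosen input; with assertions disabled the check no longer exists, so a `None` reaches whatever consumes the address. Only the explicit validation in `handle_good` behaves the same way in every deployment.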
CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-41584 | ZEBRA: rk Identity Point Panic in Transaction Verification | zebra | - | - | 2026-05-08
CVE-2026-20450 | Qualcomm Modem MSV-6100 remote denial of service vulnerability | MediaTek chipset | 7.5 (AI) | High (AI) | 2026-05-04
CVE-2026-41485 | Kyverno Controller Denial of Service via forEach Mutation Panic | kyverno | 7.7 | High | 2026-04-24
CVE-2026-34067 | nimiq-transaction vulnerable to panic via `HistoryTreeProof` length mismatch | nimiq-transaction | 3.1 | Low | 2026-04-22
CVE-2026-34063 | network-libp2p: Peer can crash the node by opening discovery protocol substream twice | network-libp2p | 7.5 | High | 2026-04-22
CVE-2026-34069 | nimiq-consensus panics via RequestMacroChain micro-block locator | core-rs-albatross | 5.3 | Medium | 2026-04-13
CVE-2026-34933 | Avahi: Reachable assertion in `transport_flags_from_domain()` via conflicting publish flags crashes avahi-daemon | avahi | 5.5 | Medium | 2026-04-03
CVE-2026-30867 | CocoaMQTT: Denial of Service via Reachable Assertion in `PUBLISH` Packet Parsing | CocoaMQTT | 5.7 | Medium | 2026-04-02
CVE-2026-33952 | FreeRDP: DoS via WINPR_ASSERT in rts_read_auth_verifier_no_checks | FreeRDP | 7.5 | - | 2026-03-30
CVE-2026-33977 | FreeRDP: DoS via WINPR_ASSERT in IMA ADPCM audio decoder (dsp.c:331) | FreeRDP | 7.5 | - | 2026-03-30
CVE-2026-4046 | iconv crash due to assertion failure with untrusted input | glibc | 7.5 | - | 2026-03-30
CVE-2026-5170 | Users could trigger a crash of mongod primaries during promotion to sharded | MongoDB Server | 5.3 | Medium | 2026-03-30
CVE-2026-3119 | Authenticated query containing a TKEY record may cause named to terminate unexpectedly | BIND 9 | 6.5 | Medium | 2026-03-25
CVE-2026-3608 | Stack overflow in Kea daemons | Kea | 7.5 | High | 2026-03-25
CVE-2026-27135 | nghttp2 Denial of service: Assertion failure due to the missing state validation | nghttp2 | 7.5 | High | 2026-03-18
CVE-2025-47384 | Reachable Assertion in FW | Snapdragon | 6.5 | Medium | 2026-03-02
CVE-2025-47371 | Reachable Assertion in Modem | Snapdragon | 6.5 | Medium | 2026-03-02
CVE-2026-27015 | FreeRDP: Smartcard NDR Alignment Padding Triggers Reachable WINPR_ASSERT Abort (Client DoS) | FreeRDP | 7.5 (AI) | High (AI) | 2026-02-25
CVE-2026-2523 | Open5GS SMF gn-handler.c smf_gn_handle_create_pdp_context_request assertion | Open5GS | 5.3 | Medium | 2026-02-16
CVE-2025-48023 | Yokogawa Electric Vnet/IP Interface security vulnerability | Vnet/IP Interface Package | 7.5 (AI) | High (AI) | 2026-02-13
CVE-2025-48020 | Yokogawa Electric Corporation Vnet/IP Interface security vulnerability | Vnet/IP Interface Package | 7.5 (AI) | High (AI) | 2026-02-13
CVE-2025-48019 | Yokogawa Electric Corporation Vnet/IP Interface security vulnerability | Vnet/IP Interface Package | 7.5 (AI) | High (AI) | 2026-02-13
CVE-2026-25610 | Invalid $geoNear index hint may cause server crash | MongoDB Server | 6.5 | Medium | 2026-02-10
CVE-2026-20405 | MediaTek Chipsets security vulnerability | MediaTek chipset | 7.5 (AI) | High (AI) | 2026-02-02
CVE-2026-20422 | MediaTek Chipsets security vulnerability | MediaTek chipset | 7.5 (AI) | High (AI) | 2026-02-02
CVE-2026-20401 | MediaTek Chipsets security vulnerability | MediaTek chipset | 7.5 (AI) | High (AI) | 2026-02-02
CVE-2026-1738 | Open5GS SGWC context.c sgwc_tunnel_add assertion | Open5GS | 5.3 | Medium | 2026-02-02
CVE-2026-1737 | Open5GS CreateBearerRequest s5c-handler.c sgwc_s5c_handle_create_bearer_request assertion | Open5GS | 5.3 | Medium | 2026-02-02
CVE-2026-1736 | Open5GS SGWC s11-handler.c assertion | Open5GS | 5.3 | Medium | 2026-02-02
CVE-2025-15497 | OpenVPN security vulnerability | OpenVPN | 6.5 (AI) | Medium (AI) | 2026-01-30

CVSS scores and severities marked (AI) are AI-estimated values on the original page; "-" means no value was given.

Vulnerabilities classified as CWE-617 (Reachable Assertion) represent 233 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.