Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-617 (可达断言) — Vulnerability Class 234

234 vulnerabilities classified as CWE-617 (可达断言). AI Chinese analysis included.

CWE-617 represents a software weakness where an assertion statement, intended for debugging or internal logic validation, remains enabled in production code and can be triggered by external input. This flaw typically leads to a denial of service, as the application abruptly terminates or crashes when the assertion fails, rather than handling the error gracefully. Attackers exploit this by crafting specific inputs that violate the assumed invariants, forcing the program to exit unexpectedly. To mitigate this risk, developers must ensure that assertions are strictly disabled in production environments or replace them with robust error-handling mechanisms. By validating inputs and managing exceptions without relying on fatal assertions, teams can maintain application availability and prevent attackers from leveraging these logic checks for disruptive service interruptions.

MITRE CWE Description
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. While assertion is good for catching logic errors and reducing the chances of reaching more serious vulnerability conditions, it can still lead to a denial of service. For example, if a server handles multiple simultaneous connections, and an assert() occurs in one single connection that causes all other connections to be dropped, this is a reachable assertion that leads to a denial of service.
Common Consequences (1)
AvailabilityDoS: Crash, Exit, or Restart
An attacker that can trigger an assert statement can still lead to a denial of service if the relevant code can be triggered by an attacker, and if the scope of the assert() extends beyond the attacker's own session.
Mitigations (2)
ImplementationMake sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
ImplementationPerform input validation on user data.
Examples (1)
In the excerpt below, an AssertionError (an unchecked exception) is thrown if the user hasn't entered an email address in an HTML form.
String email = request.getParameter("email_address"); assert email != null;
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2024-20152 MediaTek Chipsets 安全漏洞 — MT2737, MT3603, MT6835, MT6878, MT6886, MT6897, MT6990, MT7902, MT7920, MT7922, MT8518S, MT8532, MT8755, MT8766, MT8768, MT8775, MT8781, MT8796, MT8798, MT8893 4.4 -2025-01-06
CVE-2024-7138 Denial of Service in Silicon Labs RS9116 Bluetooth SDK — RS9116 Bluetooth SDK 6.5 Medium2024-12-19
CVE-2024-20139 MediaTek Chipsets 安全漏洞 — MT2737, MT3605, MT6985, MT6989, MT6990, MT7925, MT7927, MT8518S, MT8532, MT8678 5.5 -2024-12-02
CVE-2021-1440 Cisco IOS XR Software BGP Resource Public Key Infrastructure Denial of Service Vulnerability — Cisco IOS XR Software 6.8 Medium2024-11-18
CVE-2024-23385 Reachable Assertion in Modem — Snapdragon 7.5 High2024-11-04
CVE-2024-10455 Reachable Assertion in µD3TN — µD3TN 7.5 High2024-10-28
CVE-2024-47522 Suricata ja4: invalid alpn leads to panic — suricata 7.5 High2024-10-16
CVE-2024-45795 Suricata detect/datasets: reachable assertion with unimplemented rule option — suricata 7.5 High2024-10-16
CVE-2024-45396 Quicly assertion failures — quicly 7.5 High2024-10-11
CVE-2024-45403 H2O assertion failure when HTTP/3 requests are cancelled — h2o 3.7 Low2024-10-11
CVE-2024-20094 MediaTek 芯片 安全漏洞 — MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 7.5 -2024-10-07
CVE-2024-8354 Qemu-kvm: usb: assertion failure in usb_ep_get() 5.5 Medium2024-09-19
CVE-2024-8768 Vllm: a completions api request with an empty prompt will crash the vllm api server. 7.5 High2024-09-17
CVE-2024-23350 Reachable Assertion in Multi Mode Call Processor — Snapdragon 6.5 Medium2024-08-05
CVE-2024-39949 Dahua NVR 安全漏洞 — NVR4XXX 7.5 High2024-07-31
CVE-2024-3374 MongoDB Server (mongod) may crash when generating ftdc — MongoDB Server 5.3 Medium2024-05-14
CVE-2024-33601 nscd: netgroup cache may terminate daemon on memory allocation failure — glibc 6.2 -2024-05-06
CVE-2023-43529 Reachable Assertion in Data Modem — Snapdragon 7.5 High2024-05-06
CVE-2024-3567 Qemu-kvm: net: assertion failure in update_sctp_checksum() 5.5 Medium2024-04-10
CVE-2023-33096 Reachable Assertion in Multi-Mode Call Processor — Snapdragon 7.5 High2024-03-04
CVE-2023-33095 Reachable Assertion in Multi-Mode Call Processor — Snapdragon 7.5 High2024-03-04
CVE-2023-43523 Reachable Assertion in WLAN Firmware — Snapdragon 7.5 High2024-02-06
CVE-2023-33044 Reachable Assertion in Data Modem — Snapdragon 7.5 High2023-12-05
CVE-2023-33043 Reachable Assertion in Modem — Snapdragon 7.5 High2023-12-05
CVE-2023-33041 Reachable assertion in WLAN Firmware — Snapdragon 7.5 High2023-12-05
CVE-2023-40462 Improper input leads to DoS — ALEOS 7.5 High2023-12-04
CVE-2023-49286 Denial of Service in Helper Process management — squid 8.6 High2023-12-04
CVE-2023-5871 Libnbd: malicious nbd server may crash libnbd — Red Hat Enterprise Linux 9 5.3 Medium2023-11-27
CVE-2023-38473 Reachable assertion in avahi_alternative_host_name — avahi 6.2 Medium2023-11-02
CVE-2023-38472 Reachable assertion in avahi_rdata_parse — avahi 6.2 Medium2023-11-02

Vulnerabilities classified as CWE-617 (可达断言) represent 234 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.