
CWE-670 (Always-Incorrect Control Flow Implementation) — Vulnerability Class, 70 CVEs

70 vulnerabilities classified as CWE-670 (Always-Incorrect Control Flow Implementation). AI analysis (in Chinese) included.

CWE-670 covers code whose control flow does not implement the algorithm it is meant to implement, so the affected path behaves incorrectly every time it is executed rather than only under crafted input. Typical causes are syntactic: a conditional whose body was meant to be a block but was written without braces, so only the first statement is guarded; a stray semicolon after an `if` or `for` header; a redirect or error handler that does not `return` or `exit`, so the code after the check still runs; or a comparison written in the wrong direction. Because the flaw sits on a fixed path, an attacker does not need to corrupt state to reach it; the effect is that a security check is skipped, data is written when it should not be, or a crash is reachable whenever the path is taken. Prevention is mostly mechanical: require braces around every conditional body in the coding standard, compile with warnings that flag misleading indentation and empty loop bodies, run static analysis for unreachable and always-true or always-false paths, and unit-test both outcomes of each branch (including the deny path of every authorization check) so a check that never actually blocks is caught. Consistent formatting and code review then make it obvious when the implemented flow differs from the intended one.

MITRE CWE Description
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.
Common Consequences (1)
Scope: Other · Impact: Other, Alter Execution Logic
Examples (2)
This code queries a server and displays its status when a request comes from an authorized IP address. The check itself is fine, but the handler keeps executing after http_redirect(), so the status is still fetched and echoed to an unauthorized requester.

```php
<?php
// Bad: the redirect is issued, but nothing stops execution afterwards.
$requestingIP = $_SERVER['REMOTE_ADDR'];
if (!in_array($requestingIP, $ipAllowList)) {
    echo "You are not authorized to view this page";
    http_redirect($errorPageURL);
    // no exit(): control falls through to the status code below
}
$status = getServerStatus();
echo $status;
// ...
```

Bad · PHP
In this example, the programmer has indented the statements to call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to signify the block, Do_Y() will always be executed, even if the condition is false.

```c
if (condition == true)
    Do_X();
    Do_Y();   /* not part of the if body: executes unconditionally */
```

Bad · C
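The two patterns above (a missing brace block, and a redirect that does not stop execution) as an added, runnable C example; this is not code from the page or from MITRE. Each broken function sits beside its fixed form and returns the security-relevant outcome so the difference can be checked directly. The `struct request`, the allow list and the IP addresses are constructed for the example; the "redirect" is recorded as a flag rather than sent, since the point is what runs after it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical request context, constructed for this example only. */
struct request {
    const char *remote_addr;
    int  redirected;     /* set when the handler "redirected" the client */
    char body[64];       /* what would be sent back to the client */
};

/* Constructed allow list (RFC 5737 / private addresses), not from the page. */
static const char *const allow_list[] = { "10.0.0.5", "192.0.2.10" };

static int ip_allowed(const char *ip) {
    for (size_t i = 0; i < sizeof allow_list / sizeof allow_list[0]; i++)
        if (strcmp(ip, allow_list[i]) == 0)
            return 1;
    return 0;
}

/* Pattern 1: missing braces (CWE-483). Only the first statement is guarded;
 * `allowed = 1` runs for every caller, so the check never denies anyone. */
int check_access_broken(int is_admin) {
    int allowed = 0;
    if (is_admin)
        printf("audit: admin access\n");
        allowed = 1;              /* not part of the if; always executes */
    return allowed;
}

/* Fixed: the block is explicit, so the assignment is conditional. */
int check_access_fixed(int is_admin) {
    int allowed = 0;
    if (is_admin) {
        printf("audit: admin access\n");
        allowed = 1;
    }
    return allowed;
}

/* Pattern 2: redirect without exit, mirroring the page's PHP example.
 * The redirect is recorded, but control flow continues and the status is
 * still written into the response body. Returns 1 if the status was sent. */
int status_handler_broken(struct request *req) {
    req->body[0] = '\0';
    if (!ip_allowed(req->remote_addr)) {
        req->redirected = 1;        /* equivalent of http_redirect($errorPageURL) */
        /* missing: return */
    }
    strcpy(req->body, "server status: OK");  /* runs for every caller */
    return req->body[0] != '\0';
}

/* Fixed: the deny path ends the handler before any status is produced. */
int status_handler_fixed(struct request *req) {
    req->body[0] = '\0';
    if (!ip_allowed(req->remote_addr)) {
        req->redirected = 1;
        return 0;                   /* stop here; nothing else is sent */
    }
    strcpy(req->body, "server status: OK");
    return 1;
}

int main(void) {
    struct request r = { "203.0.113.7", 0, "" };   /* not on the allow list */
    printf("broken braces, non-admin allowed=%d\n", check_access_broken(0));
    printf("fixed  braces, non-admin allowed=%d\n", check_access_fixed(0));
    printf("broken redirect, status sent=%d\n", status_handler_broken(&r));
    printf("fixed  redirect, status sent=%d\n", status_handler_fixed(&r));
    return 0;
}
```

Compiling this with `gcc -Wall` (or clang) reports the first pattern through `-Wmisleading-indentation`, which is why that warning belongs in every build; the second pattern produces no compiler warning at all and is only caught by a test that exercises the deny path and asserts that nothing beyond the redirect was produced.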
Entries tagged (AI) carry a score and severity produced by the site's AI analysis; a severity of "-" means none is listed.

| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-44928 | Uriparser security vulnerability | uriparser | 2.9 | Low | 2026-05-08 |
| CVE-2026-41988 | uuid security vulnerability | uuid | 3.2 | Low | 2026-04-23 |
| CVE-2026-35343 | uutils coreutils cut Inconsistent Output Suppression with Newline Delimiters | coreutils | 3.3 | Low | 2026-04-22 |
| CVE-2026-40942 | DSF: Inverted Time Comparison in OIDC JWKS and Token Cache | dsf | 5.9 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-41527 | kleopatra security vulnerability | Kleopatra | 6.9 | Medium | 2026-04-21 |
| CVE-2026-6608 | lm-sys fastchat Arena Side-by-Side View add_text control flow | fastchat | 5.3 | Medium | 2026-04-20 |
| CVE-2026-40960 | Luanti security vulnerability | Luanti | 8.1 | High | 2026-04-16 |
| CVE-2026-40719 | MaraDNS security vulnerability | MaraDNS | 7.5 | High | 2026-04-15 |
| CVE-2026-40396 | Varnish Cache security vulnerability | Varnish Cache | 4.0 | Medium | 2026-04-12 |
| CVE-2026-40394 | Varnish Cache and Varnish Enterprise security vulnerability | Varnish Cache | 4.0 | Medium | 2026-04-12 |
| CVE-2026-40200 | musl libc security vulnerability | musl | 8.1 | High | 2026-04-10 |
| CVE-2026-34946 | Wasmtime's host panics when Winch compiler executes `table.fill` | wasmtime | 7.7 (AI) | High (AI) | 2026-04-09 |
| CVE-2026-35414 | OpenSSH security vulnerability | OpenSSH | 4.2 | Medium | 2026-04-02 |
| CVE-2026-35387 | OpenSSH security vulnerability | OpenSSH | 3.1 | Low | 2026-04-02 |
| CVE-2025-58136 | Apache Traffic Server: A simple legitimate POST request causes a crash | Apache Traffic Server | 7.5 (AI) | High (AI) | 2026-04-02 |
| CVE-2026-33011 | Nest Fastify HEAD Request Middleware Bypass | nest | 7.1 | - | 2026-03-20 |
| CVE-2026-32713 | PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors | PX4-Autopilot | 4.3 | Medium | 2026-03-13 |
| CVE-2026-1874 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module | MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP | 7.5 (AI) | High (AI) | 2026-03-03 |
| CVE-2026-26267 | rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide | rs-soroban-sdk | 7.5 | High | 2026-02-19 |
| CVE-2025-33199 | NVIDIA DGX Spark security vulnerability | DGX Spark | 3.2 | Low | 2025-11-25 |
| CVE-2025-32942 | SSH Communications Security SSH Tectia Server security vulnerability | Tectia Server | 7.2 | High | 2025-10-02 |
| CVE-2025-49091 | KDE Konsole security vulnerability | Konsole | 8.2 | High | 2025-06-11 |
| CVE-2025-32996 | http-proxy-middleware security vulnerability | http-proxy-middleware | 4.0 | Medium | 2025-04-15 |
| CVE-2025-2886 | Terminating targets role delegations are not respected in tough | tough | 4.3 (AI) | Medium (AI) | 2025-03-27 |
| CVE-2025-24800 | Critical vulnerability in `ismp-grandpa` <v15.0.1 | hyperbridge | 7.5 | - | 2025-01-28 |
| CVE-2025-21607 | Success of Certain Precompile Calls not Checked in Vyper | vyper | 7.1 | - | 2025-01-14 |
| CVE-2024-53271 | HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset in envoy | envoy | 7.1 | High | 2024-12-18 |
| CVE-2024-53270 | HTTP/1: sending overload crashes when the request is reset beforehand in envoy | envoy | 7.5 | High | 2024-12-18 |
| CVE-2024-53269 | Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting in envoy | envoy | 4.5 | Medium | 2024-12-18 |
| CVE-2024-52811 | Acks not validated before logged to qlog leads to buffer overflow in ngtcp2 | ngtcp2 | 8.2 | High | 2024-11-25 |

Vulnerabilities classified as CWE-670 (Always-Incorrect Control Flow Implementation) number 70 CVEs in this database; the list above shows the most recent entries. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.