
CWE-691 (Insufficient Control Flow Management) — Vulnerability Class 11

11 vulnerabilities classified as CWE-691 (Insufficient Control Flow Management). AI Chinese analysis included.

CWE-691 represents a critical class of weaknesses in which software fails to properly manage its execution path, so that control flow can be altered in unexpected ways. The weakness typically arises when an application lacks robust state management or error handling, allowing an attacker to steer its internal logic through crafted input or race conditions. By bypassing intended security checks or triggering unintended code paths, an adversary can gain unauthorized access, corrupt data, or cause a denial of service. Mitigation requires strict state validation and a deterministic execution model: formal verification where practical, thorough input validation, and rigorous handling of every error and exception (including the return values of calls such as lock acquisition) keep the application's control flow predictable. Defensive programming practices and careful code review help identify and fix such logic flaws before deployment.

MITRE CWE Description
The code does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

Common Consequences (1)
Scope: Other · Impact: Alter Execution Logic

Examples (2)

Example 1. The following function attempts to acquire a lock in order to perform operations on a shared resource.

    #include <pthread.h>

    void f(pthread_mutex_t *mutex) {
        pthread_mutex_lock(mutex);
        /* access shared resource */
        pthread_mutex_unlock(mutex);
    }

Bad · C

The version above ignores the value returned by pthread_mutex_lock(), so the shared resource is accessed even when the lock was not acquired. The corrected version returns as soon as the lock call fails and propagates the result of the unlock call to the caller.

    #include <pthread.h>

    int f(pthread_mutex_t *mutex) {
        int result;

        result = pthread_mutex_lock(mutex);
        if (0 != result)
            return result;   /* lock not acquired: do not touch the resource */

        /* access shared resource */

        return pthread_mutex_unlock(mutex);
    }

Good · C

Example 2. In this example, the programmer has indented the statements that call Do_X() and Do_Y(), as if the intention is that these functions are only called when the condition is true. However, because there are no braces to delimit the block, Do_Y() will always be executed, even if the condition is false.

    if (condition==true)
        Do_X();
        Do_Y();

Bad · C

Vulnerabilities classified as CWE-691 (Insufficient Control Flow Management) represent 11 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.