Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-758 (依赖未定义、未指明或实现定义的行为) — Vulnerability Class 9

9 vulnerabilities classified as CWE-758 (依赖未定义、未指明或实现定义的行为). AI Chinese analysis included.

CWE-758 represents a critical architectural flaw where software depends on undefined, unspecified, or implementation-specific behaviors rather than standardized guarantees. This weakness typically emerges when developers assume consistent properties across different platforms, compilers, or runtime environments, leading to unpredictable outcomes during porting or updates. Exploitation often occurs indirectly; attackers may leverage platform-specific variations or interaction errors to trigger unexpected code paths, causing crashes, data corruption, or privilege escalation. To mitigate this risk, developers must strictly adhere to language standards and avoid relying on implicit assumptions about data structures or API behaviors. Rigorous cross-platform testing, static analysis tools, and explicit validation of all external inputs ensure that code remains portable and robust. By eliminating reliance on non-portable features, engineers can prevent subtle bugs that compromise security and stability in diverse computing environments.

MITRE CWE Description
The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. This can lead to resultant weaknesses when the required properties change, such as when the product is ported to a different platform or if an interaction error (CWE-435) occurs.
Common Consequences (1)
OtherReduce Maintainability, Unexpected State, Quality Degradation
Examples (2)
This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.
int (*pt2Function) (float, char, char)=0x08040000; int result2 = (*pt2Function) (12, 'a', 'b'); // Here we can inject code to execute.
Bad · C
The following function returns a stack address.
char* getName() { char name[STR_MAX]; fillInName(name); return name; }
Bad · C
CVE IDTitleCVSSSeverityPublished
CVE-2026-40279 BACnet Stack: Undefined-behavior signed left shift in `decode_signed32()` — bacnet-stack 3.7 Low2026-04-21
CVE-2026-34549 iccDEV: UB at IccUtil.cpp — iccDEV 6.2 Medium2026-03-31
CVE-2026-34547 iccDEV: UB at IccUtil.cpp — iccDEV 6.2 Medium2026-03-31
CVE-2026-34537 iccDEV: UB in CIccOpDefEnvVar::Exec() — iccDEV 6.2 Medium2026-03-31
CVE-2026-34533 iccDEV: UB in CIccCalculatorFunc::ApplySequence() — iccDEV 6.2 Medium2026-03-31
CVE-2026-21677 iccDEV has Undefined Behavior in CIccCLUT::Init() — iccDEV 8.8 High2026-01-06
CVE-2025-54811 OpenPLC_V3 — OpenPLC_V3 7.1 High2025-10-01
CVE-2025-55160 ImageMagick Undefined Behavior (function-type-mismatch) in CloneSplayTree — ImageMagick 6.1 Medium2025-08-13
CVE-2023-30624 Wasmtime has Undefined Behavior in Rust runtime functions — wasmtime 3.9 Low2023-04-27

Vulnerabilities classified as CWE-758 (依赖未定义、未指明或实现定义的行为) represent 9 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.