Empty Exception Block

Incomplete Variant

Structure: Simple

Description

This weakness occurs when a try-catch or try-finally block is present but contains no code to handle the caught exception or perform cleanup.

Extended Description

Empty exception blocks silently swallow errors, making debugging extremely difficult. The program appears to run normally, but underlying failures—like a failed database connection or a corrupted file read—go unreported, leading to unpredictable behavior and corrupted data states. From a security perspective, this reliability flaw can become a vulnerability if an attacker can trigger the exception. By suppressing critical error messages, empty catch blocks can hide the symptoms of an ongoing attack, such as authentication bypass attempts or injection attacks, allowing malicious activity to continue undetected.

Common Consequences 1

Scope: Other

Impact: Reduce Reliability

Potential Mitigations 1

Phase: Implementation

For every exception block add code that handles the specific exception in the way intended by the application.

Demonstrative Examples 1

ID : DX-213

In the following Java example, the code catches an ArithmeticException.

Code Example:Bad
Java
java

Since the exception block is empty, no action is taken.

In the code below the exception has been logged and the bad execution has been handled in the desired way allowing the program to continue in an expected way.

Code Example:Good
Java
java

References 1

Automated Source Code Reliability Measure (ASCRM)

Object Management Group (OMG)

01-2016

http://www.omg.org/spec/ASCRM/1.0/

ID: REF-961

Applicable Platforms

Languages:

Not Language-Specific : Undetermined

Related Weaknesses

ChildOf:

Empty Code Block (CWE-1071)

Taxonomy Mapping

OMG ASCRM