Floating Point Comparison with Incorrect Operator

Abstraction: Variant
Status: Incomplete
Structure: Simple
Description

This weakness occurs when code compares two floating-point numbers with a direct equality operator (== or !=) without allowing for the rounding error inherent in floating-point arithmetic. Such comparisons ignore the tiny differences that accumulate during floating-point operations and can therefore yield incorrect or unexpected results.

Extended Description

Floating-point arithmetic is inherently imprecise because most decimal fractions have no exact binary representation. Operations such as addition, multiplication, and division can introduce microscopic rounding errors, so two calculations that should mathematically yield the same result may produce values that differ by an extremely small amount (e.g., 1.0000000000000002 vs. 1.0). A direct equality check will falsely treat these as different numbers. This reliability flaw can cause software to behave unpredictably, for example by failing validation checks, entering the wrong logic branch, or crashing. If an attacker can influence the values being compared, they might exploit this instability to bypass security controls, cause a denial of service, or trigger unexpected program behavior.
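As an added example, not part of this CWE entry or its references, the following C code shows the direct-equality comparison the weakness describes beside two tolerant alternatives: a relative-epsilon check and a ULP-distance check in the style of REF-975. The function names are assumed for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak form: direct equality, the pattern this weakness describes. */
bool equal_exact(double a, double b) {
    return a == b;
}

/* Hardened form 1: relative tolerance scaled to operand magnitude, with an
 * absolute floor so values near zero are still comparable. */
bool equal_relative(double a, double b, double rel_eps, double abs_eps) {
    double diff = fabs(a - b);
    if (diff <= abs_eps) return true;
    double largest = fabs(a) > fabs(b) ? fabs(a) : fabs(b);
    return diff <= largest * rel_eps;
}

/* Hardened form 2: ULP distance. Reinterpret each double's bits as a 64-bit
 * integer; for two finite values of the same sign, the difference of those
 * integers is the number of representable doubles between them. NaN never
 * compares equal; infinities and mixed signs fall back to exact equality. */
bool equal_ulps(double a, double b, int64_t max_ulps) {
    if (isnan(a) || isnan(b)) return false;
    if (isinf(a) || isinf(b)) return a == b;
    int64_t ia, ib;
    memcpy(&ia, &a, sizeof ia);
    memcpy(&ib, &b, sizeof ib);
    if ((ia < 0) != (ib < 0)) return a == b;   /* also handles +0.0 vs -0.0 */
    int64_t d = ia > ib ? ia - ib : ib - ia;
    return d <= max_ulps;
}

int main(void) {
    double sum = 0.1 + 0.2;   /* rounds to 0.30000000000000004, one ULP above 0.3 */
    printf("exact:    %d\n", equal_exact(sum, 0.3));                /* 0 */
    printf("relative: %d\n", equal_relative(sum, 0.3, 1e-12, 0.0)); /* 1 */
    printf("1 ULP:    %d\n", equal_ulps(sum, 0.3, 1));              /* 1 */
    return 0;
}
```

The tolerance (relative epsilon or ULP budget) must be chosen per use case; a value loose enough for accumulated sums may be far too loose for a security check.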

Common Consequences
Scope: Other

Impact: Reduce Reliability

References
REF-961: Object Management Group (OMG), "Automated Source Code Reliability Measure (ASCRM)", 01-2016.
REF-975: Bruce Dawson, "Comparing Floating Point Numbers, 2012 Edition", 25-02-2012.
Related Weaknesses
Taxonomy Mapping
  • OMG ASCRM