Weaknesses in this category are related to the rules and recommendations in the Input Output (FIO) section of the SEI CERT C Coding Standard.
| ID | Name | Description |
|---|---|---|
| CWE-134 | Use of Externally-Controlled Format String | This vulnerability occurs when a program uses a format string from an untrusted, external source (like user input, a network packet, or a file) in a formatting function (e.g., printf, sprintf). An attacker can craft a malicious format string to read or write memory, potentially crashing the application or executing arbitrary code. |
| CWE-197 | Numeric Truncation Error | A numeric truncation error happens when a program converts a number to a smaller data type, cutting off its higher-order bits and corrupting the original value. |
| CWE-20 | Improper Input Validation | This vulnerability occurs when an application accepts data from an external source but fails to properly verify that the data is safe and correctly formatted before using it. This missing or flawed validation check allows malicious or malformed inputs to disrupt the application's logic or security. |
| CWE-241 | Improper Handling of Unexpected Data Type | This vulnerability occurs when software fails to properly validate or safely process data that arrives in an unexpected format. For example, the system might expect a numeric input but receives text instead, leading to crashes, errors, or security issues. |
| CWE-404 | Improper Resource Shutdown or Release | This vulnerability occurs when a program fails to properly close or release a system resource—like a file handle, database connection, or memory block—after it's no longer needed, preventing its reuse. |
| CWE-459 | Incomplete Cleanup | This vulnerability occurs when an application fails to properly remove temporary files, data structures, or system resources after they are no longer needed. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | This vulnerability occurs when software fails to properly manage a resource throughout its entire lifecycle—from creation and active use to its final release or destruction. |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime | This vulnerability occurs when software interacts with a resource—like memory, a file, or a network connection—at an incorrect stage of its existence, leading to crashes, data corruption, or unpredictable behavior. |
| CWE-67 | Improper Handling of Windows Device Names | This vulnerability occurs when an application builds file paths from user input but fails to properly recognize or handle Windows reserved device names like AUX, CON, or COM1. Attackers can exploit this by submitting these special names, which typically causes the application to crash, hang, or leak sensitive information when it tries to access them as regular files. |
| CWE-672 | Operation on a Resource after Expiration or Release | This vulnerability occurs when a program continues to use a resource—like memory, a file handle, or a network connection—after it has been freed, closed, or is no longer valid. |
| CWE-685 | Function Call With Incorrect Number of Arguments | This weakness occurs when a program calls a function, method, or subroutine but provides the wrong number of arguments—either too many or too few. This mismatch can cause the program to behave unpredictably, access incorrect memory, or crash, creating a security vulnerability. |
| CWE-686 | Function Call With Incorrect Argument Type | This vulnerability occurs when a program calls a function or method but passes an argument of the wrong data type, which can cause unexpected behavior or security flaws. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | This weakness occurs when software depends on specific behaviors of an API, data structure, or system component that are not formally guaranteed by its specification. The code assumes these behaviors will always work a certain way, but they might change or fail under different conditions. |
| CWE-771 | Missing Reference to Active Allocated Resource | This vulnerability occurs when software loses track of a resource it has allocated, like memory or a file handle, preventing the system from properly releasing it back for future use. |
| CWE-772 | Missing Release of Resource after Effective Lifetime | This vulnerability occurs when a program fails to properly release a system resource—like memory, file handles, or network sockets—after it is no longer needed. This leads to a gradual accumulation of unused resources, known as a resource leak. |
| CWE-773 | Missing Reference to Active File Descriptor or Handle | This vulnerability occurs when a program fails to keep track of open files or resources, preventing the system from properly closing and reclaiming them. |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | This vulnerability occurs when a program fails to properly close file descriptors or handles after they are no longer needed, leaving these system resources allocated. |
| CWE-910 | Use of Expired File Descriptor | This vulnerability occurs when a program attempts to use a file descriptor after it has been closed, treating it as if it were still valid. |
| CWE-1154 | Weaknesses Addressed by the SEI CERT C Coding Standard | CWE entries in this view (graph) are fully or partially eliminated by following the guidance presented in the online wiki that reflects the current rules and recommendations of the SEI CERT C Coding Standard. |