Uncaught Exception

Status: Draft
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when a function throws an error or exception, but the calling code does not have a proper handler to catch and manage it.

Extended Description

Uncaught exceptions break the normal flow of your application. Instead of gracefully handling an unexpected condition—like a failed network request, invalid input, or missing file—the program will typically terminate abruptly. This leads to a poor user experience, interrupted operations, and makes debugging more difficult, as the root cause may be obscured by a generic crash. Beyond causing crashes, unhandled exceptions can leak sensitive internal details about your application's structure, such as stack traces, file paths, or even partial data. Attackers can use this information to map your system and plan further exploits. To prevent this, developers should implement strategic try-catch blocks around risky operations and define clear fallback behaviors or user-friendly error messages.

Common Consequences
Scope: Availability, Confidentiality

Impact: DoS: Crash, Exit, or Restart; Read Application Data

An uncaught exception could cause the system to be placed in a state that could lead to a crash, exposure of sensitive information or other unintended behaviors.

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.).
Demonstrative Examples

ID: DX-39

The following example attempts to resolve a hostname.

Code Example (Bad, Java):

A DNS lookup failure will cause the Servlet to throw an exception.

The _alloca() function allocates memory on the stack. If an allocation request is too large for the available stack space, _alloca() throws an exception. If the exception is not caught, the program will crash, potentially enabling a denial of service attack. _alloca() has been deprecated as of Microsoft Visual Studio 2005(R). It has been replaced with the more secure _alloca_s().

EnterCriticalSection() can raise an exception, potentially causing the program to crash. Under operating systems prior to Windows 2000, the EnterCriticalSection() function can raise an exception in low memory situations. If the exception is not caught, the program will crash, potentially enabling a denial of service attack.
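As an added example of the pattern this entry describes (not the entry's own demonstrative code, which is absent from this page): a plain-Java version of the hostname lookup, with the unhandled form beside a hardened form that catches UnknownHostException, logs the detail server-side and returns a fixed message, plus a default uncaught-exception handler as a last-resort net so a stray exception is logged instead of printing a raw stack trace and killing the thread. The class name HostnameLookup, the method names and the inputs 192.0.2.1 and host.invalid are assumptions constructed for this example; it needs only the JDK.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical class name chosen for this added example.
public class HostnameLookup {
    private static final Logger LOG = Logger.getLogger(HostnameLookup.class.getName());

    // BAD: mirrors the Servlet example above. The checked UnknownHostException is
    // declared instead of handled, so a failed lookup propagates to the caller. In a
    // Servlet container that becomes a generic error page which, depending on
    // configuration, can include the stack trace and internal class names.
    static String resolveUnhandled(String host) throws UnknownHostException {
        InetAddress addr = InetAddress.getByName(host);
        // getHostAddress() avoids the reverse lookup that getHostName() would trigger.
        return "hello " + addr.getHostAddress();
    }

    // GOOD: the risky call is wrapped in a targeted try/catch. The detail goes to the
    // server-side log for the operator; the caller receives a fixed, non-revealing
    // message, which is the fallback behaviour the Extended Description asks for.
    static String resolveHandled(String host) {
        try {
            InetAddress addr = InetAddress.getByName(host);
            return "hello " + addr.getHostAddress();
        } catch (UnknownHostException e) {
            LOG.log(Level.WARNING, "Hostname lookup failed for caller-supplied input", e);
            return "Unable to resolve the requested host.";
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Last-resort net for anything that escapes every local handler: log it with
        // context instead of letting the JVM print a raw stack trace and kill the thread.
        Thread.setDefaultUncaughtExceptionHandler((t, e) ->
                LOG.log(Level.SEVERE, "Uncaught exception in thread " + t.getName(), e));

        // Constructed inputs: an IP literal from the TEST-NET-1 range resolves locally
        // with no network lookup; the .invalid name (RFC 2606) cannot resolve.
        System.out.println(resolveHandled("192.0.2.1"));
        System.out.println(resolveHandled("host.invalid"));

        // A worker thread with a simulated latent bug: the unchecked exception reaches
        // the default handler above, is logged, and the rest of the process carries on.
        Thread worker = new Thread(() -> {
            throw new IllegalStateException("simulated bug in request handling");
        }, "worker-1");
        worker.start();
        worker.join();
        System.out.println("main thread still running after the worker's failure");
    }
}
```

Compile and run with `javac HostnameLookup.java && java HostnameLookup`. The handled form catches only the specific checked exception rather than Throwable, so genuine programming errors are not swallowed: they still reach the default handler, where they are logged with the thread name for triage instead of crashing the process or reaching a client.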
Observed Examples
CVE-2023-41151: SDK for OPC Unified Architecture (OPC UA) server has uncaught exception when a socket is blocked for writing but the server tries to send an error
CVE-2023-21087: Java code in a smartphone OS can encounter a "boot loop" due to an uncaught exception
References
REF-6: Katrina Tsipenyuk, Brian Chess, and Gary McGraw. "Seven Pernicious Kingdoms: A Taxonomy of Software Security Errors". NIST Workshop on Software Security Assurance Tools, Techniques and Metrics, NIST, 07-11-2005.
Applicable Platforms
Languages:
  • C++: Undetermined
  • Java: Undetermined
  • C#: Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • 7 Pernicious Kingdoms
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • SEI CERT Perl Coding Standard
  • Software Fault Patterns