logo

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

Incomplete Class
Structure: Simple
Description

This weakness occurs when software depends on specific behaviors of an API, data structure, or system component that are not formally guaranteed by its specification. The code assumes these behaviors will always work a certain way, but they might change or fail under different conditions.

Extended Description

Relying on undefined or platform-specific behavior creates fragile code that can break unexpectedly. For example, a function might return results in a particular order on your development machine, but a different compiler or operating system version could alter that order, causing logic errors or crashes. This often surfaces during porting to a new environment or during complex interactions between components. To avoid this, developers should strictly use documented, standardized behaviors and avoid assumptions about internal implementation details that aren't part of the official contract.
Common Consequences 1
Scope: Other

Impact: Other
Detection Methods 1
FuzzingHigh
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Demonstrative Examples 2

ID : DX-192

This code assumes a particular function will always be found at a particular address. It assigns a pointer to that address and calls the function.

Code Example:

Bad
C
c

// Here we can inject code to execute.*

The same function may not always be found at the same memory address. This could lead to a crash, or an attacker may alter the memory at the expected address, leading to arbitrary code execution.

ID : DX-203

The following function returns a stack address.

Code Example:

Bad
C
c
Observed Examples 1
CVE-2006-1902Change in C compiler behavior causes resultant buffer overflows in programs that depend on behaviors that were undefined in the C standard.
Related Weaknesses
ChildOf: Improper Adherence to Coding Standards (CWE-710)
Taxonomy Mapping
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding
  • CERT C Secure Coding