Category: SFP Secondary Cluster: Incorrect Exception Behavior
Incomplete
Summary
This category identifies Software Fault Patterns (SFPs) within the Incorrect Exception Behavior cluster (SFP6).
Membership
| ID | Name | Description |
|---|---|---|
| CWE-392 | Missing Report of Error Condition | This vulnerability occurs when a system fails to properly signal that an error has happened. Instead of returning a clear error code, status, or exception, the software continues as if nothing went wrong, leaving other components unaware of the failure. |
| CWE-393 | Return of Wrong Status Code | This vulnerability occurs when a function returns an inaccurate status code or value that misrepresents the actual outcome of an operation. This false signal can cause the application to behave in unexpected and potentially insecure ways. |
| CWE-455 | Non-exit on Failed Initialization | This vulnerability occurs when software continues to run as normal after encountering a critical security failure during its startup process. Instead of halting or entering a safe mode, the application proceeds with weakened or missing security controls, leaving it exposed. |
| CWE-460 | Improper Cleanup on Thrown Exception | This vulnerability occurs when a program fails to properly restore its state or release resources after an exception is thrown, leaving the application in an inconsistent or unexpected condition. |
| CWE-544 | Missing Standardized Error Handling Mechanism | This weakness occurs when software lacks a unified, consistent approach to managing errors across its codebase, leading to unpredictable security gaps and unreliable behavior. |
| CWE-584 | Return Inside Finally Block | This vulnerability occurs when a function places a return statement inside a finally block. This dangerous pattern silently discards any unhandled exceptions thrown earlier in the try block, making errors invisible and undermining application stability. |
| CWE-636 | Not Failing Securely ('Failing Open') | This vulnerability occurs when a system, upon encountering an error or failure, defaults to its least secure configuration instead of a safer alternative. Examples include reverting to the weakest encryption or the most permissive access rules. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | This vulnerability occurs when software fails to properly plan for or manage rare but possible error scenarios, leaving it unprepared for unexpected events that can disrupt normal operation. |
| CWE-888 | Software Fault Pattern (SFP) Clusters | CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs). |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.
Comment:
See member weaknesses of this category.