CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

BaseIncomplete

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

View on MITRE
Back to CWE Lookup

Extended Description

Languages such as Java and C# support automatic conversion through their respective compilers from primitive types into objects of the corresponding wrapper classes, and vice versa. For example, a compiler might convert an int to Integer (called autoboxing) or an Integer to int (called unboxing). This eliminates forcing the programmer to perform these conversions manually, which makes the code cleaner. However, this feature comes at a cost of performance and can lead to resource exhaustion and impact availability when used with generic collections. Therefore, they should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives.

Technical Details

Structure
Simple

Applicable To

Languages
JavaC#
Platforms
Not OS-Specific

Frequently Asked Questions

What is CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations?+

CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations. Languages such as Java and C# support automatic conversion through their respective compilers from primitive types into objects of the corresponding wrapper classes, and vice versa. For example, a compiler might convert an int to Integer (called autoboxing) or an Integer to int (called unboxing). This eliminates forcing the programmer to perform these conversions manually, which makes the code cleaner. However, this feature comes at a cost of performance and can lead to resource exhaustion and impact availability when used with generic collections. Therefore, they should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives.

What are the security consequences of Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations?+

If exploited, CWE-1235 (Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other) and Reduce Performance.

How do you prevent or mitigate Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations?+

Recommended mitigations for CWE-1235 include: Use of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.

Which programming languages are affected by Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations?+

CWE-1235 commonly affects Java and C#. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1235 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More