CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code.
View on MITREExtended Description
In a complex product, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that could emanate from a given function call. In some systems, an external actor can manipulate inputs to the system and thereby achieve a wide range of possible control flows. This is frequently a concern in products that execute scripts from untrusted sources. Examples of such products are web browsers and PDF readers. A weakness is present when one of the possible code paths resulting from a function call alters program state that the original caller assumes to be unchanged during the call.
Technical Details
- Structure
- Simple
Applicable To
Security Consequences
No consequence information available for this CWE.
Mitigation Strategies
Phase
Description
When architecting a system that will execute untrusted code in response to events, consider executing the untrusted event handlers asynchronously (asynchronous message passing) as opposed to executing them synchronously at the time each event fires. The untrusted code should execute at the start of the next iteration of the thread's message loop. In this way, calls into non-reentrant code are strictly serialized, so that each operation completes fully before the next operation begins. Special attention must be paid to all places where type coercion may result in script execution. Performing all needed coercions at the very beginning of an operation can help reduce the chance of operations executing at unexpected junctures.
Effectiveness
HighPhase
Description
Make sure the code (e.g., function or class) in question is reentrant by not leveraging non-local data, not modifying its own code, and not calling other non-reentrant code.
Effectiveness
HighDetection Methods
No detection method information available for this CWE.
Code Examples & CVEs
Observed CVE Examples (2)
In this vulnerability, by registering a malicious onerror handler, an adversary can produce unexpected re-entrance of a CDOMRange object. [REF-1098]
View DetailsThis CVE covers several vulnerable scenarios enabled by abuse of the Class_Terminate feature in Microsoft VBScript. In one scenario, Class_Terminate is used to produce an undesirable re-entrance of ScriptingDictionary during execution of that object's destructor. In another scenario, a vulnerable condition results from a recursive entrance of a property setter method. This recursive invocation produces a second, spurious call to the Release method of a reference-counted object, causing a UAF when that object is freed prematurely. This vulnerability pattern has been popularized as "Double Kill". [REF-1099]
View DetailsCWE Relationships
No relationship information available for this CWE.
Frequently Asked Questions
What is CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls?+
CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls is a Common Weakness Enumeration (CWE) entry maintained by MITRE. During execution of non-reentrant code, the product performs a call that unintentionally produces a nested invocation of the non-reentrant code. In a complex product, a single function call may lead to many different possible code paths, some of which may involve deeply nested calls. It may be difficult to foresee all possible code paths that could emanate from a given function call. In some systems, an external actor can manipulate inputs to the system and thereby achieve a wide range of possible control flows. This is frequently a concern in products that execute scripts from untrusted sources. Examples of such products are web browsers and PDF readers. A weakness is present when one of the possible code paths resulting from a function call alters program state that the original caller assumes to be unchanged during the call.
How do you prevent or mitigate Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls?+
Recommended mitigations for CWE-1265 include: When architecting a system that will execute untrusted code in response to events, consider executing the untrusted event handlers asynchronously (asynchronous message passing) as opposed to executing them synchronously at the time each event fires. The untrusted code should execute at the start of the next iteration of the thread's message loop. In this way, calls into non-reentrant code are strictly serialized, so that each operation completes fully before the next operation begins. Special attention must be paid to all places where type coercion may result in script execution. Performing all needed coercions at the very beginning of an operation can help reduce the chance of operations executing at unexpected junctures. Make sure the code (e.g., function or class) in question is reentrant by not leveraging non-local data, not modifying its own code, and not calling other non-reentrant code.
Which programming languages are affected by Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls?+
CWE-1265 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.
What are real-world examples of Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls?+
MITRE documents real CVEs mapped to CWE-1265, including CVE-2014-1772 and CVE-2018-8174. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.
What is the difference between a CWE and a CVE?+
A CWE (Common Weakness Enumeration) like CWE-1265 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.